The Passenger Name Record (PNR) – one of the most controversial tools used by governments against Jihadist terrorism – is ready to take effect in Spain. Every day, the system will cross-reference three million pieces of passenger data with police databases from the Intelligence Center for Counter-Terrorism and Organized Crime (CITCO), the future home of the National Office for Passenger Information (ONIP). This center will store and transfer the personal traveler information sent by the airline companies. The Data Protection Agency will audit the system.
Each passenger’s full name, telephone number, email, date the flight is booked for, payment information, complete travel itinerary, frequency of travel, agency or flight operator, check-in confirmation, type of luggage, seat number, nationality, gender, date of birth and any change to these fields – all this information will be sent by approximately 1,000 air carriers in Spain to the ONIP.
Here the information will be processed, stored, handled and transferred by a computer system that has cost more than €4 million, and it will remain visible for six months. After this period, it will be blacked out. And in five years, the information will be permanently deleted. The system will also be periodically audited by the Spanish Data Protection Agency, which will release a statistical report each year for the European Commission. These are the requirements of the European Parliament's PNR directive of April 27, 2016.
Since its draft version was launched in Europe in 2012, the PNR system has overcome many stumbling blocks – particularly in relation to the use and protection of traveler information. Support for the measure has also sadly surged following the terrorist attacks in London, Nice, Paris, Berlin and Barcelona.
But the European directive must first be adjusted to Spanish legal norms and passed as an organic law given that it affects fundamental rights and requires majority approval from parliamentary groups. Once this occurs, information that is regularly collected by air carriers to complete a flight booking and sale could be used by national and international police databases that are part of CITCO and that receive constant input from different police bodies. Fake documents will even be included in some of the databases.
This information will be used in investigations relating to a broad range of crimes including terrorism, organized crime, human trafficking, sexual exploitation, corruption, trafficking in organs, weapons and cultural assets, fraud, money laundering, cybercrimes, environmental crimes, rape and kidnapping, among others.
According to the European directive, information can be solicited by law enforcement agencies, regional police forces, courts and customs officials in cases relating to 26 different crime categories.
A draft version of the law has already been approved by the Spanish Data Protection Agency, according to CITCO sources, but it still needs the green light from the relevant police and legal agencies. In theory, the system should be ready by May 25, according to EU recommendations. Once the law is approved, air carriers will be obliged to send these details to the ONIP via a pre-established secure channel. The data transfer will take place in real time: between 24 and 48 hours before a flight’s departure and again as a confirmation following takeoff.
“The system has been designed so that everything is recorded; any information movement leaves an indelible trace,” said CITCO sources.
The project is already up and running in the United States, Canada and Mexico.
The idea is to store the information of all passengers who enter or leave Spain or the European Union in order to cross-reference them if needed. This information could also be shared with both EU and non-EU countries, according to the directive, as long as the requests meet the established security goals.
The promoters of the system argue that the mastermind of the Barcelona and Cambrils terrorist attacks, Abdelbaki Es Satty, would have been detected by the program because the imam's criminal record would have been included in police databases. “He would have been a positive match,” they said.
The system will automatically log the information sent by air carriers and is also able to create profiles according to predetermined characteristics, for instance: woman, 30 years old, traveling to Turkey, French national. The program can also inversely collate information on an individual who has already been identified in a police investigation.
English version by Melissa Kitson.