All Posts by Helene Dubos

A Solution for Business Aviation, Charters, Tour Operators and its Travel Agencies to Transmit the Air Passenger Information to States

Our objective: ease data transmission (PNRGOV) to States and reduce the cost to a minimum for Business Aviation operators, Tour Operators (TO) and Charters.

According to French Decree n°2018 714 of 3 August 2018, tour operators, travel agencies, and all air carriers are obliged to transmit the passenger data collected to the French administration in a format that can be used by the French API-PNR system.

We all know that new regulations generate additional work for companies that need to comply. Unfortunately, that work brings little apart from additional costs and complex projects to manage. We have therefore built a solution to alleviate this burden.

After studying the processes followed by Business Aviation carriers and TO, and drawing on our expertise and experience with the Passenger Information Units* of different States and with PNR project implementation, we have designed a platform that helps Business Aviation, TO and Charters easily transmit the legally required passenger information to the States they operate in.

The GOVlink platform has been designed to be compatible with the various systems in place and can connect to any carrier system (it supports multiple protocols) to retrieve the required data.

Once the data is collected, the platform runs a series of validations to check data quality, transforms the data into the format requested by the recipient State, and forwards it within the required time frame.

Everything has been designed to ease the work of the affected parties. An online interface allows the data sender:

  • to complete or update its data.
  • to monitor the progress of its data until it reaches the recipient State.

This interface has been designed to handle the specific needs of TO, travel agency and charter processes, in which all of these entities take part in collecting the passenger data for a flight.

Therefore, every entity in the data collection chain will have its own account, so that data can be viewed only by its owner. Passengers’ personal details such as email address or phone number thus stay confidential and are not accessible to other entities.

In terms of personal data protection, all processes have been designed to ensure compliance with the rules in force, and systems have been configured to reach a high level of security.
The platform is limited to advanced gateway functions whose goal is to ease data transmission between air carriers and States. The platform doesn’t keep data, and the data can’t be read by anybody but the sender.

In terms of the economic model, the platform has been built in a community spirit. We want subscribing carriers to benefit directly from the platform’s economies of scale. Therefore, the price will decrease for all subscribers as the volume of messages and the number of subscribers increase. This model is fully in line with the PAXGOV mission, which consists of reducing the costs of API PNR projects through shareable tools and knowledge.

* The Passenger Information Units are State representatives in charge of implementing and operating the EU directive voted in 2018 about collecting the data of air passengers to fight crime.

Contact our staff today and test our try & buy offer. 

Why the EU’s PNR law is problematic in practice

EU directive 2016/681, which came into effect on 25 May 2018, was designed in response to calls for better information sharing between national police forces and crime-fighting agencies to help prevent serious crime and terrorism. Before the directive was introduced, EU countries were, at best, patchy when it came to detecting terrorists and criminals entering their territory from outside the EU or even from other countries within the bloc.

 

A crucial part of this information sharing requires airlines to send passenger name records (PNR) to Passenger Information Units (PIU) in the country they are flying to – these are monitored by the authorities to check for suspicious travelers. In theory, this is a smart idea. The trouble is, making it happen in reality has been a serious challenge for both airlines and security forces.

 

Today, only one EU country has not begun the PIU implementation, although legally speaking, some other countries have not yet transposed the directive. All other EU members are ready to start or have already started data collection from airlines.

What the PNR directive requires

On a practical level, the directive should work as follows: all airlines generate a PNR whenever a customer books a flight ticket. For any airline ticket booked, the airline is expected to send an electronically defined set of data, called PNR data, to the PIU of the destination country. All PNR information is sent on a per flight basis, in batches, on three separate occasions – 48 hours before departure and at the time of departure, depending on the local state’s rules.

 

Even before the EU directive was introduced, some countries had begun developing such systems; and, after the 9/11 attacks in the USA, American authorities demanded that airlines share their PNRs with the police. Nevertheless, the 2016/681 directive is by far the largest and most comprehensive such undertaking. In fact, the USA, Canada, Australia and in the future Mexico, have agreed to work with the EU on this project.

Far from easy to implement

The EU’s PNR legislation should certainly be welcomed. However, many EU members have only partially begun their journey to compliance. At the same time, airlines are struggling to respond to the different ways EU countries are implementing the legislation. This makes compliance for airlines especially challenging.

 

1. Problems with PNR data itself

Although the directive stipulates that airlines should not have to collect more data than they usually collect for their operations, its Annex I sets out a list of 19 separate pieces of information that are part of a standard PNR and could therefore be expected by a requesting authority. These include the passenger name and itinerary, but also other information, including luggage (number of bags and weight), nationality, payment method, ticket currency and so on. It’s clear that some of this information could be useful for law enforcement to spot possible threats, but collecting and processing that data on time could be challenging for incumbent airlines with standardised processes and systems, mainly due to IT constraints. Additionally, when it comes to specific types of flights, such as charter or business jet, it could be simply impossible. Much of the requested data is not part of the information collected at the time of booking (or even after).

2. Quality problems

Another challenge arises from providing accurate data. Consider the realities of ticket booking. The PNR might be generated after someone books offline (such as through partner airlines, travel agencies or call centres) or online (internet booking sites), or through one of many other intermediaries over which the airline has no influence.

 

What’s more, PNR data often goes unverified. There will not necessarily be name checks, or any other checks on data provided by the passenger and/or travel agent for the reservation. PNRs also contain both structured and free format text depending on the internal processes of each of the stakeholders. To make matters murkier, business jet airlines or charter airlines and network carriers providing charter flights have methods of recording passenger data and apply processes that make compliance with the regulation difficult to sustain. For instance, the collection of name and passport data only happens at the airport a few hours before the flight for a charter flight and baggage information for business jet flights is not collected. Those compliance challenges oblige those airlines to engage in individual negotiations with each EU state to obtain exemptions.

3. Communication problems

Besides problems collecting the data itself, there are also challenges when it comes to communicating this data between the airline and the member state’s PIU. Airlines have received requests that do not follow industry standards, while other PIUs do not leave the choice of protocols or formats to the airlines, which changes how they must structure their data files before sending them. All this means that airlines are forced to engage in technology development, which results in increased implementation costs.

4. Airline IT resources

Since the introduction of the law, many airlines’ IT resources have been seriously stretched. The PIUs in different EU countries have been demanding that airlines follow their specific requirements, and this has resulted in bottlenecks and delays as airlines struggle to adapt to the needs of 28 member states.

5. IT implementation timeframes

Many airlines have also complained about the unrealistic timeframes for compliance with the regulation. Consider the enormous complexity of these projects, with airlines which fly from anywhere in the world into the EU having to securely send sensitive passenger data to 28 different PIUs in different formats. Making this happen in just a couple of years is a huge project.

6. IT costs

Airlines have also complained about the costs involved in implementing PNR programmes. Besides the actual implementation, they must also cover continuous data transmission costs and maintenance.

Compliance is not optional

Despite these challenges, airlines are keenly aware of the need to comply with the regulation. There could be heavy fines for non-compliance, and one country has already begun penalising airlines who have fallen foul of the law. There is an even bigger risk too – airlines that don’t comply may be completely barred from flying to destination countries.

So what should airlines do? Going it alone can be costly and confusing, so it’s definitely worth working with PNR project experts who will be able to manage IT projects, negotiate implementation plans and obtain exemptions to regulation for some types of carriers, such as charter flights. Airlines can of course also seek advice about PNR strategy from airline associations.

It’s also worth looking to the market for off-the-shelf IT solutions that can help. Conztanz’s EU PNR gateway, for instance, is currently being used by various airlines and the state of Luxembourg for its PNR data collection. While the PNR directive is problematic in practice, it could help law enforcement detect and prevent crime and terrorism. And there are now a growing number of options that make it easier for airlines and member states to comply too.

ETIAS and EES: How will Airlines and States adopt the EU’s new systems?

In 2015, there were more than 200 million border crossings at EU frontiers, as well as 1.8 million irregular entries. The current system for monitoring who these visitors are, where they are, and whether they have left or not, is seriously struggling.

“The current architecture for border control and security in the European Union is marked by fragmentation due to the different contexts in which the systems have been developed. Information is stored separately in various systems. There is inconsistency between databases and access to data diverges between different relevant authorities. This can lead to blind spots notably for law enforcement authorities. It is, therefore, necessary and urgent to work towards integrated solutions for improved accessibility to data for border management and security, in full compliance with fundamental rights”.

European Commission, Smart Borders Package Q&A

To help manage these challenges, the European Parliament voted in two related pieces of legislation which aim to give the EU more control over its borders: the Entry and Exit System (EES), which will manage a digital record of visitors coming into and leaving the EU’s border-less Schengen Zone, and the European Travel Information and Authorisation System (ETIAS), which will ask visa-exempt travelers visiting the EU to declare their visit and obtain official authorization via an online process prior to their arrival.

While these two measures will certainly give national authorities more control over their borders, they are expected to create some additional technological headaches for airlines. What exactly are ETIAS and EES, what technological demands will they make, and how can these be overcome?

What is ETIAS?

ETIAS aims to bring border control into the 21st Century and reinforce security. Similar in form to the US’s ESTA or Canada’s eTA, ETIAS is an electronic visa service which essentially asks the citizens of all visa-exempt countries outside the EU to fill in a short online application form whenever they plan to enter the EU, providing background information and details of criminal history.

This information is then cross-checked against a range of international databases and the individual’s application will either be accepted or rejected.

The introduction of ETIAS will undoubtedly improve security by limiting the opportunities for high-risk individuals to enter the EU.

What is EES?

The Entry and Exit System (EES) is a central system which is designed to track whenever non-EU citizens enter, exit or are refused access at a border.

EES will allow the European States to know whether someone has left their territory yet or if they have overstayed their visa. Also, the EU as a whole will have more definitive data on the exact number of non-EU individuals within the territory.

EES will also speed up border control processes, enabling non-EU citizens to access self-service kiosks at the border crossing point, as well as allowing enhanced detection of stolen identities and identification of travelers who overstay their permitted time.

The technological challenge that ETIAS poses

ETIAS and EES will not come into effect until the early 2020s. Nonetheless, to comply with both these pieces of legislation, airlines will have to start preparing soon.

Currently, the border regulation only requires airlines to send a specific message listing the boarded passengers, called Advance Passenger Information (API), to the state border authorities in batch mode. This message is automatically sent by the Departure Control System (DCS) when the gate is closed and the flight is ready for take-off.

ETIAS and EES introduce a new authorization process to be handled at airline level: airlines now face the burden of checking the ETIAS/EES authorization status of every traveler entering the eligible European states, to ensure the individual has the right to fly, and of implementing new processes to manage unauthorized travelers.

This checking process poses numerous technical challenges.

In order to automate the process, the ETIAS/EES status has to be collected by the Departure Control System (DCS) for each traveler in interactive mode between check-in and boarding times. Travelers who are unapproved according to pre-defined criteria are then denied boarding.

However, this process requires that each DCS be able to send the “check status” query for each individual passenger to the ETIAS/EES systems through the new protocol called iAPI (Interactive Advanced Passenger Information), and to process the answers, ideally in real time, to accept or deny passengers at the earliest moment, e.g. during check-in. Unfortunately, not all DCS have such advanced capabilities. Some aren’t even able to integrate the iAPI protocol.

PAXGOV is involved in various studies with the EU Member States and EU-LISA to define a community solution

PAXGOV has now been involved in several PNR European projects acting as subject matter expert for both governments and airlines. Based on these experiences, PAXGOV has developed with the Luxembourg authorities an API-PNR Gateway, a community solution easing API and PNR data collection acting as a central point to interconnect Airlines and the Member States. 

Continuing this idea, this central point could also allow for the integration with EES and ETIAS systems, with the goal of simplifying workloads for airlines when sending and receiving this information and solving the problem linked to DCS technical limits.

An Innovative Solution Which Makes Luxembourg a Pioneer in Data Exchange in the Field of Security

On May 8, 2019, François BAUSCH, Minister of Homeland Security, and Bertrand KIENTZ, Chief Executive Officer of the software publisher Conztanz, signed the statutes of the Economic Interest Group “Luxembourg agency for the promotion of a unified interface in the field of passenger data exchange for security purposes”.

Access the Press release in French from the Luxembourg Police.

 

This Economic Interest Grouping (EIG) operates in the context of the exchange and use of air passenger record data, in order to prevent and detect terrorist offenses and serious forms of crime. The EIG, of which the Luxembourg State holds 75% of the shares and Conztanz 25%, aims to develop, operate, support and maintain a single IT gateway for this data as well as promote the platform to other States.

 

This gateway is called the API-PNR Gateway (referring to “Advanced Passenger Information” and “Passenger Name Record”) and functions as a central communication node. It is designed to securely process, validate, transform and route messages sent by airlines or their representatives (certified data providers) to the analysis systems of the Member States of the European Union and of other countries, without, however, storing information.

Created on the initiative of Conztanz and Grand Ducal Police experts, the tool is innovative in the sense that it considerably simplifies the flow of information. Indeed, thanks to this solution, the airlines and the States using the platform as a technical intermediary only have to set up one point of connection to the gateway, instead of building a myriad of connections between one another. Once fed with the airlines’ information, the API-PNR Gateway dispatches it in an automated and secure way to the relevant parties in the States concerned. This approach opens up new opportunities for sharing security information systems between States and for pooling development, maintenance and infrastructure costs.

For now, the tool is mainly used for data exchange between the airlines operating in Luxembourg and the Grand Ducal Police. The aim is to promote the platform so that the competent authorities of other countries can also benefit from it. In addition, this common solution would allow all stakeholders to reduce their costs in the long term through economies of scale and the establishment of a single connection for each state, instead of one to each airline.
Similarly, the API-PNR Gateway would be economically attractive for airlines, which are otherwise forced to put in place individual communication procedures with each national authority. Therefore, the API-PNR Gateway as a central communication node would be a “win-win” solution for both the participating States and the air operators. Initial contacts with other States, European institutions and international organizations have already generated strong interest.

The signature of the statutes of the Economic Interest Group “Luxembourg Agency for the promotion of a unified interface for the exchange of passenger data in the field of security” marks a new moment for the development and promotion of the solution API-PNR Gateway.

 

In parallel, the following have been appointed to the Board of Managers of the GIE: Stéphane LEVY, acting Director of the Information Processing Department of the Grand-Ducal Police, and Florent GONIVA, Director of the International Relations Department of the Grand-Ducal Police, as the State representatives, and Eric ISABEY, in charge of Security & Government affairs at Conztanz, as the Conztanz representative.