Application of API and PNR security systems by using travel information

An abstract of a research report conducted by by Rovshan Namazov
Head of Division at the State Customs Committee of the Republic of Azerbaijan

The full research report can be downloaded here >>

Protecting the borders from the threats such as terrorists, criminals, illegal movement of weapons, drugs, and contraband, as well as facilitating the seamless and lawful movement of people across the borders is quite significant to national security, economic prosperity and sovereignty of the nations.

Broadly speaking, border risk priorities ranges for each country and each operation is based on risk analysis and uniquely tailored to the circumstances identified by law enforcement agencies. The scope of threats ranges from terrorists who may have weapons of mass destruction to transnational criminals smuggling drugs or counterfeit goods, to unauthorized migrants intending to enter the country. However, there is one truth that a top priority mostly for all law enforcement agencies is to keep terrorists and their weapons away from their borders while facilitating the legitimate travelling of passengers and vehicles.

The border activities against the potential threats are differing from the availability of various types of borders – air, land, sea, and railway. Implementation of effective border management and security activities particularly presents unique challenges at the air borders. Because of that, the huge volume of arrivals and exits and high frequency of the flights make it very hard to detect risky passengers on time at the airport by law enforcement agencies, while ensuring the smooth movement of legitimate passengers.

The International Civil Aviation Organization (ICAO) has reported 4.3 billion passengers globally carried by air transport on scheduled services in 2018, a 6.1% increase over 2017. It is estimated that the global volume of air passengers grows at a rate between 5% and 7% every year and could reach 7.2 billion by 2036 (Commission, European Commission, 2020).

Certainly, the pandemic plunge in air traffic since 2019 and right after wide-scale lockdown measures, border closures, travel restrictions and strict quarantine rules dramatically reduced the international passenger traffic. ICAO reports that as seat capacity fell by 50% in 2020, passenger totals dropped by 60% with just 1.8 billion passengers taking to the air during the first year of the pandemic, compared to 4.5 billion in 2019 (ICAO, 2021). The pandemic is going to be over and following ICAO, in an optimistic scenario, passenger traffic is expected to recover to 86% of its 2019 levels by December 2022, based on 73% international traffic recovery and 95% domestic (ICAO, 2022).

The modern world is developing and witnessing many large-scale events and conferences and first and foremost tourism development is a key strategy of each country. With the dramatic growth in passenger numbers on scheduled and charter flights across the world on one hand and the increasing trend of terrorism and other transnational crimes on the other, it is difficult to ignore the threats against the airline industry and passengers. This continuous growth has greatly increased the workload of border agencies (customs, border service, immigration, police, etc.) and additionally, it requires certain proactive measures aiming at speeding up border controls while combating irregular immigration and ensuring internal security, like the processing of Advance Passenger Information (hereafter API) and Passenger Name Records (hereafter PNR).

API data is the set of data consisting of the details of the flight by the aircraft operators and the biographic data of a passenger or crew member available on his or her travel document collected by air carriers during check-in and, complemented with travel route information, transmitted by these carriers to the border control authorities of the country of destination. According to the International Air Transport Association (IATA), over 90 countries now require airlines to send API before the flight’s arrival. More countries are planning to introduce similar requirements soon.

In general, API data includes:
• Surname;
• First name;
• Middle name;
• Date of birth;
• Gender;
• Citizenship or nationality;
• Passport number;
• Country of passport issuance.

API data elements are transmitted by the airline companies to the law enforcement agencies of the arrival country during check-in, more clearly prior to the flight departure and the time or frequency of the data transmission requirements can be different under the established procedures between the governments and airline companies.

PNR data – is a generic name given to records created by aircraft operators or their authorized agents for each journey booked by or on behalf of any passenger. PNR data are used by operators for their own commercial and operational purposes in providing air transportation services. More clearly, PNR is related to travelers’ reservation and itinerary data contained in the carrier’s departure and control reservation systems. The PNR data can contain some more sensitive personal data and the set of data required from the carriers can be varied according to the legislation of each country. Normally the PNR data includes, but is not limited to the following:
• PNR locator code ;
• Date of reservation;
• Dates of intended travel;
• Ticketing information;
• Travel agency information;
• Seat information;
• Check-in information;
• Baggage information;
• Phone number, mail address, payment details and some other sensitive data can also be required.

API data elements are transmitted by the airline companies to the law enforcement agencies of the arrival country during check-in, more clearly prior to the flight departure and the time or frequency of the data transmission requirements can be different under the established procedures between the governments and airline companies.

It is important to note that countries should limit their data requirements to the minimum necessary and according to national legislation. Principally, API data can be divided into two main categories:

Non-interactive Batch Style API Systems – It is a simple form of API to implement and the data are transmitted as a single data file or batch. The definition of API Batch is an electronic communications system whereby required data elements are collected and transmitted to border control agencies prior to flight departure or arrival and made available on the primary line at the airport of entry (ICAO, Annex 9 to the Convention on International Civil Aviation, 2017). Non-interactive batch style API data is covering all passengers and, in many cases, all crew members on board a specific flight are gathered during the check-in process and then transmitted in a single manifest message at or immediately following flight reconciliation or departure (WCO/IATA/ICAO, 2014).

Interactive API System (i-API) – It is an electronic system that transmits, during check-in, API data elements collected by the aircraft operator to public authorities, who within existing business processing times for passenger check-in, return to the operator a response message for each passenger and/or crew member. i-API allows government and carriers to take precautionary activities interactively and reduce any potential risks prior to travel. Implementation of i-API systems is more complex than non-interactive batch style API systems in terms of cost and time. Governments should establish best practices when working with individual carriers and service providers, to ensure adequate network protocols are available. Therefore, formulation of certain action plans and comprehensive analysis is the key part of general the implementation process.

Legal readiness
Legal readiness and having a strongly complied legal basis is the first key pillar of the implementation process of API and PNR systems. At first, the availability of appropriate legislation adjusts and reinforces collaboration matters on data transmission between the airline industry and governments. The stipulation of certain articles in national legislation on data transmission issues (set of data, format, frequency, time etc.) makes clear the format of cooperation and create legal obligations as well as penalty mechanisms between the parties. In as much as, airline companies are sometimes not willing to transmit the passenger data in advance to law enforcement agencies of the arrival country, and it creates additional difficulties for law enforcement agencies to require the data from the carriers in advance if there is no legal obligation between the parties.

On top of that, one of the important aspects of API and PNR systems is the consideration of data protection mechanisms and this issue need to be legally adjusted before the application of the systems. Legislation on data protection must be enacted in countries to protect the individual’s right to privacy and allow individuals to exercise their rights relating to the use of their personal data. Certainly, each country has its own legislation and data protection mechanisms vary from country to country. However, there is a common provision of such legislation. Such as, personal data (WCO/IATA/ICAO 2014) :
• should be obtained and processed fairly and lawfully;
• should be stored for legitimate purposes and not used in any way incompatible with those purposes;
• should be adequate, relevant and not excessive in relation to the purposes for which they are stored;
• should be accurate and, where necessary, kept up to date;
• should be preserved in a form which permits identification of the data subjects for no longer than is required for the purposes for which that data is stored.

Concerning the international obligation on States to implement API and PNR systems at a national level, the International Civil Aviation Organization (ICAO) has already elevated the deployment of API capacity initially as a recommended practice and followingly, accepted as a Standard in Annex 9 to the Chicago Convention. On 23 October 2017, a standard was established under Annex 9 — Facilitation, regarding the use of Advance Passenger Information (API) systems by the ICAO’s Member States, and recognized that many ICAO’s Member States have yet to implement this standard.

Article 9.5 clearly states that each Contracting State shall establish an Advance Passenger Information (API) system and Article 9.6 stipulates that the API system of each Contracting State shall be supported by appropriate legal authority (such as, inter alia, legislation, regulation or decree) and be consistent with internationally recognized standards for API. In addition to that, the obligation to develop the capability to collect, process and analyze, PNR data should become a standard according to the Amendment 28 to the Annex 9 .

Another great sample of international obligation, the UN Security Council Resolution 2178 (2014) was adopted and the resolution clearly states that the Member States must ensure that any measures taken to counter terrorism comply with all their obligations under international law, in particular international human rights law, international refugee law, and international humanitarian law, underscoring that respect for human rights, fundamental freedoms and the rule of law are complementary and mutually reinforcing with effective counter-terrorism measures, and are an essential part of a successful counter-terrorism effort and notes the importance of respect for the rule of law to effectively prevent and combat terrorism. Additionally, it has been stressed in the resolution that foreign terrorist fighters increase the intensity, duration and intractability of conflicts, and also may pose a serious threat to their States of origin, the States they transit and the States to which they travel.

In connection with these provisions, the UN Member States are called upon to require that airlines operating in their territories provide advance passenger information to the appropriate national authorities in order to detect the departure from their territories, or attempted entry into or transit through their territories, and further calls upon Member States to report any such departure from their territories, or such attempted entry into or transit through their territories, of such individuals to the UN Security Council Committee, as well as sharing this information with the State of residence or nationality, as appropriate and in accordance with domestic law and international obligations.

The UN Security Council Resolution 2396 (2017) is another obligation that was put in place for States to implement a Passenger Name Record (PNR) system in the fight against terrorism and serious crime. Chapter VII, “Border security and information sharing”, calls upon the Member States to prevent the movement of terrorists by effective national border controls and controls on the issuance of identity papers and travel documents, and through measures for preventing counterfeiting, forgery or fraudulent use of identity papers and travel documents and urges the Member States to expeditiously exchange information, through bilateral or multilateral mechanisms and in accordance with domestic and international law.

Moreover, resolution double stresses that in furtherance of paragraph 9 of resolution 2178 and the standard established by ICAO that its Member States establish advance passenger information (API) systems as of October 23, 2017, Member States shall require airlines operating in their territories to provide API to the appropriate national authorities, in accordance with domestic law and international obligations, in order to detect the departure from their territories, or attempted travel to, entry into or transit through their territories.

However, the latest and most important part of this resolution was an obligation about the PNR data collection. Article 12 clearly states that the UN Member States shall develop the capability to collect, process and analyze, in furtherance of ICAO standards and recommended practices, passenger name record (PNR) data and to ensure PNR data is used by and shared with all their competent national authorities, with full respect for human rights and fundamental freedoms for the purpose of preventing, detecting and investigating terrorist offenses and related travel.

Further, calls upon Member States, the UN, and other international, regional, and sub-regional entities to provide technical assistance, resources and capacity building to Member States in order to implement such capabilities, and, where appropriate, encourages Member States to share PNR data with relevant or concerned Member States to detect foreign terrorist fighters returning to their countries of origin or nationality, or travelling or relocating to a third country, and also urges ICAO to work with its Member States to establish a standard for the collection, use, processing and protection of PNR data.

Furthermore, the UN Security Council Resolution 2482(2019) states that implement obligations to collect and analyze Advance Passenger Information (API) and develop the ability to collect, process and analyze, in furtherance of International Civil Aviation Organization (ICAO) standards recommended practices, Passenger Name Record (PNR) data and to ensure PNR data is used by and shared with competent national authorities, with full respect for human rights and fundamental freedoms, which will help security officials make connections between individuals associated to organized crime, whether domestic or transnational and terrorists, to stop terrorist travel and prosecute terrorism and organized crime.

WCO/IATA/ICAO (2014) API guidelines are also one of the main international regulatory instruments on API and joint recommendations by the World Customs Organization (WCO), International Air Transport Association (IATA) and the International Civil Aviation Organization (ICAO) are quite useful and productive in this regard.

In summary, effective implementation of API and PNR systems requires governments to apply a comprehensive approach by considerin the legal, technical, operational and cooperation sides of the implementation stages. The transmission of high-quality data from the carriers to law enforcement agencies, the establishment of closer cooperation between stakeholders and application of effective targeting by using intelligence and risk management tools help border officials to identify high-risk travellers on time, prevent serious crimes and facilitate movement of legitimate passengers across the borders. The effective processing and profiling of API and PNR data play a crucial role in ensuring national security and appropriate implementation of the concept of integrated border management. The development of cooperation among all relevant authorities and agencies involved in border management extremely enhances the data and information sharing practice and a risk-based data-driven approach in operational activities.

The full research report can be downloaded here >>