BelPIU: I am preparing for international travel
What are the consequences for me, as a passenger, of the law on the processing of passenger data?
Why collect passenger data?
As almost every Member State of the European Union, Belgium has established a Passenger Information Unit in which data of passengers to, from or via Belgium are collected, recorded and processed. This measure’s purpose is to fight against terrorism and serious and organised crime: it is one of the 18 priority measures announced by the Federal Government after the attacks in Paris in 2018. It is based on the European Directive on the use of Passenger Name Record data. Given that the booking data of the passenger are assembled in a Passenger Name Record (PNR), it is called PNR data gathering.
People suspected of a terrorist offence or other serious violations often follow specific travel behaviours that change quickly. Passenger data play an important part in identifying travel movements, the collection of evidence and the dismantlement of criminal networks. PNR data are analysed with the help of previously defined criteria, confronted to various databases of wanted persons and used for targeted searches. An efficient use of those data provides a substantial contribution to ensuring our national security by preventing terrorism and serious forms of crime, looking into suspicious travel patterns and following suspects. The processing of thosedata is done in respect of strict guarantees of privacy.
For what purposes can the authorities use PNR data?
The purposes of passenger data collection are to detect and prosecute serious crimes. Punishable acts for which the processing of passenger data can be used are determined in article 8 of the law on the processing of passenger data. It concerns for example terrorism offences, drug trafficking, human trafficking, child trafficking, industrial espionage, cybercrime or murder.
The law on the processing of passenger data is a transposition of the above-mentioned Directive. It sets the foundations of the processing of passenger data. The Belgian legislation applies to air transport, high speed trains, international bus transport, international maritime transport of passengers and travel agencies, for international travel to, from or via Belgium, and for intra-EU as well as for extra-EU routes. The law only comes into force for a specific sector after the publication of a corresponding Royal Decree. Those Royal Decrees are written to take into account as much as possible the particularities of each sector.
The Royal Decree of 18 July 2017 enforces the law for the aviation sector and goes into force for each airline operating flights from, to or via Belgium once they receive an official notification letter and on the date mentioned in this notification.
The next steps consist first of adopting a Royal Decree for the high speed train sector and a second one for the international bus sector. Then we will adopt a Royal Decree for the international maritime transport of passengers in a following phase.
What are the collected data?
PNR data are data communicated by the passengers themselves, collected and recorded by the operator. Each company determines itself if they collect a small number of data (for example, name, itinerary, operator which made the reservation, etc.) or asks for complementary information (for example, email address, phone number, etc.)
The data that the Belgian authorities may collect are limited by the law. It is important to note that sensitive information such as meal choices or religion may not be recorded by the authorities and that the operators won’t have to collect more data than what they dispose of. The Belgian Law on the processing of passenger data establishes a limited list of data that may be collected by the authorities:
- PNR record locator;
- Date of reservation/issue of ticket;
- Date(s) of intended travel;
- Address and contact information (telephone number, e-mail address);
- All forms of payment information, including billing address;
- Complete travel itinerary for specific PNR;
- Frequent flyer information;
- Travel agency/travel agent;
- Travel status of passenger, including confirmations, check-in status, no-show or go-show information;
- Split/divided PNR information;
- General remarks (including all available information on unaccompanied minors under 18 years, such as the name and gender of the minor, its age, language(s) spoken, the name and contact details of the guardian on departure and relationship to the minor, the name and contact details of the guardian on arrival and relationship to the minor, departure and arrival agent);
- Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, automated ticket fare quote fields;
- Seat number and other seat information;
- Code share information;
- All baggage information;
- Number and other names of travellers on the PNR;
- Any advance passenger information (API) data collected (including the type, number, country of issuance and expiry date of any identity document, nationality, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time)
- All historical changes to the PNR listed in numbers 1 to 18.
API data come from authentic documents such as a passport or an ID card and are precise enough to identify a person. Those data are collected during the check-in or at the moment of boarding in a transport.
It concerns the following data:
- type of travel document;
- document number;
- country of issue of the document;
- document expiry date;
- surname, first name, gender, date of birth;
- carrier/travel operator;
- transport number;
- date of departure, date of arrival;
- place of departure, place of arrival;
- time of departure, time of arrival;
- total number of persons transported;
- seat number;
- PNR locator code;
- number, weight and identification details of items of luggage;
- border crossing point of entry into the national territory.
What difference between intra-EU and extra-EU travels?
API data are only collected for extra-EU transports for border control purposes. PNR data are collected and transmitted for intra-EU as well as for extra-EU itineraries.
In the future, when you will go in a foreign country, by plane, by high speed train, by bus or by boat, your data will therefore be stored and may be analysed. As far as national travel is concerned, nothing changes. Passenger data collection only concerns border-crossing transportation.
What do I need to think about, as a passenger?
- To avoid any problems during the boarding, verify thoroughly if the data communicated during reservation is correct.
- Be in possession of an identity document to go to the boarding point.
What are the privacy guarantees?
- The law on the processing of passenger data describes precisely the purpose of the processing of passenger data, as foreseen in the PNR Directive;
- The Passenger Information Unit processes and protects the data in a secure location;
- Its members dispose of a security clearance in line with his or her assignements and all their actions in the passenger database are logged so that all their searches can be monitored and checked to see if they fall within the scope of the law;
- The law on the processing of passenger data forbids the collection and use of sensitive data. Data about race or ethnic origin, religion or philosophical beliefs, political opinions, trade union membership, health, sexual life or sexual orientation cannot be asked or stored;
- After six months, PNR data are depersonalised, so the passenger can no longer be immediately identified in the BelPIU database;
- The data are stored for 5 years. After that, they are automatically deleted from the database;
- The transfer of PNR data to other Member States of the EU and to third countries is only possible in very restricted conditions;
- A Data Protection Officer (DPO) is appointed to safeguard the different measures in place.
- Any question related to the processing of your personal data can be sent to the DPO on the following addresses: email@example.com or DPO - Rue de Louvain 1, 1000 Brussels
- The rights acknowledged by the data protection legislation can be exercised by the directing civil servant (firstname.lastname@example.org) or where appropriate by the Intelligence Committee (www.comiteri.be).