Among the joy of watching the Portuguese team celebrate their Euro 2016 victory in Paris it was hard not to breathe a large sigh of relief that the event passed off without a major security incident. I cannot remember any major sporting event in recent times taking place under such a cloud of fear.
The French authorities expected 2.5 million football fans from abroad during the 31 day tournament – many flying in during the first week. This type of massive influx of people in such a short space of time provides a nightmare scenario for those tasked with keeping the country secure and safe from the broader threat of terrorism. One invaluable activity is to do a risk assessment of passengers before they fly, to gain better oversight over who enters and leaves the countries. Within the EU, some countries are already using the passenger name record (PNR) data for this purpose, albeit it in a non-systematic way.
This will change.
In April, the European Parliament issued a new directive to systematically collect and use PNR data for the prevention, detection, investigation and prosecution of serious crime and terrorism. The data in question is already collected by airlines but the new legislation sets out detailed rules for national authorities to access it when tackling serious crime and terrorism.
Keeping it simple
The challenge is to ensure that regardless of the underlying system chosen by each EU country, they can all connect to each other in a seamless fashion. Only then will we get the smooth and effective cooperation between the countries, government agencies and the air transport industry envisaged by the Directive.
The airlines need any new system to be easily integrated and have minimum impact on their existing processes and systems. The new rules will help by including provisions on common protocols and data formats for transferring the PNR data from the air carriers.
Another consideration is around the purposes for which the data can be used. To that end, the new rules create an EU standard for the use of the PNR data, which respects two essential principles - privacy and proportionality.
Personally I believe the best way to achieve these aims is to build in safeguards to the system at the earliest stage – or ‘privacy by design’ to use the EU terminology. In other words, include data anonymization and purging requirements, along with secure, role-based access to data, right from the beginning rather than trying to bolt it on as a separate layer afterwards. Partitioned access could facilitate interoperation between departments, while also ensuring that the information is available to the right users for the right purpose.
The bigger picture
The new EU directive is but a first step. While the PNR data provides a good foundation for effective risk management, it is just one part of a much larger picture. By incorporating and analyzing data from multiple sources a more complete picture to detect suspicious behaviors and trends can be built.
One outcome is that it helps experts to sift through the vast amounts of data to identify previously unknown persons of interest. It also provides a solid basis for government agencies to make timely and confident decisions on what action to take - or not to take.
We don’t know how big a part passenger data played in keeping Euro 2016 a safe and enjoyable event for the people watching in the stadiums or at local fan zones, but safe to say that as the EU Directive is implemented across the member states over the next two years, it will provide an important piece of the puzzle to sort out the good guys from the bad. Or to use footballing parlance, the EU have played a blinder on this one.