In the aftermath of the numerous terrorist attacks in the European Union, EU member states agreed that additional measures were needed regarding the use of passenger name record data to fight potential threats relating to terrorism and serious crime. This update provides an overview of how Belgium has implemented the EU legislative framework and outlines the obligations for air carriers pursuant to the Belgian legal framework.
On April 29 2004 the European Council adopted EU Directive 2004/82/EC on the obligation of carriers to communicate passenger data, which regulates the transfer of advance passenger data by air carriers to the competent national authorities in order to improve border controls and combat illegal immigration. On April 27 2016 the European Parliament and the European Council adopted the EU Passenger Name Record Directive (2016/681/EC) concerning the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
The Passenger Data Processing Act of December 25 2016 transposes the EU Passenger Name Record Directive into Belgian law. This legal framework requires carriers of passengers in various international transport sectors (ie, air, rail, road and sea transport) and travel operators to transfer passenger data to a database managed by the Federal Public Service Internal Affairs.
The Passenger Data Processing Act will come into force for each of the above sectors following the publication of the corresponding royal decree. A royal decree containing the obligations imposed on air carriers was adopted on July 18 2017 and entered into force on August 7 2017.
The Passenger Data Processing Act and the royal decree oblige carriers and travel operators to transfer passenger data to a central database, the Belgian Passenger Information Unit (BelPIU). The unit was established as part of the Federal Public Service Internal Affairs and oversees:
- the collection, storage and processing of passenger name record data;
- the management of the database containing passenger name record data; and
- the sharing of information with corresponding units in other EU member states.
Pursuant to the Passenger Data Processing Act and the royal decree, air carriers must transfer all passenger name record data to BelPIU (ie, the so-called 'push-method'):
- 48 hours before the scheduled flight departure time; and
- immediately following the flight closure (ie, once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for additional passengers to board or leave the aircraft).
Further, air carriers may be required to transfer passenger name record data at other points in time should access to this data be required to respond to a specific and actual threat relating to terrorist offences or serious crime.
At first glance, the obligation for air carriers to transfer passenger name record data 48 hours before the scheduled flight departure time appears to conflict with the reality of air carriers dealing with last-minute bookings made less than 48 hours before the scheduled flight departure time. In this respect, data which cannot be collected for the 'first push' in relation to a given last-minute passenger will not have to be transferred at that time. The Report to the King, which was drafted in the scope of the royal decree, confirms that the details of last-minute passengers will be transferred during the 'second push'.
No air carrier has connected to BelPIU as yet. However, once BelPIU has issued its technical guidelines detailing the security requirements for transferring passenger name record data, air carriers will be able to transfer such data in compliance with the guidelines. While no official deadline has been communicated in this respect, it has been understood that the competent authorities are aiming to issue the guidelines in the next few months.
Besides the above obligations, air carriers should be mindful regarding the application of the General Data Protection Regulation from May 25 2018, as they will be considered processors of personal data.
The Belgian legal framework for passenger name record data will be evaluated three years after its entry into force, which will take place in August 2020 for the aviation sector. It is hoped that the framework will enable all actors to achieve the main aim of fighting terrorist threats and serious crime.
For further information on this topic please contact Pierre D Frühling, Elisabeth Decat or Stéphanie Golinvaux at Holman Fenwick Willan LLP by telephone (+32 2 643 34 00) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Holman Fenwick Willan website can be accessed at www.hfw.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.