Belgium is the first EU member state to extend the PNR security check system to coaches and high-speed trains
The PNR directive explained
The need for increased vigilance on the railways was underlined in August 2015, when three passengers foiled an attempted attack by a Kalashnikov-wielding gunman on a train travelling from Brussels to Paris.
One year later, in the wake of a trio of suicide bombings in Brussels – two at Brussels Airport and one at Maalbeek metro station – in which 32 civilians died, the PNR law was first adopted.
PNR data is provided by air passengers and held in reservation and departure control systems to enable carriers to make reservations and carry out the check-in process. In addition to information pertaining to travel dates, itinerary and tickets, the records may also include contact details, travel agent, means of payment, seat number and baggage data.
The data is sent to the Passenger Information Unit, a collaborative unit within the Federal Public Service (FPS), where it is compared against law enforcement databases in order to identify terrorists and criminals.
The Passenger Information Units are obligated to share, on a case-by-case basis, PNR data with Europol, other EU member states or third parties, in order to improve PNR processing at EU level.
At present, the directive applies primarily to extra-EU flights, but member states can decide to apply it to selected intra-EU flights. It is currently at the discretion of each member state whether they decide to apply the PNR rules to private jets.
One critical distinction to be made is that PNR data differs from the Advance Passenger Information (API), which is gleaned from authentic documents such as an individual’s passport or identity card during the check-in or boarding process, and is sufficiently accurate to identify a person.
Image: Kiev.Victor / Shutterstock
Power to the people: data protection issues
So how will extending the PNR checking system to include trains affect rail passengers? And most importantly, what safeguards are in place to protect their privacy and ensure that personal information isn’t used for purposes other than law enforcement?
The PNR directive stipulates that the processing of passenger data be overseen by an independent national supervisory authority and can only be used for the fight against terrorism and serious crime.
The information must be ‘depersonalised’ through masking out after six months and deleted after five years, and security agencies are not permitted to process data that could reveal a person's race or ethnic origin, political opinions, religious or philosophical beliefs, health or sexual orientation. Passengers also have the right to access their personal data and to rectify it.
Initially at least, the most visible impact on passengers will come in the form of increased bureaucracy, namely as an extra check during boarding to ensure the identity of the traveller matches the name on their ticket.
"We are doing this in consultation with the sector," said Jambon, "and we try to convince companies that extra checks are also beneficial to the passengers themselves.
"It is obvious that it is a bit more complicated for trains and buses, because train or bus passengers can buy a ticket just before departure, so we have to organise it in a different way than in air traffic."
Image: Bjoern Wylezich / Shutterstock
The most visible impact on passengers will be a check during boarding to ensure the identity of the traveller matches the name on their ticket
The use of PNR data for law enforcement raises important questions with respect to the protection of passengers’ private life and personal information
Is applying PNR to public transport practical?
A comment piece in the International Rail Journal takes issue with the proposed system, arguing that applying it to multiple daily cross-border services operating from Belgium to Germany and the Netherlands would result in increased staffing and bureaucracy.
“The move currently appears totally impractical as, with the exception of Eurostar and Thalys, no rail operator requires identification information or pre-reservation,” the editorial read. “Without instituting similar requirements on the hundreds of thousands of motorists who cross Belgium’s borders daily, the measure will also discriminate against public transport and will further decrease its attractiveness.
“If the PNR requirements are not applied equally to drivers and car passengers on the road network, the entire exercise will be pointless as those wishing to avoid detection will simply use the car.”
The expansion of the PNR directive in Belgium is the latest stop in the country’s journey toward improved rail security. In 2017, random baggage searches were introduced for one in ten passengers travelling on high-speed TGV and Thalys trains from two stations: Antwerp Central and Brussels South.
The security apparatus is similar to that installed at airports, but with a focus on weapons and explosives and is employed in tandem with officers trained in behaviour analysis techniques. Persons suspected of terrorism or other serious crimes often exhibit specific and fast-changing travel behaviour across multiple modes of transport, including high-speed, trans-continental rail networks.
In the US, random security checks, plus the presence of police, security officers and canines are currently considered sufficient to protect rail terminals, without having to screen every passenger.
In a hyper-digitalised world, the sharing of passenger data through initiatives such as the PNR directive – combined with feet on the ground in the form of security officers and the general public – is at present deemed the most effective way to keep railways, and those who rely on them, safe.
Image: Willy Barton / Shutterstock