Search papers

Aviation Security & the EU


The deliberate crashing of four passenger aircraft in the United States on September 11 2001 led to a world-wide reappraisal of aviation security arrangements.  The EU, which had hitherto not been an actor in this aspect of aviation, decided to become involved and to set common aviation security standards across the single market.

Since that initial legislation in 2002, further developments have proved controversial, particularly in respect of the gathering, and then sharing, of passenger data.  The question of what passenger data to request from airlines and how such data can be used is still not fully resolved.

This paper looks at the measures to raise aviation security standards across the EU after 9/11 and at the controversy over passenger name records, including the disputes over data sharing with the US.  The Group has also published a paper, ‘The EU and the Fight Against Terrorism’, which covers a wider field.  Aviation safety will be covered in a future paper on wider civil aviation policy.


Aviation Security Standards

The EU agreed legislation in 2002 which set minimum standards to be followed at all airports in the EU.  These measures cover such issues as access airside, the identification and screening of baggage, the controls to be applied to cargo, the vetting and training of security staff and technical specifications for certain equipment.

The 2002 regulations were reviewed by the Commission and in a report published in 2005 the Commission said that while there had been considerable improvements in many Member States, there needed to further improvements to both the legislation and the standard with which it was applied.  The result was a new regulation, adopted in March 2008, which updates common rules and common basic standards for aviation across the EU.

One of the questions which arose after 9/11 was who should pay the higher costs of improved airport security.  The Commission published a proposal in May 2009 for a directive on aviation security charges, requiring all such charges to be non-discriminatory between passengers and between airlines, full consultation of airlines by airports about security charges and a requirement for security charges to be spent exclusively on security costs.  This proposal is being considered by the Council of Ministers and by the European Parliament.


Passenger Name Records & API

Passenger name record data – known as PNR – much of which is collected by airlines in the normal course of their business.  It contains personal and confidential information about passengers and countries increasingly request that airlines handover PNR for the purposes of immigration control and security.  A crucial point is that the most basic data, referred to as “advance passenger information” (API) is (or will be) available for all passengers.  The records collected for API are usually:

  • passport number;
  • country which issued passport;
  • passport expiry date;
  • given names (as they appear on the passport);
  • last name;
  • gender;
  • date of birth;
  • nationality

After the attacks of 9/11 the demand for PNR data by security authorities increased dramatically.  The United States, Canada and Australia have required PNR data from airlines for all incoming passengers for some years.  The UK also now collects PNR data – as part of its e-Borders project – but 100 per cent coverage of all passengers was only achieved under these plans in 2014.  PNR data goes beyond that covered by API and can include as many as 60 different types of information.  PNR data may additionally include:

  • address, email address and contact telephone;
  • travel agency and agent, billing address and form of payment;
  • seat number and seat information;
  • frequent flyer information;
  • general remarks;
  • OSI (Other Service-related Information);
  • SSI/SSR (Special Service Information/Special Service Requests)

This more personal information can be used to make judgements about a passenger, including whether he or she constitutes a threat.  It is this more extensive data which is increasingly required by governments for security purposes.  The release of such information to third parties raises questions about the security of the data and about the uses to which it might be put.  A particular concern in respect of civil liberties has been data concerning the race and the health of passengers.  The US authorities have indicated that they would wish to use PNR data that revealed information about a passenger’s medical conditions.  Special service requests can also reveal significant information about a passenger’s race or religion which would otherwise be prohibited from use (a request for a Halal meal for example).

The US sought to extend its requirements for PNR after 9/11 by demanding this for all incoming flights from the EU.  This put the US in conflict with EU data protection legislation. An agreement was negotiated between the EU and the US, designed to balance the security requirements of the US with the data protection concerns of the EU. The 2004 agreement was however challenged in the European Court of Justice by the European Parliament and annulled by the Court because it found no legal base in the Treaty allowing such a directive but the effect of the Court’s decision was not what the Parliament had intended. The Court decided that this measure could not be lawful under the European Community provisions of the treaties (i.e. those which require the agreement of the Parliament as well as the Council) but this decision did not stop Member States from agreeing to legislation under the justice and home affairs part of the Treaty on European Union – which would not require the agreement of the Parliament.

A temporary agreement to replace that of 2004 was put in place in 2006 and a final agreement signed in 2007. This agreement was subject to ratification processes in a number of Member States. Although the explanatory letter attached to the agreement said that the PNR data would be used in the US for the prevention and combating of terrorism, serious crime and flights from custody, it contained a potential loophole when it said that PNR could be used in certain other circumstances, including: “for the protection of the vital interests of the PNR subject or other persons”, in criminal judicial proceedings and “as otherwise required by law”.

A new agreement was signed between the EU and the USA in December 2011 and was approved by the European Parliament in April 2012 following extensive renegotiation to protect data from misuse. Despite the agreement being approved and ratified, there remain considerable concerns on both sides of the Atlantic that PNR data will be used in the USA for health control, immigration control and other purposes outside those originally intended.


The PNR Framework Decision

Member States decided to proceed with a framework decision that would establish a common EU approach to PNR for law enforcement purposes; this is a separate issue from the EU-US agreement. Such decisions require consultation with the European Parliament and unanimity in the Council.

The British Government did not find the draft decision acceptable because it wanted to be able to go further in terms of the use of PNR data than the draft proposed. The first Article of the draft stated the purpose of the legislation:

[it] provides for the making available by air carriers of PNR data of passengers of international flights to the competent authorities of the Member States, for the purpose of preventing and combating terrorist offences and organised crime, as well as the collection and retention of those data by these authorities and the exchange of those data between them.

This Article restricts the use of the PNR data to the prevention and combating of terrorism and organised crime. The British Government said that it wished the framework decision to permit PNR data to be used for a wider range of criminal offences and for immigration purposes. As originally drafted, that was not possible. The April 2009 version of the draft replaced “organised crime” with “serious crime”, meaning offences covered existing European legislation, including that relating to the European Arrest Warrant. These offences include people trafficking but not wider immigration offences.

A proposed directive on the use of PNR data to prevent, detect, investigate and prosecute terrorist offences and serious crime is currently being negotiated between the Parliament, the European Council and the European Commission. These negotiations are likely to take some time due to continuing concerns about data privacy, particularly on the Parliament’s part, considering previous negotiations on legislation in this area.



The EU plays a useful role in achieving common standards in aviation security (and in aircraft safety) but there are important questions of civil liberties as well as of security involved. In resolving the future of the framework decision on PNR, Member States will have to demonstrate that they have achieved a proper balance between security and civil liberties.

Revised November 2015