The Parliament is working on amending the Act on Passenger Flight Data Processing. This is necessitated by a ruling of the EU Court of Justice, which held that some of the regulations introduced by the directive and implemented in member states are overly restrictive. In particular, the focus is on the obligation to provide passenger data on all flights within the EU. Improvements in the Polish act also require a mechanism for imposing penalties on carriers for non-compliance with obligations. So far, airlines are facing a potential fine of PLN 4 billion, but the draft law proposes an amnesty.
“The Polish PNR Act, meaning the Processing of Passenger Data Act, was implemented into the Polish legal system some time ago, but rather unfortunately,” says Maciej Jóźwiak, a lawyer, partner at Eversheds Sutherland. – There were numerous problematic provisions, which ended up causing a substantial issue for airlines operating in Poland. The potential cost, which the Border Guard, as the agency responsible for these data, could impose on the entire market for not providing or providing delayed passenger data, was PLN 4 billion. Since then, the process of amending this Act has begun, and hopefully it will partially be finished by the end of this year.
The obligation for airlines to provide PNR data (passenger name record) comes from the Act of May 9, 2018, which implemented the directive on the use of passenger flight data for the prevention of terrorist offenses and serious crime, their detection, conducting preparatory proceedings, and their prosecution. However, Polish regulations turned out to be more restrictive: they required carriers to provide PNR data to the Border Guard within 48 hours under penalty of PLN 20,000 per flight. In addition, initially the system did not work efficiently, causing airlines to face technical issues in meeting these requirements.
“The PNR regulation, i.e. the provision of passenger data, who are on board an airplane on a given route, primarily requires airlines to connect to a system, which was created and prepared by the Border Guard. Most airlines operating in Poland are already connected to this system, the beginnings were very difficult, at this point about 99% of data is passed on time, according to the Border Guard’s expectations,” says Maciej Jóźwiak.
Due to these problems and the growing administrative penalties, a two-year suspension period for the started proceedings and the initiation of further ones for violations made up to December 31, 2021, was established in 2022. The suspension also applied to the execution of penalties already imposed. However, this grace period ended in February 2024, and the amendment to the Act is ongoing.
“The key for airlines is to avoid penalties. Penalties are currently hanging over them, but if the regulations pass in the form we hope they would, it would result in amnesty, meaning the cancellation of the penalties that have been charged so far and the airlines will be able to rest easy, at least for the period from the original implementation of the regulation to the day the amendment comes into effect,” the lawyer explains.
In June 2022, the EU Court of Justice confirmed the conformity and validity of the PNR directive with EU law, but also ruled that the transfer, processing, and storage of PNR data must be limited to actions strictly necessary for the fight against terrorism and serious crime, and should be interpreted restrictively. The court also decided that the regulation obliging the transfer and processing of PNR data for all flights inside the Union is non-compliant.
“The idea should be to collect data on those routes which are exposed to such a threat,” points out the partner at Eversheds Sutherland. “The problem is that if we say which routes are a threat, the terrorists will start flying on other routes, so there is a problem in providing this information to the airlines. At the moment this problem is not solved yet, but the community has an idea. It is planned to create a central database of passenger flights where data will be forwarded centrally to this organization and only from there, based on specific guidelines, will the relevant agencies in each member country receive it. In Poland, it would be the Border Guard.”