Rwanda’s newly proposed law that may require airlines to provide, in advance, passenger information and name record data to the Directorate General of Immigration and Emigration before starting journeys, is a good move according to experts in the aviation and security sector.
On July 31, the parliament approved the relevance of the draft law "on advance passenger information and passenger name record data,” under which are clauses that aim at bolstering measures against terrorism and serious crimes.
ALSO READ: Airlines to be required to share passenger data under new bill
The draft law is now subject to further scrutiny by a committee of the Lower House before being submitted to the plenary to be debated and eventually voted into law.
The advance sharing of passenger information and name record data is expected to be used for the preclearance of passengers or detection, investigation, and prosecution in case of terrorist offenses and serious crimes.
According to Emmanuel Butera, a consumer protection specialist at the African Civil Aviation Commission, a specialized agency of the African Union, the new proposal as set in the bill is actually "an ICAO standard.”
The International Civil Aviation Organization is a specialized agency of the UN. It coordinates the principles and techniques of international air navigation and fosters the planning and development of international air transport to ensure safe and orderly growth.
Referring to the UN agency’s July 2022 international standards and recommended practices, Butera noted that Advance Passenger Information (API) is an international requirement and that contracting states shall establish an advance passenger information system that requires airlines operating in their territories to provide such information.
The API system is defined as an electronic communications system whereby required data elements are collected and transmitted to border control agencies prior to flight departure or arrival and made available on the primary line at the airport of entry.
"Rwanda is one of the first countries to move to enact such a bill,” Butera said.
The API involves the capture of a passenger’s or crew member’s biographic data and flight details by the aircraft operator prior to departure. This information is electronically transmitted to the border control agencies in the destination or departure country. Thus, passenger and, or crew details are received in advance of the departure or arrival of the flight.
Irina Tsukerman, a US national security lawyer, geopolitical analyst, and President of Scarab Rising, a security and geopolitical risk strategic advisory, told The New Times that gathering the information of passengers is nothing new and has become standard practice in Europe, the United States, and many other countries.
"Moreover, airlines are mandated to share that information with security services upon request, and there is a growing international cooperation to share such information in the course of investigations or suspicions of terrorist or criminal activity,” she noted.
However, she warned, this method of intelligence sharing only works because there are safeguards in place to protect the privacy of passengers, so that the process itself will not end up causing security issues.
"That information cannot be disseminated freely in advance or after the flight and can only be shared with legitimate authorities as needed, or else the sharing could itself create security problems for the passengers,” she said.
Making reference to Covid-19 times, Tsukerman gave an example of how passenger information can be misused.
"Various airlines started sharing their own private no-fly lists of passengers who had been disruptive or violated the pandemic protocols. One of the reasons for such sharing was to coordinate permanent no fly lists of such individuals. However, that is precisely an example of taking passenger information sharing a step too far because other airlines are not an investigative authority and have no business sharing information about any individual's flight record,” she said.
For her, any security risk should only be shared with investigators.
She noted that when many parties are privy to someone's private data, the more likely it is for that data to either be leaked or misused.
ALSO READ: How Rwanda’s data protection, privacy law will benefit users
"Another concern is more general - the airlines have become targets of malicious hackers gathering private data on passengers. In gathering and sharing such information, the airlines have a responsibility in protecting the rights of their passengers by taking extra security precautions and guarding against phishing attempts,” she said.
She called for training of the staff of the Directorate General of Immigration and Emigration in secure methods of operation, and appropriate times for sharing that information with investigative bodies.
She noted that the Immigration office should have some level of oversight against abusing this power.
Hans Mast, an American expert in travel with up to 15 years of work as a travel agent at Golden Rule Travel, a company that specializes in travel for non-profit organizations, said he thinks Rwanda's proposed law can be a significant step towards enhancing its security infrastructure, particularly in preventing terrorism.
"Sharing passenger information in advance allows for more comprehensive security checks and can aid in the early detection and prevention of potential threats. It's a practice that's already widely adopted in several countries around the world, and it has proven beneficial in many instances,” he noted.
Just like Tsukerman, Mast called for measures to ensure the right balance between security and privacy.
"Handling such sensitive information requires robust data protection measures to prevent misuse or unauthorized access. It's equally crucial that passengers are made fully aware of this process and its implications for their privacy,” he said.
ALSO READ: Why personal data protection law was necessary in Rwanda
Tabling the draft law in the parliament, the Minister in the Office of the President, Judith Uwizeye, said that once it is enacted, all transport operators [road, water, or airways] will be obliged to transmit passenger information and name record data by electronic means so that the information gets processed and the results forwarded to responsible organs.
Though this system exists and has been used since 2020, she said, there is no law that requires transport carriers to provide passenger data to a responsible authority before the passengers enter the country – pointing out that currently, information is obtained through mutual arrangements with carriers such as airlines.