Passenger name record (PNR) data is personal information provided by passengers and collected and held by air carriers. It includes information such as the name of the passenger, travel dates, itineraries, seats, baggage, contact details and means of payment. The proposal for a directive presented by the Commission aims to regulate the transfer of such PNR data to member states' law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
The European Parliament and the Council agreed on a compromise text in December 2015. On 14 April 2016, the European Parliament adopted its position. The Council then adopted the directive on 21 April 2016. Member states will have two years to bring into force the laws, regulations and administrative provisions necessary to comply with this directive.
The EU has already signed agreements allowing EU carriers to transfer PNR data to the United States, Australia and Canada.
In June 2015, the Council adopted a decision authorising the opening of negotiations for an agreement with Mexico.
Organised crime and terrorist activities often involve international travel. As a response to the abolition of internal border controls under the Schengen Convention, the EU provides for the exchange of personal data between law enforcement authorities. The PNR system aims to complement the already existing tools to cope with cross-border crime. Processing PNR data would allow law enforcement authorities to discover persons unsuspected of crime or terrorism before a specific data analysis would show they might be.
In addition, most member states already use PNR data granted under national law to the police or other authorities. An EU PNR system would also harmonise member states' legal provisions, avoiding legal uncertainty and security gaps, whilst at the same time safeguarding data protection.
The draft directive aims to regulate the transfer of PNR data from the airlines to national authorities, as well as their processing of this data. Under the new directive, airlines will have to provide PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PRN data concerning selected intra-EU flights.
The directive establishes that PNR data collected may only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
In the context of these activities, PNR data can be used in several ways:
To protect the fundamental rights to protection of personal data, to privacy and to non -discrimination, the directive includes a series of limitations for the transfer, processing and retention of PNR data: