Regulating the use of passenger name record (PNR) data
Passenger name record (PNR) data is personal information provided by passengers and collected and held by air carriers. It includes information such as the name of the passenger, travel dates, itineraries, seats, baggage, contact details and means of payment. The proposal for a directive presented by the Commission aims to regulate the transfer of such PNR data to member states' law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
On 4 December 2015, the Council approved the compromise text agreed with the European Parliament. The Parliament's Civil Liberties, Justice and Home Affairs Committee endorsed the text on 10 December 2015.
Why do we need it?
The EU has already signed agreements allowing EU carriers to transfer PNR data to the United States, Australia and Canada.
In June 2015, the Council adopted a decision authorising the opening of negotiations for an agreement with Mexico.
Organised crime and terrorist activities often involve international travel. As a response to the abolition of internal border controls under the Schengen Convention, the EU provides for the exchange of personal data between law enforcement authorities. The PNR system aims to complement the already existing tools to cope with cross-border crime. Processing PNR data would allow law enforcement authorities to discover persons unsuspected of crime or terrorism before a specific data analysis would show they might be.
In addition, most member states already use PNR data granted under national law to the police or other authorities. An EU PNR system would also harmonise member states' legal provisions, avoiding legal uncertainty and security gaps, whilst at the same time safeguarding data protection.
In detail
The draft directive aims to regulate the transfer of PNR data from the airlines to national authorities, as well as their processing of this data. Under the new directive, airlines will have to provide PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PRN data concerning selected intra-EU flights.
The directive establishes that PNR data collected may only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
In the context of these activities, PNR data can be used in several ways:
- for a pre-arrival or pre-departure assessment of passengers against defined risk criteria, or in order to identify specific persons
- as input in the development of these risk criteria
- for specific investigations or prosecutions
To protect the fundamental rights to protection of personal data, to privacy and to non -discrimination, the directive includes a series of limitations for the transfer, processing and retention of PNR data:
- the directive prohibits the collection and use of sensitive data
- PNR data can only be kept for a period of 5 years, and must be depersonalised after a period of 6 months so the data subject is no longer immediately identifiable
- member states are required to establish a passenger information unit to handle and protect the data; this unit must include a data protection officer
- member states must ensure that passengers are clearly informed about the collection of PNR data and of their rights.
- automated processing of PNR data cannot be the only basis for decisions producing adverse legal effects or seriously affecting a person.
- transfer of PNR data to third countries can only take place in very limited circumstances and on a case-by-case basis
Next steps
Following a revision of the text by lawyer -linguists, the European Parliament and the Council will formally adopt the text.
From the day of entry into force, member states will have two years to transpose the directive into national law.