Regulating the use of passenger name record (PNR) data

Passenger name record (PNR) data is personal information provided by passengers and collected and held by air carriers. It includes information such as the name of the passenger, travel dates, itineraries, seats, baggage, contact details and means of payment. The proposal for a directive presented by the Commission aims to regulate the transfer of such PNR data to member states' law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The European Parliament and the Council agreed on a compromise text in December 2015. On 14 April 2016, the European Parliament adopted its position. The Council then adopted the directive on 21 April 2016. Member states will have two years to bring into force the laws, regulations and administrative provisions necessary to comply with this directive.

Why do we need it?

The EU has already signed agreements allowing EU carriers to transfer PNR data to the United States, Australia and Canada.

In June 2015, the Council adopted a decision authorising the opening of negotiations for an agreement with Mexico.

Organised crime and terrorist activities often involve international travel. As a response to the abolition of internal border controls under the Schengen Convention, the EU provides for the exchange of personal data between law enforcement authorities. The PNR system aims to complement the already existing tools to cope with cross-border crime. Processing PNR data would allow law enforcement authorities to discover persons unsuspected of crime or terrorism before a specific data analysis would show they might be.

In addition, most member states already use PNR data granted under national law to the police or other authorities. An EU PNR system would also harmonise member states' legal provisions, avoiding legal uncertainty and security gaps, whilst at the same time safeguarding data protection.

In detail

The draft directive aims to regulate the transfer of PNR data from the airlines to national authorities, as well as their processing of this data. Under the new directive, airlines will have to provide PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PRN data concerning selected intra-EU flights.

The directive establishes that PNR data collected may only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

In the context of these activities, PNR data can be used in several ways:

  • for a pre-arrival or pre-departure assessment of passengers against defined risk criteria, or in order to identify specific persons
  • as input in the development of these risk criteria
  • for specific investigations or prosecutions

To protect the fundamental rights to protection of personal data, to privacy and to non -discrimination, the directive includes a series of limitations for the transfer, processing and retention of PNR data:

  • the directive prohibits the collection and use of sensitive data
  • PNR data can only be kept for a period of 5 years, and must be depersonalised after a period of 6 months so the data subject is no longer immediately identifiable
  • member states are required to establish a passenger information unit to handle and protect the data; this unit must include a data protection officer
  • member states must ensure that passengers are clearly informed about the collection of PNR data and of their rights.
  • automated processing of PNR data cannot be the only basis for decisions producing adverse legal effects or seriously affecting a person.
  • transfer of PNR data to third countries can only take place in very limited circumstances and on a case-by-case basis