Council adopts EU Passenger Name Record (PNR) directive
On 21 April 2016 the Council adopted a directive on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
The directive aims to regulate the transfer from the airlines to the member states of PNR data of passengers of international flights, as well as the processing of this data by the competent authorities. The directive establishes that PNR data collected may only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
Under the new directive, air carriers will be obliged to provide member states' authorities with the PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PNR data concerning selected intra-EU flights. However, considering the current security situation in Europe, all member states declared that by the date of transposition of the directive they will make full use of the possibility provided for by Article 2 to include also selected intra-EU flights.
Each member state will also be required to set up a so-called Passenger Information Unit, which will receive the PNR data from the air carriers.
The new rules create an EU standard for the use of such data and include provisions on:
- the purposes for which PNR data can be processed in the context of law enforcement (pre-arrival assessment of passengers against pre-determined risk criteria or in order to identify specific persons; the use in specific investigations/prosecutions; input in the development of risk assessment criteria);
- the exchange of such data between the member states and between member states and third countries;
- storage (data will initially be stored for 6 months, after which they will be masked out and stored for another period of four years and a half, with a strict procedure to access the full data);
- common protocols and data formats for transferring the PNR data from the air carriers to the Passenger Information Units; and
- strong safeguards as regards protection of privacy and personal data, including the role of national supervisory authorities and the mandatory appointment of a data protection officer in each Passenger Information Unit.
PNR data are already today stored in the carriers' reservation systems. They concern the information provided by passengers to carriers when booking a flight and when checking in on flights. PNR data includes the name, travel dates, travel itinerary, ticket information, contact details, travel agent at which the flight was booked, means of payment used, seat number and baggage information.
The use of these data by member states' law enforcement bodies in specific cases is nothing new: Various member states already use PNR data for law enforcement purposes, either on the basis of specific legislation or on the basis of general legal powers. The collection and use of PNR data has been essential in fighting certain cross-border crimes, such as drug trafficking in human beings or children trafficking. However, there is as yet no common approach across the EU.
The UK and Ireland have opted in to this directive. Denmark is not participating.