Skip to content. | Skip to navigation

Personal tools
You are here: Home Breaking news MEPs back EU directive on use of Passenger Name Records

MEPs back EU directive on use of Passenger Name Records

14 April 2016, 16:31 CET
MEPs back EU directive on use of Passenger Name Records

Photo By Leonid Mamchenkov

(STRASBOURG) - Airlines will have to hand national authorities passengers' data for all flights from third countries to the EU and vice versa following EU Parliament approval of a directive regulating the use of Passenger Name Record data in the EU.

The new directive regulates the use of Passenger Name Record (PNR) data in the EU for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. It will oblige airlines to hand national authorities passengers' data for all flights from third countries to the EU and vice versa.

A European Commission statement said: "This is a strong expression of Europe's commitment to fight terrorism and organised crime together through enhanced cooperation and effective intelligence sharing. The atrocious terrorist attacks in Paris on 13 November last year and Brussels on 22 March showed once more that Europe needs to scale up its common response to terrorism and take concrete actions to fight it. The EU PNR Directive will be an important contribution to our common response.

"The EU PNR Directive will improve the safety and security of our citizens, while also including robust privacy and data protection safeguards ensuring full compliance with the right to data protection."

There had been concerns about the collection and storage or people's data, but Parliament's rapporteur for the proposal Timothy Kirkhope said: "I believe that the directive puts in place data safeguards, as well as proving that the law is proportionate to the risks we face. EU governments must now get on with implementing this agreement."

EU Member States will have to set up "Passenger Information Units" (PIUs) to manage the PNR data collected by air carriers. This information will have to be retained for a period of five years, but after six months, the data will be "masked out", i.e., stripped of the elements, such as name, address and contact details that may lead to the identification of individuals. PIUs will be responsible for collecting, storing and processing PNR data, for transferring them to the competent authorities and for exchanging them with the PIUs of other member states and with Europol. The directive states that such transfers shall only be made "on a case-by-case basis" and exclusively for the specific purposes of "preventing, detecting, investigating or prosecuting terrorist offences or serious crime".

The directive is to apply to "extra-EU flights", but member states could also extend it to "intra-EU" ones (i.e. from an EU country to one or more other EU countries), provided that they notify the EU Commission. EU countries may also choose to collect and process PNR data from travel agencies and tour operators (non-carrier economic operators), since they also manage flight bookings.

Data protection safeguards

  • National PIUs will have to appoint a data protection officer responsible for monitoring the processing of PNR data and implementing the related safeguards.
  • Access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period.
  • All processing of PNR data should be logged or documented.
  • Explicit prohibition of processing personal data revealing a person´s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

Review clause

The EU Commission will have to carry out a revision of the EU PNR directive two years after its transposition into national laws. It must pay special attention to compliance with personal data protection standards, the necessity and proportionality of collecting and processing PNR data for each of the stated purposes, the length of the data retention period, and also "the effectiveness of the sharing of data between the member states".

Next steps

Following Parliament´s approval, the proposal needs now to be formally approved by the Council. Once published in the EU Official Journal of the EU, member states will have two years to transpose it into their national laws.

Further information, European Parliament

Adopted text will be available here (click on 14.04.2016)

Background note – EU PNR proposal: an overview

Document Actions