Passenger name record (PNR) data is personal information provided by passengers and collected and held by air carriers. It includes information such as the name of passengers, travel dates, itineraries, seats, baggage, contact details and means of payment. The proposal for a directive, presented by the Commission, aims at regulating the transfer of such PNR data to member states’ law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The European Parliament and the Council agreed on a compromise text in December 2015. On 14 April 2016, the European Parliament adopted its position. The Council then adopted the directive on 21 April 2016. Member states will have two years to bring into force the laws, regulations and administrative provisions necessary to comply with this directive.

After a five years long series of delays and setbacks the new directive regulating the use of Passenger Name Record (PNR) data in the EU for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was approved by the Parliament on Thursday 14 April.

Despite strong criticism from the left side, the issue was pushed to the top of the Parliament’s agenda following the recent terrorist attacks in Paris and Brussels. In fact, some objections were moved, especially the Greens and the Liberals, concerning the fact that each country will keep control of its own database, the vague nature of data collected and the length of time passenger information may be stored.

Although there was little suspense regarding the positive outcome of the vote, a number of MEPs, such as the Dutch Liberal Sophie in’t Veld, tried to derail the PNR dossier by tabling amendments that would change the essence of the compromise. At the end, the text was approved by MEPs for 461 votes to 179, with 9 abstentions.

The Greens have consistently criticized the proposed system, which, according to them, will fail to address the terrorist threat, whilst undermining the fundamental lights of EU citizens. After the vote, Green MEP and home affairs spokesperson Jan Philipp Albrecht said:

« This EU PNR system is a false solution, based on the flawed political obsession with mass surveillance. PNR is a placebo at best, which will not only undermine the fundamental rights of EU citizens but also undermine the security of our societies by diverting badly-needed resources from security and intelligence tools that could actually be useful for combating terrorism, like targeted surveillance.”

Despite all the negative evaluations, British conservative and PNR rapporteur, Timothy Kirkhope said: “There were understandable concerns about the collection and storage or people’s data, but I believe that the directive puts in place data safeguards, as well as proving that the law is proportionate to the risks we face. EU governments must now get on with implementing this agreement »

French Home Affairs Minister, Bernard Cazeneuve, who had been fighting intensively for the adoption of this system since the Paris attacks of January 2015 and the attacks of November, welcomed the outcome and this “vital step in stepping up the fight against terrorism in Europe”.

Under the new directive, air carriers will be obliged to provide member states’ authorities with the PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PNR data concerning selected intra-EU flights. However, considering the current security situation in Europe, all member states declared that by the date of transposition of the directive they will make full use of the possibility provided for by Article 2 which states that selected intra-EU flights could be included.

Thus, under the new rules, each member state will also be required to set up a so-called Passenger Information Unit (PIU’s), which will receive the PNR data from the air carriers.

The new rules create an EU standard for the use of such data and include provisions on:

• the purposes for which PNR data can be processed in the context of law enforcement (pre-arrival assessment of passengers against pre-determined risk criteria or in order to identify specific persons; the use in specific investigations/prosecutions; input in the development of risk assessment criteria);
• the exchange of such data between the member states and between member states and third countries;
• storage (data will initially be stored for 6 months, after which they will be masked out and stored for another period of four years and a half, with a strict procedure to access the full data);
• common protocols and data formats for transferring the PNR data from the air carriers to the Passenger Information Units; and
• strong safeguards as regards protection of privacy and personal data, including the role of national supervisory authorities and the mandatory appointment of a data protection officer in each Passenger Information Unit.

Member states could then extend the directive to “intra-EU” flights (i.e. from an EU country to one or more other EU countries), if they notify it to the EU Commission. EU countries may also choose to collect and process PNR data from travel agencies and tour operators (non-carrier economic operators), as they also manage flight bookings.

There will be also guaranties applied to safeguard data protection:

• National PIUs will have to appoint a data protection officer responsible for monitoring the processing of PNR data and implementing the related safeguards.
• Access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period.
• All processing of PNR data should be documented.
• Explicit prohibition of processing personal data revealing a person´s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

Under the new directive, air carriers will be obliged to provide member states’ authorities with the PNR data for flights entering or departing from the EU. Member states will have two years to incorporate the text into national law but at least 16 States already have a national PNR system.

Elena Dal Monte

For further information:

• Image source https://www.theparliamentmagazine.eu/articles/news/meps-approve-preliminary-eu-pnr-deal
• The European Parliament News http://www.europarl.europa.eu/news/en/news-room/20160407IPR21775/Parliament-backs-EU-directive-on-use-of-Passenger-Name-Records-(PNR)
• Council of the European Union http://www.consilium.europa.eu/en/press/press-releases/2016/04/21-council-adopts-eu-pnr-directive/
• The greens in the European Parliament http://www.greens-efa.eu/pnr-air-passenger-data-retention-15436.html
• The Netherlands EU Presidency 2016. http://english.eu2016.nl/latest/news/2016/03/25/joint-statement-of-eu-ministers-on-the-terrorist-attacks-in-brussels