PNR data are unverified information provided by passengers and collected by air carriers to enable the reservation and check-in processes.
The content of PNR data varies depending on the information given by the passenger and may include, for example:
The analysis of PNR data can provide the authorities with important elements from a criminal intelligence point of view, allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement. Accordingly, the processing of PNR data has become a widely used and essential law enforcement tool, in the EU and beyond, to prevent and fight terrorism and other forms of serious crime, such as drugs-related offences, human trafficking, and child sexual exploitation.
On 27 April 2016, the European Parliament and Council adopted a Directive on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crimes.
It defines the responsibilities of EU countries regarding the collection of PNR data, requiring them to:
The rules apply to flights arriving in EU countries from third countries, but EU countries can decide to apply them to flights departing from or arriving in another EU country (intra-EU flights).
The European Commission also put in place the appropriate framework for connectivity between air carriers and EU countries in an implementing decision (2017) on the data formats and common protocol, which will be reviewed in 2021.
PIUs are in charge of:
The PNR Directive provides data protection safeguards, such as:
In July 2020, the Commission adopted the PNR Directive Review Report, which reviewed its first two years of application. This Review shows that the development of the EU-wide PNR system is well under way, with the use of PNR data already delivering tangible results in the fight against terrorism and serious crime.
Following this Opinion, new PNR negotiations with Canada were launched in June 2018.
On 18 February 2020, the Council adopted a decision authorising the opening of negotiations between the EU and Japan for an agreement on the transfer and use of PNR data.
The 2010 Communication laid down the global approach towards PNR transfers to third countries, establishing a set of general criteria which were to be fulfilled by bilateral PNR agreements, including, in particular, a number of data protection principles and safeguards.
The Commission intends to update and streamline this approach with the aim of adapting it to today’s realities and taking into consideration developments that have occurred since 2010. For this purpose, the Commission published a Roadmap on 24 July 2020. This initiative will aim at setting out the policy objectives and key challenges, of both a legal and an operational nature, that a future revised strategy should aim to tackle.
API data are information on passengers (usually contained in travel documents like passports and identity cards) collected by air carriers during check-in and transmitted by these carriers after check-in closure to the border control authorities of the country of destination. These authorities screen the passengers while they are in flight; thus, the use of API enables a risk-based, data-driven approach to border security, allowing the identification of travellers who may need further investigation and speeding up border checks for the majority of travellers.
In the EU, the transmission of advance passenger data is regulated by Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data. The main objectives of the Directive are to combat irregular immigration and to improve border control. The Directive also allows Member States to use API data for law enforcement purposes on the basis of national law. API data are a very useful tool for law enforcement authorities when used in combination with PNR data.