Migration and Home Affairs

Passenger Name Record (PNR)

Passenger Name Record (PNR) data is information provided by passengers and collected by air carriers for enabling reservations and carrying out the check-in process. It is a record of each passenger's travel requirements held in carriers' reservation and departure control systems. It may contain a wide range of information, such as dates of travel, travel itinerary, ticket information, contact details, travel agent, means of payment, seat number and baggage information.

The collection and processing of PNR data is considered by many states, within and outside the EU, as an important law enforcement tool allowing to prevent, detect and investigate terrorism and other forms of serious crime (such as drugs and human trafficking, child sexual exploitation and others). At the same time, the use of PNR data for law enforcement purposes involves the processing of personal data which raises important issues with respect to the fundamental rights to the protection of private life and to the protection of personal data.

The PNR directive

On 27 April 2016, the European Parliament and the Council adopted Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (The PNR Directive). The Directive notably provides for the obligation of air carriers to transfer to Member States the PNR data they have collected in the normal course of their business. Member States must establish specific entities responsible for the storage and processing of PNR data, called Passenger Information Units. The Directive regulates the way Member States can use the PNR data collected and provides for the necessary data protection safeguards. Member States must transpose the Directive before May 2018.

 

Main provisions of the PNR Directive:

  • Air carriers must transfer PNR data to the Member States, provided that such data are collected by air carriers in the normal course of their business;
  • Member States must establish or designate special entities (Passenger Information Unit) responsible to collect, store and process the PNR data received from air carriers. Member States must also adopt a list of authorities entitled to request or receive PNR data ("competent authorities").
  • The Passenger Information Units must compare PNR data against relevant law enforcement databases and process them against pre-determined criteria, in order to identify persons that may be involved in a terrorist offence or serious crime. The Passenger Information Units must also reply, on a case-by-case basis, to duly reasoned requests for PNR data originating from the above-mentioned competent authorities, Europol, other Member States or third countries.
  • The PNR data or the result of processing PNR data can be exchanged between Member States and with Europol, on a case-by-case basis, to enhance the effectiveness of PNR processing at the level of the European Union.
  • The Directive applies primarily to extra-EU flights. Member States can however decide to apply it also to intra-EU flights, or to selected intra-EU flights, subject to a notification in this respect to the Commission.
  • The Directive provides for a number of data protection safeguards, such as:
  • PNR data can be processed only for the fight against terrorism and the offences exhaustively listed in annex II
  • the PNR data must be deleted after 5 years and must be depersonalised through masking out after 6 months
  • prohibition of the processing of data that could reveal a person's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life or sexual orientation
  • oversight of the processing of PNR data an independent national supervisory authority
  • recognition of the data subjects' rights of access, rectification, erasure and restriction, as well as the rights to compensation and judicial redress

The implementation of the PNR Directive

The Commission is actively assisting Member States to ensure the timely implementation of the PNR Directive.

Details on the Commission's support measures can be found in the Implementation plan for the PNR Directive, presented on 28 November 2016.

The data formats and transmission protocols to be used by air carriers when transferring PNR data to Passenger Information Units are established by the Commission through an implementing decision adopted by means of a comitology procedure.

Third country agreements

An increasing number of third countries are requesting PNR data from air carriers operating flights from the territory of the European Union. The EU has so far concluded international PNR agreements with the United States, Canada and Australia, allowing air carriers to transfer PNR data to these third countries. Such cooperation can bring major security gains, in areas like foreign terrorist fighters travelling to conflict zones for terrorist training, drugs trafficking or travelling sex offenders.

In 2010 the Commission issued a Communication "On the global approach to transfers of Passenger Name Record data to third countries" to set out the elements of the EU's external PNR policy. This Communication established a set of general criteria that must be fulfilled by future bilateral PNR agreements, including, in particular, a number of data protection principles and safeguards. These general criteria formed the basis of the renegotiations of the PNR Agreements with the US, Australia and Canada, leading to the conclusion of new PNR Agreements with the two first mentioned countries, which are subject to regular reviews and evaluation. The envisaged new EU-Canada Agreement has, however, not entered into force because in November 2014 the Parliament voted to seek the opinion of Court of Justice as to whether the draft Agreement is compatible with the Treaties and the Charter of Fundamental Rights

Once the European Court of Justice has issued its opinion on the envisaged PNR Agreement with Canada, the Commission intends to review the current approach towards transfers of PNR data to third countries, to address the increasing third country requests in a clear and coherent way, including by considering a model agreement setting out the requirements third countries have to meet to be able to receive PNR data from the EU.