Migration and Home Affairs

Passenger Name Record (PNR)

PNR data are unverified information provided by passengers and collected by air carriers to enable the reservation and check-in processes.

What kind of information is contained in PNR?

The content of PNR data varies depending on the information given by the passenger and may include, for example:

  • dates of travel and travel itinerary,
  • ticket information,
  • contact details like address and phone number,
  • travel agent,
  • payment information,
  • seat number and baggage information.

Why is this useful?

The analysis of PNR data can provide the authorities with important elements from a criminal intelligence point of view, allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement. Accordingly, the processing of PNR data has become a widely used essential law enforcement tool, in the EU and beyond, to prevent and fight terrorism and other forms of serious crime, such as drugs-related offences, human trafficking, and child sexual exploitation.

The EU PNR Directive

On 27 April 2016, the European Parliament and Council adopted a Directive on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crimes.

It defines the responsibilities of EU countries regarding the collection of PNR data, requiring them to:

  • establish specific entities responsible for the collection, storage, and processing of PNR data  ̵  the so-called passenger information units (PIUs) and
  • adopt a list of competent authorities entitled to request or receive PNR data.

The rules apply to flights arriving from third countries to the EU countries, but EU countries can decide to apply them to flights departing from or arriving to another EU country (intra-EU flights).

The European Commission also put in place the appropriate framework for connectivity between air carriers and EU countries in an implementing decision (2017) on the data formats and common protocol, which will be reviewed in 2021.

Role of the passenger information units (PIUs)

PIUs are in charge of:

  • collecting PNR data from airlines,
  • comparing PNR data against relevant law enforcement databases and processing them against pre-determined criteria, to identify persons potentially involved in a terrorist offence or serious crime,
  • disseminating PNR data to national competent authorities, Europol, and PIUs of other EU countries, either spontaneously or in response to duly reasoned requests.

Data protection safeguards

The PNR Directive provides data protection safeguards, such as:

  • sensitive data must not be processed,
  • data must be depersonalised after 6 months,
  • data may be re-personalised only under strict conditions,
  • data must be deleted after 5 years,
  • a data protection officer is appointed in each PIU and
  • an independent national supervisory authorities must oversee the processing activities.

Review of the PNR Directive

In July 2020, the Commission adopted the PNR Directive Review Report, which reviewed its first two years of application. This Review shows that the development of the EU-wide PNR system is well under way, with the use of PNR data already delivering tangible results in the fight against terrorism and serious crime.

Transfer of PNR to third countries

Existing international PNR Agreements

Australia

United States of America

Ongoing negotiations for PNR Agreements

Canada

The Court of Justice in its Opinion 1/15 of 26 July 2017 declared that the envisaged Agreement between the EU and Canada signed on 25 June 2014 may not be concluded in its current form.

Following this Opinion, new PNR negotiations with Canada were launched in June 2018.

Japan

On 18 February 2020, the Council adopted a decision authorising the opening of negotiations between the EU and Japan for an agreement on the transfer and use of PNR data.

Future external PNR Policy

The 2010 Communication laid down the global approach towards PNR transfers to third countries, establishing a set of general criteria which were to be fulfilled by bilateral PNR agreements, including, in particular, a number of data protection principles and safeguards.

The Commission intends to update and streamline this approach with the aim to adapt it to today’s realities and take into consideration developments occurred since 2010. For this purpose, the Commission published a Roadmap on 24 July 2020. This initiative will aim at setting out the policy objectives and key challenges of both legal and operational nature that a future revised strategy should aim to tackle.

Advance Passenger Information (API)

API data is information on passengers (usually contained in travel documents like passports and identity cards) collected by air carriers during check-in and transmitted by these carriers after check-in closure to the border control authorities of the country of destination. These authorities screen the passengers while in-flight; thus, the use of API enables a risk-based data-driven approach to border security allowing the identification of travellers who may need further investigation and speeding up border checks for the majority of travellers.

In the EU, the transmission of advance passenger data is regulated by Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data. The main objectives of the Directive are to combat irregular immigration and to improve border control. The Directive also allows Member States to use API data for law enforcement purposes on the basis of national law. API data are a very useful tool for law enforcement authorities when used in combination with PNR data.

Related documents

EU PNR

International agreements

External PNR policy