Migration and Home Affairs

Passenger Name Record (PNR)

What is PNR?

PNR is information provided by passengers and collected by airlines, in the normal course of their business, to enable reservations and carry out the check-in process.

What kind of information is contained in a PNR?

A PNR may contain information such as dates of travel, travel itinerary, ticket information, contact details, travel agent, means of payment, seat number and baggage information.

How is that useful?

It is a very important law enforcement tool for preventing, detecting and investigating terrorism and other forms of serious crime (such as drugs, human trafficking, child sexual exploitation and others).

What are the EU Member States required to do?

  • To implement the rules before 25 May 2018. The state of play across the Member States is available here.
  • To establish specific entities responsible for the collection, storage and processing of PNR data, the Passenger Information Units (PIUs). The European Commission has published in the Official Journal of the European Union the list of Member States that had established a PIU by 2 July 2018. On 19 September 2018, the Commission published an additional list of the Member States added to the first one.
  • To adopt a list of competent authorities entitled to request or receive PNR data. Two corrigenda have been published in the meantime, available here and here.
  • The rules apply to flights arriving in European Union Member States from third countries. Member States can decide to apply these measures to flights departing from and arriving in an EU Member State (intra-EU flights).

What is the role of the Passenger Information Units (PIUs)?

  1. Collect the PNR data from air carriers
  2. Compare PNR data against relevant law enforcement databases and process it against pre-determined criteria, in order to identify persons who may be involved in a terrorist offence or serious crime.
  3. Disseminate PNR data to national competent authorities, Europol and PIUs of other Member States, either spontaneously or in response to duly reasoned requests.

What about data protection safeguards?

The Directive provides data protection safeguards, such as:

  • Sensitive data must not be processed;
  • Data must be deleted after 5 years;
  • Data must be depersonalised after 6 months;
  • A Data Protection Officer within the PIU;
  • An independent National Supervisory Authority.

Background Information on EU PNR

On 27 April 2016, the European Parliament and the Council adopted Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

On 28 November 2016, the Commission adopted an Implementation Plan for the PNR Directive, which broadly outlined the stage Member States had reached by that time in implementing the PNR Directive and identified a number of indicative milestones that Member States should meet in order to have functional PNR systems in place by May 2018.

Moreover, as regards carrier connectivity, and in order to make the crucial activity of connecting to air carriers meaningful, the European Commission put in place the appropriate framework: the Commission implementing decision on the data formats and common protocols to be used by air carriers for the transfer of PNR data to Member States. This decision was adopted in April 2017.

PNR International Agreements

Australia

  • Signed on 29 September 2011;
  • Entered into force on 1 June 2012.

United States of America

  • Signed on 14 December 2011;
  • Entered into force on 1 June 2012.

Canada