On 4 December 2015 the Council approved the compromise text agreed with the European Parliament on the proposal for a directive on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
“The compromise agreed today will enable the EU to set up an effective PNR system which fully respects fundamental rights and freedoms”, said Etienne Schneider, Luxembourg Deputy Prime Minister, Minister of Internal Security and President of the Council.
The directive aims to regulate the transfer from the airlines to the member states of PNR data of passengers of international flights, as well as the processing of this data by the competent authorities. The directive establishes that PNR data collected may only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
Under the new directive, air carriers will be obliged to provide member states' authorities with the PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PNR data concerning selected intra-EU flights. Each member state will be required to set up a so-called Passenger Information Unit, which will receive the PNR data from the air carriers.
The new rules create an EU standard for the use of such data and include provisions on:
- the purposes for which PNR data can be processed in the context of law enforcement (pre-arrival assessment of passengers against pre-determined risk criteria or in order to identify specific persons; the use in specific investigations/prosecutions; input in the development of risk assessment criteria);
- the exchange of such data between the member states and between member states and third countries;
- storage (data will initially be stored for 6 months, after which they will be masked out and stored for another period of four years and a half, with a strict procedure to access the full data);
- common protocols and data formats for transferring the PNR data from the air carriers to the Passenger Information Units; and
- strong safeguards as regards protection of privacy and personal data, including the role of national supervisory authorities and the mandatory appointment of a data protection officer in each Passenger Information Unit.
PNR data are already today stored in the carriers' reservation systems. They concern the information provided by passengers to carriers when booking a flight and when checking in on flights. PNR data includes the name, travel dates, travel itinerary, ticket information, contact details, travel agent at which the flight was booked, means of payment used, seat number and baggage information.
The use of these data by member states' law enforcement bodies in specific cases is nothing new: Various member states already use PNR data for law enforcement purposes, either on the basis of specific legislation or on the basis of general legal powers. The collection and use of PNR data has been essential in fighting certain cross-border crimes, such as drug trafficking in human beings or children trafficking. However, there is as yet no common approach across the EU.
The UK and Ireland have opted in to this directive. Denmark is not participating.
The Parliament's Civil Liberties, Justice and Home Affairs Committee is expected to vote soon.
The directive will be then submitted, following legal-linguistic revision, to the European Parliament for a vote at first reading, and to the Council for adoption.
Once adopted, member states will have two years to bring into force the laws, regulations and administrative provisions necessary to comply with this directive.