The provisional deal reached by Parliament and Council negotiators on 2 December 2015 on an EU directive regulating the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was approved by plenary on 14 April 2016 by 461 votes to 179, with 9 abstentions. The text was approved by the Council of the EU on 21 April.
Once published in the EU Official Journal of the EU, member states will have two years to transpose the legislation into their national laws.
The EU PNR directive will oblige airlines to hand EU countries their passengers' data in order to help the authorities to fight terrorism and serious crime. It would require more systematic collection, use and retention of PNR data on air passengers, and would therefore have an impact on the rights to privacy and data protection.
MEPs sought to ensure, in three-way talks ("trilogues") with the Council and Commission, that the draft law complies with the proportionality principle and includes strict personal data protection safeguards.
In this background note you will find information on what happened in the Civil Liberties Committee since this proposal came to Parliament.
Passenger Name Record (PNR) data is information provided by passengers and collected by air carriers during reservation and check-in procedures. Non-carrier economic operators, such as travel agencies and tour operators, sell package tours making use of charter flights for which they also collect and process PNR data from their customers.
PNR data include several different types of information, such as travel dates, travel itinerary, ticket information, contact details, baggage information and payment information.
The assessment of PNR data would enable to identify persons who were previously unsuspected of involvement in terrorism or in serious crime before an analysis of that data suggests that they may be involved in such crime, and who could therefore be subject to further examination by the competent authorities.
EU-level measures such as the directive on Advance Passenger Information (API), the Schengen Information System (SIS) and the second-generation Schengen Information System (SIS II) do not enable law enforcement authorities to identify “unknown” suspects in the way that an analysis of PNR data does.
The use of PNR data is not currently regulated at EU level. Some member states already have a PNR system (e.g. the UK), while others have either enacted legislation or are currently testing PNR data systems. Most EU countries use PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime in a non-systematic way or under general powers granted to the police or other national authorities.
The proposal aims to harmonise member states’ provisions on the collection and processing of PNR data. Once approved, member states would have two years to transpose the directive into their national laws.
PNR systems in member states and EU funding
In 2011, when the EU PNR directive was proposed by the Commission, only the UK had a fully-fledged PNR data collection system. In 2012, while the draft law was still under examination by the European Parliament, the Commission launched a call for proposals aiming to establish Passenger Information Units (PIUs) in the member states, under its 2007-2013 programme "Prevention of and Fight against Crime".
In 2013, a total of €50 million, made available by the Commission, was distributed among 14 EU countries which presented projects for developing their national PNR schemes.
Under the Commission proposal, air carriers operating flights between a third country and the territory of at least one EU member state would be obliged to send PNR data to the competent authorities of that member state.
Carriers would send this data by the so-called “push” method, meaning that member states would not have direct access to the carriers’ IT systems.
PNR data would be sent by air carriers to a single designated unit – the "Passenger Information Unit" (PIU) - of the member state in which the international flight arrives or from which it departs.
The PIU would be responsible for collecting PNR data, storing them, analysing them and supplying the results of the analysis to the competent authorities (each member state would have to approve a list of the competent authorities entitled to request or receive PNR data or the result of the processing of PNR data from the PIU). An independent national supervisory authority would be responsible for advising and monitoring how PNR data are processed.
Member states would share alerts created from the processing of PNR data where necessary for the prevention, detection, investigation and prosecution of terrorist offences or serious crime (e.g. human trafficking, drug trafficking, or child pornography). Member states would also have the right to request PNR data from another member state in support of a specific investigation.
The collection and use of sensitive data directly or indirectly revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life, would be prohibited.
The Commission proposal would allow PNR data to be retained for 5 years and 30 days.
The EU PNR proposal, presented by the Commission in February 2011, comes under the "co-decision procedure" (first reading), whereby the European Parliament and the EU Council of Ministers legislate on an equal footing.
Rejection in committee
The 2011 draft directive was rejected by the Civil Liberties Committee in April 2013 by 30 votes to 25. The issues that the committee debated were, inter alia, the necessity and proportionality of the proposal, its scope as regards offences and as regards international and intra-EU flights, the data retention period, centralised v. decentralised system, obligatory v. facultative system, etc.
MEPs voting against in committee questioned the proportionality of the proposed EU scheme for the collection, use and retention of airline passengers' data (irrespective of whether or not they are suspects) and its compliance with fundamental rights, especially data protection, while those voting in favour highlighted its potential added value for EU counter-terrorism policy, underlining that a EU framework would be better than a patchwork of differing national systems.
In June 2013, Parliament decided in plenary session to refer the matter back to the Civil Liberties Committee, for it to continue its work in search of an agreement.
EU PNR back under the spotlight
Debate on the proposal gained momentum due to concerns over possible threats to the EU's internal security posed by Europeans returning home after fighting abroad for terrorist groups. On 30 August 2014, the European Council called on Parliament and the Council of Ministers to finalise work on the EU PNR proposal. In the aftermath of the January 2015 terrorist attacks in Paris, this proposal again came under the spotlight.
The Civil Liberties Committee debated the EU PNR proposal again on 11 November 2014. MEPs were still divided on the issue, but most stressed the need to assess the EU Court of Justice (ECJ) ruling annulling the data retention directive, to assess whether existing measures suffice before taking new ones and to put in place adequate data protection safeguards.
"We must put in place our own EU rules and standards (...) as soon as possible", to prevent criminals exploiting gaps in the EU, said the Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK). "Threats to EU security are much greater than they were one year ago" [when the Civil Liberties Committee rejected the Commission proposal], he stressed, adding that he would pursue work on the EU PNR.
European Parliament resolutions on anti-terrorism and on security and on preventing radicalisation
On 11 February 2015, the European Parliament passed a resolution on anti-terrorism measures in which it:
"Commits itself to work towards the finalisation of an EU PNR Directive by the end of the year; therefore urges the Commission to set out the consequences of the ECJ judgment on the Data Retention Directive and its possible impact on the EU PNR Directive; encourages the Council to make progress on the Data Protection package so that trilogues on both – EU PNR Directive and Data Protection Package – could take place in parallel.
Encourages the Commission to invite independent experts from the law enforcement, security and intelligence communities and representatives of Working Party 29 to contribute views and principles, in light of security needs, regarding the necessity and proportionality of the PNR".
This position was reiterated in a resolution on the European Agenda on Security voted on 9 July 2015, in which it:
"Acknowledges the Commission’s urgent call to finalise the work on the adoption of the EU PNR Directive; reiterates its commitment to work towards its finalisation by the end of the year; stresses that the PNR Directive should respect fundamental rights and data protection standards, including the relevant case law of the Court of Justice, while providing an efficient tool at EU level; calls on the Commission to continue to support this process by providing any relevant additional elements for the necessity and proportionality of an EU PNR Directive; asks that any future proposal creating new tools in the field of security, such as PNR, systematically includes mechanisms for the exchange of information and cooperation between Member States".
On 25 November 2015 (after the 13 November Paris terrorist attacks), Parliament voted a resolution on the prevention of radicalisation and recruitment of European citizens by terrorist organisations in which it:
"Reiterates its commitment to work towards the finalisation of an EU directive on passenger name records (PNR) by the end of 2015 and to guarantee that such a directive will be compliant with fundamental rights and free from any discriminatory practices based on ideological, religious or ethnic stigmatisation, and will fully respect the data protection rights of EU citizens; recalls, however, that the EU PNR directive will be just one measure in the fight against terrorism, and that a holistic, ambitious and comprehensive strategy on counterterrorism and the fight against organised crime, involving foreign policy, social policy, education policy, law enforcement and justice, is required to prevent the recruitment of European citizens by terrorist organisations".
Negotiations on the data protection reform and on EU PNR
The data protection reform package consists of two draft laws: a general regulation covering the bulk of personal data processing in the EU and a directive on processing data to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties.
The three-way talks between Parliament, Council and Commission negotiators (“trilogues”) on the data protection regulation started on 24 June 2015, after the Council agreed its general approach on 15 June. The trilogues on the data protection directive kicked-off on 27 October 2015 (Council's general approach was reached on 9 October).
On the EU PNR, the Council agreed its general approach on 26 April 2012. The European Parliament's Civil Liberties Committee approved the mandate to start negotiations with the Council on 15 July 2015 and the trilogues started on 24 September 2015.
A new draft text on an EU system for the use of Passenger Name Record (PNR) data, tabled by lead MEP Timothy Kirkhope (ECR, UK), was discussed in the Civil Liberties Committee on 26 February 2015.
An evaluation of the necessity and proportionality of the proposal in the face of current security threats, its scope (list of offences covered and the inclusion or exclusion of intra-EU flights), retention periods, the connection with the on-going data protection reform, as well as the consequences of the EU Court of Justice judgement annulling the 2006 data retention directive, were among the issues discussed by MEPs.
The 2011 Commission proposal would require more systematic collection, use and retention of PNR data on passengers taking “international” flights (those entering the EU from, or leaving it for, a third country), and would therefore have an impact on the rights to privacy and data protection.
The changes proposed by Timothy Kirkhope in the revised draft report include:
The wrap-up of the live Twitter coverage of the debate @EP_Justice is available here.
The deadline for MEPs to table amendments to Mr Kirkhope's text was18.00 on 1 April.
These amendments touch on a wide range of issues, such as which flights should be included or excluded, the data retention period, several data protection provisions, clearer rules on how data should be processed and by whom, etc. Some amendments would reject the Commission proposal, and others would change it from a directive to a regulation.
The debate on the amendments took place in the Civil Liberties Committee on 4 June 2015.
The vote in the Civil Liberties Committee took place on 15 July 2015. The amended rules were approved by 32 votes to 27. The mandate to open negotiations with the EU Council of Ministers was approved by 36 votes to 14, with 8 abstentions. The result of the roll-call vote in the committee – MEPs voting in favour and against - is available here.
Only flights to and from the EU
The PNR rules would apply to air carriers and non-carriers such as travel agencies and tour operators operating "international flights", i.e. those to or from the EU, according to the committee amendments. They would not apply to “intra-EU” flights between EU member states.
Under the amended rules, PNR data could be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime". The list approved by MEPs includes, for example, trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime.
Data protection safeguards
The application of these rules "must be duly justified and the necessary safeguards must be in place in order to ensure the lawfulness of any storage, analysis, transfer and use of PNR data", says the approved text.
Safeguards inserted by MEPs include the following requirements:
Data protection provisions prohibiting the use of sensitive data or the transfer of PNR data to private parties were also backed by MEPs.
Data retention period
PNR data transferred by air carriers and non-carriers would be retained in the national PIU for an initial period of 30 days, after which all data elements which could serve to identify a passenger would have to be "masked out", and then for up to five years.
The "masked out" data would be accessible only to a limited number of PIU staff, with security training and clearance, for up to four years in serious transnational crime cases and five years for terrorism ones.
After the five years, PNR data would have to be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the member state concerned).
Step up information-sharing among member states
MEPs inserted new provisions requiring member states to share PNR data with each other and with Europol and stipulating conditions for doing so. EU countries should use Europol's Secure Information Exchange Network Application (SIENA) system to share PNR data. A one-stop shop could be created to register and pass on requests for information exchanges, MEPs suggest.
This vote gave the rapporteur a mandate to start negotiations with the EU Council of Ministers to agree on the draft directive. The three-way talks between Parliament, Council and Commission negotiators (“trilogues”) started in September.
"Without this EU system in place a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called 'foreign fighters' has made this system even more essential", said Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK).
"PNR is not a ‘silver bullet’ but it can be an invaluable weapon in the armoury. We will now open talks with national governments with a view to reaching a final agreement before the end of the year", he added.
The European Parliament's Civil Liberties Committee approved the mandate to start negotiations with the Council on 15 July 2015 and the trilogues (three-way talks between Parliament, Council and Commission negotiators) started on 24 September 2015.
Dates of the trilogues
1st trilogue: 24 September
2nd trilogue: 29 September
3rd trilogue: 9 November
4th trilogue: 17 November
5th trilogue: 2 December
The provisional deal reached by Parliament and Council negotiators on 2 December 2015 on an EU directive regulating the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was endorsed by the Civil Liberties, Justice and Home Affairs Committee on 10 December 2015 by 38 votes to 19, with 2 abstentions. The result of the roll-call vote in the committee – MEPs voting in favour and against - is available here.
The draft directive will be put to a vote by Parliament as a whole early next year (2016).
"We cannot wait any longer to put this system in place. (...) The choice is not between an EU PNR system and no EU PNR system; it is between an EU PNR system and 28 national PNR systems that will have vastly differing, or absent, standards for protecting passenger data", said Parliament's Civil Liberties Committee lead negotiator on the EU PNR proposal, Timothy Kirkhope (ECR, UK).
MEPs sought to ensure, in three-way talks ("trilogues") with the Council and Commission, that the draft law complies with the proportionality principle and includes strict personal data protection safeguards.
Flights included in the scope
The agreed directive will provide for the transfer by air carriers to EU member states' "Passenger Information Units" (PIUs) of PNR data of passengers of "extra-EU flights" (i.e. from a third country to an EU member state or vice-versa). It will allow, but not oblige, member states to apply its provisions also to "intra-EU flights" (i.e. from an EU member state to one or more of the other). If a member state wishes to apply this directive to intra-EU flights, "it shall give notice in writing to the Commission to that end", says the text.
Non-carrier economic operators, such as travel agencies and tour operators which provide travel-related services including booking flights, for which they collect and process PNR data, are not included in the directive’s scope, but it does allow member states to provide, under their domestic law, for a system for collecting and processing PNR data from these operators.
The PNR data may be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and serious crime". A single list of offences has been agreed upon, including, for example, trafficking in human beings, participation in a criminal organisation, cybercrime, child pornography, and trafficking in weapons, munitions and explosives.
Data retention and "masking out"
The PNR data provided by the air carriers to the national PIUs is to be retained for a period of five years. For the first six months, the data will be "unmasked", i.e. will include personal identifying information. The data will then have to be "masked out" for the remaining four and a half years.
Depersonalising data through "masking out" means rendering certain data elements of such data invisible to a user, such as name(s), including the names of other passengers on PNR and number of travellers on PNR travelling together, address and contact information, etc. (i.e. data elements which could serve to directly identify the passenger to whom the PNR data relate).
At the insistence of the Parliament's lead negotiator, the initial storage period during which the PNR data are not "masked out" is six months (the Council's general approach sought to prolong the first period during which the data are fully accessible to two years, from the 30 days in the initial Commission proposal presented in 2011).
Extra data protection safeguards
Data protection safeguards inserted by MEPs during the negotiations include:
All processing of PNR data should be logged or documented, and passengers should be clearly and precisely informed about the collection of PNR data and their rights.
At MEPs’ request, the agreed text requires the Commission to carry out a review of the EU PNR directive two years after its transposition into national laws. It must pay special attention to compliance with personal data protection standards, the necessity and proportionality of collecting and processing PNR data for each of the stated purposes, the length of the data retention period, and also "the effectiveness of the sharing of data between the member states". The necessity of introducing non-carrier economic operators within the scope of the directive should also be looked at during the review process, says the agreed text.
In the light of this review, a proposal to amend the EU PNR directive could be presented.
The draft directive is to be put to a vote by Parliament as a whole early in 2016 and then formally approved by the EU Council of Ministers. Member states will have to transpose the EU PNR directive into their national laws at the latest two years after its entry into force.
The UK and Ireland have opted in to this directive, while Denmark has a "blanket" opt-out for justice and home affairs legislation.
Rapporteur on the EU PNR proposal
Timothy Kirkhope (ECR, UK) - Contacts: +32(0)2 28 45321 / +33(0)3 88 1 75321
Shadow rapporteurs from the political groups
Axel Voss (EPP, DE) - Contacts: +32(0)2 28 45302 / +33(0)3 88 1 75302
Birgit Sippel (S&D, DE) - Contacts: +32(0)2 28 45559 / +33(0)3 88 1 75559
Sophie in 't Veld (ALDE, NL) - Contacts: +32(0)2 28 45796 / +33(0)3 88 1 75796
Cornelia Ernst (GUE/NGL, DE) - Contacts: +32(0)2 28 45660 / +33(0)3 88 1 75660
Jan Philipp Albrecht (Greens/EFA, DE) - Contacts: +32(0)2 28 45060 / +33(0)3 88 1 75060
Kristina Winberg (EFDD, SE) - Contacts: +32(0)2 28 45172 / +33(0)3 88 1 75172
Agreements for the transfer of PNR data have been concluded between the EU and the USA, Canada and Australia. Another PNR deal is currently being negotiated with Mexico. The European Parliament gives its "consent" to these agreements (it can approve or reject them as a whole, but not amend them).
The EU PNR proposal is for a directive and the co-decision procedure applies, meaning that MEPs can table amendments to the Commission proposal and negotiate the text with the Council and the Commission (in "trilogues") before the text becomes law.
EU-US: the agreement entered into force on 1 July 2012, replacing a previous one dating from 2007. The European Parliament gave its consent in April 2012. Press release
EU-Australia: The European Parliament gave its consent in October 2011. Press release
EU-Canada: Parliament referred the agreement to the EU Court of Justice (ECJ) in November 2014 for an opinion on whether it is in line with the EU Treaties and Charter of Fundamental Rights. Parliament’s final vote of consent will be adjourned until the ECJ has delivered its opinion. A previous EU-Canada PNR agreement from 2006 remains in force until a new one can replace it. Thus the delay caused by seeking the Court's opinion does not result in any security gap. Press release
On 14 July 2015, negotiations for an EU-Mexico PNR data transfer deal were formally launched (the Council has given a mandate to the Commission on 23 June 2015). The plans have been debated in plenary on 15 April 2015 and in the Civil Liberties Committee on 4 June 2015. Any draft PNR agreement with Mexico will need to take into account the content of the ECJ opinion on the EU-Canada PNR deal. Once concluded, it could enter into force only with the European Parliament’s consent.