Draft EU rules on sharing and protecting the Passenger Name Record (PNR) data of people flying to or from the EU, and its use by member states and Europol to fight terrorism and serious transnational crime, were approved by the Civil Liberties Committee on Wednesday. This data must only be used to prevent, detect, investigate and prosecute these crimes, said MEPs, inserting safeguards to ensure "the lawfulness of any storage, analysis, transfer and use of PNR data".
"Without this EU system in place a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called 'foreign fighters' has made this system even more essential", said Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK).
"PNR is not a ‘silver bullet’ but it can be an invaluable weapon in the armoury. We will now open talks with national governments with a view to reaching a final agreement before the end of the year", he added.
The amended rules were approved by 34 votes to 25. The mandate to open negotiations with the EU Council of Ministers was approved by 36 votes to 14, with 8 abstentions.
Only flights to and from the EU
The PNR rules would apply to air carriers and non-carriers such as travel agencies and tour operators operating "international flights", i.e. those to or from the EU, according to the committee amendments. They would not apply to “intra-EU” flights between EU member states.
Under the amended rules, PNR data could be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime". The list approved by MEPs includes, for example, trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime.
Data protection safeguards
The application of these rules "must be duly justified and the necessary safeguards must be in place in order to ensure the lawfulness of any storage, analysis, transfer and use of PNR data", says the approved text.
Safeguards inserted by MEPs include the following requirements:
Data protection provisions prohibiting the use of sensitive data or the transfer of PNR data to private parties were also backed by MEPs,
Data retention period
PNR data transferred by air carriers and non-carriers would be retained in the national PIU for an initial period of 30 days, after which all data elements which could serve to identify a passenger would have to be "masked out", and then for up to five years.
The "masked out" data would be accessible only to a limited number of PIU staff, with security training and clearance, for up to four years in serious transnational crime cases and five years for terrorism ones.
After the five years, PNR data would have to be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the member state concerned).
Step up information-sharing among member states
MEPs inserted new provisions requiring member states to share PNR data with each other and with Europol and stipulating conditions for doing so. EU countries should use Europol's Secure Information Exchange Network Application (SIENA) system to share PNR data. A one-stop shop could be created to register and pass on requests for information exchanges, MEPs suggest.
This vote gives the rapporteur a mandate to start negotiations with the EU Council of Ministers to agree on the draft directive. The three-way talks between Parliament, Council and Commission negotiators (“trilogues”) should start soon.
Note to editors
In a resolution voted on 11 February 2015, Parliament committed itself "to work towards the finalisation of an EU PNR directive by the end of the year" (reiterated in a resolution voted on 9 July 2015) and encouraged the Council to make progress on the data protection package so that trilogues on both "could take place in parallel".
The first trialogue on the data protection regulation took place on 24 June, after the Council agreed its general approach on 15 June. The Council agreed its general approach on the EU PNR proposal in April 2012.
In the chair: Claude Moraes (S&D, UK)
Procedure: co-decision (first reading), mandate for negotiations