Accesso directo à navegação principal (Premir "enter")
Acesso aos conteúdos da página (clicar sobre "Entrar")
Accesso directo a lista de outros sítios Web (Premir "enter")

EU Passenger Name Record (PNR) directive: an overview

Justice and home affairs01-06-2016 - 15:48
 

The provisional deal reached by Parliament and Council negotiators on 2 December 2015 on an EU directive regulating the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was approved by plenary on 14 April 2016 by 461 votes to 179, with 9 abstentions. The text was approved by the Council of the EU on 21 April.


Once published in the EU Official Journal of the EU, member states will have two years to transpose the legislation into their national laws.


The EU PNR directive will oblige airlines to hand EU countries their passengers' data in order to help the authorities to fight terrorism and serious crime. It would require more systematic collection, use and retention of PNR data on air passengers, and would therefore have an impact on the rights to privacy and data protection.


MEPs sought to ensure, in three-way talks ("trilogues") with the Council and Commission, that the draft law complies with the proportionality principle and includes strict personal data protection safeguards.


In this background note you will find information on what happened in the Civil Liberties Committee since this proposal came to Parliament.

REF. : 20150123BKG12902
Updated: ( 14-06-2016 - 17:33)
 
 

What are PNR data?

Passenger Name Record (PNR) data is information provided by passengers and collected by air carriers during reservation and check-in procedures. Non-carrier economic operators, such as travel agencies and tour operators, sell package tours making use of charter flights for which they also collect and process PNR data from their customers.


PNR data include several different types of information, such as travel dates, travel itinerary, ticket information, contact details, baggage information and payment information.


The assessment of PNR data would enable to identify persons who were previously unsuspected of involvement in terrorism or in serious crime before an analysis of that data suggests that they may be involved in such crime, and who could therefore be subject to further examination by the competent authorities.


EU-level measures such as the directive on Advance Passenger Information (API), the Schengen Information System (SIS) and the second-generation Schengen Information System (SIS II) do not enable law enforcement authorities to identify “unknown” suspects in the way that an analysis of PNR data does.

 
 

What is the PNR situation in the EU today?

The use of PNR data is not currently regulated at EU level. Some member states already have a PNR system (e.g. the UK), while others have either enacted legislation or are currently testing PNR data systems. Most EU countries use PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime in a non-systematic way or under general powers granted to the police or other national authorities.


The proposal aims to harmonise member states’ provisions on the collection and processing of PNR data. Once approved, member states would have two years to transpose the directive into their national laws.


PNR systems in member states and EU funding

In 2011, when the EU PNR directive was proposed by the Commission, only the UK had a fully-fledged PNR data collection system. In 2012, while the draft law was still under examination by the European Parliament, the Commission launched a call for proposals aiming to establish Passenger Information Units (PIUs) in the member states, under its 2007-2013 programme "Prevention of and Fight against Crime".


In 2013, a total of €50 million, made available by the Commission, was distributed among 14 EU countries which presented projects for developing their national PNR schemes.


 
 

How would the proposed PNR system work?

Under the Commission proposal, air carriers operating flights between a third country and the territory of at least one EU member state would be obliged to send PNR data to the competent authorities of that member state.


Carriers would send this data by the so-called “push” method, meaning that member states would not have direct access to the carriers’ IT systems.


PNR data would be sent by air carriers to a single designated unit – the "Passenger Information Unit" (PIU) - of the member state in which the international flight arrives or from which it departs.


The PIU would be responsible for collecting PNR data, storing them, analysing them and supplying the results of the analysis to the competent authorities (each member state would have to approve a list of the competent authorities entitled to request or receive PNR data or the result of the processing of PNR data from the PIU). An independent national supervisory authority would be responsible for advising and monitoring how PNR data are processed.


Member states would share alerts created from the processing of PNR data where necessary for the prevention, detection, investigation and prosecution of terrorist offences or serious crime (e.g. human trafficking, drug trafficking, or child pornography). Member states would also have the right to request PNR data from another member state in support of a specific investigation.


The collection and use of sensitive data directly or indirectly revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life, would be prohibited.


The Commission proposal would allow PNR data to be retained for 5 years and 30 days.

 
 

What happened in Parliament on EU PNR from 2011 to early 2015?

The EU PNR proposal, presented by the Commission in February 2011, comes under the "co-decision procedure" (first reading), whereby the European Parliament and the EU Council of Ministers legislate on an equal footing.

Rejection in committee

The 2011 draft directive was rejected by the Civil Liberties Committee in April 2013 by 30 votes to 25. The issues that the committee debated were, inter alia, the necessity and proportionality of the proposal, its scope as regards offences and as regards international and intra-EU flights, the data retention period, centralised v. decentralised system, obligatory v. facultative system, etc.


MEPs voting against in committee questioned the proportionality of the proposed EU scheme for the collection, use and retention of airline passengers' data (irrespective of whether or not they are suspects) and its compliance with fundamental rights, especially data protection, while those voting in favour highlighted its potential added value for EU counter-terrorism policy, underlining that a EU framework would be better than a patchwork of differing national systems.


In June 2013, Parliament decided in plenary session to refer the matter back to the Civil Liberties Committee, for it to continue its work in search of an agreement.

EU PNR back under the spotlight


Debate on the proposal gained momentum due to concerns over possible threats to the EU's internal security posed by Europeans returning home after fighting abroad for terrorist groups. On 30 August 2014, the European Council called on Parliament and the Council of Ministers to finalise work on the EU PNR proposal. In the aftermath of the January 2015 terrorist attacks in Paris, this proposal again came under the spotlight.


The Civil Liberties Committee debated the EU PNR proposal again on 11 November 2014. MEPs were still divided on the issue, but most stressed the need to assess the EU Court of Justice (ECJ) ruling annulling the data retention directive, to assess whether existing measures suffice before taking new ones and to put in place adequate data protection safeguards.


"We must put in place our own EU rules and standards (...) as soon as possible", to prevent criminals exploiting gaps in the EU, said the Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK). "Threats to EU security are much greater than they were one year ago" [when the Civil Liberties Committee rejected the Commission proposal], he stressed, adding that he would pursue work on the EU PNR.

European Parliament resolutions on anti-terrorism and on security and on preventing radicalisation


On 11 February 2015, the European Parliament passed a resolution on anti-terrorism measures in which it:

"Commits itself to work towards the finalisation of an EU PNR Directive by the end of the year; therefore urges the Commission to set out the consequences of the ECJ judgment on the Data Retention Directive and its possible impact on the EU PNR Directive; encourages the Council to make progress on the Data Protection package so that trilogues on both – EU PNR Directive and Data Protection Package – could take place in parallel.

Encourages the Commission to invite independent experts from the law enforcement, security and intelligence communities and representatives of Working Party 29 to contribute views and principles, in light of security needs, regarding the necessity and proportionality of the PNR".


This position was reiterated in a resolution on the European Agenda on Security voted on 9 July 2015, in which it:

"Acknowledges the Commission’s urgent call to finalise the work on the adoption of the EU PNR Directive; reiterates its commitment to work towards its finalisation by the end of the year; stresses that the PNR Directive should respect fundamental rights and data protection standards, including the relevant case law of the Court of Justice, while providing an efficient tool at EU level; calls on the Commission to continue to support this process by providing any relevant additional elements for the necessity and proportionality of an EU PNR Directive; asks that any future proposal creating new tools in the field of security, such as PNR, systematically includes mechanisms for the exchange of information and cooperation between Member States".

On 25 November 2015 (after the 13 November Paris terrorist attacks), Parliament voted a resolution on the prevention of radicalisation and recruitment of European citizens by terrorist organisations in which it:

"Reiterates its commitment to work towards the finalisation of an EU directive on passenger name records (PNR) by the end of 2015 and to guarantee that such a directive will be compliant with fundamental rights and free from any discriminatory practices based on ideological, religious or ethnic stigmatisation, and will fully respect the data protection rights of EU citizens; recalls, however, that the EU PNR directive will be just one measure in the fight against terrorism, and that a holistic, ambitious and comprehensive strategy on counterterrorism and the fight against organised crime, involving foreign policy, social policy, education policy, law enforcement and justice, is required to prevent the recruitment of European citizens by terrorist organisations".

Negotiations on the data protection reform and on EU PNR


The data protection reform package consists of two draft laws: a general regulation covering the bulk of personal data processing in the EU and a directive on processing data to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties.


The three-way talks between Parliament, Council and Commission negotiators (“trilogues”) on the data protection regulation started on 24 June 2015, after the Council agreed its general approach on 15 June. The trilogues on the data protection directive kicked-off on 27 October 2015 (Council's general approach was reached on 9 October).


On the EU PNR, the Council agreed its general approach on 26 April 2012. The European Parliament's Civil Liberties Committee approved the mandate to start negotiations with the Council on 15 July 2015 and the trilogues started on 24 September 2015.






 
 

What were the changes put forward in the revised draft report presented in February 2015?

A new draft text on an EU system for the use of Passenger Name Record (PNR) data, tabled by lead MEP Timothy Kirkhope (ECR, UK), was discussed in the Civil Liberties Committee on 26 February 2015.


An evaluation of the necessity and proportionality of the proposal in the face of current security threats, its scope (list of offences covered and the inclusion or exclusion of intra-EU flights), retention periods, the connection with the on-going data protection reform, as well as the consequences of the EU Court of Justice judgement annulling the 2006 data retention directive, were among the issues discussed by MEPs.


The 2011 Commission proposal would require more systematic collection, use and retention of PNR data on passengers taking “international” flights (those entering the EU from, or leaving it for, a third country), and would therefore have an impact on the rights to privacy and data protection.


The changes proposed by Timothy Kirkhope in the revised draft report include:


  • the scope of the proposal is narrowed to cover terror offences and serious "transnational" crime (the list of specific offences includes, for instance, trafficking in human beings, child pornography, trafficking in weapons, munitions and explosives),
  • sensitive data to be permanently deleted no later than 30 days from the last receipt of PNR containing such data by competent authorities. Other data will continue to be masked after 30 days,
  • the inclusion of intra-EU flights (not initially included by the Commission, but the Council of the European Union favours the inclusion of internal EU flights),
  • 100% coverage of flights (the Commission text proposed to reach 100% coverage of international flights in gradual steps),
  • access to the PNR data continues to be allowed for five years for terrorism, but is reduced to four years for serious crime,
  • each EU member state should appoint a data protection supervisory officer,
  • persons who operate security controls, who access and analyse the PNR data, and operate the data logs, must be security cleared, and security trained,
  • references are made in the text to the EU Court of Justice judgment on data retention and to the current EU data protection rules, and
  • the period for member states to transpose the directive is extended from two to three years (given the specific technological and structural demands of setting up an EU PNR system for each member state). 

The wrap-up of the live Twitter coverage of the debate @EP_Justice is available here.


The deadline for MEPs to table amendments to Mr Kirkhope's text was18.00 on 1 April.

 
 

How many amendments have been tabled in Parliament?


These amendments touch on a wide range of issues, such as which flights should be included or excluded, the data retention period, several data protection provisions, clearer rules on how data should be processed and by whom, etc. Some amendments would reject the Commission proposal, and others would change it from a directive to a regulation.


The debate on the amendments took place in the Civil Liberties Committee on 4 June 2015.

 
 

What was the outcome of the vote in the Civil Liberties Committee?

The vote in the Civil Liberties Committee took place on 15 July 2015. The amended rules were approved by 32 votes to 27. The mandate to open negotiations with the EU Council of Ministers was approved by 36 votes to 14, with 8 abstentions. The result of the roll-call vote in the committee – MEPs voting in favour and against -  is available here.


Only flights to and from the EU


The PNR rules would apply to air carriers and non-carriers such as travel agencies and tour operators operating "international flights", i.e. those to or from the EU, according to the committee amendments. They would not apply to “intra-EU” flights between EU member states.

Offences covered


Under the amended rules, PNR data could be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime". The list approved by MEPs includes, for example, trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime.

Data protection safeguards


The application of these rules "must be duly justified and the necessary safeguards must be in place in order to ensure the lawfulness of any storage, analysis, transfer and use of PNR data", says the approved text.


Safeguards inserted by MEPs include the following requirements:


  • member states' "Passenger Information Units" (PIUs) would be entitled to process PNR data only for limited purposes, such as identifying a passenger who may be involved in a terrorist offence or serious transnational crime and who requires further examination,
  • PIUs would have to appoint a data protection officer to monitor data processing and safeguards and act as a single contact point for passengers with PNR data concerns,
  • all processing of PNR data would have to be logged or documented,
  • passengers would have to be clearly and precisely informed about the collection of PNR data and their rights, and
  • stricter conditions would govern any transfer of data to third countries.

Data protection provisions prohibiting the use of sensitive data or the transfer of PNR data to private parties were also backed by MEPs.

Data retention period


PNR data transferred by air carriers and non-carriers would be retained in the national PIU for an initial period of 30 days, after which all data elements which could serve to identify a passenger would have to be "masked out", and then for up to five years.


The "masked out" data would be accessible only to a limited number of PIU staff, with security training and clearance, for up to four years in serious transnational crime cases and five years for terrorism ones.


After the five years, PNR data would have to be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the member state concerned).

Step up information-sharing among member states


MEPs inserted new provisions requiring member states to share PNR data with each other and with Europol and stipulating conditions for doing so. EU countries should use Europol's Secure Information Exchange Network Application (SIENA) system to share PNR data. A one-stop shop could be created to register and pass on requests for information exchanges, MEPs suggest.

Next steps

This vote gave the rapporteur a mandate to start negotiations with the EU Council of Ministers to agree on the draft directive. The three-way talks between Parliament, Council and Commission negotiators (“trilogues”) started in September.


"Without this EU system in place a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called 'foreign fighters' has made this system even more essential", said Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK).


"PNR is not a ‘silver bullet’ but it can be an invaluable weapon in the armoury. We will now open talks with national governments with a view to reaching a final agreement before the end of the year", he added.



 
 

When did the trilogues take place?

The European Parliament's Civil Liberties Committee approved the mandate to start negotiations with the Council on 15 July 2015 and the trilogues (three-way talks between Parliament, Council and Commission negotiators) started on 24 September 2015.


Dates of the trilogues

1st trilogue: 24 September

2nd trilogue: 29 September

3rd trilogue: 9 November

4th trilogue: 17 November

5th trilogue: 2 December


 
 

What was agreed by Parliament and Council negotiators and endorsed by the committee?

The provisional deal reached by Parliament and Council negotiators on 2 December 2015 on an EU directive regulating the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was endorsed by the Civil Liberties, Justice and Home Affairs Committee on 10 December 2015 by 38 votes to 19, with 2 abstentions. The result of the roll-call vote in the committee – MEPs voting in favour and against - is available here.


The draft directive will be put to a vote by Parliament as a whole early next year (2016).


"We cannot wait any longer to put this system in place. (...) The choice is not between an EU PNR system and no EU PNR system; it is between an EU PNR system and 28 national PNR systems that will have vastly differing, or absent, standards for protecting passenger data", said Parliament's Civil Liberties Committee lead negotiator on the EU PNR proposal, Timothy Kirkhope (ECR, UK).


MEPs sought to ensure, in three-way talks ("trilogues") with the Council and Commission, that the draft law complies with the proportionality principle and includes strict personal data protection safeguards.

Flights included in the scope


The agreed directive will provide for the transfer by air carriers to EU member states' "Passenger Information Units" (PIUs) of PNR data of passengers of "extra-EU flights" (i.e. from a third country to an EU member state or vice-versa). It will allow, but not oblige, member states to apply its provisions also to "intra-EU flights" (i.e. from an EU member state to one or more of the other). If a member state wishes to apply this directive to intra-EU flights, "it shall give notice in writing to the Commission to that end", says the text.


Non-carrier economic operators, such as travel agencies and tour operators which provide travel-related services including booking flights, for which they collect and process PNR data, are not included in the directive’s scope, but it does allow member states to provide, under their domestic law, for a system for collecting and processing PNR data from these operators.


The PNR data may be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and serious crime". A single list of offences has been agreed upon, including, for example, trafficking in human beings, participation in a criminal organisation, cybercrime, child pornography, and trafficking in weapons, munitions and explosives.

Data retention and "masking out"


The PNR data provided by the air carriers to the national PIUs is to be retained for a period of five years. For the first six months, the data will be "unmasked", i.e. will include personal identifying information. The data will then have to be "masked out" for the remaining four and a half years.


Depersonalising data through "masking out" means rendering certain data elements of such data invisible to a user, such as name(s), including the names of other passengers on PNR and number of travellers on PNR travelling together, address and contact information, etc. (i.e. data elements which could serve to directly identify the passenger to whom the PNR data relate).


At the insistence of the Parliament's lead negotiator, the initial storage period during which the PNR data are not "masked out" is six months (the Council's general approach sought to prolong the first period during which the data are fully accessible to two years, from the 30 days in the initial Commission proposal presented in 2011).

Extra data protection safeguards


Data protection safeguards inserted by MEPs during the negotiations include:

  • an obligation for national PIUs to appoint a data protection officer responsible for monitoring the processing of PNR data and implementing the related safeguards, and to act as a single point of contact on all issues relating to the processing of the passengers' PNR data,
  • duties and powers for the national supervisory authority, which will be in charge of checking the lawfulness of the data processing and conduct investigations, and
  • access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period.

All processing of PNR data should be logged or documented, and passengers should be clearly and precisely informed about the collection of PNR data and their rights.

Review clause


At MEPs’ request, the agreed text requires the Commission to carry out a review of the EU PNR directive two years after its transposition into national laws. It must pay special attention to compliance with personal data protection standards, the necessity and proportionality of collecting and processing PNR data for each of the stated purposes, the length of the data retention period, and also "the effectiveness of the sharing of data between the member states". The necessity of introducing non-carrier economic operators within the scope of the directive should also be looked at during the review process, says the agreed text.

In the light of this review, a proposal to amend the EU PNR directive could be presented.


Next steps


The draft directive is to be put to a vote by Parliament as a whole early in 2016 and then formally approved by the EU Council of Ministers. Member states will have to transpose the EU PNR directive into their national laws at the latest two years after its entry into force.

The UK and Ireland have opted in to this directive, while Denmark has a "blanket" opt-out for justice and home affairs legislation.

 
 

Who are the rapporteur and shadow rapporteurs from the political groups?

Rapporteur on the EU PNR proposal


Timothy Kirkhope (ECR, UK) - Contacts: +32(0)2 28 45321 / +33(0)3 88 1 75321

Shadow rapporteurs from the political groups


Axel Voss (EPP, DE) - Contacts: +32(0)2 28 45302 / +33(0)3 88 1 75302


Birgit Sippel (S&D, DE) - Contacts: +32(0)2 28 45559 / +33(0)3 88 1 75559


Sophie in 't Veld (ALDE, NL) - Contacts: +32(0)2 28 45796 / +33(0)3 88 1 75796


Cornelia Ernst (GUE/NGL, DE) - Contacts: +32(0)2 28 45660 / +33(0)3 88 1 75660


Jan Philipp Albrecht (Greens/EFA, DE) - Contacts: +32(0)2 28 45060 / +33(0)3 88 1 75060


Kristina Winberg (EFDD, SE) - Contacts: +32(0)2 28 45172 / +33(0)3 88 1 75172

 




 
 

What about PNR agreements with third countries?

Agreements for the transfer of PNR data have been concluded between the EU and the USA, Canada and Australia. Another PNR deal is currently being negotiated with Mexico. The European Parliament gives its "consent" to these agreements (it can approve or reject them as a whole, but not amend them).

The EU PNR proposal is for a directive and the co-decision procedure applies, meaning that MEPs can table amendments to the Commission proposal and negotiate the text with the Council and the Commission (in "trilogues") before the text becomes law.

EU-US: the agreement entered into force on 1 July 2012, replacing a previous one dating from 2007. The European Parliament gave its consent in April 2012. Press release

EU-Australia: The European Parliament gave its consent in October 2011. Press release

EU-Canada: Parliament referred the agreement to the EU Court of Justice (ECJ) in November 2014 for an opinion on whether it is in line with the EU Treaties and Charter of Fundamental Rights. Parliament’s final vote of consent will be adjourned until the ECJ has delivered its opinion. A previous EU-Canada PNR agreement from 2006 remains in force until a new one can replace it. Thus the delay caused by seeking the Court's opinion does not result in any security gap. Press release

On 14 July 2015, negotiations for an EU-Mexico PNR data transfer deal were formally launched (the Council has given a mandate to the Commission on 23 June 2015). The plans have been debated in plenary on 15 April 2015 and in the Civil Liberties Committee on 4 June 2015. Any draft PNR agreement with Mexico will need to take into account the content of the ECJ opinion on the EU-Canada PNR deal. Once concluded, it could enter into force only with the European Parliament’s consent.

 
 
   
Contacts