EU passenger name record (European PNR)

In “Civil Liberties, Justice and Home Affairs - LIBE”

PDF version

After almost five years of negotiation, the co-legislators adopted the directive on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime on 27 April 2016.

The aim of the directive, proposed by the European Commission in 2011, was to enhance EU’ internal security and to harmonise national laws by setting-up an EU system to collect flight passenger data. Consequently, all air carriers flying on routes covered by the directive have to provide PNR data to Member States’ law enforcement authorities.

The draft directive was initially rejected by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) in April 2013, over privacy concerns. Members of the EP questioned the necessity and proportionality of the proposed EU scheme, and the length of the data retention period. Furthermore, following the annulment of the data retention directive by the European Court of Justice, the EP stressed the need to assess the Court of Justice’s ruling before taking any new steps. On the grounds of privacy concerns, the Parliament also referred the EU Canada PNR agreement to the European Court of Justice.

However, the proposal has gained momentum following the terror attacks on European soil, as well as concerns over threats to the EU’s internal security posed by Europeans returning home after fighting in conflict zones for terrorist purposes. Convinced of the EU PNR’s potential added value for EU counter-terrorism policy, the European Council several times called on Parliament to swiftly adopt its position on the issue and to finalise work with the Council.

In a resolution on anti-terrorism measures adopted on 11 February 2015, the Parliament committed itself to work towards the finalisation of an EU PNR directive by the end of 2015. At the same time, it encouraged the Council to make progress on the data protection package, in order for the trilogues on both the EU PNR directive and data protection package to take place in parallel. In further resolutions on the European agenda on security (9 July 2015) and on the prevention of radicalisation (25 November 2015), the Parliament reiterated its commitment but also stressed that the PNR directive should comply with fundamental rights and data protection standards and be free from any discriminatory practices. The necessity to include mechanisms for the exchange of information and cooperation between Member States in any new security tools, such as the PNR, was also emphasised.

A revised European Parliament report was presented to the LIBE Committee in February 2015. More than 800 amendments were introduced and views on the proposal remained quite divergent as regards, in particular, privacy, necessity and proportionality issues.

After several debates, the LIBE Committee adopted a final report in July 2015.

In its report, the LIBE Committee adopted the following recommendations:

  • only non-EU flights should be covered by the directive;
  • the use of PNR should only be justified for a narrow list of serious crimes, such as trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime, as well as terrorist offences;
  • the directive should include strong data protection safeguards, including an obligation to appoint a data protection officer in each Passenger Information Unit (PIU), prohibition to use sensitive data, stricter conditions for transfer of data to third countries and obligation to inform passengers about collection of their data and their rights;
  • the data retention period would be of 30 days and then up to five years in ‘masked out’ form;
  • PNR data should be shared between Member States and with Europol, with a possibility to create a ‘one-stop shop’ for information exchange.

During the trilogue negotiations which followed, the EP negotiators sought to ensure that strict personal data protection safeguards were included and that the draft complied with the proportionality principle.

The Parliament and the Council agreed on a compromise text in December 2015. Most EP recommendations, namely on data protection safeguards, were taken into account. The issue of the data retention period was one of the most controversial aspects, with the Council wishing to keep ‘unmasked’ data for two years. The EP managed to strike a compromise on a retention period of six months. Member States were also to be allowed (but not obliged) to include intra-EU flights. Moreover, the Parliament insisted on including a review clause into the agreed text: the Commission will have to carry out a review of the EU PNR directive two years after its transposition into national laws and could present a proposal to amend it. The Directive was finally adopted in early April 2016.

Directive (EU) 2016/681 of 27 April 2016 was published in the Official Journal on 4 May 2016. Member States have two years to transpose the directive.

References:

Further reading:

Author: Sofija Voronova, Piotr Bąkowski, Members' Research Service, legislative-train@europarl.europa.eu

As of 20/01/2023.