The new directive regulating the use of Passenger Name Record (PNR) data in the EU for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was approved by Parliament on Thursday. It will oblige airlines to hand national authorities passengers' data for all flights from third countries to the EU and vice versa.
“We have adopted an important new tool for fighting terrorists and traffickers. By collecting, sharing and analysing PNR information our intelligence agencies can detect patterns of suspicious behaviour to be followed up. PNR is not a silver bullet, but countries that have national PNR systems have shown time and again that it is highly effective”, said Parliament's rapporteur for the proposal, Timothy Kirkhope (ECR, UK).
“There were understandable concerns about the collection and storage of people's data, but I believe that the directive puts in place data safeguards, as well as proving that the law is proportionate to the risks we face. EU governments must now get on with implementing this agreement”, Mr Kirkhope added.
The text was approved by 461 votes to 179, with 9 abstentions.
Member states will have to set up "Passenger Information Units" (PIUs) to manage the PNR data collected by air carriers. This information will have to be retained for a period of five years, but after six months, the data will be “masked out”, i.e., stripped of the elements, such as name, address and contact details, that may lead to the identification of individuals. PIUs will be responsible for collecting, storing and processing PNR data, for transferring them to the competent authorities and for exchanging them with the PIUs of other member states and with Europol. The directive states that such transfers shall only be made “on a case-by-case basis” and exclusively for the specific purposes of “preventing, detecting, investigating or prosecuting terrorist offences or serious crime”.
The directive is to apply to “extra-EU flights”, but member states could also extend it to “intra-EU” ones (i.e. from an EU country to one or more other EU countries), provided that they notify the EU Commission. EU countries may also choose to collect and process PNR data from travel agencies and tour operators (non-carrier economic operators), since they also manage flight bookings.
Data protection safeguards
- National PIUs will have to appoint a data protection officer responsible for monitoring the processing of PNR data and implementing the related safeguards.
- Access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period.
- All processing of PNR data should be logged or documented.
- Explicit prohibition of processing personal data revealing a person's race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.
The EU Commission will have to carry out a revision of the EU PNR directive two years after its transposition into national laws. It must pay special attention to compliance with personal data protection standards, the necessity and proportionality of collecting and processing PNR data for each of the stated purposes, the length of the data retention period, and also "the effectiveness of the sharing of data between the member states".
Following Parliament's approval, the proposal now needs to be formally approved by the Council. Once it is published in the Official Journal of the EU, member states will have two years to transpose it into their national laws.