Brussels, 10 December 2015 – EU institutions were busy focusing on aviation last week. Just days after EU commissioner for transport, Violet Bulc, launched the Commission’s Aviation Package, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee endorsed the draft Passenger Name Record (PNR) Directive. This paves the way for a European Parliament vote on the draft text of the Directive, which is anticipated in early 2016. If the Directive passes, the EU Council of Ministers will formally approve it and Member States will then have two years in which to implement it. The UK and Ireland have opted in to the Directive.
The Directive will enable the use of data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and will oblige airlines operating between Member States and third countries to transfer more extensive PNR data, which includes payment information, to national Passenger Information Units (PIUs). Although mandatory for ‘extra-EU’ flights, the Directive permits Member States to apply the same rules to flights within the EU, provided they notify the Commission of their intention to do so. This question will no doubt be hotly debated as domestic law is drafted, transposing the Directive into national legal frameworks. If not all Member States include intra-EU flights then it will be interesting to see whether the overall objective of aligning PNR data transfer within the EU becomes somewhat undermined. That remains to be seen, but the programme has certainly received some public impetus since the tragic events of Paris in November. Tour operators and travel agencies who book flights are outside the scope of the Directive, but Member States will be able to legislate to extend the requirements to the travel industry at large.
Data protection safeguards will be critical. Processing is strictly limited to the prevention and detection of crime (particularly human trafficking, child pornography, organised crime and weapons trafficking) and, although PNR data may be held for up to five years, PIUs must ‘mask out’, or depersonalise, the data after six months. This is longer than the initial 30-day period that the Commission proposed, but shorter than the Council’s proposed two-year ‘unmasked’ period. PIUs must also have a data protection compliance officer and national data protection enforcement bodies will have oversight powers.
As with all fair and lawful processing of personal data, passengers will need to be informed of their rights. Airline booking terms and conditions, internal systems and processes will eventually need to be revisited to ensure compliance and this is likely to flow down to the wider travel industry, especially in the UK.