On 14 April 2016, the European Parliament approved a joint system for police and justice officials to access airline passenger data on all flights to and from the EU. The Directive endorses the use of passenger name records (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

For flights entering or departing from the EU, air carriers will have to provide the PNR data to EU Member States’ authorities. Beyond this basic obligation, Member States will also be allowed to collect PNR data on selected intra-EU flights, provided that they notify the Commission. They may also choose to collect and process PNR data from travel agencies and tour operators who manage flight bookings.

“Passenger Information Units” (PIUs) will be set up in each Member State to collect, store and process data. The information will be retained for five years, but after six months, the data will be stripped of the elements that may lead to the identification of individuals, such as name, address and contact details.

The decision has been welcomed by the European Commission, calling it a “strong expression of Europe’s commitment to fight terrorism and organised crime”.

“We have adopted an important new tool for fighting terrorists and traffickers. By collecting, sharing and analysing PNR information our intelligence agencies can detect patterns of suspicious behaviour to be followed up. PNR is not a silver bullet, but countries that have national PNR systems have shown time and again that it is highly effective”, said Parliament’s rapporteur for the proposal, Timothy Kirkhope (ECR, UK).

“There were understandable concerns about the collection and storage of people’s data, but I believe that the directive puts in place data safeguards, as well as proving that the law is proportionate to the risks we face. EU governments must now get on with implementing this agreement”, Mr Kirkhope added.

The data protection safeguards include the following:

  • national PIUs will have to appoint a data protection officer responsible for monitoring the processing of PNR data and implementing the related safeguards;
  • access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period;
  • all processing of PNR data should be logged or documented; and
  • an explicit prohibition on processing personal data revealing a person´s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

Now that the European Parliament has endorsed the agreed text at first reading, the Council will formally adopt the Directive at an upcoming Council meeting. It will be published in the Official Journal and member states will have two years to transpose it into their national laws.