Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

European Union: Draft Directive on Collection and Transfer of Air Passenger Record Data

(Dec. 23, 2015) In the wake of the recent terrorist attacks in France, the issue of the collection of passenger name record (PNR) data from airlines and the transfer of that data to the appropriate national authorities of the Member States of the European Union has been revisited with a renewed sense of urgency. On December 4, 2015, the Council of the European Union moved swiftly to endorse a proposal for a PNR directive that had initially been put forward by the Commission in 2011, but that due to privacy concerns raised by the European Parliament had not been approved. (Press Release, Council of the EU, EU Passenger Name Record (PNR) Directive: Council Confirms Agreement Found with EP, European Council/Council of the European Union website (Dec. 4, 2015).) Following the Council’s approval, on December 10, 2015, the draft directive was informally approved by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee.  The Parliament, meeting in a plenary session, is expected to vote on the measure in early 2016. (Id.)

The proposed directive aims to harmonize the different PNR systems that already exist in several EU Member States. PNR data are passenger information collected by airlines during reservations and check-in procedures. The data are subsequently transferred to domestic authorities in order to prevent, detect, investigate, and prosecute terrorist offenses and serious crimes. These offenses include trafficking in human beings; participation in a criminal organization; cybercrime; child pornography; and trafficking in weapons, munitions, and explosives. The directive will require air carriers to provide to Member States’ authorities the PNR data for flights entering or departing from the EU. Member States will have the option to make this measure mandatory for intra-EU flights. Each Member State will be required to establish a Passenger Information Unit (PIU) to receive the PNR data from the air carriers. Once the directive is adopted, the Member States will have about two years to transpose it into their respective legal systems. (Regulating the Use of Passenger Name Record (PNR) Data, European Council/Council of the European Union website (last reviewed Dec. 10, 2015).)

The proposed directive contains a number of safeguards to ensure that personal data are handled in compliance with EU privacy rules. For example, it prohibits the collection and use of sensitive data, that is, data related to a person’s race, religion, ethnic origin, or political beliefs. The proposal allows the retention of “unmasked data,” that is, data that reveals the person’s identity, for a period of 30 days in the database of the national PIU; after that period, the data can be retained for a period of five years, but the names, addresses, and contact information have to be masked. In the case of a specific threat of a terrorism event or other serious crime, other PIUs must have access to masked data, even after the 30-day period. The Parliament argued that the initial retention period of unmasked data should be prolonged to a period of six months, while the Council proposed that the total period of retention of unmasked data should be two years. (EU Passenger Name Record (PNR) Proposal: An Overview, EUROPEAN PARLIAMENT NEWS (Dec. 12, 2015).)

The European Parliament also added the following safeguards: (a) national PIUs are required to appoint a data protection officer responsible for monitoring the processing of PNR data and implementing the related safeguards; (b) the national supervisory authority must have the power to ensure the lawfulness of the data processing and the power to conduct investigations; and (c) access to the full PNR data, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period. (Id.)

EU Members must notify the passengers that their personal air flight data are collected and apprise them of their rights. Member States may transfer PNR data to third countries only in very limited circumstances and on a case-by-case basis. (Regulating the Use of Passenger Name Record (PNR) Data, supra. )

Britain, being the first EU country to establish a PNR collections system, as part of its eBorders program, has been an ardent supporter of the proposal on tracking PNR. It therefore welcomed the vote as an “important step” in combatting terrorism. (EU Lawmakers Back Air Passenger Data Deal, EURACTIV (updated Dec. 11, 2015).)

The European Data Protection Supervisor, in its second opinion adopted in September 2015, expressed its concern as to whether the proposed directive meets the criteria of necessity and proportionality, as established by the Court of Justice of the EU. (European Data Protection Supervisor, Opinion 5/2015, Second Opinion on the Proposal for a Directive of the European Parliament and of the Council on the Use of Passenger Name Record Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime (Sept. 24, 2015) EUROPA.)