Council adopts EU Passenger Name Record (PNR) directive

On 21 April 2016 the Council adopted a directive on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The directive aims to regulate the transfer from the airlines to the member states of PNR data of passengers of international flights, as well as the processing of this data by the competent authorities. The directive establishes that PNR data collected may only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under the new directive, air carriers will be obliged to provide member states' authorities with the PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PNR data concerning selected intra-EU flights. However, considering the current security situation in Europe, all member states declared that by the date of transposition of the directive they will make full use of the possibility provided for by Article 2 to include also selected intra-EU flights. Each member state will also be required to set up a so-called Passenger Information Unit, which will receive the PNR data from the air carriers. The new rules create an EU standard for the use of such data and include provisions on: the purposes for which PNR data can be processed in the context of law enforcement (pre-arrival assessment of passengers against pre-determined risk criteria or in order to identify specific persons; the use in specific investigations/prosecutions; input in the development of risk assessment criteria); the exchange of such data between the member states and between member states and third countries; storage (data will initially be stored for 6 months, after which they will be masked out and stored for another period of four years and a half, with a strict procedure to access the full data); common protocols and data formats for transferring the PNR data from the air carriers to the Passenger Information Units; and strong safeguards as regards protection of privacy and personal data, including the role of national supervisory authorities and the mandatory appointment of a data protection officer in each Passenger Information Unit.