The European Commission has proposed a Passenger Name Record Directive that would require airlines to provide EU Member States with data on passengers arriving from, or departing to, countries outside the EU. Under the proposal, copies of such PNR data held on an airline’s reservation system would be transferred to a dedicated “Passenger Information Unit” in the Member State of arrival or departure, for the purpose of fighting serious crime and terrorism. The Passenger Information Unit would be an authority (or a branch of an authority) with responsibility for preventing, detecting, investigating or prosecuting such offences. The Directive would also require the Commission to undertake a study on applying these PNR transfer requirements to internal EU flights.
PNR is defined to mean “a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers.” According to the Commission, this would include data already collected by airlines for their own commercial purposes such as travel dates, itinerary, ticket information, contact details, means of payment and baggage information. The Commission says that airlines would not be required to retain additional data under the Directive. Transfer of “sensitive data” such as information revealing a traveler’s religious beliefs or political views would be prohibited.
The proposal could, however, face a tough review from the European Parliament, where arrangements to transfer PNR and financial data to the US have come under criticism on privacy grounds. The European Data Protection Supervisor has also questioned the consistency of such PNR transfer requirements with individuals’ data protection rights, in particular the principle of proportionality.
The Commission maintains that access to PNR data is critical for combating serious crime and terrorism. The Commission also notes that several Member States already have or are implementing PNR transfer requirements. The Directive, the Commission says, will ensure a harmonized approach.
It is expected to take two years for a final agreement on the proposal to be reached with the Parliament and the Council, which represents Member States.