Draft EU rules on sharing and protecting the Passenger Name Record (PNR) data of people flying to or from the EU, and its use by member states and Europol to fight terrorism and serious transnational crime, were approved by the Civil Liberties Committee last week.
PNR data is information provided by passengers and collected by air carriers during reservation and check-in procedures, and must only be used to prevent, detect, investigate and prosecute these crimes, said MEPs, inserting safeguards to ensure “the lawfulness of any storage, analysis, transfer and use of PNR data”.
“Without this EU system in place a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called ‘foreign fighters’ has made this system even more essential”, said Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK).
“PNR is not a ‘silver bullet’ but it can be an invaluable weapon in the armoury. We will now open talks with national governments with a view to reaching a final agreement before the end of the year”, he added.
The new PNR rules cover only flights to and from the EU and would apply to air carriers and non-carriers such as travel agencies and tour operators operating “international flights”, i.e. those to or from the EU; not “intra-EU” flights between EU member states.
Under the amended rules, PNR data could be processed “only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime”. The list approved by MEPs includes, for example, trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime.
Data protection safeguards
Safeguards inserted by MEPs include the following requirements:
- Member states’ “Passenger Information Units” (PIUs) would be entitled to process PNR data only for limited purposes, such as identifying a passenger who may be involved in a terrorist offence or serious transnational crime and who requires further examination,
- PIUs would have to appoint a data protection officer to monitor data processing and safeguards and act as a single contact point for passengers with PNR data concerns,
- All processing of PNR data would have to be logged or documented,
- Passengers would have to be clearly and precisely informed about the collection of PNR data and their rights,
- Stricter conditions would govern any transfer of data to third countries.
Data protection provisions prohibiting the use of sensitive data or the transfer of PNR data to private parties were also backed by MEPs,
Data retention period
PNR data transferred by air carriers and non-carriers would be retained in the national PIU for an initial period of 30 days, after which all data elements which could serve to identify a passenger would have to be “masked out”, and then for up to five years.
The “masked out” data would be accessible only to a limited number of PIU staff, with security training and clearance, for up to four years in serious transnational crime cases and five years for terrorism ones.
After the five years, PNR data would have to be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the member state concerned).