Passenger Data

Passenger name record (PNR)

Passenger name necord data is unverified information provided by passengers and collected by air carriers to enable the reservation and check-in processes. The data is used by the air carriers for their own commercial and operational purposes, to manage their air transportation services.

What kind of information is contained in passenger name record?

The content of PNR data varies depending on the information given by the passenger and may include, for example:

dates of travel and travel itinerary,
ticket information,
contact details like address and phone number,
travel agent,
payment information,
seat number and baggage information.

Why is this useful?

The analysis of PNR data can provide the authorities with important elements from a criminal intelligence point of view, allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement. Accordingly, the processing of PNR data has become a widely used essential law enforcement tool, in the EU and beyond, to prevent and fight terrorism and other forms of serious crime, such as drugs-related offences, human trafficking, and child sexual exploitation.

The EU PNR Directive

On 27 April 2016, the European Parliament and Council adopted a Directive on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crimes.

It defines the responsibilities of EU countries regarding the collection of PNR data, requiring them to:

establish specific entities responsible for the collection, storage, and processing of PNR data ̵ the so-called passenger information units (PIUs), as amended and
adopt a list of competent authorities entitled to request or receive PNR data.

The rules apply to flights arriving from third countries to the EU countries, but EU countries can decide to apply them to flights departing from or arriving to another EU country (intra-EU flights, as amended).

The European Commission also put in place the appropriate framework for connectivity between air carriers and EU countries in an implementing decision (2017) on the data formats and common protocol, which has been reviewed in 2021.

Role of the passenger information units (PIUs)

PIUs are in charge of:

collecting PNR data from airlines,
comparing PNR data against relevant law enforcement databases and processing them against pre-determined criteria, to identify persons potentially involved in a terrorist offence or serious crime,
disseminating PNR data to national competent authorities, Europol, and PIUs of other EU countries, either spontaneously or in response to duly reasoned requests.

Data protection safeguards

The PNR Directive provides data protection safeguards, such as:

sensitive data must not be processed,
data must be depersonalised after 6 months,
data may be re-personalised only under strict conditions,
data must be deleted after 5 years,
a data protection officer is appointed in each PIU and
an independent national supervisory authorities must oversee the processing activities.

Review of the PNR Directive

In July 2020, the Commission adopted the PNR Directive Review Report, which reviewed its first two years of application. This Review shows that the development of the EU-wide PNR system is well under way, with the use of PNR data already delivering tangible results in the fight against terrorism and serious crime.

Relevant case law of the EU Court of Justice

On 21 June 2022, the Court of Justice has delivered a judgement on a series of preliminary reference questions raised by the Belgian Constitutional Court (Case C-817/19, Ligue des droits humaines v. Council of Ministers).

The Court has confirmed the validity of the PNR Directive and considered that a PNR system set up in accordance with the PNR Directive is justified, necessary, and proportionate to the aim of combating terrorism and serious crime. At the same time, the Court provided a restrictive interpretation to some of the Directive provisions.

Transfer of PNR to third countries

Existing international PNR Agreements

Australia

Agreement signed on 29 September 2011, entered into force on 1 June 2012
2013: Joint review of the EU-Australia PNR Agreement
2019: Joint review and joint evaluation of the EU-Australia PNR Agreement

United States of America

Agreement signed on 14 December 2011, entered into force on 1 July 2012
2015: Joint review of the U.S - EU PNR Agreement
2019: Joint evaluation U.S - EU PNR Agreement

Ongoing negotiations for PNR Agreements

Canada

The Court of Justice in its Opinion 1/15 of 26 July 2017 declared that the envisaged Agreement between the EU and Canada signed on 25 June 2014 may not be concluded in its current form.

Following this Opinion, new PNR negotiations with Canada were launched in June 2018 and are currently ongoing.

Japan

On 18 February 2020, the Council adopted a decision authorising the opening of negotiations between the EU and Japan for an agreement on the transfer and use of PNR data.

Future external PNR Policy

The 2010 Communication laid down the global approach towards PNR transfers to third countries, establishing a set of general criteria which were to be fulfilled by bilateral PNR agreements, including, in particular, a number of data protection principles and safeguards.

The Commission intends to update and streamline this approach with the aim to adapt it to today’s realities and take into consideration developments occurred since 2010. For this purpose, the Commission published a Roadmap on 24 July 2020. This initiative will aim at setting out the policy objectives and key challenges of both legal and operational nature that a future revised strategy should aim to tackle.

Advance Passenger Information (API)

On 13 December the Commission proposed two new Regulations to strengthen the use of Advance Passenger Information (API) data to enhance external border management and to counter serious crime and terrorism. The two Regulations will replace the 2004 Advance Passenger Information Directive (API Directive) to facilitate the flow of air passengers entering the Schengen area and help Member States’ law enforcement authorities to prevent, detect, investigate and prosecute terrorist offences and serious crime.

API data is information on passengers (usually contained in travel documents like passports and identity cards) collected by air carriers during check-in and transmitted by these carriers after check-in closure to the border control authorities of the country of destination. These authorities screen the passengers while in-flight; thus, the use of API enables a risk-based data-driven approach to border security allowing the identification of travellers who may need further investigation and speeding up border checks for the majority of travellers.

In the EU, the transmission of advance passenger data is regulated by Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data. The main objectives of the Directive are to combat irregular immigration and to improve border control. The Directive also allows Member States to use API data for law enforcement purposes on the basis of national law. API data are a very useful tool for law enforcement authorities when used in combination with PNR data.

Study on Advance Passenger Information (API) - Publications Office of the EU (europa.eu)

Proposal Regulation collection transfer advance passenger information (europa.eu)