PNR data are unverified information provided by passengers and collected by air carriers to enable the reservation and check-in processes. The data is used by the air carriers for their own commercial and operational purposes, to manage their air transportation services.
What kind of information is contained in PNR?
The content of PNR data varies depending on the information given by the passenger and may include, for example:
- dates of travel and travel itinerary,
- ticket information,
- contact details like address and phone number,
- travel agent,
- payment information,
- seat number and baggage information.
Why is this useful?
The analysis of PNR data can provide the authorities with important elements from a criminal intelligence point of view, allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement. Accordingly, the processing of PNR data has become a widely used essential law enforcement tool, in the EU and beyond, to prevent and fight terrorism and other forms of serious crime, such as drugs-related offences, human trafficking, and child sexual exploitation.
The EU PNR Directive
On 27 April 2016, the European Parliament and Council adopted a Directive on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crimes.
It defines the responsibilities of EU countries regarding the collection of PNR data, requiring them to:
- establish specific entities responsible for the collection, storage, and processing of PNR data ̵ the so-called passenger information units (PIUs), as amended and
- adopt a list of competent authorities entitled to request or receive PNR data.
The rules apply to flights arriving from third countries to the EU countries, but EU countries can decide to apply them to flights departing from or arriving to another EU country (intra-EU flights, as amended).
The European Commission also put in place the appropriate framework for connectivity between air carriers and EU countries in an implementing decision (2017) on the data formats and common protocol, which has been reviewed in 2021.
Role of the passenger information units (PIUs)
PIUs are in charge of:
- collecting PNR data from airlines,
- comparing PNR data against relevant law enforcement databases and processing them against pre-determined criteria, to identify persons potentially involved in a terrorist offence or serious crime,
- disseminating PNR data to national competent authorities, Europol, and PIUs of other EU countries, either spontaneously or in response to duly reasoned requests.
Data protection safeguards
The PNR Directive provides data protection safeguards, such as:
- sensitive data must not be processed,
- data must be depersonalised after 6 months,
- data may be re-personalised only under strict conditions,
- data must be deleted after 5 years,
- a data protection officer is appointed in each PIU and
- an independent national supervisory authorities must oversee the processing activities.
Review of the PNR Directive
In July 2020, the Commission adopted the PNR Directive Review Report, which reviewed its first two years of application. This Review shows that the development of the EU-wide PNR system is well under way, with the use of PNR data already delivering tangible results in the fight against terrorism and serious crime.
Relevant case law of the EU Court of Justice
On 21 June 2022, the Court of Justice has delivered a judgement on a series of preliminary reference questions raised by the Belgian Constitutional Court (Case C-817/19, Ligue des droits humaines v. Council of Ministers).
The Court has confirmed the validity of the PNR Directive and considered that a PNR system set up in accordance with the PNR Directive is justified, necessary, and proportionate to the aim of combating terrorism and serious crime. At the same time, the Court provided a restrictive interpretation to some of the Directive provisions.
Transfer of PNR to third countries
Existing international PNR Agreements
- Agreement signed on 29 September 2011, entered into force on 1 June 2012
- 2013: Joint review of the EU-Australia PNR Agreement
- 2019: Joint review and joint evaluation of the EU-Australia PNR Agreement
- Agreement signed on 14 December 2011, entered into force on 1 July 2012
- 2015: Joint review of the U.S - EU PNR Agreement
- 2019: Joint evaluation U.S - EU PNR Agreement
Ongoing negotiations for PNR Agreements
Following this Opinion, new PNR negotiations with Canada were launched in June 2018 and are currently ongoing.
On 18 February 2020, the Council adopted a decision authorising the opening of negotiations between the EU and Japan for an agreement on the transfer and use of PNR data.
Future external PNR Policy
The 2010 Communication laid down the global approach towards PNR transfers to third countries, establishing a set of general criteria which were to be fulfilled by bilateral PNR agreements, including, in particular, a number of data protection principles and safeguards.
The Commission intends to update and streamline this approach with the aim to adapt it to today’s realities and take into consideration developments occurred since 2010. For this purpose, the Commission published a Roadmap on 24 July 2020. This initiative will aim at setting out the policy objectives and key challenges of both legal and operational nature that a future revised strategy should aim to tackle.
Advance Passenger Information (API)
API data is information on passengers (usually contained in travel documents like passports and identity cards) collected by air carriers during check-in and transmitted by these carriers after check-in closure to the border control authorities of the country of destination. These authorities screen the passengers while in-flight; thus, the use of API enables a risk-based data-driven approach to border security allowing the identification of travellers who may need further investigation and speeding up border checks for the majority of travellers.
In the EU, the transmission of advance passenger data is regulated by Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data. The main objectives of the Directive are to combat irregular immigration and to improve border control. The Directive also allows Member States to use API data for law enforcement purposes on the basis of national law. API data are a very useful tool for law enforcement authorities when used in combination with PNR data.
- PNR directive (2016)
- National Transposition measures of the PNR Directive
- PNR implementation plan (2016)
Commission implementing decision on data formats and common protocols to be used by air carriers for the transfer of PNR data to PIUs (2017)
- Report on the review of the PNR Directive and its accompanying Staff Working Document. (July 2020)
- List of Member States who decided to apply the PNR Directive to intra-EU flights
List of Passenger Information Units (PIUs)
- Corrigendum to the list of PIUs (19 September 2019)
- List of competent authorities entitled to request and/or receive PNR data or the result of processing those data from their national PIU
- Corrigendum to the list of competent authorities (25 June 2018)
- Corrigendum to the list of competent authorities (22 February 2019)
- Corrigendum to the list of competent authorities (30 October 2020)
- EU-Australia PNR agreement (2012)
- Report on the Joint review of the EU AUS PNR Agreement (2013) and its accompanying Staff Working document
- Report on the Joint review of the EU AUS PNR Agreement (2019) and its accompanying Staff Working document
- Report on the Joint evaluation of the EU AUS PNR Agreement (2019) and its accompanying Staff Working document
- EU-US PNR agreement (2012)
- Report on the Joint Review of the EU US PNR Agreement (2015) and its accompanying Staff Working document
- Report on the Joint Evaluation of the EU US PNR Agreement (2019) and its accompanying Staff Working document