On 4 December 2015, a provisional deal was reached by European Parliament and European Council negotiators on an EU Directive which will regulate the collection and retention of the personal data of all airline passengers travelling in and out of the EU. This was endorsed by the Parliament's Civil Liberties, Justice and Home Affairs Committee ("LIBE") on 10 December 2015.
As part of an anti-terrorism measure, the proposed EU PNR Directive would require airlines to provide EU countries with passengers' data for all flights entering and leaving the EU. It would also allow EU Member States to collect data for intra-EU flights.
The draft Directive will be put to a vote by the full European Parliament in early 2016. If adopted, Member States would have two years to incorporate the Directive into their national law.
What constitutes PNR data?
Passenger Name Record ("PNR") data is information provided by passengers to flight companies during reservation and check-in procedures. The data includes: contact details; baggage information; travel itineraries; and payment details.
What happens with PNR data?
PNR data would be sent by flight companies to the relevant "Passenger Information Unit" ("PIU") of the EU Member State from which the flight is departing or arriving. Each Member State would be required to have its own PIU which would process, store and analyse PNR data. The findings of the data analysis would then be provided to the "competent authorities": each Member State will have to endorse a list of the competent authorities allowed to access PNR data.
How does this sit alongside Data Protection principles?
The Directive would have safeguards in place aimed at protecting privacy and personal data. These include:
- A requirement for PIUs to appoint data protection officers to monitor the processing of PNR information; they would also act a point of contact for concerned passengers.
- National PIUs would only be permitted to process PNR data for specific purposes, such as identifying a passenger who may be involved in a terrorist offence or serious transnational crime who requires further examination.
- PNR data would be retained for up to five years. The data would initially be stored for 6 months "unmasked" i.e. this will include information identifying passengers, after which data identifying a passenger would have to be "masked out" for the remaining four and half years.
Whilst the recent developments have been welcomed by some, including Home Secretary Theresa May, the proposals are not without their critics. European Data Protection Supervisor Giovanni Buttarelli described the PNR Directive as "the first large-scale and indiscriminate collection of personal data in the history of the European Union."
Such proposals were always likely to be controversial. In seeking to implement the Directive, EU law makers have the difficult and unenviable task of striking the balance between national security interests and individuals' privacy. However, given the extent and nature of the information being collected and processed, it is crucial that the safeguards proposed are adequate, and that Member States ensure these are closely abided by.