Recent Developments
On 4 December 2015, a provisional deal was reached by European Parliament and European Council negotiators on an EU Directive which will regulate the collection and retention of the personal data of all airline passengers travelling in and out of the EU. This was endorsed by the Parliament's Civil Liberties, Justice and Home Affairs Committee ("LIBE") on 10 December 2015.
As part of an anti-terrorism measure, the proposed EU PNR Directive would require airlines to provide EU countries with passengers' data for all flights entering and leaving the EU. It would also allow EU Member States to collect data for intra-EU flights.
The draft Directive will be put to a vote by the full European Parliament in early 2016. If adopted, Member States would have two years to incorporate the Directive into their national law.
What constitutes PNR data?
Passenger Name Record ("PNR") data is information provided by passengers to flight companies during reservation and check-in procedures. The data includes: contact details; baggage information; travel itineraries; and payment details.
What happens with PNR data?
PNR data would be sent by flight companies to the relevant "Passenger Information Unit" ("PIU") of the EU Member State from which the flight is departing or arriving. Each Member State would be required to have its own PIU which would process, store and analyse PNR data. The findings of the data analysis would then be provided to the "competent authorities": each Member State will have to endorse a list of the competent authorities allowed to access PNR data.
How does this sit alongside Data Protection principles?
The Directive would have safeguards in place aimed at protecting privacy and personal data. These include:
Final Comment
Whilst the recent developments have been welcomed by some, including Home Secretary Theresa May, the proposals are not without their critics. European Data Protection Supervisor Giovanni Buttarelli described the PNR Directive as "the first large-scale and indiscriminate collection of personal data in the history of the European Union."
Such proposals were always likely to be controversial. In seeking to implement the Directive, EU law makers have the difficult and unenviable task of striking the balance between national security interests and individuals' privacy. However, given the extent and nature of the information being collected and processed, it is crucial that the safeguards proposed are adequate, and that Member States ensure these are closely abided by.