The European Parliament voted by a large majority on April 14 2016 to approve a new directive on Passenger Name Record (PNR) data that will oblige airlines to hand to national authorities all passenger data for flights between EU and non-EU countries.
The new directive is intended for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, according to a statement by the European Parliament.
Approval of the directive by the European Council is pending. After it is approved by the European Council and comes into effect by publication in the EU’s official journal, EU countries will have a deadline of two years to incorporate it into their national laws.
The rapporteur on the proposal, UK MEP Timothy Kirkhope, said: “We have adopted an important new tool for fighting terrorists and traffickers.
“By collecting, sharing and analysing PNR information our intelligence agencies can detect patterns of suspicious behaviour to be followed up. PNR is not a silver bullet, but countries that have national PNR systems have shown time and again that it is highly effective,” Kirkhope said.
“There were understandable concerns about the collection and storage or people’s data, but I believe that the directive puts in place data safeguards, as well as proving that the law is proportionate to the risks we face. EU governments must now get on with implementing this agreement,” he said.
The text was approved by 461 votes to 179, with nine abstentions.
EU countries will have to set up “Passenger Information Units” (PIUs) to manage the PNR data collected by air carriers.
This information will have to be retained for a period of five years, but after six months, the data will be “masked out”, meaning, stripped of the elements, such as name, address and contact details that may lead to the identification of individuals.
PIUs will be responsible for collecting, storing and processing PNR data, for transferring them to the competent authorities and for exchanging them with the PIUs of other member states and with Europol.
The directive says that such transfers shall only be made “on a case-by-case basis” and exclusively for the specific purposes of “preventing, detecting, investigating or prosecuting terrorist offences or serious crime”.
The directive is to apply to “extra-EU flights”, but member states could also extend it to “intra-EU” ones (meaning, from an EU country to one or more other EU countries), provided that they notify the EU Commission.
EU countries may also choose to collect and process PNR data from travel agencies and tour operators (non-carrier economic operators), since they also manage flight bookings.