Public Law and Procurement

Passenger name records (PNR) Directive

After the terrorist attacks at the beginning of this year, ranging from the Charlie Hebdo attack to the most recent train shooting in Northern France, the EU has decided, in response, to revive the debate on adoption of the draft PNR Directive.

The Passenger Name Record (PNR) is unverified data provided by passengers, collected and held by air carriers. The data includes: names; travel dates; itineraries; seats; baggage; contact details and means of payment.

EU officials believe that PNR data could be used for the prevention, detection, investigation and prosecution of terrorists.

The EU has already signed agreements allowing EU carriers to transfer PNR data to the United States, Australia and Canada.

Considering that many EU countries have already developed their own systems for holding PNR data, European Parliament Civil Liberties (LIBE) Committee rapporteur Timothy Kirkhope believes that ‘with one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called “foreign fighters” has made this system even more essential’.

The current Proposal is an amended version of a proposal presented in 2011.[1] The ‘old’ proposal had been rejected by the LIBE Committee because it was considered too invasive.[2] The same Committee approved on 15 July 2015 the amended version of the proposal.

The new PNR rules would apply only for flights outside the EU and would concern air carriers and non-carriers such as travel agencies and tour operators. Internal flights between EU Member States are, for the moment, off the table, but some MEPs consider that the idea should be introduced in future discussions.

In the ‘new’ version some provisions have been added, requiring Member States to share the PNR data with each other and with Europol.[3]

The safeguards inserted in the new proposal include the following requirements:

  • Member States’ Passenger Information Units (PIUs) would be entitled to process PNR data only for limited purposes, such as identifying a passenger who may be involved in a terrorist offence or serious transnational crime and who requires further examination;
  • PIUs would have to appoint a data protection officer to monitor data processing and safeguards and act as a single contact point for passengers with PNR data concerns;
  • All processing of PNR data would have to be logged or documented;
  • Passengers would have to be clearly and precisely informed about the collection of PNR data and their rights; and
  • Stricter conditions would govern any transfer of data to third countries.

Furthermore, having regard to the recent judgment of the Court of Justice,[4] in relation to the impact of the proportionality principle, two different limitation periods – five years for terrorism and four years for serious transnational crimes – have been introduced for accessing the data. The full information should be retained for the first 30-day period; after that, it should be ‘masked out’ for the remaining period.[5]

After the four- or five-year period, the PNR data should be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the Member State concerned).

Despite these new amendments some doubts remain about the impact of PNR data retention on fundamental rights, such as:

  • The right to privacy;[6]
  • The right to data protection, especially in the context of the on-going reform of the EU data protection framework.[7] The controversies relate – inter alia – to the lengthy period of data retention, the incomplete nature of anonymisation of data, allowing for its easy retrieval, and the transfer of data to third countries;
  • The right of non-discrimination, with indirect discrimination being more likely than direct discrimination, given the prohibition on processing sensitive data under the proposed Directive;
  • The right to free movement. According to the EU Free Movement Directive,[8] Member States may restrict the freedom of movement of EU citizens on grounds of public policy or public security. However, such restrictions need to comply with the principle of proportionality and be based exclusively on the personal conduct of the individual concerned representing a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society. A risk of the breach of this right is highlighted in regard to the possible extension of the EU PNR scheme to intra-EU flights.

The European Data Protection Supervisor, Mr Giovanni Buttarelli, has criticised the proposal stating that it is too invasive and is unlikely to stop terrorism.

The trilogue on this matter should begin in September.[9] In a resolution voted on 11 February 2015, the EU Parliament has in fact committed itself ‘to work towards the finalisation of an EU PNR directive by the end of the year’.

The difficult balance between national security and citizens’ privacy is a frequent problem that our modern society must face. It is not only the EU that attempts to fight terrorism and crime. The EU Member States are trying to find acceptable solutions in order to protect their citizens.

For instance, the French Senate passed, on 24 June 2015, a new statute allowing the French authorities to monitor and intercept citizens’ communications. On 23 July 2015, the Constitutional Court approved that new law, finding only a few articles contrary to constitutional principles.

Manuel Valls, the French Prime Minister, believes that ‘from now on, France has a security framework against terrorism that respects liberties. It’s decisive progress’.

In France, for wireless phone taps, hidden cameras and microphones there will be no need for a warrant or any type of court approval. The new law has now provided for the mandatory consultation of the National Commission for the Control of Intelligence. The recommendations of this Authority are not binding.

The LIBE Committee has raised concerns about the compatibility of some of the French provisions with the EU Treaties.

Mr Buttarelli was also critical of the French law saying that ‘mass surveillance is against values and has no legitimacy in the EU’. He also added that ‘as people become more monitored and more profiled, they risk discrimination in terms of access to services’.

We will keep you posted on the adoption of the PNR Directive and the debate around the new French law and its compatibility with EU principles.

[1] Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, COM(2011) 32 final, 2.2.2011.

[2] The LIBE Committee deals with Civil Liberties, Justice and Home Affairs (for further information,

[3] In sharing the PNR data, Europol’s Secure Information Exchange Network Application (SIENA) system should be used.

[4] Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd and Kärntner Landesregierung, judgment of 8 April 2014, not yet published.

[5] When the information is ‘masked out’ all the data that could serve to identify the passenger is anonymised. In this period of time the data will be accessible only to a limited number of personnel of the Passenger Information Unit specifically authorized to carry out analysis of PNR data and develop assessment criteria.

[6] The right to privacy falls within the scope of Article 7 of the Charter of Fundamental Rights of the European Union (C 364 of 18.12.2000, p.1) providing that: ‘Everyone has the right to respect for his or her private and family life, home and communications’.

[7] The right to data protection is protected under Article 8 of the Charter of Fundamental Rights of the European Union reading as follows: ‘Everyone has the right to the protection of personal data concerning him or her. // 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. // 3. Compliance with these rules shall be subject to control by an independent authority.’

[8] Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC, OJ L 158, 30.4.2004, p.77.

[9] The three-way talks between Parliament, Council and Commission negotiators to agree on the final text of a legislative act when one or more of the three institutions have reached incompatible conclusions or introduced incompatible amendments.
