Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

The Commission issued on 2 February 2011 a proposal for a Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, (COM(2011) 32 final). It followed a previous proposal for a framework-decision made on 6 November 2007 and intended to provide for a reactive, real time, and proactive tool to law enforcement authorities in the fight against terrorism by using data collected by air carriers. The first proposal for a framework-decision was not adopted.

The European Data Protection Supervisor issued an Opinion on 25 March 2011, explaining that it was a better proposal but still needed changes to be considered as sufficiently balanced. Similarly, the Opinion issued by the European Economic and Social Committee on 5 May 2011 underlined the risk that this proposal steps up “security at the expense of citizens' rights”. The Article 29 Working Party on Data Protection’s Opinion and the European Fundamental Rights Agency’s Opinion did also raise serious doubts about this proposal. The Council adopted a general approach on the text proposed by the Commission on 23 April 2012, before starting the negotiations with the Parliament. This first draft of the Directive was rejected by the LIBE Committee (Rapporteur: Timothy Kirkhope) of the European Parliament, questioning its necessity and its proportionality, on 24 April 2013 and was no longer considered as a priority.

The project regained attention at the beginning of the year after the terrorist attacks in Paris. In a resolution on anti-terrorism measures adopted on 11 February 2015, the European Parliament stated that the PNR Directive should be adopted by the end of the year. The Parliament stressed the necessity to take into account the fundamental rights principles and the Digital Rights Ireland Judgment. The LIBE Committee of the European Parliament issued on 17 February a first draft report on the proposition, and a second report on this proposal on 7 September. These new drafts narrowed the scope of the project to cover terror offences and serious "transnational" crime (Art. 1(2)), gave specific consideration for sensitive data (Art 4(1), limited the access to PNR data to four years instead of five for serious crime (Art. 9 (2a)), created the obligation for each EU member state to appoint a data protection supervisory officer (Art. 3a), and requested specific training and selection of the person who access and analyze the PNR data (Art. 3a (1)).

An informal meeting of the Heads of State or Government on 12 February 2015 asked the EU legislators to urgently adopt a strong and effective European Passenger Name Records Directive with solid data protection safeguards. Following this, the COREPER agreed on 18 February 2015, that the general approach should be used as a basis for informal trilogues with the European Parliament. The Luxembourg presidency started the discussion in order to prepare the first informal trilogue held in September 2015. The JHA Councils on 12-13 March and on 15-16 June reiterated the crucial importance of soon reaching an agreement on PNR. The document issued by the Presidency underlined the key elements that needed to be discussed. The scope of the Directive is the main issue. While the Council wanted to extend it to prevention of “serious crime” in general, the European Parliament wanted to limit it to serious transnational crime only and also to provide a list of the offences considered as being serious. Similarly, the optional inclusion by the Member States of intra EU-flights was proposed in the Council general approach because of its usefulness as regards the monitoring of foreign terrorist fighters but was rejected by the Parliament. The parliament however wished to extend the scope of the Directive to the prevention of immediate and serious threats to public security and also to data held by non-carrier economic operators. The possibility to allow EUROPOL to access these data, requested by the Parliament, is also a question. No information about the negotiations has been released.

In its second opinion on the proposal on 24 September, the European Data Protection Supervisor pointed out that in spite of the improvement made, the draft still does not comply with necessity and proportionality principles. It reiterates “the EU needs to justify on a basis of available evidence why a massive, non-targeted and indiscriminate collection of data of individuals is necessary and why that measure is urgently needed”. Beyond this general lack of justification about the necessity of the project, the European data protection supervisor also underlined several shortcomings of the Proposal. Most of them are based on the Digital Rights Ireland case. For example, the data retention period should be justified by objective criteria and the Directive should clearly provide that the PNR data may not be used for other purposes than the prevention, detection, investigation or prosecution of terrorist offences and serious transnational crime. Moreover, court or an independent administrative body should give a prior approval upon a request of access to the data by a competent authority. Furthermore, the scope of the PNR scheme should be much more limited and framed. Finally, the criteria to justify the PNR access by the competent authorities should also be clearly defined.

Following a request from the Parliament, the Court of Justice will give on opinion on the agreement envisaged between the European Union and Canada on the transfer and processing of Passenger Name Record data, which will clarify the compatibility of this practice with fundamental rights.

After the terrorist attack in Paris this 13 November 2015, the Council reiterates the urgency and priority to finalise an ambitious EU PNR before the end of 2015. On 2 December 2015, after negotiations with the Parliament, the Council issued the proposed compromise for approval of a final compromise text. It clearly underlined the main political issues and the final decisions. Concerning the scope of the Directive, the processing of data is allowed only for the purpose of prevention, detection, investigation and prosecution of terrorist offences and serious crime (Art. 1 (2)). The definition of serious crime encompassed categories of offences listed in annex II (Recital 12). The text also incorporates part of the European Parliament amendments by including a data protection officer (Art. 3a). The text permits the Member States to extend the scope of the Directive to include in the national implementation non carrier economic operator such as travel agencies and tour operators (Recital 28) and intra-EU flights (Art. 1a). Concerning the period of data retention, a maximum is fixed at 5 years (Recital 32, Art. 9 (1)), and the data shall be systematically depersonalized six months after the initial transfer of data. Afterwards, disclosure of the full PNR data shall be permitted only in very specific conditions (Art. 9 (2)).

At the same time, considering the current security situation in Europe, the Member states issued a declaration to the minutes of the Council. They declare that they will make full use of their possibility to include intra EU-flights in the scope of their national law implementing the Directive. Moreover, they will undertake to extent the collection of PNR data to non-air carrier such as travel agencies and tour operators which provide travel-related services including the booking of flights for which they collect and process PNR data (this was later repeated in a statement of the Council).

The plenary of the European Parliament adopted its position at first reading, on 14 April 2016 with only one amendment to the proposed draft, requesting the Council to adopt at the same time the PNR Directive and the package on data protection. The Council adopted unanimously the Directive in first reading on 25 April 2016. The final text was adopted on 27 April 2017. Directive 2016/681 has been published in the official journal on 4 May 2016 (OJ L 119).

Following a request from the Parliament, the Court of Justice will give on opinion on the agreement envisaged between the European Union and Canada on the transfer and processing of Passenger Name Record data, which will clarify the compatibility of this practice with fundamental rights.