The European Commission has proposed a Passenger Name Record Directive that would require airlines to provide EU Member States with data on passengers arriving from, or departing to, countries outside the EU. Under the proposal, copies of such PNR data held on an airline’s reservation system would be transferred to a dedicated “Passenger Information Unit” in the Member State of arrival or departure, for the purpose of fighting serious crime and terrorism. The Passenger Information Unit would be an authority (or a branch of an authority) with responsibility for preventing, detecting, investigating or prosecuting such offences. The Directive would also require the Commission to undertake a study on applying these PNR transfer requirements to internal EU flights.

PNR is defined to mean “a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers.” According to the Commission, this would include data already collected by airlines for their own commercial purposes such as travel dates, itinerary, ticket information, contact details, means of payment and baggage information. The Commission says that airlines would not be required to retain additional data under the Directive. Transfer of “sensitive data” such as information revealing a traveler’s religious beliefs or political views would be prohibited.

The proposal could, however, face a tough review from the European Parliament, where arrangements to transfer PNR and financial data to the US have come under criticism on privacy grounds. The European Data Protection Supervisor has also questioned the consistency of such PNR transfer requirements with individuals’ data protection rights, in particular the principle of proportionality.

The Commission maintains that access to PNR data is critical for combating serious crime and terrorism. The Commission also notes that several Member States already have or are implementing PNR transfer requirements. The Directive, the Commission says, will ensure a harmonized approach.

It is expected to take two years for a final agreement on the proposal to be reached with the Parliament and the Council, which represents Member States.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.