Explanatory Memorandum to COM(2025)295 - Conclusion of the Agreement with Iceland on the transfer of Passenger Name Record (PNR) data to prevent, detect, investigate and prosecute terrorist offences and serious crime

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2025)295 - Conclusion of the Agreement with Iceland on the transfer of Passenger Name Record (PNR) data to prevent, detect, investigate ...
source COM(2025)295 EN
date 12-06-2025


The present proposal concerns the conclusion of the Agreement between the European Union and Iceland on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘the Agreement’).

1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Strengthening international cooperation on law enforcement, including on information sharing, is essential to address the threats posed by terrorism and serious transnational crimes. The latest Serious Organised Crime Threat Assessment (SOCTA) report published by Europol 1 illustrates the international dimension of the activities of most serious crime organisations. Additionally, its latest Terrorism Situation and Trend Report (TE-SAT) 2 stresses not only the direct links between transnational travel and the organization of terrorist activities and serious crime, but also the importance of effectively detecting, investigating and prosecuting other serious criminal offences for preventing and detecting terrorist offences.

Passenger name record (PNR) data is information provided by passengers and collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes. The content of PNR data varies depending on the information given during the booking and check-in process and may include, for example, dates of travel and the complete travel itinerary of the passenger or group of passengers travelling together, contact details like address and phone number, payment information, seat number and baggage information.

The collection and analysis of PNR data can provide the authorities with important elements allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement authorities. Accordingly, the processing of PNR data has become a widely used law enforcement tool, in the EU and beyond, to detect terrorism and other forms of serious crime, such as drug-related offences, human trafficking and child sexual exploitation, and to prevent such crime from being committed. It has also proven to constitute an important source of information to support the investigation and prosecution of cases where such illegal activities have been committed 3 .

While crucial for combating terrorism and serious crime, the transfer of PNR data to third countries as well as the processing by their authorities constitutes an interference with the protection of individuals’ rights with regard to their personal data. For this reason, it requires a legal basis under EU law and must be necessary, proportionate and subject to strict limitations and effective safeguards, as guaranteed by the Charter of Fundamental Rights of the EU, notably in its Articles 6, 7, 8, 21, 47 and 52. The achievement of these important objectives requires striking a fair balance between the legitimate objective to maintain public security and the right of everyone to enjoy the protection of their personal data and private life.

In 2016, the European Parliament and the Council of the European Union adopted Directive (EU) 2016/681 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’) 4 . This Directive regulates the transfer and processing of PNR data in the European Union and lays down important safeguards for the protection of fundamental rights, in particular the rights to privacy and the protection of personal data. In June 2022, the Court of Justice of the EU (CJEU) confirmed the validity and compliance of this Directive with the Charter of Fundamental Rights of the EU and the Union Treaties, in its Judgment in case C-817/19 5 .

Iceland and the Member States of the Union which are Contracting Parties to the Schengen Convention 6 have a shared responsibility to ensure internal security within a common area without internal border controls, including by exchanging relevant information. PNR data processing has demonstrated the potential to enhance the security of the Schengen area, by improving the prevention and detection of serious crime and terrorism at the external borders and by providing a risk-based data-driven approach for Member States to use within the Schengen area as a compensatory measure for the absence of internal border controls 7 .

Iceland adopted a domestic legislation on PNR and its competent authority designated to receive and process PNR data on flights landing or departing from its airports started operating in November 2021.

Under Union law, the transfer of any personal data from the Union to a third country may take place only if that country ensures a level of protection of personal data that is essentially equivalent to that guaranteed to those personal data within the Union. In this respect, it is to be noted that Iceland is not a third country within the meaning of Chapter V of Regulation 2016/679 8 since that Regulation has been incorporated with adaptations in Annex XI to the European Economic Area (EEA) Agreement. However, the framework of rules set out in that Regulation does not apply to the processing of personal data, including PNR data, by Icelandic law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. At the same time, since pursuant to the Schengen Association Agreement between the EU and Iceland of 1999, Iceland is bound by the Union acts which constitute a development of the provisions of the Schengen acquis, it is supposed to apply Directive (EU) 2016/680 in a similar manner as EU Member States. However, the PNR Directive does not constitute a development of the Schengen acquis, hence Iceland does not participate in the implementation of this legal instrument.

In these circumstances, namely in the absence of appropriate safeguards in relation to the specific processing of PNR data, that are to be established by means of a valid legal basis as required by EU law, Iceland may not lawfully receive and process PNR data on flights operated by air carriers between the Union and Iceland.

In light of this, on 6 September 2023, the Commission adopted a Recommendation, proposing that the Council authorises the opening of negotiations of an agreement between the European Union and the Iceland on the transfer of Passenger Name Record (PNR) data for preventing, detecting, investigating and prosecuting terrorist offences and serious crime. 9 In parallel, it also recommended the opening of negotiations of such agreements with the Swiss Confederation 10 and Norway. 11 On 4 March 2024, the Council provided its authorisation to open negotiations and adopted negotiating directives. 12

The purpose of this Agreement is to bridge this security gap existing in the Schengen area and enable the transfer of PNR data from the Union to Iceland in recognition of the necessity to use PNR data as an essential tool in the fight against terrorism and other forms of serious crime.

Negotiations with Iceland as well as with Norway and the Swiss Confederation, began on 21 March 2024. On 9 April 2025, the lead negotiators initialled the agreement text and thus formally concluded negotiations.

The co-legislators have been informed throughout the negotiations process and consulted at all stages of the negotiations, notably by reporting to the Council’s Working Party on Justice and Home Affairs Information Exchange (IXIM) and the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE).

Consistency with existing Union policies

The Commission first set out the broad lines of the EU's external PNR policy in a 2003 Communication 13 on the EU approach towards transfers of PNR data from the EU to third countries, which were reviewed in a Communication adopted in 2010 14 . There are currently three international agreements in force between the EU and third countries namely Australia 15 , the United States 16 (2012) and the United Kingdom 17 (2020) which cover the transfer and processing of PNR data from the EU. After negotiations which followed up on Opinion 1/15 of the CJEU of 26 July 2017, 18 a new PNR Agreement with Canada was signed on 4 October 2024. 19

At international level, an increasing number of third countries have started developing their capabilities to collect PNR data from air carriers. This trend is further prompted by Resolutions adopted by United Nations Security Council (in 2017 and 2019), requiring all States to develop the capability to collect and use PNR data 20 , based on which Standards and Recommended Practices on PNR (SARPs) were adopted by the International Civil Aviation Organization (ICAO) in 2020, by means of Amendment 28 to Annex 9 to the Chicago Convention which became applicable in February 2021. 21

The Union position, as established by Council Decision (EU) 2021/121, welcomes the ICAO SARPs on PNR as laying down ambitious safeguards on data protection and therewith allowing significant progress to be made at international level. At the same time, this Council Decision considered, by means of requiring Member States to register a difference, that the requirements resulting from Union law (including relevant case-law), are more exacting than certain ICAO Standards, and that transfers from the EU to third countries require a legal basis establishing clear and precise rules and safeguards in relation to the use of PNR data by competent authorities of a third country 22 .

In this context, the negotiation and conclusion of this Agreement constitutes part of a broader effort of the Commission to pursue a consistent and effective approach regarding the transfer of PNR data to third countries, as announced in the Security Union Strategy 2020-2025 23 , building on the ICAO SARPs on PNR, and in line with the Union law and case-law. Such an approach was also requested by the Council with its Conclusions of June 2021 24 .

Herewith, the Commission also seeks to respond to calls from air carriers to ensure more legal clarity and foreseeability on PNR transfers to third countries 25 .

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

Article 218(6) of the Treaty on the Functioning of the European Union (TFEU) provides for decisions ‘concluding the agreement.’ Since the proposal concerns areas where the ordinary legislative procedure is applied, the consent of the European Parliament is required and, therefore, the procedural legal basis is Article 218(6), point (a)(v) TFEU.

The proposal has two main aims and components, one relating to the necessity of ensuring public security by means of the transfer of PNR data to Iceland and the other to the protection of privacy and other fundamental rights and freedoms of individuals. Thus, the substantive legal basis is Article 16(2) and Article 87(2)(a) of the Treaty on the Functioning of the European Union.

Proportionality

The Union’s objectives with regard to this proposal as set out above can only be achieved by establishing a valid legal basis at Union level to ensure that appropriate protection of fundamental rights is granted to personal data transfers from the Union. The provisions of the agreement are limited to what is necessary to achieve its main objectives and strike a fair balance between the legitimate objective to maintain public security and the right of everyone to enjoy the protection of their personal data and private life.

Choice of the instrument

The appropriate safeguards required for the specific processing of PNR data received by Iceland from air carriers on flights operated by air carriers between the Union and Iceland must be established by means of a valid legal basis under EU law. The present Agreement constitutes such legal basis enabling PNR data transfers.

• Fundamental rights

The exchange of PNR data and its processing by the authorities of a third country constitutes an interference with the fundamental rights to privacy and data protection. However, such interference is justified also because the Agreement pursues legitimate objectives i.e. to prevent, detect, investigate and prosecute serious crime and terrorism. The Agreement includes appropriate data protection safeguards to the personal data transferred and processed, in line with EU law, notably Articles 7, 8, 47 and 52 of the Charter of Fundamental Rights of the EU.

3. BUDGETARY IMPLICATIONS

There are no budgetary implications for the Union budget.

4. OTHER ELEMENTS

Detailed explanation of the specific provisions of the proposal

The Agreement, in full alignment with the the Charter of Fundamental Rights of the EU, the relevant caselaw of the Court of Justice of the EU and the negotiating directives, provides a legal basis, conditions and safeguards for the transfer to and processing by Iceland of PNR data received from air carriers from the Union:

Article 1 sets out the scope and objectives the Agreement.

Article 2 includes key definitions of the Agreement, inter alia of the ‘Passenger Information Unit’ (PIU) of Iceland as the designated competent authority responsible for processing PNR data and of the terms ‘serious crime’ and ‘terrorism’, in line with how these concepts have been defined in other relevant EU law instruments;

Article 3 regulates method and frequency of PNR data transfers by airlines to the Icelandic PIU with a view to ensuring that PNR data transfers are kept to the minimum necessary and are proportionate to the purpose specified in the Agreement.

Article 4 provides for a common technical solution by including the possibility for Iceland to make use of the API-PNR router set up according to Regulation (EU) 2025/13 26 and as envisaged by Article 10(c) of that Regulation.

Article 5 sets out the purpose limitation – i.e. prevention, detection, investigation and prosecution of terrorist offences and serious crime – in an exhaustive manner to all PNR processing covered by the Agreement.

Article 6 sets out the three specific modalities for the processing of PNR data received under the Agreement by the Icelandic PIU.

Article 7 provides additional safeguards for carrying out ‘real-time assessment’ and limits automated processing of PNR data.

Article 8 provides for a prohibition to process special categories of PNR data in line with how this concept has been defined in the EU data protection acquis.

Article 9 provides for a high level of security of PNR data received under the Agreement and ensures notifications of data security breaches to the designated Icelandic data protection supervisory authority.

Article 10 provides for the keeping of logs and documentation of all PNR processing.

Article 11 includes rules for restricted storage of PNR data with a view to ensuring that such data are not stored longer than what is necessary for and proportionate to the objective pursued by this Agreement. In line with the relevant caselaw of the Court of Justice of the European Union, this provision requires an objective connection between the PNR data to be retained and the objectives of the agreement, and make storage periods subject to regular reviews by the Icelandic PIU.

Article 12 requires the Icelandic PIU to depersonalise PNR data at the latest after 6 months.

Article 13 includes rules and conditions for the disclosure of PNR data within Iceland, e.g. by limiting such disclosures to authorities with functions related to the purposes of the Agreement and by requiring prior approval by a judicial authority or another independent body for such disclosures.

Article 14 includes rules and conditions for the disclosure of PNR data outside Iceland and the EU, e.g. by limiting such disclosures to third countries with which the EU has concluded a comparable agreement or for which the EU has adopted a relevant adequacy decision and by requiring prior approval by a judicial authority or another independent body for such disclosures.

Article 15 fosters police and judicial cooperation through the exchange of PNR data or the results of processing of PNR data between the Icelandic PIU and the PIUs of Member States of the Union, as well as between the Icelandic PIU, on the one hand, and Europol or Eurojust within their respective competences, on the other hand.

Article 16 requires Iceland to apply the same rights and obligations as Directive (EU) 2016/680 to the processing of personal data under this Agreement and that such processing shall be overseen by an independent authority established in accordance with the implementation by Iceland of this Directive.

Article 17 includes transparency and information obligations, including a requirement to notify individuals of the disclosure of their PNR data.

Article 18 provides for an obligation for Iceland to notify the identity of the Icelandic PIU and of the national supervisory authority.

Article 19 provides for the entry into force of the Agreement.

Article 20 provides for dispute settlement and suspension mechanisms.

Article 21 provides for the possibility for either Party to terminate the Agreement at any time.

Article 22 provides for the rules for amendments of the Agreement.

Article 23 provides the joint evaluation of the implementation of the Agreement.

Article 24 contains a clause regarding the territorial application of the Agreement.