Annexes to COM(2020)305 - Review of Directive 2016/681 on the use of passenger name record (PNR) data for prevention, detection, investigation and prosecution of terrorist offences and serious crime

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2020)305 - Review of Directive 2016/681 on the use of passenger name record (PNR) data for prevention, detection, investigation and ...
document COM(2020)305 EN
date July 24, 2020
agreements, including, in particular, a number of data protection principles and safeguards. 3 These formed the basis of the renegotiations of the PNR agreements with Australia, Canada and the U.S., leading to the conclusion of new PNR agreements with Australia 4 and the U.S. 5  

Further to a request by the European Parliament, on 26 July 2017 the Court of Justice of the EU issued an Opinion declaring that the envisaged agreement with Canada could not be concluded in its intended form because some of its provisions did not meet the requirements stemming from the Charter of Fundamental Rights. 6 To address the Court’s concerns, the EU and Canada proceeded to renegotiate the agreement. These negotiations concluded at the technical level in March 2019 and the finalisation of the agreement is currently pending Canada’s legal review and political endorsement of the text. 7 In addition, on 18 February 2020 the Council authorised the Commission to open negotiations with Japan for the conclusion of an agreement on the transfer of PNR data. 8 The negotiations with Mexico, launched in July 2015, are currently at a standstill.

At EU level, the adoption of the PNR Directive in April 2016 constituted an important milestone in the internal policy on PNR. As indicated above, the Directive lays down a harmonised framework for the processing of PNR data transferred by air carriers to the Member States. The Commission has supported the Member States in implementing the Directive by coordinating regular meetings, facilitating the exchange of best practices and peer-to-peer support, and providing financial assistance. In particular, the Budgetary Authority reinforced the 2017 Union budget with EUR 70 million for the Internal Security Fund-Police (ISF-Police), specifically for PNR-related actions. 9 The Commission has also funded four PNR-related projects under the Union Actions of the ISF-Police. These projects aimed to ensure that Passenger Information Units of the Member States developed the capabilities needed to exchange PNR data or the results of processing such data with each other and with Europol.

In 2016, the EU also modernised its legislation on the protection of personal data through the adoption of Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) 10 and Directive (EU) 2016/680 (the Directive on data protection in the law enforcement sector, also known as the Law Enforcement Directive). 11 On 24 June 2020, the Commission adopted a Communication on aligning the former third pillar instruments with the data protection rules 12 and published the results of the first review and evaluation of the GDPR. 13

In the context of this review, it should be noted that the Belgian Constitutional Court has made a reference for a preliminary ruling to the Court of Justice on the Directive’s compliance with the Charter of Fundamental Rights and the Treaty. 14 More recently, the Cologne District Court also made a request for a preliminary ruling relating to the PNR Directive. 15 The Commission has submitted observations in the first of these proceedings and will do the same in the second in due course.

At the global level, in December 2017 the United Nations adopted Security Council Resolution 2396 requiring all UN States to develop the capability to collect, process and analyse PNR data and to ensure PNR data are used by and shared with all their competent national authorities. 16 To support States in developing such capabilities, in March 2019 the International Civil Aviation Organisation (ICAO) launched the process to draft new PNR standards. These standards, which will be binding on all ICAO member countries unless they file a difference, were adopted by the ICAO Council on 23 June 2020. The Commission has actively engaged in this process, as an observer representing the EU, to ensure the compatibility of these standards with the EU legal requirements, so that they can contribute to facilitate transfers of PNR data.

3.Main findings

The main findings of the review process can be summarised as follows:

3.1.Establishment of an EU wide PNR system 

The Commission welcomes the efforts made by national authorities to implement the PNR Directive. At the end of the review period, 24 out of 26 Member States had notified the Directive’s full transposition to the Commission. Of the two remaining Member States, Slovenia has notified partial transposition and Spain, which has not notified any transposition measures, was referred to the Court of Justice on 2 July 2020 for failure to implement the Directive. The vast majority of Member States established fully operational Passenger Information Units, which are the designated units responsible for collecting and processing PNR data. These Passenger Information Units developed good levels of cooperation with other relevant national authorities and the Passenger Information Units of other Member States. All the Member States designated their competent authorities entitled to request and receive PNR data from their Passenger Information Unit only for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, such as the police and other authorities responsible for fighting against crime.

3.2.Compliance with data protection standards in the Directive

The analysis of national transposition measures points to an overall compliance with the data protection requirements of the PNR Directive, even though some Member States have failed to fully mirror all of them in their national laws. 17 In addition, the overview of their application confirms the commitment of national authorities to respect these safeguards and to implement them in practice. The Commission will continue to encourage the dissemination of best practices developed in this regard through its regular meetings with the Member States and the projects financed under the ISF-P Union actions. At the same time, the Commission will not hesitate to use its powers as guardian of the treaties, including by launching infringement procedures if necessary, to ensure that Member States fully respect the requirements set out in the Directive, in particular on the protection of personal data.

The data protection safeguards contained in the Directive, where implemented correctly, which is the case in the majority of Member States, guarantee the proportionality of PNR data processing and aim to prevent abuse on the part of national authorities or other actors. The purpose limitation ensures that data processing is only carried out for the objectives of fighting terrorism and serious crime. The prohibition of the collection and processing of sensitive data constitutes an important safeguard to make sure that PNR will not be used in a discriminatory manner. The fact that Member States maintain records of processing operations, as required by the Directive, enhances transparency and allows to control the lawfulness of data processing in an effective manner. Data Protection Officers can independently control the lawfulness of data processing, in particular when they are not members of the staff of the Passenger Information Unit and are not subordinated to the Head of the Passenger Information Unit. In addition, their presence in the Passenger Information Unit ensures that a data protection perspective is embedded in the daily functioning of these units.

On a practical level, the interaction between the Passenger Information Units and their Data Protection Officers appears to be working well and the role of the Data Protection Officer is seen as adding value to the operations of the Passenger Information Unit. The Data Protection Officers play a particularly important role in monitoring data processing operations, approving and reviewing pre-determined criteria and providing advice on data protection matters to the staff of the Passenger Information Unit. In most Member States, the Data Protection Officers have been designated by law as the contact point for data subjects and contacting them is also facilitated in practice.

3.3.Other elements of the review

The necessity and proportionality of collecting and processing PNR data

The review shows several elements confirming the necessity and proportionality of collecting and processing PNR data for the purposes of the PNR Directive. In the limited time since the transposition deadline, PNR has proven to be effective in achieving its aims, which correspond to an objective of general interest, i.e. to protect public security by ensuring the prevention, detection, investigation and prosecution of serious crime and terrorism in the Union’s area without internal borders.

According to the Member States, the different means of processing of PNR data available to them (i.e. real time, reactive and proactive) have already delivered tangible results in the fight against terrorism and crime. Without claiming to be exhaustive, Member States have provided the Commission with qualitative evidence 18 that illustrates how the comparison of PNR data against databases and pre-determined criteria has contributed to the identification of potential terrorists or persons involved in other serious criminal activities, such as drug trafficking, cybercrime, human trafficking, child sexual abuse, child abduction and participation in organised criminal groups. In some instances, the use of PNR data has resulted in the arrest of persons previously unknown to the police services, or allowed for the further examination by the competent authorities of passengers who would not have been checked otherwise. The assessment of passengers prior to their departure or arrival has also helped to prevent crimes from being committed. National authorities highlight that these results could not have been achieved without the processing of PNR data, e.g. by using exclusively other tools such as Advance Passenger Information. 

Under the PNR Directive, the processing of PNR data concerns all passengers on inbound and outbound extra-EU flights. The assessment shows that such broad coverage is strictly necessary to achieve the Directive’s intended objectives. As to the data collected, the categories in Annex I reflect internationally agreed standards, in particular at the level of ICAO. National authorities have confirmed that the possibility to collect such categories of PNR data corresponds to what is strictly necessary to achieve the objectives pursued.

Concerning the level of interference with the fundamental rights to privacy and to the protection of personal data, the following considerations are relevant. Importantly, the PNR Directive strictly prohibits the processing of sensitive data. While PNR data may reveal specific information on a person’s private life, such information is limited to a specific aspect of private life, namely, air travel. In addition, the PNR Directive contains strict safeguards to further limit the degree of interference to the absolute minimum and ensure the proportionality of the methods of processing available to national authorities, including as regards the performance of automated processing. As a result of these safeguards, only the personal data of a very limited number of passengers are transferred to competent authorities for further processing. This means that PNR systems deliver targeted results which limit the degree of interference with the rights to privacy and the protection of personal data. Finally, PNR data are not used to establish an individual profile of everyone, but to establish risk and anonymous scenarios or ‘abstract profiles’.

The length of the data retention period

The retention of PNR data of all passengers for a period of five years is necessary to achieve the objectives of ensuring security and protecting the life and safety of persons by preventing, detecting, investigating and prosecuting terrorist offences and serious crime.

Firstly, the need to retain data for five years stems from the nature of PNR as an analytical tool aimed not only at identifying known threats but also at uncovering unknown risks. Travel arrangements recorded as PNR data are used to identify specific behavioural patterns and make associations between known and unknown persons. By definition, the identification of such patterns and associations calls for the possibility of a long-term analysis. Indeed, such an analysis requires that a sufficient pool of data are available to the Passenger Information Unit for such a relatively long period. Such data can then be transferred to the competent authorities only in response to ‘duly reasoned’ requests, on a case-by-case basis, within the framework of criminal investigations.

Secondly, the retention of PNR data for five years is needed to ensure the effective investigation and prosecution of terrorist offences and serious crime. Investigating and prosecuting such offences usually involves months and, often, years of work. In this vein, Member States have confirmed that the five-year retention period is necessary from an operational point of view. The availability of historical data ensures that, when an individual is accused of having committed a serious crime or being involved in terrorist activities, it is possible to review the travel history and see who travelled with him or her, identifying potential accomplices or other members of a criminal group, as well as potential victims.

In addition, the safeguards provided in the PNR Directive concerning access by the competent authorities to the data stored by the Passenger Information Unit and in relation to the depersonalisation and re-personalisation of data have shown to be sufficiently robust to prevent abuses.

The Court of Justice examined the time limits for the retention of PNR data in its Opinion 1/15 on the envisaged EU-Canada PNR agreement and, to address the Court’s concerns, the Commission negotiated a new draft agreement with Canada. In this respect, it is important to note that the Commission considers the factual and legal circumstances of the PNR Directive are different from the ones considered by the Court of Justice in that case. In particular, the PNR Directive clearly seeks the objective of ensuring security in the Union and its area without internal borders, where the Member States share responsibility for public security. In addition, unlike the draft agreement with Canada, the Directive does not concern data transfers to a third country, but the collection of passenger data on flights to and from the EU by the Member States. In this respect, the nature of the PNR Directive as secondary law means that it is applied under the control of the national courts of the Member States and, in the final instance, of the Court of Justice. Furthermore, national laws implementing the Law Enforcement Directive also apply to the processing of data provided for in the PNR Directive, including any subsequent processing by competent authorities.

The effectiveness of exchange of information between the Member States

The cooperation and exchange of PNR data between the Passenger Information Units is one of the most important elements of the Directive. While the exchange of data between the Member States based on duly-reasoned requests functions effectively, the possibility to transfer PNR data on the Passenger Information Unit’s own initiative is much less prevalent. The information provided by the Member States suggests that law enforcement authorities are more willing to use cooperation procedures based on clear and precise regulations, such as those concerning transfers in response to a request. In contrast, the broad and relatively unclear formulation of the Directive’s provision on spontaneous transfers has led to a certain reticence in its application.

The quality of the assessments including with regard to the statistical information gathered pursuant to Article 20

Article 20 of the PNR Directive requires Member States to collect, as a minimum, statistical information on the total number of passengers whose PNR data have been collected and exchanged, and the number of passengers identified for further examination. The analysis of this information shows that only the data of a very small fraction of passengers are transferred to competent authorities for further examination. Thus, the statistics available indicate that, overall, PNR systems are working in line with the objective of identifying high risk passengers without impinging on bona fide travel flows.

In this respect, it should be noted that the statistics provided to the Commission are not fully standardised and therefore not amenable to hard quantitative analysis. In a similar vein, it is also necessary to recall that in most investigations PNR data constitutes a tool, or a piece of evidence, among others, and that it is often not possible to isolate and quantify the results attributable specifically to the use of PNR alone. In the present analysis, the Commission has mitigated these difficulties by collecting various types of evidence to establish a solid evidence base for the review. The Commission will also continue working closely with the Member States to improve the quality of the statistical information collected under the Directive.

Feedback from the Member States on the possible extension of the obligations and the use of data under the PNR Directive

All Member States except one have extended the collection of PNR data to intra-EU flights. National authorities see the collection of PNR data for intra-EU (and in particular intra-Schengen) flights as an important law enforcement tool to track the movements of known suspects and to identify suspicious travel patterns of unknown individuals who may be involved in criminal/terrorist activities travelling within the Schengen zone. As Member States already effectively collect PNR data on intra-EU flights, the Commission does not consider it essential to make the collection of PNR data in intra-EU flights mandatory at this stage.

The review has shown that, from the operational point of view, Member States would consider information from non-carrier economic operators of crucial added value. Given the number of reservations made by tour operators and travel agencies, an important share of passengers’ data are currently not collected and processed by the Passenger Information Units, which creates an important security gap. The Commission recognises this challenge. Nevertheless, any possible extension of the obligation to collect PNR data to non-carrier economic operators will require a thorough assessment of the legal, technical and financial impact of such collection, including a fundamental rights’ check, in particular in the light of lack of standardisation of data formats.

The review has also shown that some Member States collect PNR data from other modes of transportation, such as maritime, rail and road carriers, on the basis of their national law. Despite the operational value of collecting such data, this issue raises significant legal, practical and operational questions. Before taking any steps to extend the obligation to collect PNR data under the Directive, the Commission will conduct a thorough impact assessment, as also recommended by the Council in its conclusions of December 2019, on ‘widening the scope of passenger name records (PNR) data legislation to transport forms other than air traffic’. 19

While the PNR Directive only allows the processing of PNR data for the fight against terrorism and serious crime, several Member States have also pointed out that the use PNR data could constitute a valuable tool to protect public health and prevent the spread of infectious diseases, for example by facilitating contact tracing as regards persons who have been sitting near an infected passenger. This issue has gained even more prominence since the emergence of the COVID-19 pandemic, with more Member States indicating that there is a need to allow for the use of PNR data to tackle such health-related emergencies.

3.4.Key operational challenges

The Commission takes stock of the challenges reported by Member States based on the limited experience gained in the application of the PNR Directive over the first two years of application. In particular, additional measures, such as the mandatory collection of the passengers’ date of birth by air carriers, may be necessary to enhance data quality, which is important to allow for an even more targeted and efficient data processing. Data quality improvements, as well as a careful reconsideration of the purposes for which PNR data may be used, may also be required to better align the PNR Directive with other EU instruments for law enforcement cooperation. Any changes to this effect to the Directive will require a thorough impact assessment, in particular as regards their impact on fundamental rights.

To avoid that air carriers are faced with conflict of law situations preventing them from transferring PNR data to and from the Member States, ways to allow the transfer of PNR data to third countries, in compliance with EU law requirements, will need to continue to be addressed in the context of the Commission’s external PNR policy. 

4.Conclusions

The Commission’s assessment of the first two years of application of the Directive is overall positive. The main conclusion of the review is that the Directive is contributing positively to its key objective of ensuring the establishment of effective PNR systems in the Member States, as an instrument to combat terrorism and serious crime. The Commission has supported Member States throughout the implementation process by coordinating regular meetings, facilitating cooperation between national authorities and providing financial assistance. At the same time, the Commission has not hesitated in launching infringement proceedings against Member States which failed to transpose the Directive on time.

The Commission will continue to work closely with the Member States to ensure that all the issues and challenges identified above are duly addressed so that the EU PNR mechanism becomes even more efficient, while ensuring full respect of fundamental rights. The Commission’s monitoring of the implementation of the PNR Directive will continue beyond the completion of the present review. This report, which should not be considered as a definitive assessment of compliance of the national transposition measures, will facilitate dialogue with the Member States in addressing any deviations from the Directive’s requirements. In that context, the necessity to launch infringement proceedings for non-conform implementation will also be assessed.

The Commission takes the view that no amendments to the PNR Directive should be proposed at this stage. After a first period in which the priority was to achieve full transposition, it is now time to focus on ensuring that the Directive has been implemented correctly. Moreover, some of the issues arising from the PNR Directive’s practical application, described above, will require further assessment. This is the case, for example, for the aspects related to a possible extension in the Directive’s scope. Such assessment should also take into account the additional evidence stemming from the on-going evaluation of the Advance Passenger Information Directive. The decision of whether to propose a revision of the PNR Directive will also be informed by the outcome of the preliminary ruling requests currently before the Court of Justice. 20  

(1)

     Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ L 119, 4.5.2016, p. 132.

(2)

     Belgium, Bulgaria, France, Germany, Latvia and the Netherlands.

(3)

     COM(2010) 492 final of 21 September 2010.

(4)

     Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, OJ L 186, 14.7.2012, p. 4. The joint review and evaluation of this agreement are currently ongoing.

(5)

     Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ L 215, 11.8.2012, p. 5. The joint evaluation of this agreement is currently ongoing.

(6)

     Opinion 1/15 of the Court (Grand Chamber), ECLI:EU:C:2017:592.

(7)

     EU-Canada Summit joint declaration, Montreal 17-18 July 2019.

(8)

     Council Decision authorising the opening of negotiations with Japan for an agreement between the European Union and Japan on the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and serious transnational crime, Council document 5378/20.

(9)

     This financial assistance has been distributed among the Member States according to the ISF-Police standard distribution key – i.e. 30% in relation to population, 10% in relation to territory, 15% in relation to number of sea and air passengers, 10% tons of cargo (air and sea), 35% as inverse proportion to GDP.

(10)

     Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1.

(11)

   Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89.

(12)

     COM (2020) 262 final of 24 June 2020.

(13)

     COM(2020) 264 final of 24 June 2020.

(14)

   Request for a preliminary ruling in Case C-817/19 Ligue des droits humains, OJ C 36, 3.2.2020, p. 16–17 (pending).

(15)

   Request for a preliminary ruling in joined Cases C-148/20, C-149/20 and C-150/20 Deutsche Lufthansa, not yet published (pending).

(16)

     Resolution 2396 (2017) - Adopted by the Security Council at its 8148th meeting, on 21 December 2017.

(17)

     A comprehensive assessment of the completeness and conformity of the national transposing measures and their practical implementation has been carried out in the framework of the compliance assessment, conducted by an external contractor, under the supervision of the Commission. With regard to the 23 Member States which had notified full transposition by 10 June 2019, the assessment has been completed. With regard to three Member States which notified after this date, only the initial assessment has been concluded.

(18)

     Some of the examples can be found in Sections 5.1 and 5.2 of the Staff Working Document.

(19)

     Council document 14746/19, adopted on 2 December 2019.

(20)

     Referred to above in footnotes 15 and 16.