This document is an excerpt from the EUR-Lex website
A global approach to PNR data transfers
The communication sets out general criteria for European Union’s (EU) bilateral agreements with non-EU countries on transfers of Passenger Name Record (PNR) data in order to harmonise transmission modalities and provisions on data protection.
ACT
Communication from the Commission of 21 September 2010 on the global approach to transfers of Passenger Name Record (PNR) data to third countries [COM(2010) 492 final – Not published in the Official Journal].
SUMMARY
The European Union (EU) has adopted new measures against the threats of terrorism and organised crime, which are presented in the Commission’s communication on information management in the area of freedom, security and justice. These measures include the use of Passenger Name Record (PNR) data * for law enforcement purposes. PNR data is used increasingly, which also raises concerns regarding personal data protection. Due to these challenges, the Commission has reconsidered its global approach to PNR data transfers to non-EU countries. Consequently, this communication sets out general criteria for future bilateral PNR agreements, with a view to contributing towards the fight against terrorism and transnational serious crime, while guaranteeing respect for fundamental rights and ensuring coherence between the various PNR agreements.
Passenger Name Record (PNR) data
PNR data are principally used as a criminal intelligence tool with a view to:
PNR data are used in investigations and prosecutions. They are also used to prevent crimes and to arrest persons when a crime has been committed, as well as to create travel and behaviour assessments to facilitate crime prevention.
However, under EU data protection laws, carriers may not transmit PNR data to non-EU countries, unless these countries provide an adequate level of protection for personal data. For this reason, the EU signed international PNR agreements with the United States, Canada and Australia. However, these agreements were negotiated on a case-by-case basis, as a result of which their provisions on rules for carriers and data protection are not coherent. As the number of such agreements is likely to increase in the near future, there is a need to set out general standards, content and criteria for them.
Global approach on PNR
Through the global approach on PNR, greater coherence should be achieved between non-EU countries’ data protection guarantees and between air carriers’ data transmission modalities.
A large number of persons and their personal data are affected by the collection and transfer of PNR data to non-EU countries. Since these countries’ data protection regimes may differ from that of the EU, it is essential that they ensure adequate legal protection for the transferred PNR data. Consequently, non-EU countries should apply the following basic principles for the protection of personal data:
The rules governing the transmission of data to non-EU countries by carriers should be streamlined to increase legal certainty and minimise the financial burden on these carriers. At least the following modalities of transmission should be standardised:
Furthermore, PNR agreements with non-EU countries should be concluded for fixed periods of time and be reviewable. Mechanisms should be put in place for monitoring their implementation, as well as for resolving any disputes regarding their interpretation and application. It is also essential to ensure reciprocity between EU and non-EU countries, in particular as regards the transfers of analytical information stemming from PNR data.
Finally, in the long term, if more countries start using PNR data, the EU should examine the possibility of setting out standards at the international level for transmitting and using such data, and consequently of replacing its bilateral PNR agreements with a multilateral one.
Key terms used in the act
Last updated: 19.11.2010