This document is an excerpt from the EUR-Lex website
Document 52025PC0490
Recommendation for a COUNCIL DECISION authorising the opening of negotiations for an agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record data from the European Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Recommendation for a COUNCIL DECISION authorising the opening of negotiations for an agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record data from the European Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Recommendation for a COUNCIL DECISION authorising the opening of negotiations for an agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record data from the European Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
COM/2025/490 final
EUROPEAN COMMISSION
Brussels, 15.9.2025
COM(2025) 490 final
Recommendation for a
COUNCIL DECISION
authorising the opening of negotiations for an agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record data from the European Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
EXPLANATORY MEMORANDUM
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
Strengthening international cooperation on law enforcement, including information sharing, is essential to address the threats posed by terrorism and serious transnational crimes. The latest Serious Organised Crime Threat Assessment (SOCTA) report published by Europol 1 illustrates the international dimension of the activities of most serious crime organisations. Additionally, Europol’s latest Terrorism Situation and Trend Report (TE-SAT) 2 stresses not only the direct links between the transnational travel and the organisation of terrorist activities and serious crime, but also the importance of effectively detecting, investigating and prosecuting other serious criminal offences for preventing and fighting terrorist offences.
The collection and analysis of Passenger Name Record(PNR) data can provide the authorities with important elements allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement authorities. PNR data encompass information provided by passengers and collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes. The content of PNR data varies depending on the information given during the booking and check-in process and may include, for example, dates of travel and the complete travel itinerary of the passenger or group of passengers travelling together, contact details like address and phone number, payment information, seat number and baggage information.
Accordingly, the processing of PNR data has become a widely used law enforcement tool, in the EU and beyond, to detect terrorism and other forms of serious crime, such as drug-related offences, human trafficking and child sexual exploitation, and to prevent such crime from being committed.
While crucial for combating terrorism and serious crime, the transfer of PNR data to third countries as well as the processing by their authorities constitutes an interference with the protection of individuals’ rights with regard to their personal data. For this reason, the transfer of PNR data requires a legal basis under EU law and must be necessary, proportionate and subject to strict limitations and effective safeguards, as guaranteed by the Charter of Fundamental Rights of the EU, notably in its Articles 6, 7, 8, 21, 47 and 52. The achievement of these important objectives requires a fair balance to be struck between the legitimate objective to maintain public security and the individuals’ right to enjoy the protection of their personal data and private life.
In 2010, the EU and the Republic of Korea upgraded their broader relationship to a Strategic Partnership, based on shared values and common interests. The EU-Republic of Korea Framework Agreement signed in May 2010 provides the basis for cooperation on major political and global issues. The Republic of Korea is a like-minded and strategic partner of the European Union in the fight against terrorism and other serious transnational crime. Within the United Nations, the G20 and other multilateral fora, the European Union and the Republic of Korea work closely together to improve global security frameworks as well as to enhance the security of their citizens.
On 17 December 2021, the Commission adopted an adequacy decision in relation to the transfer of personal data from the EU to the Republic of Korea between commercial operators 3 , concluding that the Republic of Korea ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR). 4 In this context, the Commission also assessed the conditions and safeguards under which Korean public authorities, including law enforcement, can access data held by those operators. Although the adequacy assessment under this decision does not cover processing of PNR data as such, it nevertheless provides evidence that the foundations for essential data protection safeguards already exist in the Republic of Korea legal framework and should therefore also provide the basis for adducing the necessary corresponding safeguards in a PNR Agreement, in particular, enforceable data subject rights, judicial redress and independent oversight.
The Republic of Korea has clearly expressed their interest to the Commission in entering into negotiations with the aim of concluding a PNR Agreement with the European Union since 2008. Contacts intensified as of August 2024, and culminated in a series of written exchanges and meetings in May and June 2025. In particular, in the latter occasions, the Republic of Korea indicated a pressing need to acquire PNR data from EU air carriers, in the light of increasing drug trafficking, which can be linked to incoming European flights.
According to the legislation of the Republic of Korea, since 2006, air carriers are required to transmit Passenger Name Record (PNR) data to the Korean Customs Service (KCS). This legislation aims at enhancing the security of the Republic of Korea by obtaining PNR data prior to a passenger’s arrival or departure and therefore significantly enhances the ability to conduct efficient and effective advance travel risk assessment of passengers. In this context, the Republic of Korea has also shared relevant information both as regards the amount of scheduled flights between the EU and the Republic of Korea (approximately 12.000 in 2024) as well as regards the adherence of its legislation to the ICAO Standards on PNR.
To allow for the transfer of PNR data from the EU to the Republic of Korea to effectively fight terrorism and other forms of serious transnational crime, an international agreement is needed, providing the necessary legal basis at EU level. Such type of future agreement should provide appropriate data protection safeguards within the meaning of Article 46(2)(a) of the General Data Protection Regulation 5 , including a system of independent oversight. A future agreement should respect fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the right to private and family life recognised in Article 7 of the Charter, the right to the protection of personal data recognised in Article 8 of the Charter and the right to effective remedy and fair trial recognised in Article 47 of the Charter.
For these reasons, the Commission considers it necessary to start negotiations with the Republic of Korea, which will allow the designated Korean competent authority to receive and process PNR data from the European Union, subject to appropriate safeguards. In addition, such an agreement would be a means to foster law enforcement cooperation through enhancing the possibilities to exchange PNR data as well as analytical information resulting from the processing of PNR, between the Republic of Korea and EU Member States competent authorities, for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
•Consistency with existing policy provisions in the policy area
In the European Union, in 2016, the European Parliament and the Council of the European Union adopted Directive (EU) 2016/681 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’) 6 . This Directive regulates the transfer and processing of PNR data in the European Union and lays down important safeguards for the protection of fundamental rights, in particular the rights to privacy and the protection of personal data. In June 2022, the Court of Justice of the EU (CJEU) confirmed the validity and compliance of this Directive with the Charter of Fundamental Rights of the EU and the Union Treaties, in its Judgment in case C-817/19 7 .
As regards the EU’s external PNR policy, the Commission first set out the broad lines of such policy in a 2003 Communication 8 , which were reviewed in a Communication adopted in 2010 9 . Three international agreements are currently in force between the EU and third countries, namely with Australia 10 , the United States 11 (2012) and the United Kingdom 12 (2020), covering the transfer and processing of PNR data from the EU. After negotiations which followed up on Opinion 1/15 of the CJEU of 26 July 2017, 13 a new PNR Agreement with Canada was signed on 4 October 2024 14 . In March 2024, following the Council’s authorization 15 , the Commission also launched negotiations with Switzerland, Iceland and Norway. On 12 June 2025, these negotiations resulted in Commission proposals to sign and conclude PNR Agreements with Iceland 16 and Norway 17 .
At international level, an increasing number of third countries have started developing their capabilities to collect PNR data from air carriers. This trend is further prompted by Resolutions adopted by United Nations Security Council (in 2017 and 2019), requiring all States to develop the capability to collect and use PNR data 18 , based on which Standards and Recommended Practices on PNR (SARPs) were adopted by the International Civil Aviation Organization (ICAO) in 2020, by means of Amendment 28 to Annex 9 to the Chicago Convention, which became applicable in February 2021 19 .
The Union position, as established by Council Decision (EU) 2021/121, welcomes the ICAO SARPs on PNR as laying down ambitious safeguards on data protection and therewith allowing significant progress to be made at international level. At the same time, this Council Decision considered, by means of requiring Member States to register a difference, that the requirements resulting from Union law (including relevant case-law), are more exacting than certain ICAO Standards, and that transfers from the EU to third countries require a legal basis establishing clear and precise rules and safeguards in relation to the use of PNR data by competent authorities of a third country 20 . Based on preliminary discussions held at technical level, the Republic of Korea informed the Commission services that their legal and administrative framework adheres to the ICAO Standards.
In this context, the negotiation and conclusion of this Agreement with the Republic of Korea constitutes part of a broader effort of the Commission to pursue a consistent and effective approach regarding the transfer of PNR data to third countries, building on the ICAO SARPs on PNR, and in line with the Union law. Such an approach was also requested by the Council with its Conclusions of June 2021 21 .
Herewith, the Commission also seeks to respond to calls from air carriers to ensure more legal clarity and foreseeability on PNR transfers to third countries 22 .
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
The procedural legal basis for this recommendation is Article 218(3) and (4) of the Treaty on the Functioning of the EU.
The proposal has two main aims and components, one relating to the necessity of ensuring public security by means of the transfer of PNR data to the Republic of Korea and the other concerning the protection of privacy and other fundamental rights and freedoms of individuals. Thus, the substantive legal basis is Article 16(2) and Article 87(2)(a) TFEU.
•Proportionality
The Union’s objectives with regard to this proposal as set out above can only be achieved by establishing a valid legal basis at Union level to ensure that appropriate protection of fundamental rights is granted to transfers of personal data from the Union. The provisions of the agreement are limited to what is necessary to achieve its main objectives and strike a fair balance between the legitimate objective to maintain public security and the individuals’ right to enjoy the protection of their personal data and private life.
•Choice of the instrument
The appropriate safeguards required for the specific processing of PNR data received by the Republic of Korea from air carriers on flights operated by air carriers between the Union and the Republic of Korea must be established by means of a valid legal basis under EU law. The present Agreement constitutes such legal basis enabling PNR data transfers.
•Fundamental rights
The exchange of PNR data and its processing by the authorities of a third country constitutes an interference with the fundamental rights to privacy and data protection. However, such interference is justified, also because the Agreement pursues legitimate objectives i.e. to prevent, detect, investigate and prosecute terrorist offences and serious crime. The Agreement includes appropriate data protection safeguards to the personal data transferred and processed, in line with EU law, notably Articles 7, 8, 47 and 52 of the Charter of Fundamental Rights of the EU.
3.BUDGETARY IMPLICATIONS
There are no budgetary implications for the Union budget.
Recommendation for a
COUNCIL DECISION
authorising the opening of negotiations for an agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record data from the European Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 87(2), point (a), in conjunction with Article 218(3) and (4) thereof,
Having regard to the recommendation from the European Commission,
Whereas:
(1) Negotiations should be opened with a view to concluding an Agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record (PNR) data from the Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
(2) The Agreement should respect fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the European Union (“the Charter”), as interpreted by the Court of Justice of the European Union, in particular the right to private and family life recognised in Article 7 of the Charter, the right to the protection of personal data recognised in Article 8 of the Charter and the right to effective remedy and fair trial recognised in Article 47 of the Charter. The Agreement should be applied in accordance with those rights and principles and having due regard to the principle of proportionality, in accordance with Article 52(1) of the Charter.
(3) The provisions of the Agreement should be set out furtherto the applicable international Standards on PNR, as contained in the International Convention on Civil Aviation, namely in its Annex 9 (Facilitation), Chapter 9 (Passenger Data Exchange System), Section D (Passenger Name Record (PNR) data) 23 .
(4) In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Decision and is not bound by it or subject to its application.] OR [In accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Ireland has notified [, by letter of …,] its wish to take part in the adoption and application of this Decision.].
(5) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the TFEU, Denmark is not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(6) The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered its Opinion [xxx] on [xx.xx.xxxx].
HAS ADOPTED THIS DECISION:
Article 1
The European Commission is hereby authorised to negotiate, on behalf of the Union, an Agreement between the Union and the Republic of Korea on the transfer of Passenger Name Record (PNR) data from the Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
Article 2
The negotiating directives are set out in the Annex.
Article 3
The negotiations shall be conducted in consultation with [name of special committee to be inserted by the Council].
Article 4
This Decision is addressed to the Commission.
Done at Brussels,
For the Council
The President
EUROPEAN COMMISSION
Brussels, 15.9.2025
COM(2025) 490 final
ANNEX
to the
Recommendation for a COUNCIL DECISION
authorising the opening of negotiations for an agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record data from the European Union to the Republic of Korea for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
ANNEX
Directives for the negotiation of an Agreement between the European Union and the Republic of Korea on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
The negotiations should aim to achieve the following general objectives:
(1)The Agreement reflects the necessity and importance of the processing of Passenger Name Record (PNR) data in combating serious crime and terorrism by enabling the lawful transfer of PNR data from the Union to the Republic of Korea.
(2)In order to comply with the relevant requirements of EU law, including the Charter of Fundamental Rights of the European Union and the relevant case law of the Court of Justice of the European Union, the Agreement provides a legal basis, conditions and safeguards for the transfer to and processing by the Republic of Korea of PNR data, and ensures that an adequate level of personal data protection is provided.
(3)The Agreement encourages and facilitates cooperation between the Member States of the Union and the Republic of Korea by establishing arrangements for timely, effective and efficient exchanges of PNR data and of the results of processing of PNR data.
The negotiations should aim to achieve the following on substance:
(4)The Agreement identifies the designated Korean competent authority responsible for receiving from air carriers and further processing PNR data under the Agreement.
(5)The Agreement specifies exhaustively and in a clear manner the PNR data elements to be transferred, in line with international standards. Data transfers are kept to the minimum necessary and are proportionate to the purpose specified in the Agreement.
(6)The Agreement ensures that PNR data is transferred exclusively to the Korean competent authority by pushing the required PNR data into the receiving authority’s system (‘push method’). The frequency and the timing of such transfers do not create an unreasonable burden on air carriers and are limited to what is strictly necessary.
(7)The Agreement ensures that air carriers are not required to collect and transfer any additional PNR data compared to what they already collect as part of their business.
(8)The Agreement includes the obligation to ensure security of personal data through appropriate technical and organisational measures, including by allowing only authorised persons to have access to personal data and keeping records in the form of access logs. It should also include the obligation to notify the competent authorities and, wherever necessary and possible, data subjects, in the event of a personal data breach affecting data transferred under the Agreement.
(9)The Agreement sets out the purposes of PNR data processing in an exhaustive manner, notably by establishing that PNR data is transferred and processed solely for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, based on the definitions laid down in relevant EU law instruments.
(10)The Agreement provides that sensitive data within the meaning of Union law, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, are not to be processed under the Agreement.
(11)The Agreement includes safeguards for the automated processing of PNR data to ensure it is based on non-discriminatory, specific, objective, and reliable, pre-established criteria and that such automated processing is not used as a sole basis for any decisions with adverse legal effects or seriously affecting an individual. It also ensures that the databases against which PNR data are compared are only those relevant for purposes covered by the Agreement.
(12)The Agreement provides that PNR data received under the Agreement is subject to periods of retention that are restricted and not longer than what is necessary for and proportionate to the objective pursued, that is, for the purposes of preventing, detecting, investigating and prosecuting of terrorist offences and serious crime. These retention periods ensure that, in line with the relevant case law of the Court of Justice of the European Union, PNR data can be retained under the Agreement only if an objective connection between the PNR data to be retained and the objective pursued is established. The Agreement requires that the PNR data is deleted upon expiry of the relevant retention period or rendered anonymous in such a manner that the individuals concerned are no longer identifiable.
(13)The Agreement ensures that disclosure of PNR data by the designated Korean competent authority to other competent authorities of the Republic of Korea or to competent authorities of other States, may only take place on a case-by-case basis and under certain conditions and safeguards. In particular, such disclosures may only take place if the recipient authority exercises functions related to the fight against terrorist offences and serious crime and ensures the same protections as those set out in the Agreement and should be subject to a prior review by a court or by an independent administrative body, except in cases of validly established urgency. Onward transfers to competent authorities of other third countries are limited to those countries with which the Union has an equivalent PNR Agreement or for which the Union has adopted an adequacy decision under its personal data protection law covering the relevant authorities to which the PNR data is intended to be transferred.
(14)The Agreement ensures a system of oversight by an independent public authority responsible for personal data protection, with effective powers of investigation, intervention and enforcement, to exercise oversight over the designated competent authorities and other competent authorities that process PNR data under the Agreement. That independent public authority has powers to hear complaints from individuals, in particular concerning the processing of PNR data relating to them.
(15)The Agreement ensures the rights of effective administrative and judicial redress on a non-discriminatory basis, regardless of nationality or place of residence, for any person in respect of whom PNR data relating to that person is processed under the Agreement, in line with Article 47 of the Charter of Fundamental Rights of the EU.
(16)The Agreement contains provisions to ensure enforceable rights for individuals whose personal data are processed, in the form of rules on the right to information, access, rectification and erasure, including the specific grounds that may allow for any necessary and proportionate restrictions to those rights.
(17)The Agreement fosters police and judicial cooperation through the exchange of PNR data, or results of processing of PNR data, between the designated Korean competent authority and the competent police and judicial authorities of Member States of the Union, as well as between the designated Korean competent authority, on the one hand, and Europol within their respective competences, on the other hand.
(18)The Agreement shall provide for an effective dispute settlement mechanism with respect to its interpretation and application to ensure that the parties observe mutually agreed rules.
(19)The Agreement shall include provisions on the monitoring and periodic evaluation of the Agreement.
(20)The Agreement shall include a provision on the entry into force and application and a provision whereby a Party may terminate or suspend it, in particular where the third country no longer effectively ensures the level of protection of fundamental rights and freedoms required under this Agreement.
(21)The Agreement is equally authentic in the Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish, and Swedish languages and will include a language clause to that effect.