EU Ministers Finalize Air Passenger Data Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

April 21 — Justice ministers from the 28 European Union member states April 21 signed off on a law that will harmonize systems across the bloc for the collection and processing of airline passenger name record (PNR) data, for the purposes of tackling terrorism and serious crime.

The ministers' approval of the EU PNR Directive finalizes a process dating back to 2011, marked by disagreements over whether the collection and screening of PNR records for law enforcement purposes clashes with data protection principles of proportionality and necessity (10 PVLR 193, 2/7/11).

Following the ministers' approval, the PNR Directive will enter into force 20 days after its publication in the EU Official Journal, after which EU countries must adopt its provisions within two years.

Erik Valgaeren, a data protection lawyer at Stibbe in Brussels, told Bloomberg BNA April 21 that the PNR Directive “comes at the worst possible time” because of tensions around government access to data, as expressed through the invalidation of the U.S.-EU Safe Harbor framework (14 PVLR 1825, 10/12/15).

“There is a high risk” that the PNR Directive “will come under further scrutiny and could be challenged,” Valgaeren said.

The European Court of Justice April 2014 invalidated the EU Data Retention Directive, a law that required Internet and telecommunications companies to provide customer data to law enforcement agencies (13 PVLR 660, 4/14/14), similar to the way the PNR directive would require airlines to supply data.

European Parliament lawmakers blocked the draft PNR Directive in 2013, but subsequent terrorist attacks led some lawmakers and EU member state ministers to push again for the law. It was finally approved by the European Parliament April 14 (15 PVLR 791, 4/18/16).

The Council of the EU, which represents the governments of EU member states, said in an April 21 statement that the collection and processing of PNR data would apply to all flights into and out of the EU.

The PNR Directive leaves the collection and processing of PNR data from intra-EU flights optional, but justice ministers from all countries had committed to “make full use of the possibility” to require transfer to law enforcement agencies of data from intra-EU flights, the council statement said.

‘Single Interface' Planned

Ard van der Steur, security and justice minister of the Netherlands, which presently chairs the EU council, said that ministers also wanted to be able to exchange PNR data using a “single interface which would have access to different databases.”

According to a recent council briefing note, justice ministers discussed the “systematic feeding, consistent use and interoperability of European and international databases in the fields of security, travel and migration by making full use of technological developments and including privacy safeguards from the outset.”

Van der Steur, speaking after the justice ministers' meeting in Luxembourg, said “if you want to be effective in sharing information,” it was necessary “to have a system that will access that data in a very easy and effective way.”

However, “this is something we need to develop further because we will encounter practical and legal problems,” van der Steur said, without adding further details.

Privacy Safeguards

A number of EU lawmakers have said the PNR Directive could be vulnerable to legal challenge because it involves disproportionate data collection and retention. European Data Protection Supervisor Giovanni Buttarelli was particularly critical of the directive in a September 2015 opinion because, in his view, the PNR Directive was unclear over the permitted uses of data and who would be allowed to access it (14 PVLR 1761, 9/28/15).

Among the data protections included in the PNR Directive are a data retention period of five years with data anonymized after six months, the appointment by EU member states of data protection officers to oversee PNR data processing, limitations on transfers of PNR data to non-EU countries and an obligation to notify data subjects of high-risk data breaches.

PNR data covers 19 fields of information, including personal identity details, payment information, baggage information and travel itineraries.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Jimmy H. Koo at

For More Information

Text of the PNR Directive is available at

Request Bloomberg Law: Privacy & Data Security