EU Privacy Supervisor Blasts Air Passenger Data Plan

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Sept. 25 — A proposed European Union directive that would create a harmonized system for transfer of airline passenger name records (PNR) to law enforcement agencies would result in the unnecessary and disproportionate processing of personal data and would likely violate EU privacy rights, the European Data Protection Supervisor said in a Sept. 25 opinion.

The draft PNR scheme also falls short over other issues, including excessive data retention periods, lack of clarity over permitted uses of PNR data, imprecise criteria on who would be allowed to access the data and data security concerns, the EDPS opinion said.

The proposed directive, which was narrowly approved in July by the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE), would require airlines entering and exiting the EU to provide PNR data to EU law enforcement agencies for the purposes of combating terrorism and serious crime (136 PRA, 7/16/15). The proposed directive would allow the retention of data for up to five years.

The European Parliament's lead lawmaker on the issue, British Conservative Timothy Kirkhope, told Bloomberg BNA Sept. 25 that the PNR directive would “put in place a framework of robust data protection rules and rights for passengers,” and would be “an effective and proportionate measure” against terror attacks and serious crime.

But in a Sept. 25 statement, EDPS Giovanni Buttarelli said that although the EU faced a risk of terrorism, it should consider “more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries.”

Renewed Attempt 

The European Commission, the EU's executive arm, originally proposed the PNR directive in 2011, but it was blocked in LIBE in mid-2013 because of privacy concerns.

However, after terrorist attacks in Paris in January, the leaders of the EU's 28 member states said the directive should be brought back as part of counterterrorism efforts.

Following the July LIBE vote, the PNR directive is presently being discussed by representatives from the European Parliament and the Council of the EU, which is made up of representatives from the EU member states, with a view to finalizing the law by the end of 2015. A finalized draft text would require ratification from the European Parliament and council before it can be adopted.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor on this story: Donald G. Aplin at

EDPS Opinion 5/2015 on the proposed EU PNR directive is available at


Request Bloomberg Law Privacy and Data Security