Brussels, 21 September 2010
The Passenger Name Record (PNR) - Frequently Asked Questions
What is PNR and what data does it contain?
The Passenger Name Record (PNR) is information provided by passengers and collected by air carriers in order to process reservations and carry out check-in process. They are stored in the airlines' reservation and departure control databases.
PNR allows law enforcement authorities and the air industry (from the travel agent and the computer reservation systems (CRS) to the carrier and the handling agents at the airports) to recognise each passenger and have access to relevant information related to his/her journey: departure and return flights, connecting flights (if any), etc.
PNR data have been used manually for almost 60 years by customs and law enforcement authorities around the world. However, only recent technology developments allow for an advance electronic transmission of the data. This makes PNR an even more useful tool to fight serious crime, including terrorism.
Which third countries have PNR agreements with the EU?
Currently there are PNR agreements with the US and Australia which are provisionally applicable. According to the Lisbon Treaty provisions', the European Parliament has to give its consent to these agreements. However, in May 2010, the European Parliament, under the new Treaty rules, postponed its vote for consent for formal conclusion of the EU-US and EU-Australia PNR agreements. At the same time, the European Parliament called for setting general standards which third countries requesting PNR from the EU need to respect. It wanted the US and Australia PNR agreements to be re-negotiated on the basis of such general standards.
A PNR agreement with Canada also exists. Due to the expiry, formally, of certain legal commitments on which that agreement is based, it should also be renegotiated.
What are PNR mainly used for?
PNR are used to examine past crimes, prevent new ones and to do trend analysis as well as travel and behaviour patterns of criminals. More in detail:
To make a risk assessment of passengers and identify persons potentially interesting to law enforcement authorities;
to identify specific addresses, credit cards and other items or evidence connected to criminal offences and find the person(s) they belong to;
to match PNR against other PNR for the identification of associates of criminals and terrorists, for example by finding who travels together.
Why do we need agreements with third countries on sharing the Passenger Names Record (PNR) data of air carriers?
The exchange of PNR is an increasingly important criminal intelligence tool to fight terrorism and serious transnational crime throughout the world.
Legislation in some third countries empower national authorities to require each air carrier operating passenger flights bound for that country, to provide it with electronic access to Passenger Name Record (PNR) data prior to the passenger's arrival.
At the same time the EU data protection legislation does not allow air carriers operating flights from the EU to transfer the PNR data of their passengers to third countries without a legal arrangement that ensures amongst others an adequate level of protection of the PNR data.
Therefore, the EU negotiates international agreements, recognising the necessity of the exchange of PNR for law enforcement and security purposes, whilst meeting data protection requirements.
Another advantage of this approach is that it provides a Europe-wide solution, legally binding in all Member States, thereby offering the necessary legal certainty for passengers and air carriers.
To summarise, PNR agreements are necessary to effectively fight serious transnational crime, including terrorism, and ensure full protection of personal data and providing legal certainty for air carriers and passengers.
What PNR data will be shared with third countries?
Air carriers make available the PNR data of all persons who fly to and from the interested third country, as contained in their reservation systems, but only the PNR data elements (data fields) listed in the Agreement will be used.
What about sensitive data?
The authorities receiving the data will filter them out and not use sensitive information contained in PNR data, except in very exceptional cases. Sensitive information means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or concerning the health or sex life of the individual. Experience shows that PNR rarely contain sensitive data of this kind.
Do third countries' authorities require access to PNR data on the types of meal that passengers request or on their medical condition?
This information is collected by airlines in order to provide special services to certain passengers and may therefore be contained in some PNR. Some of those may contain sensitive information, for example a meal preference indicating a health condition (see previous question). Third countries do generally require such information, and where it is part of PNR it may be used only in very exceptional cases.
How long can be the PNR data of the passengers retained?
The Communication on the global approach to transfers of PNR data to third countries says that PNR data could be stored "not longer than necessary". The length of the retention period depends on a number of elements: the security threat the receiving country is facing, the use of the data and the conditions under which the date are stored and can be accessed. Since these issues may differ from one country to the other, the final outcome of the data retention period may vary too. The length of the data retention period should be understood in this wider perspective.
What has been done so far?
On 16 January 2003 the Commission issued a Communication on the Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach, aimed at setting out the elements of a global EU approach on PNR. The Communication called for a legally secure framework for PNR transfers to the US Department of Homeland Security and the adoption of an internal policy on PNR. It also called for the development of the push system of transfers of data by the air carriers and an international initiative on PNR data transfers by International Civil Aviation Organisation (ICAO).
The conclusions of that Communication have been implemented to a large extent:
the EU signed an agreement with the U.S. Department of Homeland Security for the transfer of PNR data in the interest of the fight against terrorism and serious transnational crime and which ensures transfer of PNR data whilst providing for the protection of personal data;
the Commission adopted a proposal for a Framework Decision for the use of PNR data for law enforcement purposes. Due to the entry into force of the Treaty of Lisbon, the Commission is currently preparing, on the basis of an impact assessment, a proposal for a Directive on the use of PNR data for law enforcement purposes;
a push system of transfers of data has been adequately developed by most carriers while ICAO developed a series of guidelines for PNR transfers to governments.
In addition to the agreement with the US, the EU signed similar agreements with Canada and Australia.
Examples of PNR analysis yielding information for investigating serious cross-border crime
Child trafficking: PNR analysis revealed that three unaccompanied children were travelling from an EU Member State to a third country, with no indication of who would meet them upon arrival. Alerted by the Member State’s police after departure, the third country’s authorities arrested the person who turned up to receive the children: a sex offender registered in the Member State.
Trafficking in human beings: PNR analysis uncovered a group of human traffickers always travelling on the same route. Using fake documents to check in for an intra-EU flight, they would use authentic papers to simultaneously check in for another flight bound for a third country. Once in the airport lounge, they would board the intra-EU flight.
Credit card fraud: Several families travelled to a Member State with tickets purchased by stolen credit cards. Research showed that a criminal group used these cards to purchase the tickets, selling them over the counter in long-distance call centres. It was PNR data that linked the travellers to the credit cards and vendors.
Drug trafficking: A Member State police authority had information suggesting that a man was involved in drug trafficking from a third country, but border guards never found anything on him when he arrived in the EU. PNR analysis revealed that he always travelled with an associate. An inspection of his associate yielded large quantities of drugs.
What are the basic principles for the protection of personal data that the requesting third countries should apply?
Purpose limitation – use of data: The scope of the use of the data by a third country should be spelt out clearly and precisely in the agreement and should be no wider than what is necessary in view of the aims to be achieved. Experience with current PNR agreements shows that PNR data should be used only for law enforcement and security purposes to fight terrorism and serious transnational crime. Key notions like terrorism and serious transnational crime should be defined based on the approach of definitions laid down in relevant EU instruments.
Purpose limitation – scope of data: The exchange of data should be limited to the minimum and should be proportionate. Any agreement should list exhaustively the categories of PNR data to be transferred.
Special Categories of Personal Data (sensitive data): PNR data revealing racial or ethnic origins, political opinions or religious or philosophical beliefs, trade union membership, health or sexual life shall not be used unless under exceptional circumstances where there is an imminent threat to loss of life and provided that the third country provides appropriate safeguards, for example that such data may be used only on a case-by-case basis, under the authorisation of a high-ranking official and strictly limited to the purposes of the original transfer.
Data Security: PNR data must be protected against misuse and unlawful access by all appropriate technical, security procedures and measures to guard against risks to the security, confidentially or integrity of the data.
Oversight and accountability: A system of supervision by an independent public authority responsible for data protection with effective powers of intervention and enforcement shall exist to exercise oversight over those public authorities that use PNR data. The latter shall be accountable for complying with the established rules on the protection of personal data, and should have powers to hear complaints from individuals concerning the processing of PNR data.
Transparency and Notice: Every individual shall be informed at least as to the purpose of processing of personal data, who will be processing that data, under what rules or laws, the types of third parties to whom data is disclosed and how and from whom redress can be sought.
Access, rectification and deletion: Every individual shall be provided with access to his or her PNR data as well as, where appropriate, the right to seek rectification and deletion of his or her PNR data.
Redress: Every individual shall have the right to effective administrative and judicial redress where his or her privacy has been infringed or data protection rules have been violated, on a non discriminatory basis regardless of nationality or place of residence. Any such infringement or violation shall be subject to appropriate and effective sanctions and/or remedies.
Automated Individual Decisions: Decisions producing adverse actions or effects on an individual may not be based solely on the automated processing of personal data without human involvement.
Retention of data: the period of retention of the PNR data should not be longer than necessary for the performance of the defined tasks. The period of retention should take into account the different ways in which PNR data are used and the possibilities of limiting access rights over the period of retention, for example by gradual anonymisation of the data.
Restrictions on onward transfers to other government authorities: PNR data should only be disclosed to other government authorities with powers in the fight against terrorism and serious transnational crime, and which should undertake to afford the same protections as those afforded by the recipient agency under the agreement in accordance with an undertaking to the latter. PNR data should never be disclosed in bulk but only on a case-by-case basis.
For more information
Homepage of Cecilia Malmström, EU Commissioner for Home Affairs: