On 2 February 2010 the European Commission put forward a proposal for an EU Passenger Name Record (PNR) Directive which aims to fight serious crime and terrorism. Under this proposal air carriers will be obliged to provide EU Member States with data on passengers entering or departing from the EU, whilst guaranteeing a high level of protection of privacy and personal data.

As announced in November 2010 when presenting EU Internal Security Strategy, the European Commission has presented the new proposal for an EU Passenger Name Record (PNR) Directive which establishes common rules on the requirements for the transfer and use of such data.

In practice many law enforcement authorities in Member States already collect PNR data on a case-by-case or on a flight-by-flight basis. The Commission proposal would allow for a more systematic use of the data for all relevant flights, and create a coherent approach across all Member States. This will avoid uneven levels of protection of passengers' personal data, as well as security gaps, increased costs, and legal uncertainty for air carriers and passengers.

Key aspects of EC's proposal for an EU Passenger Name Record (PNR) Directive

• Air carriers will transfer data on passengers on international flights held in the carriers' reservation systems to a dedicated unit in the Member State of arrival or departure.
• Strong protection of privacy and personal data. PNR data may not be used for any purpose except fighting serious crime and terrorist offences, they will have to be made anonymous one month after the flight, and data must not be retained for more than five years in total. Sensitive data may never be transferred or used. Data must be requested and sent under ‘push method’. Member States must set up dedicated units to handle the data and monitored by an independent supervisory. Clear rules on passengers' right to accurate information about the collection of PNR data are also introduced, as well as rules giving passengers the right to access, rectify, and delete their data, and to compensation and judicial remedies.
• Clear rules on how data should be transferred and the security of such transfers, aimed at limiting the impact on privacy and minimising the costs for air carriers.

The United States, Canada and Australia are currently obliging EU air carriers to make PNR data available for all persons who fly to and from these countries. These kind of data transfers are now ruled by some general principles set by the European Commission in September 2010 regarding the agreements on PNR. In Commission's point of view, the experience of those countries, and of the EU Member States that use PNR data, confirms that PNR data are necessary to fight serious crime and terrorism.

This Commission's proposal replaces de previous proposal for a Framework Decision on the use on PNR data from 2007, which had to be substituted after the entry into force of the Lisbon Treaty. It is expected to take approximately two years to negotiate the proposal in the Council of Ministers and the European Parliament.