Filter By:

API-PNR

Latest update 14 December 2016

OVERVIEW

Please see the download section on the top right hand corner of this page to read the overview of this section and scroll down the page to read the latest updates on ERA's activities and position.

CONTACT

For further assistance please contact policy.technical@eraa.org

UPDATE

Latest update 14/12/2016: The terrorist attacks in Paris and Brussels during 2016 had a dramatic impact on the EU agenda which resulted in a decisive acceleration to the negotiations between the European Parliament and the Council on the adoption of a new Directive on PNR data.

The “EU directive regulating the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime”, was ultimately adopted on 21 April 2016.
The new directive (EU) 2016/681 aims to regulate the transfer of such PNR data to member states' law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
It will also oblige airlines to hand national authorities passengers' data for all flights from third countries to the EU and vice versa.

Member states will have to set up "Passenger Information Units" (PIUs) to manage the PNR data collected by air carriers. This information will have to be retained for a period of five years, but after six months, the data will be “masked out”, i.e., stripped of the elements, such as name, address and contact details that may lead to the identification of individuals.

Airlines will have to provide PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect  PNR data concerning selected intra-EU flights, provided that they notify the EU Commission.

EU countries may also choose to collect and process PNR data from travel agencies and tour operators (non-carrier economic operators), since they also manage flight bookings.
To protect the fundamental rights to protection of personal data, to privacy and to non-discrimination, the directive includes a series of other limitations for the transfer, processing and retention of PNR data:
• the directive prohibits the collection and use of sensitive data;
• member states must ensure that passengers are clearly informed about the collection of PNR data and of their rights;
• transfer of PNR data to third countries can only take place in very limited circumstances and on a case-by-case basis;
• explicit prohibition of processing personal data revealing a person's race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation;
• all processing of PNR data should be logged or documented;
• access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period.
Member states will have two years to bring into force the laws, regulations and administrative provisions necessary to comply with this directive.

The ERA Industry Affairs Group (IAG) meetings held in London on 21 June 2016 and in Brussels on 2 December 2016 extensively covered the subject of the EU PNR Directive and the impact of the new legislation on member airlines. Further information about the IAG and the presentations discussed at the meeting can be found here: http://www.eraa.org/events/era-groups

ERA is also monitoring the next steps by the European Commission to make sure that the PNR common protocols and supported data formats - which will have to be published by the Commission and applied by all Member States - are in line with existing international standards and best practices.

Due to the complexity and potential for divergent application of the new EU PNR Directive, in November 2016 the Commission published a Better Regulation Implementation document to provide preliminary guidance to EU members.