On 24 July 2020, the Commission presented its review of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crime (the 2016 “EU PNR Directive” – see eucrim 2/2016, p. 78). The Directive notably provides for the obligation of air carriers to transfer to Member States the PNR data they have collected in the normal course of their business. PNR are pieces of information such as data on travel, travel itinerary, ticket information, contact details, travel agent, means of payment, seat number, and baggage information. Member States must establish specific entities responsible for the storage and processing of PNR data (Passenger Information Units (PIUs)). The Directive regulates the way Member States can use PNR data and provides for the necessary data protection safeguards. Member States had to transpose the Directive by 25 May 2018.

The Commission’s review report is accompanied by a Staff Working Document that contains more detailed information and a comprehensive analysis of all matters supporting the findings of the review report. The documents set the Directive in its general context and present the main evaluation findings after two years of application of the Directive’s provisions. The main findings are:

• In general, the establishment of an EU-wide PNR system has worked well. In particular, the vast majority of Member States established fully operational PIUs. These reached a good level of cooperation. However, two Member States have not (fully) transposed the Directive at the end of the review period. Slovenia has notified partial transposition, whereas the Commission referred Spain to the CJEU on 2 July 2020 for failure to implement the Directive;
• National transposition measures overall comply with the Directive’s data protection safeguards. However, some Member States have failed to mirror all safeguards in their national laws. National authorities implement them in practice. The safeguards ensure the proportionality of PNR processing and aim at preventing abuse. In practice, the cooperation between PIUs and data protection officers responsible for monitoring data processing operations apparently works well;
• The use of PNR data has delivered tangible results in the fight against terrorism and serious crime: law enforcement authorities report that PNR data has been successfully used to plan their interventions in advance, to identify previously unknown suspects, to establish links between members of crime groups, and to verify the assumed “modus operandi” of serious criminals;
• The broad coverage of the Directive, which concerns all passengers on inbound and outbound extra-EU flights, proved necessary;
• The retention period of five years for PNR data is necessary in order to achieve the objectives of ensuring security and protecting lives and safety of persons.
• Since only a small fraction of passengers’ data was transferred to law enforcement authorities for examination, the PNR system is working in line with the objective of identifying high-risk passengers without impinging on bona fide travellers.

The Commission’s review also tackles the question of a possible extension of the obligations under the PNR Directive. It states that all Member States except one extended PNR data collection to intra-EU flights, which is set out as an option in the Directive. From an operational point of view, Member States wish an extension to information from non-carrier economic operators. The Commission also notes that some Member States additionally collect PNR data from other modes of transportation, e.g. maritime, rail and road carriers, on the basis of their national laws (for the discussion on widening the scope of the PNR Directive, see eucrim 4/2019, pp. 235-236). However, the Commission is hesitant to establish EU-wide rules in this regard and points out that a thorough impact assessment is needed first, since an extension raises significant legal, practical and operational questions. Ultimately, several Member States pointed out that PNR data could also be useful to protect public health and to prevent the spread of infectious diseases, e.g. the coronavirus, by facilitating contact tracing.

In conclusion, the Commission’s assessment on the application of the EU PNR Directive during its first two years is overall positive. The Commission believes that there is currently no need for amendments. In this context, it is stressed that amendments need thorough impact assessments, and the outcome of the pending preliminary ruling procedures before the CJEU should be awaited (see in particular Case C-817/19, Ligue des droits humains, and Joint Cases C-148/20, C-149/20 and C-150/20, Deutsche Lufthansa AG).