
Ref. Ares(2021)6679191 - 29/10/2021
EUROPEAN
COMMISSION
Brussels, 24.7.2020
COM(2020) 305 final
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND
THE COUNCIL
On the review of Directive 2016/681 on the use of passenger name record (PNR) data for
the prevention, detection, investigation and prosecution of terrorist offences and serious
crime
{SWD(2020) 128 final}
EN
EN
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND
THE COUNCIL
On the review of Directive 2016/681 on the use of passenger name record (PNR) data
for the prevention, detection, investigation and prosecution of terrorist offences and
serious crime
1. THE REVIEW –
SCOPE AND PROCESS
Directive 2016/681 on the use of passenger name record (PNR) data for the prevention,
detection, investigation and prosecution of terrorist offences and serious crime (henceforth
‘the PNR Directive’)1 was adopted by the European Parliament and the Council on 27 April
2016. The Directive regulates the collection, processing and retention of PNR data in the
European Union and lays down important safeguards for the protection of fundamental rights,
in particular the rights to privacy and the protection of personal data. The deadline for the
Member States to transpose the Directive into their national law was 25 May 2018.
This report is in response to the obligation of the Commission under Article 19 of the PNR
Directive to conduct a review by 25 May 2020 of all the elements of the Directive and to
submit that report to the European Parliament and the Council. The report sets the PNR
Directive in its general context and presents the Commission’s findings in reviewing its
application two years from the transposition deadline. As required by Article 19 of the
Directive, the review covers all the elements of the Directive, with a particular focus on the
compliance with the applicable standards of protection of personal data, the necessity and
proportionality of collecting and processing PNR data for each of the purposes set out in the
Directive, the length of the data retention period, the effectiveness of the exchange of
information between the Member States and the quality of the assessments including with
regard to the statistical information gathered pursuant to Article 20. It also draws a
preliminary analysis of the necessity, proportionality and effectiveness of extending the
mandatory collection of PNR data to intra-EU flights and the necessity of including non-
carrier economic operators within the scope of the Directive. In addition, the review describes
1
Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of
passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist
offences and serious crime, OJ L 119, 4.5.2016, p. 132.
1
the main issues and challenges encountered in the implementation and practical application of
the Directive.
In preparing the review, the Commission gathered information and feedback through a
variety of sources and targeted consultation activities. These include the deliverables of the
compliance assessment of the PNR Directive, based on the analysis of national transposition
measures; discussions with the national authorities responsible for the implementation of the
Directive and with the travel industry within the framework of regular meetings and
dedicated workshops; statistical data submitted by the Member States pursuant to Article 20
of the Directive; and field visits to six Member States.2 In order to illustrate how PNR data
are used in practice to combat terrorism and serious crime, where possible, the report refers to
real life examples provided by national authorities drawing on their operational experience.
The accompanying Staff Working Document provides more detailed information and a
comprehensive analysis of all the matters covered by this report.
2. GENERAL CONTEXT
In recent years, an increasing number of countries – not limited to the Member States – and
international organisations have recognised the value of using PNR data as a law enforcement
tool. The establishment of a PNR mechanism and the implementation of the PNR Directive
should be seen against the background of this broader international trend.
The use of PNR data has been an important element of the EU’s international cooperation
against terrorism and serious crime for almost twenty years. The 2010 Communication on the
global approach established a set of general criteria which were to be fulfilled by future
bilateral PNR agreements, including, in particular, a number of data protection principles and
safeguards.3 These formed the basis of the renegotiations of the PNR agreements with
Australia, Canada and the U.S., leading to the conclusion of new PNR agreements with
Australia4 and the U.S.5
2
Belgium, Bulgaria, France, Germany, Latvia and the Netherlands.
3
COM(2010) 492 final of 21 September 2010.
4
Agreement between the European Union and Australia on the processing and transfer of Passenger Name
Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, OJ L 186,
14.7.2012, p. 4. The joint review and evaluation of this agreement are currently ongoing.
2
Further to a request by the European Parliament, on 26 July 2017 the Court of Justice of the
EU issued an Opinion declaring that the envisaged agreement with Canada could not be
concluded in its intended form because some of its provisions did not meet the requirements
stemming from the Charter of Fundamental Rights.6 To address the Court’s concerns, the EU
and Canada proceeded to renegotiate the agreement. These negotiations concluded at the
technical level in March 2019 and the finalisation of the agreement is currently pending
Canada’s legal review and political endorsement of the text.7 In addition, on 18 February
2020 the Council authorised the Commission to open negotiations with Japan for the
conclusion of an agreement on the transfer of PNR data.8 The negotiations with Mexico,
launched in July 2015, are currently at a standstill.
At EU level, the adoption of the PNR Directive in April 2016 constituted an important
milestone in the internal policy on PNR. As indicated above, the Directive lays down a
harmonised framework for the processing of PNR data transferred by air carriers to the
Member States. The Commission has supported the Member States in implementing the
Directive by coordinating regular meetings, facilitating the exchange of best practices and
peer-to-peer support, and providing financial assistance. In particular, the Budgetary
Authority reinforced the 2017 Union budget with EUR 70 million for the Internal Security
Fund-Police (ISF-Police), specifically for PNR-related actions.9 The Commission has also
funded four PNR-related projects under the Union Actions of the ISF-Police. These projects
aimed to ensure that Passenger Information Units of the Member States developed the
capabilities needed to exchange PNR data or the results of processing such data with each
other and with Europol.
In 2016, the EU also modernised its legislation on the protection of personal data through the
adoption of Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR)10
5
Agreement between the United States of America and the European Union on the use and transfer of
passenger name records to the United States Department of Homeland Security, OJ L 215, 11.8.2012, p. 5.
The joint evaluation of this agreement is currently ongoing.
6
Opinion 1/15 of the Court (Grand Chamber), ECLI:EU:C:2017:592.
7
EU-Canada Summit joint declaration, Montreal 17-18 July 2019.
8
Council Decision authorising the opening of negotiations with Japan for an agreement between the
European Union and Japan on the transfer and use of Passenger Name Record (PNR) data to prevent and
combat terrorism and serious transnational crime, Council document 5378/20.
9
This financial assistance has been distributed among the Member States according to the ISF-Police
standard distribution key – i.e. 30% in relation to population, 10% in relation to territory, 15% in relation
to number of sea and air passengers, 10% tons of cargo (air and sea), 35% as inverse proportion to GDP.
10 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
3
and Directive (EU) 2016/680 (the Directive on data protection in the law enforcement sector,
also known as the Law Enforcement Directive).11 On 24 June 2020, the Commission adopted
a Communication on aligning the former third pillar instruments with the data protection
rules12 and published the results of the first review and evaluation of the GDPR.13
In the context of this review, it should be noted that the Belgian Constitutional Court has
made a reference for a preliminary ruling to the Court of Justice on the Directive’s
compliance with the Charter of Fundamental Rights and the Treaty.14 More recently, the
Cologne District Court also made a request for a preliminary ruling relating to the PNR
Directive.15 The Commission has submitted observations in the first of these proceedings and
will do the same in the second in due course.
At the global level, in December 2017 the United Nations adopted Security Council
Resolution 2396 requiring all UN States to develop the capability to collect, process and
analyse PNR data and to ensure PNR data are used by and shared with all their competent
national authorities.16 To support States in developing such capabilities, in March 2019 the
International Civil Aviation Organisation (ICAO) launched the process to draft new PNR
standards. These standards, which will be binding on all ICAO member countries unless they
file a difference, were adopted by the ICAO Council on 23 June 2020. The Commission has
actively engaged in this process, as an observer representing the EU, to ensure the
compatibility of these standards with the EU legal requirements, so that they can contribute to
facilitate transfers of PNR data.
3. MAIN FINDINGS
The main findings of the review process can be summarised as follows:
such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA
relevance), OJ L 119, 4.5.2016, p. 1.
11
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data by competent authorities for the purposes
of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal
penalties, and on the free movement of such data, and repealing Council Framework Decision
2008/977/JHA, OJ L 119, 4.5.2016, p. 89.
12 COM (2020) 262 final of 24 June 2020.
13 COM(2020) 264 final of 24 June 2020.
14
Request for a preliminary ruling in Case C-817/19
Ligue des droits humains, OJ C 36, 3.2.2020, p. 16–17
(pending).
15
Request for a preliminary ruling in joined Cases C-148/20, C-149/20 and C-150/20
Deutsche Lufthansa,
not yet published (pending).
16 Resolution 2396 (2017) - Adopted by the Security Council at its 8148th meeting, on 21 December 2017.
4
3.1.
Establishment of an EU wide PNR system
The Commission welcomes the efforts made by national authorities to implement the PNR
Directive. At the end of the review period, 24 out of 26 Member States had notified the
Directive’s full transposition to the Commission. Of the two remaining Member States,
Slovenia has notified partial transposition and Spain, which has not notified any transposition
measures, was referred to the Court of Justice on 2 July 2020 for failure to implement the
Directive. The vast majority of Member States established fully operational Passenger
Information Units, which are the designated units responsible for collecting and processing
PNR data. These Passenger Information Units developed good levels of cooperation with
other relevant national authorities and the Passenger Information Units of other Member
States. All the Member States designated their competent authorities entitled to request and
receive PNR data from their Passenger Information Unit only for the purposes of preventing,
detecting, investigating and prosecuting terrorist offences and serious crime, such as the
police and other authorities responsible for fighting against crime.
3.2.
Compliance with data protection standards in the Directive
The analysis of national transposition measures points to an overall compliance with the data
protection requirements of the PNR Directive, even though some Member States have failed
to fully mirror all of them in their national laws.17 In addition, the overview of their
application confirms the commitment of national authorities to respect these safeguards and
to implement them in practice. The Commission will continue to encourage the dissemination
of best practices developed in this regard through its regular meetings with the Member
States and the projects financed under the ISF-P Union actions. At the same time, the
Commission will not hesitate to use its powers as guardian of the treaties, including by
launching infringement procedures if necessary, to ensure that Member States fully respect
the requirements set out in the Directive, in particular on the protection of personal data.
The data protection safeguards contained in the Directive, where implemented correctly,
which is the case in the majority of Member States, guarantee the proportionality of PNR data
17 A comprehensive assessment of the completeness and conformity of the national transposing measures and
their practical implementation has been carried out in the framework of the compliance assessment,
conducted by an external contractor, under the supervision of the Commission. With regard to the 23
Member States which had notified full transposition by 10 June 2019, the assessment has been completed.
With regard to three Member States which notified after this date, only the initial assessment has been
concluded.
5
processing and aim to prevent abuse on the part of national authorities or other actors. The
purpose limitation ensures that data processing is only carried out for the objectives of
fighting terrorism and serious crime. The prohibition of the collection and processing of
sensitive data constitutes an important safeguard to make sure that PNR will not be used in a
discriminatory manner. The fact that Member States maintain records of processing
operations, as required by the Directive, enhances transparency and allows to control the
lawfulness of data processing in an effective manner. Data Protection Officers can
independently control the lawfulness of data processing, in particular when they are not
members of the staff of the Passenger Information Unit and are not subordinated to the Head
of the Passenger Information Unit. In addition, their presence in the Passenger Information
Unit ensures that a data protection perspective is embedded in the daily functioning of these
units.
On a practical level, the interaction between the Passenger Information Units and their Data
Protection Officers appears to be working well and the role of the Data Protection Officer is
seen as adding value to the operations of the Passenger Information Unit. The Data Protection
Officers play a particularly important role in monitoring data processing operations,
approving and reviewing pre-determined criteria and providing advice on data protection
matters to the staff of the Passenger Information Unit. In most Member States, the Data
Protection Officers have been designated by law as the contact point for data subjects and
contacting them is also facilitated in practice.
3.3.
Other elements of the review
The necessity and proportionality of collecting and processing PNR data
The review shows several elements confirming the necessity and proportionality of collecting
and processing PNR data for the purposes of the PNR Directive. In the limited time since the
transposition deadline, PNR has proven to be effective in achieving its aims, which
correspond to an objective of general interest, i.e. to protect public security by ensuring the
prevention, detection, investigation and prosecution of serious crime and terrorism in the
Union’s area without internal borders.
According to the Member States, the different means of processing of PNR data available to
them (i.e. real time, reactive and proactive) have already delivered tangible results in the fight
against terrorism and crime. Without claiming to be exhaustive, Member States have
6
provided the Commission with qualitative evidence18 that illustrates how the comparison of
PNR data against databases and pre-determined criteria has contributed to the identification
of potential terrorists or persons involved in other serious criminal activities, such as drug
trafficking, cybercrime, human trafficking, child sexual abuse, child abduction and
participation in organised criminal groups. In some instances, the use of PNR data has
resulted in the arrest of persons previously unknown to the police services, or allowed for the
further examination by the competent authorities of passengers who would not have been
checked otherwise. The assessment of passengers prior to their departure or arrival has also
helped to prevent crimes from being committed. National authorities highlight that these
results could not have been achieved without the processing of PNR data, e.g. by using
exclusively other tools such as Advance Passenger Information.
Under the PNR Directive, the processing of PNR data concerns all passengers on inbound
and outbound extra-EU flights. The assessment shows that such broad coverage is strictly
necessary to achieve the Directive’s intended objectives. As to the data collected, the
categories in Annex I reflect internationally agreed standards, in particular at the level of
ICAO. National authorities have confirmed that the possibility to collect such categories of
PNR data corresponds to what is strictly necessary to achieve the objectives pursued.
Concerning the level of interference with the fundamental rights to privacy and to the
protection of personal data, the following considerations are relevant. Importantly, the PNR
Directive strictly prohibits the processing of sensitive data. While PNR data may reveal
specific information on a person’s private life, such information is limited to a specific aspect
of private life, namely, air travel. In addition, the PNR Directive contains strict safeguards to
further limit the degree of interference to the absolute minimum and ensure the
proportionality of the methods of processing available to national authorities, including as
regards the performance of automated processing. As a result of these safeguards, only the
personal data of a very limited number of passengers are transferred to competent authorities
for further processing. This means that PNR systems deliver targeted results which limit the
degree of interference with the rights to privacy and the protection of personal data. Finally,
PNR data are not used to establish an individual profile of everyone, but to establish risk and
anonymous scenarios or ‘abstract profiles’.
18 Some of the examples can be found in Sections 5.1 and 5.2 of the Staff Working Document.
7
The length of the data retention period
The retention of PNR data of all passengers for a period of five years is necessary to achieve
the objectives of ensuring security and protecting the life and safety of persons by preventing,
detecting, investigating and prosecuting terrorist offences and serious crime.
Firstly, the need to retain data for five years stems from the nature of PNR as an analytical
tool aimed not only at identifying known threats but also at uncovering unknown risks.
Travel arrangements recorded as PNR data are used to identify specific behavioural patterns
and make associations between known and unknown persons. By definition, the identification
of such patterns and associations calls for the possibility of a long-term analysis. Indeed, such
an analysis requires that a sufficient pool of data are available to the Passenger Information
Unit for such a relatively long period. Such data can then be transferred to the competent
authorities only in response to ‘duly reasoned’ requests, on a case-by-case basis, within the
framework of criminal investigations.
Secondly, the retention of PNR data for five years is needed to ensure the effective
investigation and prosecution of terrorist offences and serious crime. Investigating and
prosecuting such offences usually involves months and, often, years of work. In this vein,
Member States have confirmed that the five-year retention period is necessary from an
operational point of view. The availability of historical data ensures that, when an individual
is accused of having committed a serious crime or being involved in terrorist activities, it is
possible to review the travel history and see who travelled with him or her, identifying
potential accomplices or other members of a criminal group, as well as potential victims.
In addition, the safeguards provided in the PNR Directive concerning access by the
competent authorities to the data stored by the Passenger Information Unit and in relation to
the depersonalisation and re-personalisation of data have shown to be sufficiently robust to
prevent abuses.
The Court of Justice examined the time limits for the retention of PNR data in its Opinion
1/15 on the envisaged EU-Canada PNR agreement and, to address the Court’s concerns, the
Commission negotiated a new draft agreement with Canada. In this respect, it is important to
note that the Commission considers the factual and legal circumstances of the PNR Directive
are different from the ones considered by the Court of Justice in that case. In particular, the
PNR Directive clearly seeks the objective of ensuring security in the Union and its area
8
without internal borders, where the Member States share responsibility for public security. In
addition, unlike the draft agreement with Canada, the Directive does not concern data
transfers to a third country, but the collection of passenger data on flights to and from the EU
by the Member States. In this respect, the nature of the PNR Directive as secondary law
means that it is applied under the control of the national courts of the Member States and, in
the final instance, of the Court of Justice. Furthermore, national laws implementing the Law
Enforcement Directive also apply to the processing of data provided for in the PNR
Directive, including any subsequent processing by competent authorities.
The effectiveness of exchange of information between the Member States
The cooperation and exchange of PNR data between the Passenger Information Units is one
of the most important elements of the Directive. While the exchange of data between the
Member States based on duly-reasoned requests functions effectively, the possibility to
transfer PNR data on the Passenger Information Unit’s own initiative is much less prevalent.
The information provided by the Member States suggests that law enforcement authorities are
more willing to use cooperation procedures based on clear and precise regulations, such as
those concerning transfers in response to a request. In contrast, the broad and relatively
unclear formulation of the Directive’s provision on spontaneous transfers has led to a certain
reticence in its application.
The quality of the assessments including with regard to the statistical information gathered
pursuant to Article 20
Article 20 of the PNR Directive requires Member States to collect, as a minimum, statistical
information on the total number of passengers whose PNR data have been collected and
exchanged, and the number of passengers identified for further examination. The analysis of
this information shows that only the data of a very small fraction of passengers are
transferred to competent authorities for further examination. Thus, the statistics available
indicate that, overall, PNR systems are working in line with the objective of identifying high
risk passengers without impinging on bona fide travel flows.
In this respect, it should be noted that the statistics provided to the Commission are not fully
standardised and therefore not amenable to hard quantitative analysis. In a similar vein, it is
also necessary to recall that in most investigations PNR data constitutes a tool, or a piece of
evidence, among others, and that it is often not possible to isolate and quantify the results
9
attributable specifically to the use of PNR alone. In the present analysis, the Commission has
mitigated these difficulties by collecting various types of evidence to establish a solid
evidence base for the review. The Commission will also continue working closely with the
Member States to improve the quality of the statistical information collected under the
Directive.
Feedback from the Member States on the possible extension of the obligations and the use
of data under the PNR Directive
All Member States except one have extended the collection of PNR data to intra-EU flights.
National authorities see the collection of PNR data for intra-EU (and in particular intra-
Schengen) flights as an important law enforcement tool to track the movements of known
suspects and to identify suspicious travel patterns of unknown individuals who may be
involved in criminal/terrorist activities travelling within the Schengen zone. As Member
States already effectively collect PNR data on intra-EU flights, the Commission does not
consider it essential to make the collection of PNR data in intra-EU flights mandatory at this
stage.
The review has shown that, from the operational point of view, Member States would
consider information from non-carrier economic operators of crucial added value. Given the
number of reservations made by tour operators and travel agencies, an important share of
passengers’ data are currently not collected and processed by the Passenger Information
Units, which creates an important security gap. The Commission recognises this challenge.
Nevertheless, any possible extension of the obligation to collect PNR data to non-carrier
economic operators will require a thorough assessment of the legal, technical and financial
impact of such collection, including a fundamental rights’ check, in particular in the light of
lack of standardisation of data formats.
The review has also shown that some Member States collect PNR data from other modes of
transportation, such as maritime, rail and road carriers, on the basis of their national law.
Despite the operational value of collecting such data, this issue raises significant legal,
practical and operational questions. Before taking any steps to extend the obligation to collect
PNR data under the Directive, the Commission will conduct a thorough impact assessment,
as also recommended by the Council in its conclusions of December 2019, on ‘widening the
10
scope of passenger name records (PNR) data legislation to transport forms other than air
traffic’.19
While the PNR Directive only allows the processing of PNR data for the fight against
terrorism and serious crime, several Member States have also pointed out that the use PNR
data could constitute a valuable tool to protect public health and prevent the spread of
infectious diseases, for example by facilitating contact tracing as regards persons who have
been sitting near an infected passenger. This issue has gained even more prominence since
the emergence of the COVID-19 pandemic, with more Member States indicating that there is
a need to allow for the use of PNR data to tackle such health-related emergencies.
3.4.
Key operational challenges
The Commission takes stock of the challenges reported by Member States based on the
limited experience gained in the application of the PNR Directive over the first two years of
application. In particular, additional measures, such as the mandatory collection of the
passengers’ date of birth by air carriers, may be necessary to enhance data quality, which is
important to allow for an even more targeted and efficient data processing. Data quality
improvements, as well as a careful reconsideration of the purposes for which PNR data may
be used, may also be required to better align the PNR Directive with other EU instruments for
law enforcement cooperation. Any changes to this effect to the Directive will require a
thorough impact assessment, in particular as regards their impact on fundamental rights.
To avoid that air carriers are faced with conflict of law situations preventing them from
transferring PNR data to and from the Member States, ways to allow the transfer of PNR data
to third countries, in compliance with EU law requirements, will need to continue to be
addressed in the context of the Commission’s external PNR policy.
4. CONCLUSIONS
The Commission’s assessment of the first two years of application of the Directive is overall
positive. The main conclusion of the review is that the Directive is contributing positively to
its key objective of ensuring the establishment of effective PNR systems in the Member
States, as an instrument to combat terrorism and serious crime. The Commission has
supported Member States throughout the implementation process by coordinating regular
19 Council document 14746/19, adopted on 2 December 2019.
11
meetings, facilitating cooperation between national authorities and providing financial
assistance. At the same time, the Commission has not hesitated in launching infringement
proceedings against Member States which failed to transpose the Directive on time.
The Commission will continue to work closely with the Member States to ensure that all the
issues and challenges identified above are duly addressed so that the EU PNR mechanism
becomes even more efficient, while ensuring full respect of fundamental rights. The
Commission’s monitoring of the implementation of the PNR Directive will continue beyond
the completion of the present review. This report, which should not be considered as a
definitive assessment of compliance of the national transposition measures, will facilitate
dialogue with the Member States in addressing any deviations from the Directive’s
requirements. In that context, the necessity to launch infringement proceedings for non-
conform implementation will also be assessed.
The Commission takes the view that no amendments to the PNR Directive should be
proposed at this stage. After a first period in which the priority was to achieve full
transposition, it is now time to focus on ensuring that the Directive has been implemented
correctly. Moreover, some of the issues arising from the PNR Directive’s practical
application, described above, will require further assessment. This is the case, for example,
for the aspects related to a possible extension in the Directive’s scope. Such assessment
should also take into account the additional evidence stemming from the on-going evaluation
of the Advance Passenger Information Directive. The decision of whether to propose a
revision of the PNR Directive will also be informed by the outcome of the preliminary ruling
requests currently before the Court of Justice.20
20 Referred to above in footnotes 15 and 16.
12
Document Outline