Within the European Union (“EU”) regulations have existed for some time now, that aim to control and manage the transfer of the passenger name record (“PNR”) data of passengers on international flights from airlines to the EU Member States, as well as the means of processing of this data. The regulation is introduced with the adoption of Directive (EU) 2016/681 on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (the “Directive”), the application of which has become the subject of rulings by both the Court of Justice of the EU (“CJEU”) and the European Data Protection Board (“EDPB”, the “Board”).
Given the nature of the data covered by the scope of the Directive, which is essentially personal information, the CJEU has had the occasion to rule in its judgement on the compatibility of the Directive with the rights, that are granted and guaranteed by the EU Charter of Fundamental Rights (the “Charter”) (Judgement C-817/19). The Court, while interpreting the Directive’s provisions, holds that the same shall be interpreted restrictively and imposes some important limitations to their application. These limitations have been further supplemented by two statements adopted by the EDPB, the second of which has been adopted during the Board’s March 2025 plenary meeting (the “Statement”).
The Directive concerns PNR data of the passengers – information, that is related to the booking made with the airline and that includes travel dates and itinerary, ticket information, contact details of the ticket holder, means of payment used, and baggage information. The Directive provides that each Member State must establish a Passenger Information Unit (“PIU”), that should be responsible for the collection, storage and processing of the data; for transferring the data to the competent national authorities; and for the exchange of PNR data within the EU. In accordance with the Directive, the data may be processed only for the purpose of prevention, detection, investigation ad prosecution of terrorist offences and serious crimes, and the cases in which such processing is permitted are set out explicitly. With regard to the protection of the passengers’ data, the PIU must store the data, provided by the airlines, in a database for 5 years from the time of its transfer, and after 6 months from the time of the transfer the data must be “depersonalised”. The disclosure of the full PNR information of the passengers after this 6-month period has expired is allowed only in situations that are explicitly listed in the Directive.
In Bulgaria in 2016 A Passenger Information Unit of the Republic of Bulgaria has been created with the State Agency of National Security in relation to the legal regulations in the EU.
Although the mechanism established by the Directive imposes certain limitations in relation to the protection of the PNR data, the EDPB provides further recommendations for its application, which are in compliance with the interpretation of the CJEU and with the rights guaranteed by the Chart. The Board’s guidance cover some of the key aspects of the CJEU Judgement, such as:
- Persons – that are not passengers, whose data may be subject to collection, processing and storage – third parties may fall within the scope of the Directive only if their data is directly related to the flight operated and the passenger concerned. This personal data is limited to the payment information and billing address of a person that has purchased the ticket on behalf of the passenger; and the contact details of a parent or guardian who is dropping off or picking up a passenger who is an unaccompanied minor.
- Requirement of an objective link between the PNR data and the investigated offence – the link can be either direct or indirect, as long as it is based on objective criteria. The Statement gives guidance on when such a link is established.
- Application of the Directive only to intra-EU flights – the statement gives recommendations on how the Member States should select the flights from which PNR data is collected, and it encourages the introduction of both regular and ad-hoc procedures in the system.
- Respect of the data subject rights – the rights referred to in and guaranteed by the Directive, and the right to judicial redress in particular, should be respected by providing comprehensive information to the persons concerned and to the court, in order for them to be able to question and examine the lawfulness of the processing and the review of the data.
- Performing a prior review by an independent authority – it shall be carried out by a court or an administrative authority that is different than the authority involved in the conduct of the criminal investigation (in relation to which the data is reviewed).
- Retention period of the PNR data – the EDPB states that the retention period of all PNR data should not exceed an initial period of six months. After this period individual PNR data sets may be stored for processing only if and only as long as it can be justified that it is necessary and proportionate in view of the Directive’s objectives.
Along with the given recommendations, in its Statement the Board calls for the timely implementation of the Directive by the Member States, given that this process has not starter everywhere yet. It outlines the need to introduce the relevant amendments to the national legislation, while taking into account the limitations imposed by the CJEU
You can read the full text of the EDPB Statement here.
You can read the full text of the Directive here.
The news above is for information purposes only. It is not a (binding) legal advice. For a thorough understanding of the subjects covered and prior acting on any issue discussed we kindly recommend Readers consult Ilieva, Voutcheva & Co. Law Firm attorneys at law.
