New EDPB statement on implementation of PNR directive: impact and recommendations

During its meeting in March 2025, the European Data Protection Board (EDPB) approved a new statement regarding the application of the PNR directive, in light of the ruling of the Court of Justice of the EU (CJEU) in case C-817/19. This statement contains concrete recommendations for how the directive should be transposed at the national level and emphasises the need to amend legislation.

What is the PNR directive?

The PNR directive obliges airlines to collect specific personal data about passengers, such as name, travel route, payment information and contact information, and to provide this to the national Passenger Information Units (PIUs). This information is intended to aid in the detection and prosecution of terrorism and serious crime. However, on 21 June 2022, the CJEU ruled that this processing is subject to strict limits to guarantee the rights to privacy and data protection.

Key points from the EDPB statement

The EDPB urges member states to align their national regulations with the restrictions imposed by the ruling. The statement contains recommendations on the following topics:

1. Limited application of the PNR system

The processing of PNR data may only take place for terrorist offences and serious crime, and only if there is an objective connection with air transport.

2. Limitation of retention period

The data may not be retained for longer than is strictly necessary. Although the directive allows a period of six months and in certain cases up to five years, the CJEU emphasises that objective indications do not automatically justify five years' retention. Only when there is concrete evidence that certain passengers pose a risk can a link with the objectives of the PNR directive be established and longer retention be justified.

3. Intra-EU flights only under strict conditions

Extending the directive to domestic EU flights is only justified in the case of a current and real threat. Such risk analyses must be regularly evaluated by an independent administrative body.

4. Better information and protection for passengers

Travellers must be clearly informed of their rights, including the right to access and to object. If systems make automatic decisions based on PNR data, an individual human review must always follow. In case of a challenge, the competent authority must be given access to the assessment criteria used.

5. Independent prior review

Each request for access to the data for judicial purposes must first be assessed by an independent authority that is not involved in the investigation and has sufficient resources to carry out its task objectively.

Situation in Belgium

The Belgian law “Wet tot wijziging van de wet 25 december 2016 betreffende de verwerking van passagiersgegevens” of 16 May 2024 amended the PNR legislation following a ruling by the Constitutional Court on 12 October 2023, in which various provisions of the original 2016 law were declared null and void. This ruling came after the Court submitted preliminary questions to the CJEU in case C-817/19, seeking clarity on the interpretation of the PNR Directive in light of EU fundamental rights.

The new Belgian law justifies the general retention of PNR data for a maximum of five years based on the current, real and ongoing terrorist threat in Belgium. However, this appears to conflict with the position of the EDPB, which excludes general retention beyond six months. The law does include a safeguard: the five-year retention period is conditional upon the continued existence of the threat, and a formal evaluation of the law must take place by 12 October 2026, based on an updated threat analysis by OCAD.

The EDPB further emphasises that the strict necessity principle, which calls for a clear assessment of the scope, timing, and evidence of a real or foreseeable terrorist threat, applies to all or a subset of intra-EU flights. Such broad application is not considered indiscriminate if based on individual assessments and regular review mechanisms. The Belgian Act of 16 May 2024 aligns with this, as the Constitutional Court justified the extension of the PNR system to all carriers and intra-EU routes based on the specific and current threat environment at the time of its ruling.

Situation in the Netherlands

The Dutch law implementing the PNR Directive is the "Wet gebruik van passagiersgegevens voor de bestrijding van terroristische en ernstige misdrijven". This law outlines the collection and processing of passenger data for flights to and from third countries, as well as intra-EU flights. The law mandates a retention period of five years, with depersonalisation after six months. However, the EDPB statement entails that the retention period beyond six months needs to be supported by concrete evidence, which does not follow from the Dutch implementation act. 

The Dutch law applies to intra-EU flights without clear evidence of a real and current threat, which might require further justification. Also, Dutch law provides for review mechanisms but needs clarification on whether an independent body is always involved in the decision-making process.

Conclusion

The EDPB's recent statement reaffirms the necessity of a uniform and legally sound PNR directive implementation across the EU. The application of the directive must respect fundamental rights, even though it is still an important tool in the fight against serious crime and terrorism. Clear limits have been set by the CJEU's decision in case C-817/19, and in order to guarantee compliance, national laws like those in Belgium and the Netherlands will need to be examined. In addition to highlighting the necessity of legislative reform, the EDPB offers specific suggestions to aid in this process. Not only member states, but also airlines, Passenger Information Units (PIUs), and other involved organisations need to ensure that data is processed lawfully, retention periods are strictly limited, and passenger rights are fully safeguarded. 

Do you have questions about how the judgement or the directive affects your organisation? The Privacy & Data Protection team at Stibbe will be happy to help.