Airlines and PNR: how does the GDPR come into play?

Directive 2016/681/EU[1], to be implemented by the EU Member States at the latest on 25 May 2018, provides for the creation, in each Member State, of an authority competent for the prevention, detection, investigation or prosecution of terrorist offences and of serious crime, to act as its passenger information unit ('PIU'). The PIU shall be responsible for the collection of PNR data[2] from air carriers, the storage and the processing of these data, and the transfer to the relevant competent authorities. The PIU also exchanges PNR data with PIUs of other Member States and with Europol.[3]

From now on, EU Member States must oblige air carriers operating extra-EU flights to transfer PNR data to the PIU of the Member State where they land or from which they depart.[4] Member States may extend this obligation to carriers operating intra-EU flights.

The PNR Directive concerns different categories of processing: (a) the transfer by the carriers of the data to the PIU, (b) the processing of the data by the PIU (collection, storage, transfer to authorities in charge of crime investigation and prosecution).

The sole purpose of this processing is "preventing, detecting, investigating and prosecuting terrorist offences and serious crime".[5]

The personal data processed must be minimal and proportionate: the PNR Directive refers to the EU Charter of Fundamental Rights, underlining the proportionality and data minimization principles, as does the GDPR[6].

The PNR data whose transfer to the PIU Member States must impose are listed in Annex 1 to the PNR Directive. This annex contains headings such as "frequent flyer information" and "general remarks", without specifying exactly which data segments thereof are needed and why: as such, it may not pass the proportionality test required under the EU Charter of Fundamental Rights.

As the Court of Justice of the EU has determined, the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights to privacy and protection of personal data, whatever the subsequent use of this information[7]. The Court has recognized that these rights are not absolute and must be considered in relation to their function in society[8], but a proportionality test must be carried out.

Even if the enumeration in Annex 1 to the PNR Directive shows similarities with the overview of ICAO[9], the PNR legislation is still required to define in a clear and precise manner which PNR data are strictly necessary for the PIUs to receive[10], taking into consideration that PNR data may reveal a travel itinerary, travel habits, relationships between air passengers, the financial situation of passengers, dietary habits or state of health, hence sensitive information[11]. For example, the reference in the PNR Directive to "frequent flyer information" may be considered as not sufficiently precise: "it is not clear whether this concerns merely the status of the passenger in the customer loyalty programs or whether, on the contrary, it covers all information relating to air travel and transactions carried out in the context of such programs".[12]

Where the enumeration in the PNR Directive is not sufficiently precise according to the proportionality principle as described by the CJEU, Member States could further specify these data segments. The implementing Member States' legislation, however, tends to simply take over the enumeration from the PNR Directive. The PNR Directive seems to be understood as an obligation for the air carriers to simply transfer all PNR data that they have on their systems, without filtering, but only these data[13]. The view is that the PNR legislation does not require carriers to collect data (the nature of PNR data collected may depend on the exact activity of an operator), but requires them to transfer all of the PNR data that they possess.

Whereas filtering of the PNR data before transferring them to the PIU could be an option to comply with the data minimization and proportionality principles[14], Member States' legislation that refers to the enumeration in the PNR Directive does not allow filtering by the carriers before the push to the PIU[15].

The PNR Directive aims at increasing security and safety. It considers that "effective use of PNR data, for example by comparing PNR data against various databases on persons and objects sought, is necessary to prevent, detect, investigate and prosecute terrorist offences and serious crime and thus enhance internal security, to gather evidence and, where relevant, to find associates of criminals and unravel criminal networks."[16] This is an objective of general interest of the EU that is indeed capable of justifying even serious interferences with the fundamental rights of privacy and data protection. The data to be transferred to the PIU, for the transfer to stand the proportionality test, should nevertheless be limited to what is strictly necessary. Assessment criteria should be defined, in a manner which keeps to a minimum the number of innocent people wrongly identified by the system.

In so far as Member States require carriers, without obliging them to collect data other than those collected in their normal course of business[17], to transfer to the PIUs all PNR information that they have, and apply penalties for not transferring all such data, the question remains to what extent such a legal obligation alleviates the carriers' liability under the GDPR if the data transferred to the PIU are excessive.

The carriers, when processing PNR data for their normal course of business, need to comply with the accountability principle provided for by the GDPR[18]. They need to make sure that the PNR data collected do not exceed what is necessary for booking and reservation. As accountable controllers, the carriers need to comply with the transparency principle. Since the carriers will have to further transfer the data to the PIUs, and hence will have to process the data "for a purpose other than that for which the personal data were collected", they should provide the passengers "prior to that further processing" with information on the transfer to the PIUs.[19]

Carriers on the one hand may be subject to penalties if they do not transfer all PNR data that they have to the PIU, and on the other hand may be subject to fines where their collection of PNR data is not GDPR-compliant: e.g. if such collection is not limited to what is necessary for the purpose of reservation and booking, or if the processing is not sufficiently transparent.

Air carriers from now on, when collecting PNR data, must take into consideration that they will have to further transfer such data to the PIUs.

It is thus important, in the framework of the accountability principle, that they do not collect unnecessary PNR data and that they make sure that passengers are aware of what is happening to their data; in other words, "a data subject should not be taken by surprise at the purpose of processing of their personal data".[20]

It remains to be seen whether other obligations will be imposed upon the carriers in the framework of the PNR legislation, such as filtering of data, additional checks on correctness of data, additional controls of travel and identity documents. Financial and technical burdens for air carriers do not seem to be avoided by the EU PNR legislation, notwithstanding the ICAO Guidelines.

  1. Directive (EU) 2016/681 of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime ("the PNR Directive")
  2. PNR means the records of passengers' travel requirements with information necessary to enable reservations: PNR Directive, Article 3 (5). "A PNR is built up from data supplied by or on behalf of the passenger concerning all flight segments of a journey": ICAO Guidelines on PNR data, Doc. 9944
  3. Article 4, 1° and 2° PNR Directive
  4. Article 8, 1° PNR Directive
  5. Articles 1, 2° and 6, 2° PNR Directive
  6. Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("the GDPR")
  7. CJEU (Grand Chamber), Opinion 1/15 of 26 July 2017, consideration 124 (Opinion on the EU-Canada PNR Agreement)
  8. Ibid., consideration 136
  9. Appendix I to the ICAO Guidelines on PNR data
  10. CJEU, Opinion 1/15, consideration 156
  11. The CJEU takes this into consideration in its Opinion 1/15; also ICAO refers to these privacy risks: ICAO Guidelines on PNR data, 2.1.10
  12. CJEU, Opinion 1/15, consideration 157
  13. Cf. Carpanelli E. and Lazzerini N., PNR: Passenger Name Record, problems not resolved? The EU PNR Conundrum after Opinion 1/15 of the CJEU, Air & Space Law, 42, n° 4&5 (2017), 393
  14. Also ICAO takes into account that carriers may be required to filter PNR data, and asks States to put them in a position where such requirement would not create unnecessary technical or financial difficulties for them: ICAO Guidelines on PNR data
  15. E.g. Belgian law of 25 December 2016 on the processing of passengers data, Article 7 § 1 and implementing Royal Decree of 18 July 2017, Article 3 § 2
  16. Recital (6) PNR Directive
  17. Article 8, 1° PNR Directive
  18. Article 5, 2° GDPR
  19. Article 13, 3° GDPR
  20. WP29 Guidelines on transparency, p.20