Air Passenger Data [EU]
Obligation of air carriers to communicate passenger data
This Directive requires air carriers to collect and transmit passenger data to the authorities of the Member State of destination responsible for control. Non-compliance may lead to fines being imposed and even, in the case of serious infringement, confiscation of the means of transport or withdrawal of the operating licence.
Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data.
According to this Directive, air carriers * are required to communicate information concerning their passengers travelling to a European Union (EU) border crossing *. This information is supplied, at the request of the authorities responsible for carrying out checks * on persons at the external borders * of the EU, to improve border control and to combat illegal immigration more effectively.
These data are forwarded to these authorities for passenger registration purposes. In principle they are transmitted electronically to these authorities.
Carriers are required to transmit the following information: number and type of travel document used, nationality, name and date of birth of the passenger, border crossing point of entry into the EU, departure and arrival time of the transportation, total number of passengers carried.
In principle, these data are deleted by these authorities within 24 hours of transmission, provided that the passengers have arrived within the territory of the Member States. The personal data are deleted by the carrier within 24 hours of arrival of the means of transport.
Member States must adopt dissuasive, effective and proportionate sanctions, should carriers fail to comply with this obligation. Such sanctions are applicable to carriers which, as a result of fault, have not transmitted data or have transmitted incomplete or false data. The maximum amount of these sanctions is not less than EUR 5000 and their minimum amount is not less than EUR 3000 for each journey.
Member States may also provide for other types of sanctions in the event of serious infringement of the communication requirement. These sanctions may consist of:
immobilisation, seizure and confiscation of the means of transport;
temporary suspension or even withdrawal of the carrier’s operating licence.
Carriers may appeal against measures imposed against them. Member States adopt all the necessary measures for this right of appeal to be effective.
Background
This Directive was adopted following a request by the European Council of 25 and 26 March 2004, which met following the terrorist attacks in Madrid. The obligations provided for in this Directive are complementary to those laid down by Article 26 of the Convention implementing the Schengen Agreement, as supplemented by Council Directive 2001/51/EC, concerning the obligation of carriers to return third-country nationals who are refused entry by the Member State of destination.
Key terms used in the act
Carrier: any natural or legal person whose occupation it is to provide passenger transport by air.
External borders: external borders of the Member States with third countries.
Border control: check carried out at a border exclusively on account of crossing that border.
Border crossing point: any crossing point authorised by the competent authorities for crossing external borders.
References
Act
Entry into force
Deadline for transposition in the Member States
Official Journal
Directive 2004/82/EC
5.9.2004
5.9.2006
OJ L 261 of 6.8.2004
Use of passenger records to prevent terrorism and serious crime
Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
It aims to regulate the transfer of the passenger name record (PNR) data of passengers on international flights from airlines to the European Union (EU) countries.
It also regulates the processing of these data by EU countries’ competent authorities.
What are PNR data?
They consist of booking information stored by airlines in their reservation and departure control systems. The information collected includes:
travel dates;
travel itinerary;
ticket information;
contact details;
means of payment used;
baggage information.
Scope
Each EU country must establish a Passenger Information Unit (PIU). A PIU is responsible for:
collecting, storing and processing the data, as well as transferring the data or the results of the processing to the competent national authorities;
exchanging PNR data and the results of processing with other EU countries and Europol.
Airlines must provide PIUs in EU countries with the PNR data for flights entering or departing from the EU. It also allows — but does not require — EU countries to collect PNR data concerning selected intra-EU flights.
Processing
The data collected may only be processed to prevent, detect, investigate and prosecute terrorist offences and serious crime. Data should only be processed in the following cases:
for a pre-arrival assessment of passengers against pre-determined risk criteria and relevant law enforcement databases;
for use in specific investigations/prosecutions;
as input in the development of risk assessment criteria.
Transfer and exchange of data
EU countries should not be able to access the database of airline companies.
PNR data are sent by the airline to the PIU of the EU country concerned.
When necessary and relevant, an EU country must supply PNR data on an identified person to the competent authorities of another EU country.
PNR data may be transferred to a non-EU country under certain specific conditions.
Storage
Data provided by airline carriers must be stored in a database by PIU for 5 years from the time of its transfer to the EU country in which the flight is landing or departing.
After 6 months the transferred data must be ‘depersonalised’ to mask out certain information including;
name;
address and contact information;
all payment information including billing address.
Disclosure of the full PNR information after this 6-month period has expired is only permitted if:
it is reasonably believed to be necessary in order to respond to requests for PNR data made by competent authorities or Europol — on a case-by-case basis and;
it has been approved by a judicial or other national authority competent under national law to verify whether the conditions for disclosure are met.
Application & Background
The directive has applied since 24 May 2016. EU countries have to incorporate it into national law by 25 May 2018.
For more information, see:
‘Passenger Name Record (PNR)’ on the European Commission’s website
MAIN DOCUMENT
Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, pp. 132-149)