Page contentsPage contents Passenger name record (PNR) PNR data consists of information provided by passengers, which are collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes.The content of PNR data varies, depending on the information given during the booking and check-in process. It may include dates of travel and the complete travel itinerary of the passenger or group of passengers travelling together, contact details like address and phone number, payment information, seat number and baggage information.The collection and analysis of PNR data allow the authorities to detect suspicious travel patterns and identify criminals and terrorists, in particular those previously unknown to law enforcement authorities.The processing of PNR data has become a widely used law enforcement tool, in the EU and beyond. It enables to detect and prevent terrorism and other forms of serious crime, such as drug-related offences, trafficking in human beings and child sexual exploitation.The EU PNR DirectiveIn 2016, the European Parliament and Council adopted Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crimes.It defines the responsibilities of EU countries for the processing and protection of PNR data, requiring them to:Establish specific entities responsible for the receipt, storage, and processing of PNR data, so-called Passenger Information Units (PIUs);Adopt a list of competent authorities entitled to request or receive PNR data on a case-by-case basis;Respect clear and defined rules and conditions for the storage and protection of PNR data by the Passenger Information Units, as well as for their sharing, on a case-by-case basis, with other Passenger Information Units or third countries’ authorities competent to fight terrorism and serious crime.These rules apply to flights between third countries and the EU countries. However, EU countries can decide to apply them to flights departing from or arriving in another EU country (intra-EU flights) under certain conditions.The Commission also put in place the appropriate framework for connectivity between air carriers and EU Member States in an implementing decision on the data formats and common protocol, which was reviewed in 2021.Role of the Passenger Information Units include:Receiving PNR data from air carriers,Comparing PNR data against relevant law enforcement databases and processing them against pre-determined criteria, to identify persons potentially involved in a terrorist offence or serious crime,Disseminating PNR data to national competent authorities, Europol, and Passenger Information Units of other EU countries, either spontaneously or in response to duly reasoned requests.Data protection safeguardsThe PNR Directive provides data protection safeguards, such as:Sensitive data must not be processed,Data must be depersonalised (temporarily anonymised) after 6 months, and may only be re-personalised under strict conditions,Data must be deleted after 5 years,A data protection officer is appointed in each Passenger Information Unit,Independent national supervisory authorities must oversee the processing activities.In July 2020, the Commission adopted the PNR Directive Review Report, which reviewed its first two years of application. The review shows tangible results in the fight against terrorism and serious crime.Relevant case law of the EU Court of JusticeOn 26 July 2017, the Court of Justice issued its Opinion 1/15, addressing the compatibility of the – at the time – envisaged EU-Canada PNR agreement with EU law, in particular regarding the protection of personal data.On 21 June 2022, the Court of Justice delivered its Judgement on a series of preliminary reference questions from the Belgian Constitutional Court (Case C-817/19, Ligue des droits humaines) relating to the PNR Directive. In this Judgment, the Court has confirmed the validity of the PNR Directive, provided that some of its provisions are strictly interpreted in line with the EU’s fundamental rights.Transfer of PNR data to third countriesWhile crucial for combating terrorism and serious crime, the transfer of PNR data to third countries as well as the processing by their authorities constitutes an interference with the protection of individuals’ rights with regard to their personal data. For this reason, it requires a legal basis under EU law and must be necessary, proportionate, and subject to strict limitations and effective safeguards, as guaranteed by the Charter of Fundamental Rights of the EU. It also requires fair balance between the public security and the right of everyone to enjoy the protection of their personal data and private life.It is in this context that the Commission first set out the broad lines of the EU's external PNR policy in a 2003 Communication on the EU approach towards transfers of PNR data from the EU to third countries, which were reviewed in a Communication adopted in 2010.Currently, three international agreements are in force between the EU and third countries, namely with Australia (2012), the United States (2012), and the United Kingdom (2021), which cover the transfer and processing of PNR data from the EU. New PNR negotiations have resulted in the signing of an EU-Canada PNR Agreement in October 2024, the conclusion of which will require consent from the European Parliament. PNR agreements in force AustraliaAgreement signed in September 2011, entered into force in June 20122013: Joint review of the EU-Australia PNR Agreement2019: Joint review and joint evaluation of the EU-Australia PNR AgreementUnited States of AmericaAgreement signed in December 2011, entered into force in July 20122015: Joint review of the U.S - EU PNR Agreement2019: Joint evaluation U.S - EU PNR AgreementUnited KingdomThe transfer, processing, and use of PNR data by the United Kingdom’s competent authorities for flights between the EU and the United Kingdom are regulated by EU-UK Trade and Cooperation Agreement .EU-UK Trade and Cooperation Agreement was signed in December 2020, and entered into force in May 2021. PNR agreements under ratification CanadaNegotiations concluded on 27 November 2023.Council Decision to sign adopted on 13 June 2024.Agreement signed on 4 October 2024.The negotiated agreement sets a high standard for data protection and addresses all the requirements established by the Court of Justice in its Opinion 1/15 of 26 July 2017. Ongoing negotiations for PNR agreements Schengen Associated CountriesUpon Recommendation of the Commission, on 4 March 2023, the Council adopted three decisions authorising the opening of negotiations between the EU and Iceland, Norway, and Switzerland for agreements on the transfer and use of PNR data by these Schengen Associated Countries. The negotiations are currently ongoing.JapanIn February 2020, the Council adopted a decision authorising the opening of negotiations between the EU and Japan for an agreement on the transfer and use of PNR data.MexicoIn June 2015, the Council adopted a decision authorising the opening of negotiations between the EU and Mexico for an agreement on the transfer and use of PNR data. Advance Passenger Information (API) API data is information on air passengers (number and type of travel document, nationality, full name, date of birth, border crossing point of entry into a Member State, code of transport, departure and arrival time, total number of passengers carried, initial point of embarkation) collected by air carriers during check-in and transmitted by these carriers after check-in closure to the border control authorities of the country of destination.The use of API enables a risk-based data-driven approach to border security, thus allowing the identification of travellers who may need further investigation and speeding up border checks for the majority of travellers.In the EU, the transmission of API data is regulated by Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data. The main objectives of the Directive are to combat irregular immigration and to improve border control.In December 2022, the Commission presented proposals for two Regulations to revise the rules on the collection and transfer of API data for border management and law enforcement purposes. On 1 March 2024, a political agreement was reached between the European Parliament and the Council on the two legislative proposals. Formally adopted in December 2024, the new rules will be implemented by the Commission, eu-LISA and Member States, in close coordination with the air transport industry, over the next years.The new API Regulations strengthen and step up the collection and transfer of API data and the transfer of PNR data by:Improving data availability for border and law enforcement authorities, in full respect of EU data protection standards;Providing an exhaustive list of what constitutes API data (data on the passenger and/or crew member - full name; date of birth, sex and nationality; type and number of the travel document; date of expiry of the travel document; PNR record locator; seating information; baggage information. Flight information of the passenger and/or crew member - flight identification number; border crossing point of entry; code of airports of arrival and departure; local date and time of departure and arrival; contact information of the air carrier);Providing uniform requirements for the collection of API data by air carriers;Setting up a central router at Union level for the seamless and secure transfer of API data and PNR data from air carriers to the competent authorities.For border management purposes, air carriers will have to transfer the API data of all passengers on flights into the Union (inbound traffic) to the competent border authorities via the EU-level router.For law enforcement purposes, air carriers will have to transfer the API data of all passengers and crew members on extra-EU flights and selected intra-EU flights on which PNR data is collected to the Passenger Information Units (PIUs) via the EU-level router.The API Regulation for law enforcement also introduces the obligation for air carriers to transfer PNR data via the EU-level router with a phased approach.Other modes of transportIn line with the 2019 Council Conclusions on Passenger Name Record (PNR) data, the European Commission is exploring the use of travel information across other modes of transport beyond air travel. Building on these conclusions, feasibility studies conducted in 2024 have examined the potential application of API and PNR-like systems in the maritime and land transport sectors. These efforts align with the findings of the joint Europol-Frontex report on the travel continuum, which underscores the importance of comprehensive travel data across all transport modes to enhance border management and internal security.The Commission is committed to assessing these possibilities in close collaboration with Member States and relevant stakeholders, with a view to ensuring proportionality, data protection, and operational effectiveness. Related documents Study on harmonising reporting obligations of travel data on maritime transport, with a view to use such data for law enforcement purposesStudy on harmonising access to information related to cross-border travel taking place via road or rail, including obligations on transport operators and the use of such information for law enforcement purposesCouncil conclusions on widening the scope of the use of passenger name record (PNR) data to forms of transport other than air trafficAPICouncil Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (API Directive)Regulation (EU) 2025/12 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for enhancing and facilitating external border checks, amending Regulations (EU) 2018/1726 and (EU) 2019/817, and repealing Council Directive 2004/82/ECRegulation (EU) 2025/13 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818Study on Advance Passenger Information (API)Proposals for Regulations on collection and transfer of advance passenger informationCommission welcomes political agreement on Advance Passenger InformationEU PNRDirective (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (PNR Directive)National Transposition measures of the PNR DirectivePNR implementation plan (2016)Commission implementing decision on data formats and common protocols to be used by air carriers for the transfer of PNR data to PIUs (2017)Commission Staff Working Document on the review of the Commission Implementing Decision (EU) 2017/759 on the common protocols and data formats to be used by air carriers when transferring PNR data to Passenger Information UnitsReport on the review of the PNR Directive and its accompanying Staff Working Document (July 2020)Updated list of Member States who decided to apply the PNR Directive to intra-EU flights (26 October 2020)Corrigendum to the list of Member States who decided to apply the PNR Directive to intra-EU flights (08 September 2021)List of Passenger Information Units (PIUs)Corrigendum to the list of PIUs (19 September 2018)Corrigendum to the list of PIUs (08 September 2021)List of competent authorities entitled to request and/or receive PNR data or the result of processing those data from their national PIUCorrigendum to the list of competent authorities (25 June 2018)Corrigendum to the list of competent authorities (22 February 2019)Corrigendum to the list of competent authorities (30 October 2020)
