Air passengers entering or leaving the European Union could soon have their personal details stored and shared among EU countries, after lawmakers voted Wednesday to move forward with the proposal.
The creation of the passenger name record (PNR) system, recording such details as who flew where, when, and how they booked, is intended to help law enforcers fight terrorism and serious crime, but civil rights groups say it is disproportionate and undermines fundamental privacy rights.
The European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) quickly dealt with almost 900 amendments filed on the proposal, including two calling for its outright rejection, before agreeing to enter negotiations on a final text with the European Commission and the Council of the EU, composed of representatives of national governments.
Under the committee's proposal, PNR data would be retained in national databases for an initial period of 30 days, after which all data used to identify a passenger would be "masked out" and then stored for up to four years in serious transnational crime cases and five years for terrorism ones. After that period, the data should be deleted unless authorities need it for specific criminal investigations or prosecutions.
The proposed rules would apply to air carriers and companies like travel agencies and tour operators that handle international flights to and from the EU. The rules would not apply to flights between EU member states.
The data could be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime," Parliament representatives said in a news release. The offenses covered by the proposal include drug trafficking, sexual exploitation of children, money laundering and cybercrime.
EU countries would also be required to share data with each other and with Europol under conditions that still need to be determined. They would use Europol's Secure Information Exchange Network Application system to do so.
The committee proposed to let the data be handled by national "passenger information units" (PIUs). They would have to appoint a data protection officer to monitor data processing. Passengers would also have to be clearly and precisely informed about their rights. The committee also backed provisions that prohibit the use of sensitive data and the transfer of data to private parties.
The Commission first proposed a PNR system in 2007, mirroring an agreement already in place to send U.S. authorities details of passengers flying there from the EU. The Commission reiterated its proposal in 2011, and EU member states approved a version of the text in 2012. The following year, however, Parliament's LIBE committee rejected the proposal out of concern that it would violate fundamental privacy rights.
Sign up for CIO Asia eNewsletters.