The European Union directive on “passenger name records” will be finalised by the end of the year – along with new regulations governing data protection.
The proposed new EU laws were complicated last year when the European Court of Justice annulled the 2006 Data Retention Directive – upon which the UK’s own failed Communications Data Bills were based.
A passenger name record directive has been on the cards since 2011, when the EU decided to bring the 27-member organisation into line with the US, Canada and Australia. The following year, the EU finalised an agreement with the US for the exchange of airline passenger information with the US.
A sticking point had been how the data would be used. The agreement with the US restricts US use of EU citizens’ data to the “prevention, detection, investigation and prosecution” of terrorism and particular transnational crimes, as well as to prevent the spread of communicable diseases, according to legal website Outlaw.com, part of law firm Pinsent Masons.
The agreement with the US also contains rules governing how long the data can be retained “in an identifying format”. According to Pinsent Masons, it can be held in an “active database” for five years, but with information de-personalised after six months so that names and addresses cannot be found with a simple look-up by ordinary members of staff.
The new passenger name record directive will include personal information collated during the booking process for flights, such as home address, telephone numbers, email addresses and even credit card details.
However, MEPs have asked the European Commission to first “assess the consequences of the EU Court of Justice’s annulment of the Data Retention Directive and to seek the views of independent experts on the “necessity and proportionality” of the passenger name record proposal”.
The EU is also planning to enhance information-sharing between EU countries.