European Commission wants personal data on air passengers

A new proposal could see huge amounts of private data collected by the EU

If the European Commission has its way, all air travelers regardless of nationality will have to give their personal details to national authorities when they fly in or out of the European Union.

The Commission presented its proposals on Wednesday for a European Union-wide Passenger Name Record (PNR) Directive to fight serious crime and terrorism. Under the proposal, passengers flying to and from destinations in the E.U. would have their data, including home address, mobile phone number, credit card information and e-mail address, checked and stored by national police.

This PNR data is already collected by airlines as a by-product of their business and there are currently agreements to share this data between the E.U. and the U.S., Canada and Australia. However, the Commission’s proposal will greatly widen the scope and increase the amount of data collected.

The Commission said that such a measure was needed in order to crack down on terrorism, in particular. “While terrorism decreased in the EU during 2009, according to Europol’s E.U. Terrorism Situation and Trend Report 2010, the threat of terrorism remains real and serious. Most terrorist activities are transnational in character and involve international travel,” according to a Commission statement. However, concerns have already been raised about a possible expansion of the stated goals of the initiative, since the new directive would include ‘serious crimes’ as justification for accessing stored data.

This is just the first step in what will be a long battle for such a directive. The proposal must be approved by member states and the broadly pro-civil liberties European Parliament. Already some parliamentarians have questioned the need for a new system.

"We are skeptical about the absolute necessity of a European system of flight data storage," said German member of the European Parliament, Manfred Weber. "So far, the U.S. and other countries using the PNR system have failed to convince us about its necessity."

The Commission promises strong protection of privacy, with personal information stored nationally for only 30 days after passengers' flights. However, given recent breaches of other E.U. data systems such as E.U. emission trading records, concerns have been raised regarding security. National police will not have direct access to the airlines’ databases, but the air carriers concerned are obliged to send the data to them.

After 30 days, law enforcement authorities must make the data anonymous and can then retain it for no more than five years. The information, however, could be "re-personalized" on a case-by-case basis if there are suspicions of a serious crime or terrorist offense.

According to Wednesday’s proposal, passengers will have the right to “effective administrative and judicial redress where data protection rules have been violated, as well as the right to compensation.” But it is unclear how private individuals would find out if there have been violations.

Another matter that concerns some civil liberties groups is that the Commission would ideally like to see its directive extended to cover all E.U. internal flights. “Given that the objectives pursued by the collection of PNR data are the same inside and outside of the E.U., there would be an added value in including internal flights,” said the Commission, adding that the cost is currently prohibitive.

It is likely to take at least two years to negotiate the proposal in the Council of Ministers and the European Parliament – longer, if, as expected, the parliament refuses to play ball.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to
