The Cyprus Parliament has, on November 30th, 2018, approved the law which transposes the provisions of the Passenger Name Record (PNR) Directive of the EU (2016/681) into the national legislation.
In short, the provisions of the PRN Directive require air carriers to transfer to Member States the passenger name record they have collected in the normal course of their business. PRN also includes all data which is information provided by passengers and collected by air carriers for enabling reservations and carrying out the check-in process. More specifically, it is a record of each passenger's travel requirements held in carriers' reservation and departure control systems. It may contain a wide range of information, such as dates of travel, travel itinerary, ticket information, contact details, travel agent, means of payment, seat number and baggage information.
It should also be noted that the Cyprus Parliament also passed an amendment increasing the penalties for violations relating to the mismanagement of the data. The prison sentence was raised from three to five years and the fine from €17,000 to €30,000.
Main provisions of the PNR Directive:
- Air carriers must transfer PNR data to the Member States, provided that such data are collected by air carriers in the normal course of their business;
- Member States must establish or designate special entities (Passenger Information Unit) responsible to collect, store and process the PNR data received from air carriers. Member States must also adopt a list of authorities entitled to request or receive PNR data ("competent authorities").
- The Passenger Information Units must compare PNR data against relevant law enforcement databases and process them against pre-determined criteria, in order to identify persons that may be involved in a terrorist offence or serious crime. The Passenger Information Units must also reply, on a case-by-case basis, to duly reasoned requests for PNR data originating from the above-mentioned competent authorities, Europol, other Member States or third countries.
- The PNR data or the result of processing PNR data can be exchanged between Member States and with Europol, on a case-by-case basis, to enhance the effectiveness of PNR processing at the level of the European Union.
- The Directive applies primarily to extra-EU flights. Member States can however decide to apply it also to intra-EU flights, or to selected intra-EU flights, subject to a notification in this respect to the Commission.
- The Directive provides for a number of data protection safeguards, such as:
- PNR data can be processed only for the fight against terrorism and the offences exhaustively listed in annex II
- the PNR data must be deleted after 5 years and must be depersonalised through masking out after 6 months
- prohibition of the processing of data that could reveal a person's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life or sexual orientation
- oversight of the processing of PNR data an independent national supervisory authority
- recognition of the data subjects' rights of access, rectification, erasure and restriction, as well as the rights to compensation and judicial redress
Third country agreements
An increasing number of third countries are requesting PNR data from air carriers operating flights from the territory of the European Union. The EU has so far concluded international PNR agreements with the United States, Canada and Australia, allowing air carriers to transfer PNR data to these third countries.
In 2010 the Commission issued a Communication "On the global approach to transfers of Passenger Name Record data to third countries" to set out the elements of the EU's external PNR policy. This Communication established a set of general criteria that must be fulfilled by future bilateral PNR agreements, including, in particular, a number of data protection principles and safeguards. These general criteria formed the basis of the renegotiations of the PNR Agreements with the US, Australia and Canada, leading to the conclusion of new PNR Agreements with the two first mentioned countries, which are subject to regular reviews and evaluation. The envisaged new EU-Canada Agreement has, however, not entered into force because in November 2014 the Parliament voted to seek the opinion of Court of Justice as to whether the draft Agreement is compatible with the Treaties and the Charter of Fundamental Rights.
Once the European Court of Justice has issued its opinion on the envisaged PNR Agreement with Canada, the Commission intends to review the current approach towards transfers of PNR data to third countries, to address the increasing third country requests in a clear and coherent way, including by considering a model agreement setting out the requirements third countries have to meet to be able to receive PNR data from the EU.
Our Office remains at your disposal to assist with any enquiries you might have in connection to your Personal Data Protection Rights or otherwise.