This data must only be used to prevent, detect, investigate and prosecute terrorism and serious transnational crime, said MEPs, inserting safeguards to ensure "the lawfulness of any storage, analysis, transfer and use of PNR data," an announcement on the European Parliament's website reads.
Under the rules, PNR data could be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime". The list approved by MEPs includes human trafficking, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering, and cybercrime.
The PNR rules would apply to air carriers and non-carriers such as travel agencies and tour operators operating "international flights", i.e. those to or from the EU. They would not apply to "intra-EU" flights between EU member states.
"Without this EU system in place, a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called 'foreign fighters' has made this system even more essential," Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK) said.
"The PNR is not a 'silver bullet' but it can be an invaluable weapon in the armory. We will now open talks with national governments with a view to reaching a final agreement before the end of the year", he added.
The amended rules were approved by 32 votes to 27. The mandate to open negotiations with the EU Council of Ministers was approved by 36 votes to 14, with 8 abstentions.
PNR data transferred by air carriers and non-carriers would be retained in the national "Passenger Information Units" (PIUs) for an initial period of 30 days, after which all data elements which could serve to identify a passenger would have to be "masked out," and then for up to five years.
The "masked out" data would be accessible only to a limited number of PIU staff, with security training and clearance, for up to four years in serious transnational crime cases and five years for terrorism ones.
After the five years, PNR data would have to be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the member state concerned).
