Topics Events Updates Resources Actors

The EDPB’s new statement on the PNR directive

The EDPB’s latest statement, adopted in March 2025, provides detailed guidance to align member states’ practices with these legal requirements.
The EDPB’s new statement on the PNR directive

The European Data Protection Board (EDPB) ts March 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on the implementation of the Passenger Name Record Directive (PNR) in light of the Court of Justice of the EU (CJEU) judgment C-817/19. This ruling, delivered in June 2022, upheld the validity of the PNR Directive but introduced significant limitations to ensure compliance with the EU Charter of Fundamental Rights.

Key changes introduced by the EDPB

The EDPB’s recommendations focus on six critical areas:

  1. Retention periods: The general retention period for PNR data has been reduced from five years to six months. Beyond this, data can only be retained if it serves specific and proportionate objectives under the PNR Directive.
  2. Flight selection: member states must justify the collection of PNR data based on detailed threat assessments, avoiding indiscriminate data collection across all flights.
  3. Independent oversight: Access to PNR data by law enforcement must be authorised by an independent body, such as a court or administrative authority, to ensure impartiality and compliance with privacy rights.
  4. Intra-EU flights: The guidelines clarify that intra-EU flights should not be subject to blanket data collection unless justified by specific threats.
  5. Data subject rights: Passengers must be informed of their rights, including access to their data and the ability to contest its use. Automated processing must always involve human oversight.
  6. Objective link: The use of PNR data is restricted to cases with a clear and objective link to terrorist offences or serious crimes.

Why does It matter?

The EDPB’s statement is a pivotal development for both privacy advocates and security policymakers. Here’s why:

  1. Balancing orivacy and security: The new guidelines aim to strike a balance between combating terrorism and serious crime while safeguarding fundamental rights like privacy and data protection. This is particularly important as mass surveillance concerns grow across Europe.
  2. Legal harmonisation: By providing uniform guidelines, the EDPB ensures that Member States implement the PNR Directive consistently, reducing disparities in how privacy rights are protected across the EU.
  3. Strengthening oversight: Independent review mechanisms enhance accountability and reduce potential misuse of sensitive passenger data by law enforcement agencies.
  4. Protecting fundamental rights: The reduced retention periods and stricter criteria for data processing directly address concerns about disproportionate interference with individuals’ rights under Articles 7 (privacy) and 8 (data protection) of the EU Charter.

By implementing these changes, member states can ensure that their use of PNR data remains both effective in addressing security threats and respectful of citizens’ privacy rights – a balance that is essential for maintaining public trust in democratic institutions.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top