The European Data Protection Board (EDPB) recently released a critical statement regarding the implementation of the Passenger Name Record (PNR) Directive, following the Court of Justice of the EU’s (CJEU) landmark judgment C-817/19. This judgment reiterates the need for stringent data protection measures and offers pivotal guidance for PIUs—entities responsible for the collection, storage, and processing of PNR data—on adapting their processes accordingly.
Key Recommendations for Data Protection:
– Retention Periods: The EDPB recommends that PNR data should be retained initially for no more than six months. Post this period, storage should align with the objectives of the PNR Directive and respect principles of necessity and proportionality. This nuance is crucial for compliance with GDPR principles.
– Flight Selection and Data Collection: European nations must refine their selection processes for flights from which PNR data is collected, ensuring harmonization with data protection regulations. This requires a detailed understanding of the criteria set out by the PNR Directive and its application solely to cases involving serious crime and terrorism.
– Implementation Challenges: The EDPB acknowledges partial progress among some Member States in implementing these adjustments but underscores the urgency for widespread adaptation. This is imperative to uphold the integrity of data protection mechanisms across Europe and fulfill the Directive’s security aims.
Anu Talus, EDPB Chair, emphasized the significance of the PNR Directive in bolstering passenger security while ensuring data protection laws are uniformly applied. This perspective is integral to striking a balance between public safety and privacy rights.
As data protection professionals, it is essential to comprehend these changes and their implications for cross-border data exchanges. The EDPB’s guidance offers a framework to assist privacy experts in advising PIUs and airline carriers on compliance matters, fostering a collective effort towards a secure yet privacy-compliant air travel ecosystem.
For further details and access to the full statement, please refer to the original source link below.
Original source link: [European Data Protection Board](https://www.edpb.europa.eu/news/news/2025/edpb-adopts-statement-implementation-pnr-directive_en).