EDPB Adopts Statement on PNR Directive Implementation
On March 14, 2025, the European Data Protection Board (EDPB) held a plenary meeting where it adopted a statement regarding the implementation of the Passenger Name Record (PNR) Directive. This statement comes in light of the Court of Justice of the EU (CJEU) judgment C-817/19, which provides important guidance to Passenger Information Units (PIUs) on how to adapt their processing of PNR data. PNR data encompasses personal information collected by air carriers, including passenger names, travel dates, itineraries, and contact details.
The EDPB’s statement includes practical recommendations for national laws that transpose the PNR Directive, ensuring compliance with the CJEU’s findings. Key aspects of the PNR judgment are addressed, such as the selection of flights for PNR data collection and the retention period for such data. The EDPB advises that the retention period for all PNR data should not exceed an initial six months, after which data may only be stored as necessary and proportionate to the objectives of the Directive.
EDPB Chair Anu Talus emphasized the significance of the PNR Directive in enhancing passenger security across Europe and aiding in the prevention and prosecution of serious crimes. The EDPB stresses the need for a harmonized approach to the transfer of PNR data while adhering to data protection principles.
While some European countries have begun adapting their laws in response to the PNR judgment, the EDPB has noted a substantial lack of implementation efforts among Member States. The Board urges the prompt enactment of necessary changes to national laws to align with the PNR Directive and the CJEU’s ruling.
