Secondary Access to European Passenger Name Records

This article intends to demonstrate that access to the EU PNR data for further use, as defined by Directive 2016/681, is not limited to Member States’ competent authorities for the prevention, detection, investigation or prosecution of terrorist offences and of serious crime, Europol and third countries competent authorities, as was probably the legislators’ intention. Through other legal instruments, based on a duty of information exchange and sincere collaboration, several Union bodies, agencies and even international organisations may have access to EU PNR data, although limited by their mandate and to the extent necessary for the accomplishment of their tasks. The paper further examines the safeguards and data protection guarantees established in the PNR Directive and, where relevant, compares them to the Law Enforcement Data Protection Directive (LE Directive), the General Data Protection Regulation (GDPR) and the Europol Regulation, focusing on the data subject rights. Depending on the entity that processes EU PNR data, the legal regime of data protection will change. In the area of law enforcement, striking the right balance between the right to privacy and protection of personal data vis-à-vis public security is the cornerstone. The increasing systematic mass collection and processing of personal data by public authorities is cause for concern and sufficient substantive and procedural structures need to be put in place to scrutinise those activities in detail.