EDPB Issues New Guidelines on PNR Data Processing Following Court Ruling

The European Data Protection Board (EDPB) has adopted a comprehensive statement providing new guidelines on the implementation of the Passenger Name Record (PNR) Directive, introducing significant restrictions on how air passenger data can be processed and stored across the European Union. The statement, published on March 13, 2025, comes just over two weeks ago as a direct response to a Court of Justice of the European Union (CJEU) judgment that found parts of current PNR data processing practices incompatible with fundamental privacy rights.

The EDPB statement represents the second set of guidelines issued on this matter following the landmark CJEU ruling in case C-817/19 delivered on June 21, 2022. While the court upheld the validity of the PNR Directive itself, it mandated substantial limitations on how personal data can be processed, particularly concerning retention periods, flight selection, and oversight mechanisms.

According to the newly published guidelines, EU Member States must now limit general PNR data retention to a maximum of six months, a significant reduction from the previously accepted five-year period. After this initial six-month window, data may only be retained in specific cases where there is "objective material capable of establishing a connection with the objectives pursued by processing under the PNR Directive."

The EDPB clarification comes amid growing concerns about mass surveillance and data protection across Europe, as Member States struggle to balance security needs with privacy rights. The new guidelines aim to establish a more harmonized implementation approach across the EU, focusing on several critical areas of interpretation.

Key Changes to PNR Data Processing

The EDPB statement addresses six primary areas where the CJEU judgment requires significant adjustments to current practices.

Among the most impactful changes is the requirement that PNR data collected from all air passengers cannot be retained beyond six months unless specific justification exists for individual data records. This represents a fundamental shift from the current practice where many Member States have been applying a general five-year retention period for all passenger data.

"According to the EDPB, the retention period for all PNR data may not be longer than 6 months. After this period, European countries may only store PNR data for as long as it is necessary and in proportion to the objectives of the PNR Directive," notes the announcement published on the Dutch Data Protection Authority website on March 26, 2025.

The statement also provides detailed guidance on which intra-EU flights can be subject to PNR data collection. Member States must conduct specific threat assessments to justify monitoring particular routes rather than indiscriminately collecting data on all flights within the EU. This assessment must be regularly reviewed, with the EDPB recommending reassessments at least every six months.

Independent Oversight Requirements

Another critical aspect of the new guidelines concerns who can authorize access to PNR data. The EDPB now mandates that access requests from law enforcement must undergo prior review by an independent court or administrative authority.

"The EDPB also recommends having a judge check in advance whether the competent authorities (for example, the police) are allowed to inspect certain data or not," the Dutch authority explains in its announcement.

The guidelines specifically state that this independent review cannot be conducted by the same authority involved in the criminal investigation, nor can it be performed by designated officers within law enforcement agencies. This represents a significant strengthening of oversight compared to current practices in many Member States.

Objective Link Requirement for Processing

The EDPB has also clarified that PNR data may only be processed for serious crimes that have an "objective link, even if only an indirect one, with the carriage of passengers by air." This means authorities must demonstrate a connection between air travel and the suspected crime to justify accessing the data.

The statement provides examples of what may constitute a direct link, such as "offences targeting the carriage of passengers by air as well as offences committed during or through travel by air," and what might represent an indirect link, including situations where "air transport is used as a means of preparing such offences or evading criminal prosecution."

This requirement aims to prevent the use of PNR data for investigating minor offenses or crimes unrelated to air travel, a practice that the CJEU found disproportionate.

Implications for Marketing and Travel Industries

The new PNR processing limitations will have significant implications for airlines, travel agencies, and marketing organizations that deal with traveler data. The stricter retention periods mean companies involved in the travel ecosystem must reassess their data handling practices, particularly regarding how they share information with authorities and how long they maintain customer records that might fall under PNR regulations.

For marketing professionals, the guidelines highlight the increasing importance of data minimization and purpose limitation principles. As European data protection authorities continue to tighten restrictions on surveillance and mass data collection, the broader trend suggests that marketing practices involving large-scale data retention will face growing scrutiny.

The guidelines also illustrate how court decisions are increasingly shaping data protection practices across Europe, creating a more complex compliance landscape for international organizations.

Implementation Timeline and Member State Responses

While some Member States have begun adapting their systems to comply with the CJEU judgment, the EDPB notes "a substantial lack of implementation efforts throughout the Member States." The board emphasizes the urgency of bringing national practices and legislation in line with the court's interpretation.

The European Commission is responsible for monitoring implementation of the PNR Directive in accordance with the CJEU judgment. However, the EDPB warns that "in case of incompatibility, national supervisory authorities reserve the right to take appropriate actions," suggesting potential enforcement actions against non-compliant Member States.

Member States must now review and potentially amend their national legislation implementing the PNR Directive, a process that could take months or even years to complete. This creates a complex interim period where airlines and authorities must navigate potentially conflicting legal frameworks.

Context and Background

The PNR Directive (Directive 2016/681), adopted on April 27, 2016, established a framework for the collection and processing of passenger data by airlines and its transfer to law enforcement authorities. The directive was implemented as part of counter-terrorism efforts following several attacks in Europe.

However, the directive has faced criticism from privacy advocates since its inception, culminating in the 2022 CJEU judgment that found aspects of its implementation incompatible with the EU Charter of Fundamental Rights.

The court's ruling did not invalidate the directive itself but required a more restrictive interpretation to ensure proportionality between security objectives and privacy rights. The EDPB's new statement provides the first comprehensive guidance on this interpretation, setting clear parameters for Member States to follow.

Timeline

• April 27, 2016: European Parliament and Council adopt the PNR Directive
• June 21, 2022: CJEU delivers judgment in case C-817/19, finding aspects of PNR implementation incompatible with fundamental rights
• December 13, 2022: EDPB adopts first statement on implications of the PNR Judgment
• March 13, 2025: EDPB adopts detailed statement on implementation of the PNR Directive
• March 26, 2025: Dutch Data Protection Authority announces the EDPB statement

As Member States work to implement these new guidelines, both travelers and the organizations that serve them will need to adapt to a new, more privacy-protective approach to passenger data processing across Europe.