EDPB adopts statement on CJEU PNR judgment

Dec 15, 2022

Source: European Data Protection Board

EDPB adopts Statement on CJEU PNR Judgment

During its latest plenary, the EDPB adopted a statement on the recent judgment C-817/19 of the Court of Justice of the European Union (CJEU) on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681.

On 21 June 2022, on a referral from the Belgian Constitutional Court, the CJEU rendered its judgment on the PNR Directive. While the Court found that the validity of the PNR Directive was not affected, it ruled that, in order to ensure compliance with the EU Charter of Fundamental Rights (the Charter), the PNR Directive needs to be interpreted as including important limitations to the processing of personal data. Some of these limitations are the application of the PNR system only to terrorist offences and serious crime, having an objective link with the carriage of passengers by air, and the non-indiscriminate application of the general retention period of five years to all passengers’ personal data.

The interpretation the CJEU puts forward significantly narrows the ways in which EU Member States may process PNR data. The EDPB considers it likely that the current processing of PNR data in many, if not most Member States, does not fully comply with the PNR Directive as interpreted by the CJEU. PNR systems across the EU may thus continue to interfere disproportionately with the fundamental rights of data subjects every day.

In its statement, the EDPB calls on EU Member States to  take all necessary steps at legislative and/or administrative level to ensure that their respective national transposition and implementation of the PNR Directive are in line with the Charter as interpreted by the CJEU. In this regard, the EDPB notes that Data Protection Authorities are fully competent to investigate compliance with EU data protection requirements at national level.

Recent news

Position paper on GDPR Evaluation 2024

Position paper on GDPR Evaluation 2024

This paper highlights how, from the perspective of data protection practitioners, the business sector –
particularly small and medium-sized enterprises (SMEs) – can be better supported in meeting data
protection requirements within the context of increasing digitization.

read more