According to the EU Parliament:
Member states will have to set up “Passenger Information Units” (PIUs) to manage the PNR data collected by air carriers. This information will have to be retained for a period of five years, but after six months, the data will be “masked out”, i.e., stripped of the elements, such as name, address and contact details, that may lead to the identification of individuals. PIUs will be responsible for collecting, storing and processing PNR data, for transferring them to the competent authorities and for exchanging them with the PIUs of other member states and with Europol. The directive states that such transfers shall only be made “on a case-by-case basis” and exclusively for the specific purposes of “preventing, detecting, investigating or prosecuting terrorist offences or serious crime”.
The directive is to apply to “extra-EU flights”, but member states could also extend it to “intra-EU” ones (i.e. from an EU country to one or more other EU countries), provided that they notify the EU Commission. EU countries may also choose to collect and process PNR data from travel agencies and tour operators (non-carrier economic operators), since they also manage flight bookings.
- Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime