The European Parliament adopted the Passenger Name Record Directive, with the purpose of prevention, detection, investigation and prosecution of terrorist offences and serious crime. The directive will apply to flights to and from the EU, but Member States may extend its application to intra-EU flights (from one EU Member State to another), provided they previously notify the European Commission. Member States may also decide to collect and process PNR data from travel agencies and tour operators who provide services, related to travel.
This information will be retained for a period of five years; six months after its collection, the data will be depersonalized. This means disguising – the data elements which can be used for immediate identification (such as name, address or contact person).
The Carriers are obliged to transmit – passenger data for flights from third countries to the EU to the national authorities and vice versa. Every Member Statewill be required to set up “Passenger Information Units” (PIU), which will be responsible for – retaining and processing of these data and – their transfer to the competent authorities, as well as for the exchange with the PIU of the other Member States and Europol. The directive states that such transfers can only be accomplished – after considering of each case and exclusively for the specific purposes of prevention, detection, investigation and prosecution of terrorism and serious crimes.
Along with the development of the discussions in the European Parliament, a number of Member States, including Bulgaria, began the development of the national systems for collecting PNR data with European funding. As a result of the accomplished project in Bulgaria, the National Assembly adopted amendments to the Law on State Agency "National Security", which introduced the legal framework for the functioning of such a system in Bulgaria, on 17 February 2016.
