EU and Iceland Conclude Passenger Name Record Agreement to Counter Cross-Border Crime
The Council of the European Union has adopted a decision concluding an agreement with Iceland on the transfer of Passenger Name Record data, marking a further step in the bloc’s efforts to extend co-operation on serious cross-border crime and terrorism prevention beyond its borders.
The agreement, formally adopted in early May, establishes the legal basis for systematic transfer of Passenger Name Record data, commonly referred to as PNR, between European Union member states and Icelandic authorities. PNR data, which airlines collect from passengers during ticket bookings, includes information such as travel itineraries, contact details and payment methods, and has been utilised by law enforcement agencies for nearly two decades to identify suspicious travel patterns.
Negotiations with Iceland have been under way since September 2023, when the Commission first submitted its recommendation to the Council for the opening of talks. The resulting framework aligns closely with the bloc’s existing PNR directive, applied internally since 2016 and which has survived multiple legal challenges before the Court of Justice of the European Union concerning fundamental rights safeguards.
Under the agreement, data sharing is intended to support the prevention, detection, investigation and prosecution of terrorist offences and other forms of serious transnational crime. Strict purpose limitation, retention period rules and proportionality safeguards are embedded within the agreement, reflecting jurisprudence requiring that data collection programmes be confined to what is strictly necessary to achieve their objectives.
Iceland is not a member of the European Union but participates in the Schengen Area and co-operates closely with EU agencies in justice and home affairs matters. The PNR agreement complements an existing dense network of arrangements covering police co-operation, judicial assistance and information exchange, whilst reinforcing the principle of shared responsibility for the security of the wider European space.
Civil liberties organisations have historically expressed concern over the proliferation of bulk data collection programmes. They argue that even with safeguards in place, the routine retention of travel data on entire populations risks normalising mass surveillance. Defenders of the system counter that the alternative is intelligence-driven gaps that have repeatedly been exposed in the aftermath of terrorist incidents.
Looking forward, the EU is reportedly examining the scope for similar agreements with additional third countries. A separate proposal on the criteria and procedure for establishing the bloc’s position within the Council of Europe on accessions to the Budapest Convention on Cybercrime points to a parallel effort to strengthen the international legal architecture for co-operation on cybercrime, digital evidence and cross-border investigations.
