Legislative Observatory
European Parliament
Please fill in this field to find a procedure

EU-Iceland agreement on transfer of passenger name record (PNR) data to prevent, detect, investigate and prosecute terrorist offences and serious crime

2025/0156(NLE)

PURPOSE: to conclude, on behalf of the European Union, the Agreement between the European Union and Iceland on the transfer of Passenger Name Record (PNR) data to prevent, detect, investigate and prosecute terrorist offences and serious crime.

PROPOSED ACT: Decision of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: Council may adopt the act only if Parliament has given its consent to the act.

BACKGROUND: Passenger name record (PNR) data is information provided by passengers and collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes.

Iceland and the Member States of the Union which are Contracting Parties to the Schengen Convention have a shared responsibility to ensure internal security within a common area without internal border controls, including by exchanging relevant information. PNR data processing has demonstrated the potential to enhance the security of the Schengen area, by improving the prevention and detection of serious crime and terrorism at the external borders.

Since November 2021, Iceland has implemented national legislation on Passenger Name Record (PNR) data. Although Iceland is not considered a third country under the European General Data Protection Regulation (GDPR), this regulation does not apply to the processing of PNR data for law enforcement purposes. Furthermore, Iceland is not participating in the PNR Directive, which does not constitute a development of the Schengen acquis. Without appropriate safeguards regarding the specific processing of PNR data, Iceland cannot lawfully receive and process PNR data relating to flights operated by air carriers between the EU and Iceland.

Consequently, on 6 September 2023, the Commission proposed that the Council authorise the opening of negotiations for an agreement between the European Union and Iceland on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Negotiations with Iceland (as well as Norway and Switzerland) opened on 21 March 2024. On 9 April 2025, the negotiators initialled the text of the agreement, thus formally concluding the negotiations.

CONTENT: this proposal concerns the conclusion between the European Union and Iceland of the Agreement on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The agreement aims to authorise EU air carriers to transfer Passenger Name Record (PNR) data to Iceland and to lay down the rules and conditions applicable to the processing of such data by Iceland. It also aims to intensify police and judicial cooperation between the EU and Iceland on PNR data.

In particular, the Agreement:

- regulates method and frequency of PNR data transfers by airlines to the Icelandic PIU with a view to ensuring that PNR data transfers are kept to the minimum necessary and are proportionate to the purpose specified in the Agreement;

- sets out the purpose limitation – i.e. prevention, detection, investigation and prosecution of terrorist offences and serious crime – in an exhaustive manner to all PNR processing covered by the Agreement;

- sets out the three specific modalities for the processing of PNR data received under the Agreement by the Icelandic PIU;

- provides additional safeguards for carrying out ‘real-time assessment’ and limits automated processing of PNR data;

- provides for a prohibition to process special categories of PNR data in line with how this concept has been defined in the EU data protection acquis;

- provides for a high level of security of PNR data received under the Agreement and ensures notifications of data security breaches to the designated Icelandic data protection supervisory authority;

- provides for the keeping of logs and documentation of all PNR processing;

- includes rules for restricted storage of PNR data with a view to ensuring that such data are not stored longer than what is necessary for and proportionate to the objective pursued by this Agreement;

- requires the Icelandic PIU to depersonalise PNR data at the latest after 6 months;

- includes rules and conditions for the disclosure of PNR data outside Iceland and the EU;

- fosters police and judicial cooperation through the exchange of PNR data or the results of processing of PNR data between the Icelandic PIU and the PIUs of Member States of the Union, as well as between the Icelandic PIU, on the one hand, and Europol or Eurojust within their respective competences, on the other hand;

- requires Iceland to apply the same rights and obligations as Directive (EU) 2016/680 to the processing of personal data under this Agreement and that such processing shall be overseen by an independent authority;

- includes transparency and information obligations, including a requirement to notify individuals of the disclosure of their PNR data.