Legislative Observatory
European Parliament
Please fill in this field to find a procedure

EU–Norway Agreement on transfer of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

2025/0145(NLE)

PURPOSE: to conclude, on behalf of the European Union, the Agreement between the European Union and the Kingdom of Norway on the transfer of Passenger Name Record (PNR) data to prevent, detect, investigate and prosecute terrorist offences and serious crime.

PROPOSED ACT: Decision of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: Council may adopt the act only if Parliament has given its consent to the act.

BACKGROUND: Passenger name record (PNR) data is information provided by passengers and collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes.

Norway and the Member States of the Union which are Contracting Parties to the Schengen Convention have a shared responsibility to ensure internal security within a common area without internal border controls, including by exchanging relevant information. PNR data processing has demonstrated the potential to enhance the security of the Schengen area, by improving the prevention and detection of serious crime and terrorism at the external borders.

Since September 2022, Norway has implemented national legislation on Passenger Name Record (PNR) data. Although Norway is not considered a third country under the European General Data Protection Regulation (GDPR), this regulation does not apply to the processing of PNR data for law enforcement purposes. Furthermore, Norway is not participating in the PNR Directive, which does not constitute a development of the Schengen acquis. Without appropriate safeguards regarding the specific processing of PNR data, Norway cannot lawfully receive and process PNR data relating to flights operated by air carriers between the EU and Norway.

Consequently, on 6 September 2023, the Commission proposed that the Council authorise the opening of negotiations for an agreement between the European Union and Norway on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Negotiations with Norway (as well as Iceland and Switzerland) opened on 21 March 2024. On 9 April 2025, the negotiators initialled the text of the agreement, thus formally concluding the negotiations.

CONTENT: this proposal concerns the conclusion between the European Union and Norway of the Agreement on the transfer of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The agreement aims to authorise EU air carriers to transfer Passenger Name Record (PNR) data to Norway and to lay down the rules and conditions applicable to the processing of such data by Norway. It also aims to intensify police and judicial cooperation between the EU and Norway on PNR data.

In particular, the Agreement:

- regulates method and frequency of PNR data transfers by airlines to the Norwegian PIU with a view to ensuring that PNR data transfers are kept to the minimum necessary and are proportionate to the purpose specified in the Agreement;

- sets out the purpose limitation – i.e. prevention, detection, investigation and prosecution of terrorist offences and serious crime – in an exhaustive manner to all PNR processing covered by the Agreement;

- sets out the three specific modalities for the processing of PNR data received under the Agreement by the Norwegian PIU;

- provides additional safeguards for carrying out ‘real-time assessment’ and limits automated processing of PNR data;

- provides for a prohibition to process special categories of PNR data in line with how this concept has been defined in the EU data protection acquis;

- provides for a high level of security of PNR data received under the Agreement and ensures notifications of data security breaches to the designated Norwegian data protection supervisory authority;

- provides for the keeping of logs and documentation of all PNR processing;

- includes rules for restricted storage of PNR data with a view to ensuring that such data are not stored longer than what is necessary for and proportionate to the objective pursued by this Agreement;

- requires the Norwegian PIU to depersonalise PNR data at the latest after 6 months;

- includes rules and conditions for the disclosure of PNR data outside Norway and the EU;

- fosters police and judicial cooperation through the exchange of PNR data or the results of processing of PNR data between the Norwegian PIU and the PIUs of Member States of the Union, as well as between the Norwegian PIU, on the one hand, and Europol or Eurojust within their respective competences, on the other hand;

- requires Norway to apply the same rights and obligations as Directive (EU) 2016/680 to the processing of personal data under this Agreement and that such processing shall be overseen by an independent authority;

- includes transparency and information obligations, including a requirement to notify individuals of the disclosure of their PNR data.