EU and Iceland Conclude Passenger Name Record Agreement to Counter Cross-Border Crime

The Council of the European Union has adopted a decision concluding an agreement with Iceland on the transfer of Passenger Name Record data, marking a step in the bloc’s efforts to extend cooperation on serious cross-border crime and terrorism prevention beyond its borders.

The agreement, formally adopted in early May, establishes the legal basis for the systematic transfer of Passenger Name Record data, commonly referred to as PNR, between European Union member states and Icelandic authorities. PNR data, collected by airlines from passengers during ticket bookings, includes information such as travel itineraries, contact details and payment methods, and has been used by law enforcement agencies for nearly two decades to identify suspicious travel patterns.

The negotiations with Iceland have been underway since September 2023, when the Commission first submitted its recommendation to the Council for the opening of talks. The resulting framework aligns closely with the bloc’s existing PNR directive, which has been applied internally since 2016 and which has survived multiple legal challenges before the Court of Justice of the European Union concerning fundamental rights safeguards.

Under the agreement, data sharing is intended to support the prevention, detection, investigation and prosecution of terrorist offences and other forms of serious transnational crime. Strict purpose limitation, retention period rules and proportionality safeguards are embedded in the agreement, reflecting jurisprudence requiring that data collection programmes be confined to what is strictly necessary to achieve their objectives.

Iceland is not a member of the European Union but participates in the Schengen Area and cooperates closely with EU agencies in justice and home affairs matters. The PNR agreement complements an existing dense network of arrangements covering police cooperation, judicial assistance and information exchange, and reinforces the principle of shared responsibility for the security of the wider European space.

Civil liberties organisations have historically expressed concern over the proliferation of bulk data collection programmes. They argue that even with safeguards in place, the routine retention of travel data on entire populations risks normalising mass surveillance. Defenders of the system counter that the alternative is intelligence-driven gaps that have repeatedly been exposed in the aftermath of terrorist incidents.

Looking forward, the EU is reportedly examining the scope for similar agreements with additional third countries. A separate proposal on the criteria and procedure for establishing the bloc’s position within the Council of Europe on accessions to the Budapest Convention on Cybercrime points to a parallel effort to strengthen the international legal architecture for cooperation on cybercrime, digital evidence and cross-border investigations.