Airline PNR Retention Under Renewed Scrutiny, Travel Privacy Measures That Still Work

Passenger Name Records, commonly referred to as PNRs, have become one of the most contested elements of modern air travel. Designed initially as booking tools to help airlines manage reservations, they are now central to border control, intelligence sharing, and law enforcement systems around the world. 

Each PNR can contain dozens of personal details about a traveler, ranging from names and dates of birth to payment methods, travel companions, and even special requests such as dietary restrictions.

As international travel has grown more complex, governments have steadily expanded the range of agencies entitled to access and store PNRs, often for years after a trip has ended. Airlines, caught between customer expectations of privacy and legal mandates from governments, must hold and transmit these records under strict protocols.

But the length of time for which PNRs are retained, and the way they are used, are facing renewed scrutiny in 2025. Civil society organizations, privacy regulators, and courts across several jurisdictions are questioning whether current retention practices are proportionate, lawful, and transparent.

Amicus International Consulting has analyzed these trends, identified the most significant developments, and guided individuals, families, and businesses who seek lawful ways to protect their privacy while continuing to travel internationally.

What Is a Passenger Name Record?

PNRs are electronic files generated whenever a passenger books a flight. They originated in the 1960s when airlines needed centralized records of reservations. Over time, these records became standardized through global distribution systems and were later integrated into security frameworks. 

Today, PNRs are shared not only with airlines but also with customs authorities, immigration services, counterterrorism task forces, and sometimes even marketing teams within airline groups.

A typical PNR may contain:

  • Traveler’s full name, sometimes gender, and date of birth
  • Contact information, including phone numbers, addresses, and emails
  • Payment method details and transaction references
  • Itinerary, including all flight segments, layovers, and connecting carriers
  • Travel companions booked under the same record
  • Loyalty program information
  • Special service requests, such as medical assistance or meal preferences
  • Ticketing status and changes

In essence, a PNR can function as a compressed biography of a traveler’s movements and preferences. When multiplied across dozens of trips, the information can reveal patterns that are valuable to both commercial entities and government agencies.

Why Retention Is Controversial

Airlines are generally obliged to store and share PNRs under national or regional laws. These laws often require airlines to transmit records in advance of a flight so that border agencies can perform risk assessments. However, the retention of these records after travel has ended is increasingly controversial.

  • Length of Storage: In the European Union, PNRs are retained for five years, with partial depersonalization after six months. In the United States, retention can stretch up to 15 years under Department of Homeland Security programs. Critics argue that such long periods are unnecessary for counterterrorism or border management.
  • Cross-Border Sharing: PNRs are regularly shared with foreign governments under bilateral agreements. This means that data submitted in one jurisdiction may be stored and used in another where oversight is weaker.
  • Data Quality Issues: Mistakes in PNRs can lead to false positives during security screening. A misspelled name or incorrect date of birth may cause delays or detentions.
  • Profiling Risks: Because PNRs can include sensitive details such as meal preferences or group bookings, they can be used to infer religion, health status, or social associations.

The combination of long-term storage, wide sharing, and sensitive content has led privacy regulators to scrutinize whether PNR practices comply with data protection laws and constitutional rights.

Renewed Scrutiny in 2025

Several developments have brought PNR retention back into public debate this year.

European Union Court Cases

The European Court of Justice has received challenges from civil liberties groups claiming that the five-year retention period violates principles of proportionality under EU law. In particular, litigants argue that depersonalization after six months is too easily reversed by law enforcement agencies, making the safeguard ineffective. Some member states have resisted shortening the retention period, arguing that five years is necessary for long-term investigations into organized crime.

Canadian Privacy Investigations

The Office of the Privacy Commissioner of Canada has launched an inquiry into how long the Canada Border Services Agency retains PNR data shared by airlines. Early findings suggest that depersonalization procedures are not uniformly applied, and that Canadian travelers’ data may be accessible to U.S. agencies for longer than domestic law allows.

Australian Parliamentary Review

In Australia, a parliamentary committee has begun reviewing the retention practices under the country’s PNR framework, prompted by concerns that the data is being used for secondary purposes unrelated to aviation security.

U.S. Intelligence Demands

The United States continues to demand extended access to PNRs, citing terrorism concerns and the need for long-term intelligence analysis. Privacy advocates in Congress have questioned whether a 15-year retention period is excessive, particularly when other forms of data are subject to shorter timelines.

The Role of Biometrics

The integration of biometrics with PNRs has raised the stakes considerably. Airlines around the world are deploying biometric boarding, where a facial recognition scan substitutes for a boarding pass. 

These biometric markers are linked directly to PNRs, creating records that tie physical identity to travel itineraries. This amplifies privacy risks, as any breach or misuse could involve sensitive biometric identifiers that cannot be easily changed.

Practical Privacy Measures That Still Work

Despite the complex environment, travelers can take lawful steps to protect themselves.

Use Dedicated Travel Contact Information

By creating a separate email and phone number solely for bookings, travelers can prevent unnecessary linking of their travel data with personal or professional accounts. Families often benefit from using a single family travel account to shield children from long-term profiling.

Limit Loyalty Program Enrollment

While loyalty programs offer benefits, they also create extensive travel histories. Travelers may choose to restrict enrollment to a single alliance, use corporate loyalty accounts for work-related travel, or forgo enrollment entirely for personal trips.

Structure Payments Strategically

Prepaid travel cards, virtual cards, or dedicated business accounts help keep financial details compartmentalized. This ensures that retained records do not expose primary personal credit card numbers.

Submit Data Access Requests

Under laws like the EU’s GDPR or Canada’s privacy statutes, individuals can request copies of their PNR data. This allows travelers to verify what information is being stored, check for inaccuracies, and confirm whether depersonalization has been applied.

Minimize Special Service Requests

Although convenient, special requests often disclose sensitive data. Travelers who prefer not to record dietary or medical details in PNRs may handle accommodations directly with cabin crew or at the gate.

Case Studies

Canadian Family Limiting Children’s Exposure

A Canadian family planning repeated European trips discovered through Amicus consultations that their children’s records would remain in EU systems for years. By creating a dedicated family travel email and restricting loyalty enrollments, they minimized exposure. They also submitted PNR access requests after each trip, confirming eventual depersonalization.

Executive Traveler Separating Work and Personal Itineraries

A North American executive concerned about sensitive meetings in Asia adopted a dual-channel booking system. Corporate trips were booked under a business account, while personal vacations were managed separately. This separation created a clear legal boundary, ensuring corporate travel data was not cross-linked with individual records.

Humanitarian Worker Reducing Sensitive Data Trails

A humanitarian worker traveling to conflict zones faced risks if missions were visible in shared PNR systems. Amicus helped structure bookings through nonprofit channels, used regionally appropriate payment methods, and submitted deletion requests post-travel. These measures reduced exposure while complying with booking requirements.

Retiree Balancing Convenience and Privacy

A retiree making frequent leisure trips to Europe adopted privacy-friendly practices such as prepaid travel cards and minimal loyalty engagement. This allowed continued enjoyment of travel without long-term profiling risks.

Student Traveler Using Compartmentalization

An international student traveling between North America and Europe used a separate travel account and avoided linking social media handles to PNR contact fields. This limited profiling and ensured academic and personal travel histories remained distinct.

Comparative Jurisdictional Analysis

  • European Union: Retention is five years, with depersonalization after six months. Critics argue that the ease of re-identification undermines this safeguard. Pending litigation may shorten timelines.
  • United States: Retention is up to 15 years. Access to older records is restricted to specific purposes, but privacy advocates argue the length is disproportionate.
  • Canada: Retention is five years. Recent investigations suggest inconsistent depersonalization and potential over-sharing with U.S. agencies.
  • Australia: Retention is five years. A parliamentary review is considering whether broader uses beyond aviation security are justified.
  • Japan: Retention aligns with EU principles, with depersonalization required after six months. Stronger oversight has limited misuse.
  • Middle East: Some jurisdictions retain PNR data indefinitely under national security laws, raising concerns about cross-border travelers.

This global comparison highlights a fragmented environment, where travelers must adapt to varying rules depending on jurisdiction.

Policy Outlook

The growing legal and political scrutiny suggests that reforms are likely. Possible directions include:

  • Shorter retention periods: Courts or regulators may push for two to three years rather than five or fifteen.
  • Stronger anonymization: New standards could require irreversible depersonalization after a shorter timeframe.
  • Passenger transparency rights: More jurisdictions may require airlines to inform passengers directly of retention timelines.
  • Independent oversight: Privacy commissioners or ombudspersons could gain stronger audit powers.

For now, airlines must navigate compliance obligations while maintaining customer trust. Many may publish transparency reports on data retention to demonstrate accountability.

Amicus International Consulting’s Guidance

Amicus continues to advise individuals, families, and organizations on how to navigate PNR retention lawfully. By structuring bookings carefully, exercising data rights, and adopting compartmentalization strategies, travelers can significantly reduce exposure. 

As scrutiny grows, proactive measures will provide a tangible advantage, allowing travelers to retain privacy without compromising legality or convenience.

Contact Information
Phone: +1 (604) 200-5402
Email: info@amicusint.ca
Website: www.amicusint.ca