The law will oblige airlines to hand passengers' data to national authorities for all flights from third countries to the EU and vice versa. Although the Directive only applies to 'extra-EU flights', EU countries can extend it to flights between one another. They must notify the European Commission that they are doing so. EU countries can also choose to collect and process PNR data from travel agencies and tour operators, the Parliament said.
PNR data can include any personal information collected during bookings for flights, including home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
Member of the European Parliament and author of the PNR legislation report Timothy Kirkhope said: "We have adopted an important new tool for fighting terrorists and traffickers. By collecting, sharing and analysing PNR information our intelligence agencies can detect patterns of suspicious behaviour to be followed up. PNR is not a silver bullet, but countries that have national PNR systems have shown time and again that it is highly effective."
While there have been concerns about the collection and storage of data, "I believe that the Directive puts in place data safeguards, as well as proving that the law is proportionate to the risks we face", Kirkhope said. "EU governments must now get on with implementing this agreement."
The parliament voted to accept the Directive by 461 votes to 179, with nine abstentions, it said.
Under the new laws each EU country will have to set up passenger information units (PIUs) to collect, store and process the data. These PIUs will also be responsible for transferring the data to the competent authorities and exchanging them with Europol and with their counterparts in other member states. Transfers will be made on a case-by-case basis and only for the specific purposes of "preventing, detecting, investigating or prosecuting terrorist offences or serious crime", the Parliament said.
PNR data will be able to be retained for five years in total, but after six months the data will be anonymised to remove names, addresses and any information that could identify individuals, the Parliament said.
The Parliament's vote was delayed last month. A group of Conservative MEPs claimed "left wing groups" within the Parliament blocked talks on the proposed Directive, with a knock-on delay to the final vote, , according to Reuters.
The Council of Ministers and the Parliament agreed on a compromise text for the directive in December 2015, after disagreement over how the data could be used.
The PNR Directive has been under discussion since it was proposed in 2011, to bring the EU into line with the US, Canada and Australia. In 2012, the European Parliament approved an agreement allowing the EU to exchange airline passenger information with the US.
The Directive still needs formal approval from the Council of Ministers, the Parliament said. Once it is published in the Official Journal of the EU, EU countries will have two years to transpose it into their national laws.
The Commission will review the Directive two years after it is transposed, paying "special attention to compliance with personal data protection standards, the necessity and proportionality of collecting and processing PNR data for each of the stated purposes, the length of the data retention period, and also the effectiveness of the sharing of data between the member states", the Parliament said.