PNR data can include any personal information collected during bookings for flights, including home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
The approved compromise text of a directive agreed with the Parliament establishes that PNR data collected may only be processed for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, the Council said.
"The compromise agreed today will enable the EU to set up an effective PNR system which fully respects fundamental rights and freedoms", said Etienne Schneider, president of the Council.
Under the new directive, airlines will be obliged to provide member states' authorities with the PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PNR data concerning selected intra-EU flights, the Council said.
Each member state will be required to set up a Passenger Information Unit (PIU) to receive the PNR data. PIUs will have to appoint a data protection officer to monitor data protection and safeguards, and to act as a contact point for passengers with concerns.
The European Parliament added data projection safeguards to draft PNR rules in July, to ensure "the lawfulness of any storage, analysis, transfer and use of PNR data". The data "must only be used to prevent, detect, investigate and prosecute these crimes", it said.
Data protection safeguards include rules stating that national PUIs will only be allowed to process PNR data for specific purposes, such as identifying a passenger who "may be involved in a terrorist offence or serious transnational crime and who requires further examination", the Parliament said.
The PNR directive has been under discussion since it was proposed in 2011, to bring the EU into line with US, Canada and Australia. In 2012, the European Parliament approved an agreement allowing the EU to exchange airline passenger information with the US.
In February, MEPs called on EU countries to make faster progress on a package of data protection reforms so that talks could continue alongside discussions of proposals on the communication of PNR.
The UK and Ireland have opted in to the EU PNR directive, while Denmark has not.
After a vote by the Parliament's Civil Liberties, Justice and Home Affairs Committee, the directive will be submitted to the Parliament for a vote and to the Council for adoption. Once it is adopted member states will have two years to being it into force.