We’ve heard it before, and we’ll hear it again… ‘How can interference with fundamental EU rights to privacy and personal data protection be justified when it comes to mass-automated data processing?’ In other words, to what extent will the EU Charter of Fundamental Rights keep this international agreement grounded before it can take flight?
Earlier this month, Advocate General (AG) Mengozzi to the Court of Justice of the EU (CJEU) delivered his Opinion (case C-1/15) on the draft EU-Canada Agreement on the transfer and processing of Passenger Name Record (PNR) data. This bilateral document regulates how PNR data may be collected, used, and stored for the purposes of combatting terrorism and other serious crime. It aims to allow the transfer of PNR data, collected from passengers booking flights between Canada and the EU, to the Canadian authorities for its use, retention and, where appropriate, subsequent transfer. While the Agreement was signed by the EU and Canada in June 2014, it has not yet been concluded by the Council of the EU.
The AG’s Opinion is especially interesting as it was delivered in the light of the ECJ’s rulings in Digital Rights Ireland (DRI) (C-293/12 and C-594/12) and in Schrems (C-362/14) which declared the EU-US Safe Harbour Agreement invalid (see our previous posts here and here), as well as the introduction of the new EU-US Privacy Shield (see here). They all involved intense consideration of data protection/privacy points of law arising in the context of cross-border transfers of personal data, and the tension between mass-automated surveillance and ensuring necessity and proportionality to the achievement of public interest purposes. In particular, the examination of the proportionality of such measures went to the heart of each discourse, as well as the type of minimum requirements needed so that persons under surveillance have sufficient guarantees that their data will be afforded effective protection against the risks of abuse, and also against any unlawful access to and any unlawful use of that data.
First, let’s remind ourselves, what is PNR? A refresher on the subject can be found in a post I wrote earlier this year about PNR data here. That was in the context of describing the new EU PNR Directive on the use of such data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, (officially ‘Directive 2016/681’), which must be transposed into domestic law by EU Member States by 25 May 2018. In that Directive, which aims to harmonise Member State provisions on obligations for air carriers operating flights between a third country and the territory of at least one Member State to transmit PNR data to the competent authorities, the following definition of PNR is provided:
“a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, departure control systems used to check passengers onto flights, or equivalent systems providing the same functionalities”.
As such, PNR data, collectively, may be highly insightful of a passenger’s private life! Compare, both in DRI (para. 39) and in Schrems (para. 94) the CJEU held that: “….permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life…”.
How did this Opinion come about? The Opinion followed a request for a CJEU Opinion submitted by the European Parliament pursuant to Article 218(11) of the TFEU, in advance of it approving the EU Canada PNR Agreement (which must happen before it can be concluded by the Council). In fact, this was the first time that the Parliament asked that a PNR agreement be given a preliminary check by the CJEU before the final vote on the deal. The Parliament asked the CJEU, inter alia, whether the Agreement is compatible with certain provisions of the EU Treaties, in particular Article 16 of the TFEU (regarding data protection), as well as the Charter of Fundamental Rights of the EU. The relevant Charter provisions are: Article 7 regarding respect for private and family life; Article 8 regarding protection of personal data; as well as the general limitation clause contained in Article 52(1) (“Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”, emphasis added).
For background, in 2013, the European Data Protection Supervisor (EDPS) questioned the necessity and proportionality of PNR schemes and bulk transfers of PNR data to third countries (see here for an executive summary of his Opinion). The EDPS commented that he had not seen “convincing elements showing the necessity and proportionality of the massive and routine processing of data of non-suspicious passengers for law enforcement purposes” (para. 3). Concerns arose especially “about the limited availability of independent administrative redress and full judicial redress for EU citizens not present in Canada” and “recommends requiring confirmation that no other Canadian authority can directly access or request PNR data to the carriers covered by the agreement.” (para. 48). Such concerns arose despite the fact that the Agreement provides for: PNR data security and integrity requirements; an immediate masking of sensitive personal data; the right of access to data; the rectification and erasure of data; the possibility of administrative and judicial redress; and a time limit of the storage of data (albeit what might be considered a very lengthy period, up to a maximum of 5 years from PNR data collection, where such data “is required for any specific action, review, investigation, enforcement action, judicial proceeding, prosecution, or enforcement of penalties, until concluded”). These type of criticisms are all starting to sound very familiar… see here and here.
It is worth reflecting again here on the fact that interpretation of the concepts of necessity and proportionality have evolved in the wider context of the privacy case law of the European Court of Human Rights (ECtHR) , but they also have a relationship with data protection. In effect, the CJEU has effectively transposed the existing case-law of the ECtHR on the need for safeguards and guarantees in the field of privacy and data protection. Remember also that the pan-EU Article 29 Working Party published an Opinion in 2014 on the application of necessity and proportionality concepts and data protection within the law enforcement sector. This guidance was aimed at helping those who are tasked to review the concepts of necessity and proportionality in the areas of freedom, security and justice within the EU. However, this Opinion was published before the DRI and Schrems final judgements, which have been heralded as signalling more intense scrutiny of public measures against the test of necessity and proportionality-to-purpose where personal data is subjected to automatic processing and where there is a significant risk of unlawful access to that data. [Wasn’t it just a month or so ago that AG Saugmandsgaard Øe opined that the Charter allowed Member States to impose general data retention obligations on providers of electronic communications services for the purpose of fighting serious crime provided that a number of conditions are satisfied, including the safeguards described by the CJEU in the DRI judgement? And yet he also deemed it necessary to examine in great detail “the requirements concerning the legal basis for, and the necessity and proportionality within a democratic society of general data retention obligations”…].
So what does AG Mengozzi say? To get to the point, the Agreement cannot be entered into in its current form without breaching the Charter.
- First, he says it is necessary to follow the route outlined by the DRI and Schrems judgments and to subject the Agreement envisaged to a strict review as regards the right to respect for private and family life and the right to protection of personal data. To this end, “the Court should ensure that the proposed measures…reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data” (para 8). Moreover, “the Court cannot decline to carry out a strict review of compliance with the requirements resulting from the principle of proportionality and more particularly from the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged” (para 200).
- Second, in order to be compatible with Articles 7, 8 and 52(1) of the EU Charter, the Agreement will have to be strictly reviewed and updated as many of its provisions need amendment before adoption “so that it does not exceed what is strictly necessary in order to achieve its security objective”. These include: setting out in clear and precise detail what categories of PNR data are relevant (and excluding sensitive data from the Agreement’s scope); listing what offences are within the definition of serious transnational crime (by way of more carefully scoping what individuals are liable to be scrutinised most closely); specifying which officials can access the data and under what conditions; identifying the Canadian authority responsible for processing PNR data; and, stipulating the clear and precise rules by which an independent authority can monitor the level of passenger protection afforded in the processing of personal data as relevant, as well as adjudicating passenger requests for access, rectification and annotation of their data.
- Third, some present terms in the Agreement should be deleted so that it does not exceed what is strictly necessary in order to achieve its public security objective. An example is the provision in the Agreement that confers to the Canadian authorities “beyond what is strictly necessary, the right to make any disclosure of information without a requirement for any connection with the public security objective pursued by the agreement”. Also for scrapping is a clause that authorises Canada to retain PNR data for up to 5-years without a requirement for any connection with the public security objective pursued by the agreement. In that context, the AG opines that that the Agreement must states the reasons, precisely, why it is objectively necessary to retain all PNR data for a maximum period of 5 years and – where a 5-year retention period is considered necessary – the Agreement should ensure that the PNR “that would enable an airline passenger to be directly identified is ‘depersonalised’ by masking”. [Remember, by comparison, the DRI judgement found that the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in particular in respect of data retention time periods that were for a maximum of 24 months only. The CJEU made the comment in that judgement that, “the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary” (see para. 64).]
- Finally, the AG comments that the Agreement pursues twin objectives of equal and inseparable importance (combating terrorism and serious transnational crime provided for in Article 87 TFEU, and the protection of personal data provided for in Article 16 TFEU). For that reason, he opines that the Agreement must be based on both these Treaty Articles as substantive legal bases.
Per standard practice, the AG’s Opinion is not binding on the final judgement of the CJEU but it will be influential not least because this is the first time that the CJEU will rule on the compatibility of an international agreement with the Charter.
As we await the final judgment at a later date, it will be interesting to consider what impact this could have on other existing PNR international agreements concluded with the EU, including the EU-Australia PNR Agreement, as well as the EU-US PNR Agreement, both of which entered into force in 2012. Will the EU-Canadian Agreement set the benchmark for EU international agreements that involve the mass collection of European citizens’ personal data?