EU data protection/privacy laws continue to keep this international Air Passenger data agreement ‘grounded from taking flight’, but what effect could the decision have on similar data agreements already concluded with the EU?
On 26 July, the European Court of Justice (CJEU) declared that the EU-Canada Passenger Name Record (PNR) Agreement is incompatible with EU privacy and personal data protection laws and cannot be concluded in its current form.
Per my earlier post summarising Attorney General Mengozzi’s Opinion criticising this agreement at the end of last year, this bilateral document brokered in 2014 is intended to regulate how PNR data may be collected, used, and stored for the purposes of combatting terrorism and other serious crime. In particular, it aims to allow the transfer of PNR data, collected from passengers booking flights between Canada and the EU, to the Canadian authorities for its use, retention and, where appropriate, subsequent transfer. More information about the PNR Directive coming into effect in 2018, can also be found in my post here.
In 2014, the European Parliament asked the CJEU, inter alia, whether the Agreement is compatible with certain provisions of the EU Treaties, in particular Article 16 of the TFEU (regarding data protection), as well as the Charter of Fundamental Rights of the EU (Articles 7 and 8, as well the general limitation clause contained in Article 52(1)). Article 52(1) prescribes that, pursuant to the EU principle of proportionality, limitations (to the rights to personal data protection and privacy) may be made only if they are necessary and genuinely meet objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others. In particular, much concern has been raised about the necessity and proportionality of PNR schemes, and bulk transfers of PNR data to third countries, as a form of mass-automated processing of data potentially highly sensitive and insightful of people’s personal lives (including people not obviously under suspicion of criminal behaviour).
So, what does the CJEU say? Broadly, as it stands, the wide-ranging agreement would violate flight passengers’ privacy/data protection rights because it allows authorities to exchange data that could reveal “a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health, and may even provide sensitive information”. Furthermore, the CJEU highlights the fact that the PNR data transferred is intended to be analysed “systematically by automated means, based on pre-established models and criteria”. These factors contribute to the CJEU’s overall view that, “although the systematic transfer, retention and use of all passenger data are, in essence, permissible, several provisions of the draft agreement do not meet requirements stemming from the fundamental rights of the European Union”.
Per AG Mengozzi’s Opinion, the Court specifically criticises various measures in the agreement for lack of proportionality, including the following:
- a requirement to store data for no longer than five years is too long;
- too broad categories of PNR data listed for collection;
- no guarantee that data collected is only used to fight terrorism or serious crimes; and,
- a lack of a precise and particularly solid justification for transfer of sensitive data to Canada, specifically grounds other than the protection of public security against terrorism and serious transnational crime.
Accordingly, the Court sets out a list of ‘standards’ that the agreement should meet. It should:
- determine in a more clear and precise manner certain of the PNR data to be transferred;
- provide that the models and criteria used for the automated processing of PNR data will be specific, reliable and non-discriminatory;
- provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;
- provide that PNR data may be disclosed by the Canadian authorities to the government authorities of a non-EU country only if there is an agreement between the EU and that country equivalent to the envisaged agreement/decision of the European Commission in that field;
- provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data to other authorities or to individuals;
- guarantee that the oversight of the rules relating to the protection of air passengers with regard to the processing of their PNR data is carried out by an independent supervisory authority.
While this decision is a blow for the European Commission, who will have to go back to the drawing-board in renegotiating the deal with the Canadian authorities to agree a changed version that will comply with EU laws, the impact for other existing PNR international agreements concluded with the EU could be far-reaching. These include the EU-Australia PNR Agreement, as well as the EU-US PNR Agreement, both of which entered into force in 2012. In particular, compared with these other agreements, the Canadian agreement had been perceived as being less restrictive. For example, PNR data shared under the EU-US agreement can be stored for up to 15 years, the Australian agreement allows authorities to store data for up to five-and-a-half years. This has led the NGO European Digital Rights (EDRi), for example, to call for the EU to now immediately suspend its deals with both of these other countries in light of this ruling.
Finally, as readers of this blog will be aware, the CJEU’s decision is another blow to the European Commission in light of the CJEU’s rulings in Digital Rights Ireland (DRI) (C-293/12 and C-594/12), Schrems (C-362/14) which declared the EU-US Safe Harbour Agreement invalid, as well as the introduction of the new EU-US Privacy Shield (see here). They all involved intense consideration of data protection/privacy points of law arising in the context of cross-border transfers of personal data, and the tension between mass-automated surveillance and ensuring necessity and proportionality to the achievement of public interest purposes. In particular, the examination of the proportionality of such measures went to the heart of each discourse, as well as the type of minimum requirements needed so that persons under surveillance have sufficient guarantees that their data will be afforded effective protection against the risks of abuse, and also against any unlawful access to and any unlawful use of that data.
The CJEU already has other cases lined up following complaints against the EU-US privacy Shield that it still does not meet up to EU standards. These include another case brought by Digital Rights Ireland here, which is an action of annulment – that is, if successful, it would invalidate the Commission’s Adequacy Decision, which approved and adopted the Privacy Shield one year ago this month. Watch this space!