The Court of Justice of the European Union (“CJEU”) has rejected a proposed deal between the EU and Canada for the sharing of passenger data, claiming that it violates data protection and privacy laws. The purpose of the proposed Passenger Name Records (PNR) Agreement is to combat terrorism and transnational crime. However, the CJEU found that the PNR Agreement went beyond what was necessary to address those threats.
While the deal was initially agreed in 2014, it attracted a lot of debate in the European Parliament. In light of this, the Parliament, for the first time ever, exercised its right to refer the matter to the EU’s top court for an opinion on the deal’s compatibility with EU privacy laws and the EU Charter of Fundamental Rights (“Charter”).
What is PNR data?
PNR data includes a large amount of personal data collected when an individual books a flight. The data can include names, addresses, phone numbers, email addresses, financial information and travel itineraries. The PNR Agreement would have allowed for the systematic and automatic reciprocal transfer of this information across the Atlantic. In addition, the PNR Agreement would have allowed for the transfer of the information to third countries and permitted a data retention period of 5 years.
Opinion of the CJEU
The CJEU found that the sharing of PNR data could be permissible, but in this particular instance violated fundamental privacy rights. The CJEU took the view that the PNR Agreement violated restrictions in relation to sensitive personal data, as the rules were “not limited to what was strictly necessary” to combat terrorism.
The CJEU held that to transfer sensitive personal data outside of the EU would require a “precise and particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime”, in line with the Charter. In the CJEU’s view, no such justification was present.
The CJEU also noted that the retention period of up to 5 years was excessive. The CJEU observed that the 5-year retention period applied indiscriminately to all passengers, and the EU had given no justification for the lengthy retention period. The CJEU indicated that, where a passenger had departed Canada, and had been subject to checks on entry and departure (revealing no terrorist or criminal threat), then there would be no justification for retaining their PNR data in the context of combatting terrorism.
The CJEU’s opinion listed a number of steps to bring the PNR Agreement to compatibility with data protection and privacy laws. They included the following:
- Determine, in a clear and precise manner, the PNR data to be transferred.
- Ensure that the criteria used in the context of automated processing of PNR data will be specific, reliable and non-discriminatory.
- Provide that the databases used will be limited to those used by Canada for the fight against terrorism and serious transnational crime.
- Limit the retention of PNR data after the air passengers' departure to information relating to passengers where there is objective evidence that they may present a risk in terms of the fight against terrorism and serious transnational crime.
- Require that any planned disclosures by the Canadian authorities to a third country, which is not an “adequate jurisdiction”, is subject to an agreement between the EU and the third country, equivalent to the PNR Agreement.
Back to the drawing board
Following the opinion of the CJEU, the European Commission issued a statement noting that it is “ready to engage with Canada about ways of addressing the concerns raised by the European Court of Justice on the envisaged EU-Canada PNR Agreement.”
The Commission and its Canadian counterparts will need to return to the negotiating table in order to implement the necessary changes.
Digital rights groups have been quick to claim that this decision throws into doubt pre-existing PNR agreements that are in force between the EU and the US and Australia. For instance, the EU-US PNR agreement provides for a retention period of up to 15 years, the enforceability of which could be questioned in light of the CJEU’s opinion. It remains to be seen how this opinion will affect such existing deals and other prospective data sharing proposals.