On 26 July 2017, the Court of Justice of the EU (“Court”) issued its Opinion on the proposed EU-Canada Agreement on the transfer and processing of Passenger Name Record data (“PNR Data”). The opinion, issued by the Court’s Grand Chamber, confirms that the Court accepts the necessity of processing large amounts of personal data to protect against terrorism in general. However, in order to ensure compliance with the EU Charter of Fundamental Rights (“the Charter”), the Court will scrutinize the details of any EU legislative act to ensure that no data are retained or accessed without a clear link to the underlying justification of combating terrorism.

Implications

The opinion will have important implications for the proposed Agreement with Canada, but also for the Agreements that the EU had previously concluded with the US and Australia, as well as for upcoming cases dealing with surveillance.

The implications of the Court’s rulings, set out in more detail below, are clear. First, third countries negotiating with the EU are facing a “moving target”: the Court took into account various judgments and a Directive adopted after the EU-Canada Agreement was agreed and submitted to the Court for review. Second, the opinion helpfully confirms that the Court recognizes the need to combat terrorism, noting in particular that Article 6 of the Charter (the “right to liberty and security of person”) can justify the processing of personal data. Third, the Court nevertheless will not hesitate to scrutinize every detail of an EU act submitted to it for review as a potential violation of fundamental rights under the Charter.

Background

In line with earlier judgments on data protection, the Court recognized that the transfer of PNR data and the conditions concerning its retention, use and transfer to other EU or foreign authorities constitute interference with the right to privacy and data protection guaranteed in Articles 7 and 8 of the Charter. The Court, however, noted that the purpose of the PNR Agreement is to ensure the security and the safety of the public through facilitating the transfer and use of PNR data by Canadian authorities, and prescribes the means to protect the PNR data during such processing. The Agreement aims to achieve the objective of security and safety by seeking to “prevent, combat, repress and eliminate terrorism and terrorist-related offences, as well as serious transnational crime.” This, according to the Court, is an objective of general interest of the EU that is capable of justifying even serious interferences with the fundamental rights enshrined in the Charter.

In assessing whether the Agreement does justify interferences with the right to privacy, the Court considered that the nature of the information is limited to certain aspects of private life, that the Agreement limits the purposes for which PNR data may be processed, and that rules are provided to ensure the security, confidentiality and integrity of the data and to protect it against unlawful access and processing.

The Court then reviewed the necessity and proportionality of various interferences contemplated by the Agreement. It concluded that:

  • The Agreement is incompatible with Charter insofar as it does not preclude the transfer, use and retention of “sensitive data” within the meaning of the Agreement (information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about a person’s health or sex life). In reaching this conclusion, the Court took into account that EU’s own Directive on PNR data (Directive (EU) 2015/681) does not permit the retention of sensitive data.
  • In order to be compatible with the Charter, the Agreement must be amended on a number of points. This includes determining precisely the PNR data subject to processing; ensuring that an “individual re-examination” takes place before an individual measure is taken against any individual who is selected on the basis of automated processing of PNR data; making the use of the data by the Canadian Competent Authority and its disclosure to other authorities subject to substantive and procedural conditions, generally limiting the retention of PNR data; subjecting the disclosure of PNR data to a third country to the condition that there be either an agreement between the EU and the third country equivalent to the Canada-EU Agreement (or a decision of the European Commission finding that the third-country ensures an “adequate level of protection”); providing for a right to individual notification for air passengers after completion of investigations; and guaranteeing that the oversight of the rules of the Agreement will be carried out by an independent supervisory authority. The Court’s review was remarkably detailed in this respect. For example, the Court criticized every single open-ended item on a list of data to be transferred.

The opinion is available here.