In 2014, the European Parliament asked the Court of Justice of the European Union (“CJEU”) whether an agreement on the transfer of processing of Passenger Name Record data (“PNR agreement”) between the European Union (“EU”) and Canada was compatible with certain provisions of the EU treaties. In particular, article 16 of the Treaty on the Functioning of the EU (in regards to data protection inquiries) and articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the EU.
The CJEU held, on 26 July, that the PNR Agreement is not compatible with EU privacy and personal data protection law, fundamental EU rights, which means that the agreement cannot be concluded in its current form. Although technically speaking this has no legal impact on the current transfer of PNR data with the United States (“US”), the Court’s decision has opened ways for its potential challenges and, in policy terms, is forcing its revision.
The PNR agreement
The agreement would enable, by way of an automated and systematic process, the transfer of PNR data of all air passengers to the competent Canadian authority: the Canada Border Services Agency (“CBSA”). In turn, the CBSA would retain the PNR data for a maximum period of five years and even transfer the data to other authorities and authorities from third countries.
The PNR data would include a complete travel itinerary, travel habits, relationships between two or more individuals, information about the person’s health and financial situation; it could go so far as to provide sensitive data (information revealing “racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership or a person’s health or sex life”) of air passengers booking flights between Canada and the EU. In addition, due to the fact that the information would be analyzed by automated means, according to pre-established models and criteria, some additional private information could be provided and retained for a lengthy period.
The CJEU recognized that the transfer, use and retention of PNR data constituted an “interference with the fundamental rights to respect for private life” and to the protection of personal data, thereby breaching fundamental EU rights.
The CJEU considered whether those interferences could be justified in light of the objective of the PNR agreement. Indeed, the agreement has dual objectives: i) to ensure public security by means of transfer of PNR data to Canada; and ii) the use of that data within the framework of the fight against terrorist offences and serious transnational crime. The CJEU concluded that the transfer, use and retention of the sensitive information cited above were incompatible with fundamental EU rights due to the too broad categories of PNR data listed for collection, the absence of guarantee that the collection of such data will only be used to fight terrorism or transnational crime, the 5-year retention period and a lack of precise and clear justification for the transfer of PNR data to Canada or other authorities.
A revised agreement
In order for the PNR agreement to be compatible with the fundamental EU rights, the court set out a list of “standards” that the agreement should meet:
- Determine in a more clear and precise manner certain of the PNR data to be transferred;
- Provide that the models and criteria used for the automated processing of PNR data will be specific, reliable and non-discriminatory;
- Provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;
- Provide that PNR data may be disclosed by the Canadian authorities to the government authorities of a non-EU country only if there is an agreement between the EU and that country equivalent to the envisaged agreement/decision of the European Commission in that field;
- Provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data to other authorities or to individuals;
- Guarantee that the oversight of the rules relating to the protection of air passengers with regard to the processing of their PNR data is carried out by an independent supervisory authority.
What happens next?
Following this opinion a new deal will have to be negotiated with the Canadian authorities to comply with fundamental EU laws and rights as interpreted by the CJEU.
In addition, the EU rapporteur of the PNR agreement highlighted the direct connection between the content of this opinion and other even less restrictive PNR agreements previously concluded in 2012 (with Australia and with the the US), leading to calls for their suspension.