The Working Party 29 (WP29) is an advisory body composed of representatives from the data protection authority of each EU Member State, the European Data Protection Supervisor (EDPS) and the European Commission.
On 11 April, the WP29 requested that the Commission take action and revise its Passenger Name Records (PNR) policies based on Opinion 01/15 of the Court of Justice of the European Union (CJEU). The CJEU found in its opinion on the EU PNR agreement with Canada that the envisaged agreement is in part not compatible with Articles 7, 8, 21 and 52 of the Charter of Fundamental Rights of the European Union. However, no relevant progress has been made concerning this agreement, the PNR agreements with Australia and the US, or the EU PNR Directive.
The WP29 expressed concern that a number of issues highlighted by the CJEU need urgent review:
1. Need for clear and precise description of the personal data collected
The PNR Directive, and particularly the PNR agreements with Australia and the US, contain language which is not specific enough and which does not sufficiently describe what kind of data will be collected. This can lead to excessive amounts of data which are not necessary or proportionate for the purposes of the Directive.
2. Exclusion of sensitive data
The Court points out that the transfer of sensitive data requires a precise and particularly solid justification, based on grounds other than a simple reference to the protection of public security against terrorism and serious transnational crime. The processing of sensitive data has been prohibited by the EU legislator regarding the PNR Directive, but the agreement with the US allows for sensitive data to be retained and processed.
3. An independent authority needed to monitor disclosure of personal data
The retention of the data for as long as the passengers are in the third country has been considered to be in compliance with the Charter. However, the CJEU held that the access to the retained PNR data must be subject to a prior review either by a court or by an independent administrative body. Neither the PNR agreement with the US nor with Australia includes an obligation in line with the Court’s holding. With regard to the EU PNR Directive, Article 12 (3) makes disclosure of the full PNR data subject to approval by a judiciary authority or an undefined “another national authority competent under national law” after a period of six months.
4. Deletion of PNR data after departure if there is no evidence of risks
The CJEU stated that PNR data could not be stored after the passengers’ departure from the third country, except in specific cases where objective evidence can demonstrate that a passenger presents a risk. However, none of the instruments includes an obligation to delete the data after the departure of the passenger if no objective evidence demonstrates this potential risk. Furthermore, the data retention periods are different in the Directive and PNR agreements for no obvious reason.
5. Limits to disclosures to third countries
The CJEU held that third country authorities which have received PNR data may only transfer that data to another country if the EU has made a PNR agreement with that country or if it has found it to uphold adequate data protection norms. Nonetheless, in the cases of the agreements with Australia and the US, there are no such limitations.
6. Oversight by an independent supervisory authority
The CJEU stressed the necessity of independent oversight of the PNR data protection safeguards of the EU/Canada agreement. This issue does not appear as problematic with regard to the PNR Directive and the agreement with Australia, but it is particularly relevant for the agreement with the US. This agreement provides that compliance with the data protection safeguards is primarily subject to review by the Privacy Officers of the Department of Homeland Security, and thus not by an independent administrative body.
Therefore, further protection of passengers’ privacy must be ensured. The PNR agreements with the US and with Australia suffer from a range of deficiencies. As for the EU PNR Directive, it seems clear that it is at least partly not in compliance with the requirements expressed by the CJEU. The European Commission, as Guardian of the Treaties, needs to take urgent action to ensure that both the EU PNR Directive and the agreements comply with the Charter of Fundamental Rights.
Letter of the Chair of the Article 29 Working Party to EU Commissioners (11.04.2018)
Charter of Fundamental Rights of the European Union
EU PNR Directive (27.04.2018)
FAQ: Passenger Name Records (PNR) (09.12.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
(Contribution by María Roson, EDRi intern)