Today, on 8 September 2016, the Advocate General of the Court of Justice of the European Union (CJEU) gave his Opinion confirming that the agreement between EU and Canada to share Passenger Name Records (PNR) data is not fully in compliance with European law. It’s shocking to note that all the EU’s others PNR instruments are significantly more questionable from the fundamental right perspective than the apparently illegal EU-Canada deal.
Once again, the European Court is confirming that the European Commission has failed to understand the law,
said Joe McNamee, Executive Director of European Digital Rights.
The European Commission has – again – failed in its basic function as the “guardian of the treaties”.
Passenger Name Record information, which generally contain data such as meal preferences and travel agent, is stored in order to use profiling to guess who might be a terrorist or a criminal. These data are separate from Advance Passenger Information data (the data passengers are required to provide to travel to or from certain countries) and the Visa Information System (database on visa applications to enter the Schengen area), which are also used for tracking of travellers.
Today’s Opinion, if followed by the Court, is expected to be significant for other EU legal acts, such as the recently adopted EU PNR Directive. Furthermore it will impact on planned international PNR agreements with other states. The ongoing negotiations with Mexico were put on hold, waiting for this assessment of the CJEU.
With an almost ideological determination, the European Commission has proposed and agreed measure after measure to stockpile personal data, creating privacy and security risks for every European at a cost of hundreds of millons of Euro. In relation to PNR, it has a deal with Canada for an arbitrary four-year period, with Australia for five and a half years, fifteen years for the EU-US agreement, and a newly-adopted EU PNR Directive that stores data for four years for serious crime and five years for terrorism. This creates a needless security risk, undermines privacy, and generates huge costs for taxpayers.
The specific points where the Agreement is out of line with EU law are detailed in the press release (PDF) from the Court.
In November 2014 the European Parliament referred the EU-Canada agreement on Passenger Name Records (PNR) to the European Court of Justice (CJEU), to assess the legality of the the agreement under EU law, in particular the Charter of Fundamental Rights of the European Union. In the Opinion of the CJEU declared that this retention of bulk data is being excessive and would therefore violates fundamental rights of EU citizens.
In its judgement in the case Digital Rights Ireland, the CJEU declared the EU Data Retention Directive invalid, for its violations of fundamental rights. In this ruling, the Court found that the data retention period, which was set between 6 and 24 months, “entails a serious interference with those fundamental rights in the legal order of the EU”. In the EU-Canada agreement retention periods of up to 5 years are planned, pending the outcome of this case.
The European Parliament decided to referred the Agreement to the CJEU before its final adoption, in order to prevent legal uncertainty and possible infringements of fundamental rights. Those concerns were also shared by many data protection analysts, including EDRi and the European Data Protection Supervisor (EDPS).
EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)