CJEU Advocate General states that PNR Directive does not violate fundamental rights despite mass surveillance concerns from civil society

In 2016, the European Union adopted the Passenger Name Record (PNR) Directive which obliges Member States to collect PNR data on all flights to third countries and exchange this information with other Member States through the Passenger Information Units (PIUs). Member States can decide to apply the PNR Directive to intra-EU flights as well, an option which almost all Member States have used. Before arrival or departure, the PNR data is used to profile passengers, and this data is subsequently retained for five years.

The PNR Directive amounts to mass surveillance similar to general and indiscriminate data retention of telecommunications metadata. The latter has repeatedly been ruled illegal under EU law by the Court of Justice of the European Union (CJEU). In July 2017, the CJEU decided that the EU-Canada PNR agreement was incompatible with the Charter of Fundamental Rights.

Against this backdrop, the implementation of the PNR Directive has been challenged by civil society organisations in Belgium as well as in Germany and Austria by EDRi members GFF and Epicenter.works. So far, only the Belgian and German courts have referred cases to the CJEU. These cases are of significance as the European Commission and the Council of the EU already identified appetite among the Member States to extend the scope of data collection to other types of transportation like trains, buses and ships, thus covering many more travellers.

Senseless attempt to patch a failing system

On 27 January, the Advocate General (AG) delivered his long awaited (non-binding) opinion in the Belgian case C-817/19. The legal analysis of the AG follows the EU-Canada PNR ruling quite closely, but the conclusion is very different since the Advocate General proposes that the PNR Directive should be declared compatible with the Charter of Fundamental Rights. The AG’s conclusion is a disappointment to civil society organisations hoping for the invalidation of the PNR Directive, but also surprising since the AG Opinion identifies the same deficiencies in the PNR Directive which led the CJEU to rule against the EU-Canada PNR agreement in 2017.

Some of these problems are: First, the “General remarks” data category is not defined with sufficient precision in Annex I, which lists all the categories of information to be transferred under the Directive, and therefore cannot be transferred to PIUs. This is important because the “General remarks” field may contain sensitive personal data, e.g. meal requests that indirectly reveal the passenger’s religious practices or political orientations. Secondly, while the collection and analysis of PNR data for all passengers is compatible with the Charter, it is not the case for the subsequent retention for five years which exceeds the limits of what is strictly necessary. Thirdly, the case law of the CJEU requires prior authorisation by a court or independent administrative authority before retained PNR data is disclosed to law enforcement authorities. The PNR Directive does not satisfy this requirement in the initial six months after retention, as the PIU can decide on access requests in this period and does not qualify as an independent authority as they are mainly composed of law enforcement officers.

In order to remedy these deficiencies, the AG proposes a minor partial invalidation of point 12 of Annex I (the General remarks field) and to interpret other parts of the PNR Directive so that they are compatible with the Charter of Fundamental Rights. Specifically, the five-year retention in Article 12(1) is only permitted in a targeted manner for passengers where a link with terrorism or serious crime can be established based on objective criteria. The access to retained PNR data in the initial six-month period must comply with the conditions in Article 12(3)(b), which in the directive text only applies after six months.

The solution proposed by the AG leaves the PNR Directive essentially untouched, and instead puts the burden on Member States to implement the Directive in a way that is consistent with the interpretation of the CJEU. Since Member States have followed the legislative text to the letter, this will require substantial amendments of all national PNR laws, e.g. to ensure that the five-year retention is targeted. This means it could take several years before these corrective measures are implemented, also considering the reluctance of many Member States to surrender their mass data retention regimes.

Moreover, as the interpretation of the PNR Directive proposed by the Advocate General clearly goes against the intention of the EU legislature in at least one critical area (generalised retention), it would arguably have been more logical to simply invalidate the Directive, as was done by the CJEU in the 2014 judgment on the Data Retention Directive. The Commission would have then be able to use the guidance from the CJEU to propose a new PNR directive in compliance with the Charter of Fundamental Rights.

A missed opportunity for scrutinising profiling practices

The biggest disappointment in the AG Opinion is the rather limited attention given to the profiling of all passengers by means of automated analysis of their PNR data. This may be a consequence of closely following the EU-Canada PNR case, where the CJEU also did not object to the automated analysis subject to certain safeguards. Nonetheless, the AG Opinion represents a missed opportunity by not critically addressing the substantial fundamental rights problems inextricably associated with profiling all passengers. A recent opinion on the PNR Directive by Douwe Korff contains an in-depth and evidence-based analysis of these issues, leading to the conclusion that profiling based on systematic analysis of PNR data is inherently flawed and incompatible with fundamental rights.

In the data retention cases before the CJEU, Member States have tried, but failed, to demonstrate the strict necessity of this intrusive measure. The PNR Directive should be subjected to the same test, but the AG has only applied the necessity test for the retention of PNR data after the flight, which must be targeted. For the initial transfer of PNR data to the PUI and the profiling of all passengers, the AG rather uncritically accepts the premise that systematic analysis of PNR data is essential for the fight against terrorism and serious crime, and that data mining can be used to find unknown criminals. The link between air travel, terrorism and serious crime is insufficient in itself to justify the indiscriminate profiling where everybody is treated as a potential suspect, even for intra-EU flights where border checks have been abolished with the Schengen Convention.

The AG is aware of the risks with data mining of PNR data and even cites the high number of false positive matches in the Commission’s evaluation of the PNR Directive. The high error rate is to be expected due to the base-rate fallacy, but it does not affect the AG’s conclusion that systematic analysis of PNR data is a suitable measure. The problems with data mining must instead be addressed through appropriate safeguards, including manual review of automated positive matches. In point 228 of his Opinion, the Advocate General emphasises that in order for human review to be effective, it must be possible to understand why the algorithm has produced a positive match. This cannot be guaranteed with self-learning systems such as machine learning and artificial intelligence technologies. If this reasoning is adopted by the CJEU in the final judgment, the implications will extend considerably beyond the PNR Directive itself. For example, the amended Europol Regulation envisages a considerable role for AI technologies and predictive policing systems.

Image credits: Jeremy Bezanger / Unsplash

(Contribution by: Chloé Berthélemy, EDRi Policy Advisor and Jesper Lund, Chairman EDRi member, IT-Political Association of Denmark)