CJEU hearing on the EU Canada PNR agreement: Still shady
The European Court of Justice (CJEU) had a hearing on 5 April to decide about the referral made on 25 November by the European Parliament on the EU-Canada agreement on Passenger Name Records (PNR). Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes, such as, but not only, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc. This provides a massive insight into the private life of an individual.
The agreement between the EU and Canada allows for the transfer and processing of PNR data of passengers flying between the EU and Canada. The result of the referral of the agreement to the CJEU could impact the proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data (procedure file 2011/0023(COD)), that was adopted by the European Parliament’s Civil Liberties Committee on 15 July 2015, and which may be scheduled to be voted in the European Parliament’s plenary session on 27-28 April 2016. The narrow vote (32 in favor, 26 against, no abstentions) in favour happened despite the rejection of this same EU PNR proposal by the same Committee in 2014 and despite the CJEU ruling invalidating the Data Retention Directive.
During the hearing, many crucial issues came up:
Firstly, the European Commission (EC) argued before the Court that PNR data is “anonymised” after 30 days and that, as a result, the CJEU judgment invalidating the data retention Directive is not applicable in this case. However, the EC fails to see that the PNR data is only “masked out” – depersonalised by masking certain identifiers. This is not anonymisation. The EU PNR Directive contains similar clauses and the European Data Protection Supervisor (EDPS) Opinion 5/2015 of 24 September 2015 said that they were glad that the mention to anonymous data was taken off the proposal since “(i)ndeed, the data at stake could not be considered as anonymous since they would still be re-identifiable.”
Secondly, the EC quoted the EU anti-terrorism coordinator saying that the number of convinctions based on PNR are irrelevant”. This just does not make sense. If the goal is to find suspects, and there are no convictions based on the PNR data used, the collection and processing of PNR data could well not be “necessary” nor “genuinely meet objectives of general interest recognised by the Union” as Article 52.1 of the Charter of Fundamental Rights states for any limitation for fundamental rights.
Thirdly, during the hearing Member States defended the agreement based on different reasons. The Spanish representative stated that the data retention period of 5 years is absolutely necessary for criminal investigations. Why not five and a half years, as it is the case currently under the PNR agreement with Australia… or 15 years, as under the PNR agreement with the USA? Why not 20 years? Or maybe just 3? Is the standard “whatever-length-we-randomly-decide-each-time”?
Fourthly the issue of the independent supervisory authority was also highlighted during the hearing. The EDPS reiterated the views expressed in their Opinion on the agreement of 30 September 2013 and said that the oversight in Canada PNR is not an equivalent independent authority, which was refuted by the EC during the hearing. The EDPS Opinion explicitly regretted the fact that “oversight may take place (…) by a (non independent) authority created by administrative means”. The EDPS also noted the “limitations of judicial review with respect to judicial redress”.
In sum, the hearing has shown once again that PNR profiling is a not a necessary and proportionate means to prevent international crime and terrorism in the EU. The Advocate General of the Court will announce his opinion on 13 June 2016.
EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)
https://edri.org/eu-canada-agreement-on-pnr-referred-to-the-cjeu-whats-next/
Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record
http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2012657%202013%20REV%201
EU PNR Document Pool
https://edri.org/eu-pnr-document-pool/
Opinion of the European Data Protection Supervisor on the Proposals for Council Decisions on the conclusion and the signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (30.09.2013)
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-09-30_Canada_EN.pdf
Steve Peers: The Domino Effect: how many EU treaties violate the rights to privacy and data protection (25.11.2014)
http://eulawanalysis.blogspot.be/2014/11/the-domino-effect-how-many-eu-treaties.html
Bruce Schneier: Refuse to be terrorised (24.08.2006)
https://www.schneier.com/essays/archives/2006/08/refuse_to_be_terrori.html
Mass surveillance through PNR is facing closure: EU-Canada agreement is put to testing (in German) (05.04.2016)
https://digitalegesellschaft.de/2016/04/vds-reisedaten-kanada-eugh/
(Contribution by Diego Naranjo, EDRi)