In the Opinion 1/15 of 26 July 2017 (“Opinion”), the Court of Justice of the European Union (“CJEU”) held that the proposed agreement between the EU and Canada on the transfer and processing of Passenger Name Record (“PNR”) data may not be concluded in its current form. The Opinion is available here. The CJEU said that the agreement violates EU privacy and data protection laws.
The EU and Canada negotiated an agreement on the transfer and processing of PNR data (“PNR Agreement”). The European Parliament, which was asked to approve the PNR Agreement, called upon the CJEU to give a ruling on its compatibility with the EU Charter of Fundamental Rights. It is the first time the European Parliament or any other EU institution obtained the opinion of the CJEU regarding the question whether a draft international agreement is compatible with EU law.
The PNR Agreement permits the systematic and continuous transfer of PNR data of all airplane passengers flying between the EU and Canada to a Canadian authority. The PNR data includes, for example, the names of air passengers, the dates of intended travel, the travel itinerary, and information relating to payment and baggage. The PNR data may reveal travel habits, relationships between two individuals, information on the financial situation or the dietary habits of individuals. For the purpose of combating terrorism and transnational crime, the PNR Agreement provides that the PNR data can be retained and transferred to other authorities and to other non-member countries. The PNR Agreement stipulates a data storage period of five years.
Opinion of the CJEU
The CJEU observed that the transfer of the PNR data from the EU to Canada, and the rules laid down in the PNR Agreement, violate the fundamental right to respect for private life, and the right to protection of personal data.
The CJEU considered that the systematic transfer, retention and use of all passenger data are, in general, permissible. However, the CJEU found that several provisions of the PNR Agreement do not meet requirements stemming from the fundamental rights of the EU. These provisions are not limited to what is strictly necessary and do not lay down clear and precise rules. A transfer of sensitive data outside the EU requires “a precise and particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime.” In terms of the PNR Agreement, such justification would be missing. The CJEU criticized, in essence, the persistent use of the PNR data during the air passengers’ stay in Canada and the storage period of five years.
Besides, the CJEU provided a list of requirements the PNR Agreement must comply with. The CJEU requires, inter alia:
- Clear and precise definitions of the PNR data to be transferred
- Specific, reliable and non-discriminatory criteria for the automated data processing
- That the databases used will be limited to those used by Canada for the intended purpose – the fight against terrorism and serious transnational crime
- That the disclosure of the data to government authorities of a non-EU country will be subject to an agreement between that country and the EU
After the clear Opinion of the CJEU, the EU Commission and Canada have to find their way back to the negotiating table. Significant amendments to the PNR Agreement are necessary.
Further, the Opinion has broader implications for international data transfers outside the EU. The Opinion includes more detailed requirements for the protection of data to be transferred in the recipient country, compared with the provisions as set out in the 2015 Safe Harbour judgment of the CJEU. Therefore, it has to be assumed that the Opinion will have impact on the assessments of Privacy Shield and the Standard Contractual Clauses.
Both transfer mechanisms are currently being challenged in court. With regard to Privacy Shield, the EU General Court will have to decide on its compatibility with EU law following a complaint of the privacy advocacy group Digital Rights Ireland. The Standard Contractual Clauses are currently being challenged before the Irish High Court by the Irish data protection authority. The Irish High Court will likely refer this case to the CJEU.