EU and Canada PNR Agreement Invalid

September 7, 2016

According to Advocate General Mengozzi, the agreement on the transfer of passenger name record data, planned between the European Union and Canada, cannot be entered into in its current form. A number of provisions of the draft agreement are incompatible with EU fundamental rights.

Starting in 2010, the EU and Canada negotiated an agreement on the transfer and processing of passenger name record data (PNR Agreement). The agreement envisaged intends to allow the transfer of PNR data to the Canadian authorities for its use, retention and, where appropriate, subsequent transfer, for the purpose of combatting terrorism and other serious transnational crime. The draft agreement further provides for PNR data security and integrity requirements, an immediate masking of sensitive data, the right of access to data, the rectification and erasure of data, the possibility of administrative and judicial redress, and storage of the data for a maximum period of five years.

The agreement was signed in 2014 and the Council of the European Union requested the European Parliament to approve it. The Parliament then decided to refer the matter to the Court of Justice in order to ascertain whether the agreement envisaged was compatible with EU law guaranteeing the respect for private and family life and the protection of personal data. In particular, the Parliament is uncertain whether, notwithstanding the guarantees afforded by the agreement, the interference with the fundamental right to the protection of personal data is justified. It is to be noted that this is the first time the Court has been called upon to give a ruling on the compatibility of a draft international agreement with the EU Charter of Fundamental Rights.

Advocate General Paolo Mengozzi takes the view, first, that the agreement envisaged is compatible with the EU Charter of Fundamental Rights (in particular the right to respect for private and family life and the right to protection of personal data), provided that:

·        the categories of PNR data of airline passengers are clearly and precisely worded and sensitive data is excluded from the scope of the agreement;

·        offences covered by the definition of serious forms transnational crime are listed exhaustively in the agreement;

·        the agreement identifies in a sufficiently clear and precise manner the authority responsible for processing PNR data, in such a way as to ensure the protection and security of that data;

·        the number of ‘targeted’ persons can be limited, to a large extent, and in a non-discriminatory manner, to those who can be reasonably suspected of participating in a terrorist offence or serious transnational crime;

·        the agreement specifies that only the officials of the competent Canadian authority are to be authorised to access the PNR data and lays down objective criteria that enable the number of those officials to be specified;

·        the agreement indicates precisely why it is objectively necessary to retain all PNR data for a maximum period of five years; where the PNR data is to be retained for a period of five years, the data that would enable an airline passenger to be directly identified must be depersonalised by redaction;

·        an independent authority or a court in Canada is empowered to review, in advance, whether the competent Canadian authority may, on a case-by-case basis, disclose PNR data to other Canadian or foreign public authorities (in cases where the data relates to an EU citizen, prior information must also be sent to the competent authorities of the Member State concerned and/or the Commission);

·        the agreement systematically ensures, by a clear and precise rule, that an independent authority can monitor the respect for the private life and protection of the personal data of passengers whose PNR data is processed;

·        the agreement makes clear that requests for access, rectification and annotation made by passengers not present on Canadian territory may be submitted to an independent public authority.

By contrast, Advocate General Mengozzi takes the view that certain provisions of the agreement envisaged, as currently drafted, are contrary to the EU Charter of Fundamental Rights. More specifically, those are the provisions which:

·        allow, beyond what is strictly necessary, the extension of the possibilities for processing PNR data, independently of the public security objective pursued by the agreement, namely preventing and detecting terrorist offences and serious forms of transnational crime;

·        provide for the processing, use and retention by Canada of PNR data containing sensitive data;

·        confer on Canada, beyond what is strictly necessary, the right to make any disclosure of information without a requirement for any connection with the public security objective pursued by the agreement;

·        authorise Canada to retain PNR data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the public security objective pursued by the agreement;

·        allow PNR data to be transferred to a foreign public authority without the competent Canadian authority, subject to review by an independent authority, first being satisfied that the foreign public authority in question to which the data is transferred cannot itself subsequently communicate the data to another foreign body.

Generally, the Advocate General reached those conclusions on the basis of the CJEU’s rulings in Case C-293/12 and C-594/12 Digital Rights Ireland and Case C-362/14 Schrems. In his view, it is necessary to follow the route outlined by those judgments and to subject the agreement envisaged to a strict review as regards the right to respect for private and family life and the right to protection of personal data. It is necessary that, at a time when modern technology allows public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely sophisticated methods of monitoring the private life of individuals and analysing their personal data, the Court should ensure that the proposed measures, even when they take the form of envisaged international agreements, reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data.

The Parliament also seeks to ascertain whether the legal basis of the agreement envisaged should be Articles 82 and 87 TFEU (judicial cooperation in criminal matters and police cooperation) or Article 16 TFEU (protection of personal data). In that regard, the Advocate General replies that the agreement must be concluded on the basis of both Articles 16 and 87 TFEU. The agreement envisaged pursues two inseparable objectives of equal importance (namely combatting terrorism and serious transnational crime – which follows from Article 87 TFEU – and the protection of personal data – which follows from Article 16 TFEU).