In a decisive victory for privacy rights and a clear rejection of broad anti-terrorism legislation, the Court of Justice of the European Union on July 26 quashed the pending agreement between Canada and the European Union on the transfer and processing of passenger name record data as providing insufficient protection and inadequate safeguards for Europeans.
As is well known, Europe has enacted robust privacy legislation. For example, Article 25 of its Directive 95/46/EC precludes a member state from transferring data to a third country for processing data unless that country ensures that such data is adequately protected. Each country has to assess the adequacy of protection in light of all the circumstances related to the data transfer, including the nature of the data, the purpose and duration of its proposed processing, the country of origin and final destination, rules of law in the third country and professional rules and security measures complied with in that country.
The roots of the present PNRA date back to Dec. 2, 2010, when the council authorized the commission to open negotiations with the Canadian government to negotiate an agreement on the transfer and use of passenger name records to prevent and combat terrorism, terrorist-related offences and other serious crimes.
The Canada Border Services Agency wanted European PNR data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and transnational crime. Europe desired to share analytic information containing PNR data obtained by Canada with police/judicial authorities in member states, Europol and Eurojust. The PNRA was, therefore, intended to provide the legal basis for the systematic and automatic reciprocal transfer of PNR data from the EU to Canada, providing legal certainty for air carriers while enhancing the fight against terrorism. As discussed in its preamble, the purpose of the PNRA is to encourage the use of PNR data as a critically important instrument to “pursue these goals.” The PNRA would have permitted a data retention period of five years.
“PNR data” is blandly defined in the PNRA as “the records created by the air carrier for each journey booked by or on behalf of a passenger, necessary for the processing and control of reservations.” In reality, this includes considerable personal information, including the PNR locator code, date of reservation/issue of the ticket, dates of intended travel, names, frequent flier and benefit information, all available contract information, all available payment/billing information, travel itinerary, travel agent/agency, code share information, baggage information, seat information and any other advance passenger information.
So what went wrong? According to the CJEU, plenty. The PNRA was found to have myriad conflicts with European privacy law, data protection, the fundamental right to respect for private life and the protection of personal data. For example:
• Taken as a whole, the CJEU found that the PNR data reveals a complete travel itinerary, travel habits, relationships existing between air passengers and the financial situation of air passengers and their dietary habits or state of health. It may even provide sensitive data about those passengers (i.e., information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health information, etc.). This data was going to be systematically analyzed before a passenger’s arrival in Canada by automated means, based on pre-established models and criteria. As a result of this processing, additional information on the private lives of air passengers could be generated. The court found the proposed PNRA to be incompatible with articles 7, 8 and 21 and article 52(1) of the European Charter as it did not preclude the transfer of sensitive data from the European Union to Canada, nor was use of such data limited to what is strictly necessary. Transfers of sensitive data to Canada require a precise and “particularly solid justification” based on grounds other than the (vague) protection of public security against terrorism and serious transnational crime, and the court determined here that there was no such justification.
• The CJEU was also quite unhappy with the PNRA’s proposed five-year Canadian retention period, which applied to PNR data collected from all air passengers flying between the EU and Canada regardless of the absence of any evidence that justified such a lengthy retention period. The court held that any actual use of PNR data collected from a passenger during their stay in Canada should be based on new circumstances justifying that use, but the PNRA lacked substantive and procedural rules to protect that data against risk of abuse. Additionally, the PNRA does not require that any retained PNR data would be subject to a prior review by a court or independent administrative body before its use by the CBSA or others. This means that there is no guarantee that the use of PNR data of air passengers in Canada by Canadian authorities would be limited to what was “strictly necessary.” The continued storage of the PNR data of all air passengers after their departure from Canada was not limited to what is strictly necessary and so ran afoul of European law.
• The PNRA also allowed PNR data to be disclosed by the CBSA to other Canadian government authorities and to government authorities of third countries, but the court had no faith that the discretionary power of the CBSA would ensure that such transfers would meet equivalent EU data protection standards/requirements in this area. Normally, such disclosure requires the existence of either an agreement between the EU and the non-member country or a decision of the commission finding that such third party can ensure an adequate level of protection, but this limitation was not contained in the PNRA. Accordingly, the PNRA does not ensure that the disclosure of PNR data by the CBSA would be limited to what is strictly necessary.
• Lastly, even though passengers whose data was collected had the right to access their PNR data and the right to request the correction of their data, those provisions did not require that those passengers be notified of the transfer of their PNR data to Canada or of its use. While the CJEU opinion torpedoed the act, it did helpfully set out a detailed list of how an updated version of the PNRA could be made compatible with European laws and requirements. This “new and improved” version of the PNRA would have to address the following:
(a) determine in a clear and precise manner the PNR data to be transferred from the EU to Canada;
(b) provide that the models and criteria used for the automated processing of PNR data will be specific and reliable and non-discriminatory;
(c) provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;
(d) make the use of that data by CBSA during the air passengers’ stay in Canada and after their departure from that country, and any disclosure of that data to other authorities, subject to substantive and procedural conditions based on objective criteria;
(e) make that use and that disclosure, except in cases of “validly established urgency,” subject to a prior review carried out either by a court or by an independent administrative body, the decision of that court or body authorizing the use being made following a reasoned request by those authorities, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime;
(f) limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime;
(g) make the disclosure of PNR data by the CBSA to the government authorities of a third country subject to the requirement that there be either an agreement between the European Union and that third country in place with that country equivalent to the PNRA, or a decision of the commission, under article 25(6) of directive 95/46, covering the authorities to which it is intended that PNR data be disclosed;
(h) provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country and in the event of disclosure of that data by CBSA to other authorities or to individuals;
and (g) guarantee that the oversight of the rules relating to the protection of air passengers with regard to the processing of PNR data concerning them will be carried out by an independent supervisory authority.
The CJEU’s decision to reject the PNRA may have some far-reaching consequences. It confirms that, in Europe, the judiciary requires the fight against terrorism and serious transnational crime to be equally balanced with concerns regarding the protection of personal data/private life. The EU currently also has existing PNR arrangements with the United States and Australia in addition to Canada, and based on this recent decision, these laws could potentially be challenged, as well as other statutes, including those related to bank data sharing or SWIFT. Interestingly, the commission has kept the door open to trying to successfully achieve a PNR deal with Canada. On the same date that the opinion was released, the commission released a press release that noted that the commission "will now carefully assess the Opinion and its potential impact . . . We stand ready to engage with Canada about ways of addressing the concerns raised by the European Court of Justice on the envisaged EU-Canada PNR Agreement.” Let’s hope the next drafters do a better job of meeting European privacy concerns or the next iteration of the PNRA will also be grounded.