Canada-EU Agreement to Share Air Travellers' Data Doesn't Fly
An agreement between Canada and the European Union over the sharing of air passengers’ personal information failed to pass muster in the European Court of Justice because Canada was found to have inadequate privacy protections.
On September 8, 2016, the Court of Justice of the European Union ("CJEU") issued an Opinion on the consistency of Canada and the European Union’s agreement on the transfer of passenger name record data (“PNR Agreement”) with the Charter of Fundamental Rights of the European Union (“EU Charter”).
The draft PNR Agreement was initially created with the intention of allowing the transfer of PNR data to Canadian authorities for its use, retention and, where appropriate, subsequent transfer, for the purpose of combatting terrorism and other serious transnational crime. PNR data includes passenger travel habits, payment details, dietary requirements and other information that might contain sensitive data on a passenger’s health, ethnic origin or religious beliefs.
The draft PNR Agreement further provides for PNR data security and integrity requirements, an immediate masking of sensitive data, the right of access to data, the rectification and erasure of data, the possibility of administrative and judicial redress, and storage of the data for a maximum period of five years.
However, the European Parliament refused to approve the draft PNR Agreement until the CJEU considered whether the information sharing arrangement respected the fundamental rights of EU citizens as set out in the EU Charter. The Opinion is the result of the CJEU's consideration.
The Opinion, written by Advocate General Paolo Mengozzi, states that “certain provisions of the agreement envisaged, as currently drafted, are contrary to the EU Charter of Fundamental Rights” and that the PNR Agreement extends beyond what is “strictly necessary [to achieve] the public security objective pursued by the agreement.” As stated in the accompanying press release, additional aspects of the agreement that were held to be contrary to the agreement include the provisions which:
- provide for the processing, use and retention by Canada of PNR data containing sensitive data;
- confer on Canada, beyond what is strictly necessary, the right to make any disclosure of information without a requirement for any connection with the public security objective pursued by the agreement;
- authorise Canada to retain PNR data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the public security objective pursued by the agreement;
- allow PNR data to be transferred to a foreign public authority without the competent Canadian authority, subject to review by an independent authority first being satisfied that the foreign public authority in question to which the data is transferred cannot itself subsequently communicate the data to another foreign body.
As a result, the Opinion asserts that the PNR Agreement, as it stands, contravenes Articles 7 and 8 and Article 52(1) of the EU Charter. The Advocate General's opinion was based on the notion that, “at a time when modern technology allows public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely sophisticated methods of monitoring the private life of individuals and analysing their personal data, the Court should ensure that the proposed measures, even when they take the form of envisaged international agreements, reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data.”
While this is a significant blow for the PNR Agreement, the Advocate General’s Opinion is not binding on the CJEU. The judges of the CJEU are now beginning their deliberations in this case and will issue a final ruling later in the year. If the CJEU determines that the PNR Agreement is incompatible with the Treatises, it will not be permitted to enter into force until amended.
For more information about our Firm’s Technology expertise, please see our Technology group page.
CJEU class actions European Union privacy