The GDPR already started to appear in CJEU’s soft case-law (AG Opinion in Manni)

CJEU’s AG Bot referred to the GDPR in his recent ‘right to be forgotten’ Opinion

It may only become applicable on 25 May 2018, but the GDPR already made its official debut in the case-law of the CJEU.

It was the last paragraph (§101) of the Conclusions of AG Bot in Case C-398/15 Manni, published on 8 September, that specifically referred to Regulation 2016/679 (the official name of the GDPR). The case concerns the question of whether the right to erasure (the accurate name of the more famous “right to be forgotten”) as enshrined in Article 12 of Directive 95/46 also applies in the case of personal data of entrepreneurs recorded in the Public Registry of companies, if their organisation went bankrupt years ago. Curiously, the preliminary ruling question doesn’t specifically refer to the right to erasure, but to the obligation in Article 6(1)(e) for controllers not to retain the data longer than necessary to achieve the purpose for which they were collected.

In fact, Mr Manni had requested his regional Chamber of Commerce to erase his personal data from the Public Registry of Companies, after he found out that he was losing clients who performed background checks on him through a private company that specialised in finding information in the Public Registry. This happened because Mr Manni had been an administrator of a company that was declared bankrupt more than 10 years before the facts in the main proceedings. In fact, the former company itself was radiated from the Public Registry (§30).

Disclaimer! The Opinion is not yet available in English, but in another handful of official languages of the EU. Therefore, the following quotes are all my translation from French or Romanian.

AG Bot advised the Court to reply to the preliminary ruling questions in the sense that all personal data in the Public Registry of companies should be retained there indefinitely, irrespective of the fact that companies to whose administrators the data refer are still active or not. “Public Registries of companies cannot achieve their main purpose, namely the consolidation of legal certainty by disclosing, in accordance with the transparency principle, legally accurate information, if access to this information would not be allowed indefinitely to all third parties” (§98).

The AG adds that “the choice of natural persons to get involved in the economic life through a commercial company implies a permanent requirement of transparency. For this main reason, detailed throughout the Opinion, I consider that the interference in the the right to the protection of personal data that are registered in a Public Registry of companies, specifically ensuring their publicity for an indefinite period of time and aimed towards any person who asks for access to these data, is justified by the preponderant interest of third parties to access those data” (§100).

Restricting the circle of ‘interested third parties’ would be incompatible with the purpose of the Public Registry

Before reaching this conclusion, the AG dismissed a proposal by the Commission that suggested a limited access to the personal data of administrators of bankrupt companies could be ensured only for those third parties that “show a legitimate interest” in obtaining it.

The AG considered that this suggestion “cannot, at this stage of development of EU law, ensure a fair balance between the objective of protecting third parties and the right to the protection of personal data registered in Public Registries of companies” (§87). In this regard, he recalled that the objective to protect the interest of third parties as enshrined in the First Council Directive 68/151  “is provided for in a sufficiently wide manner so as to encompass not only the creditors of a company, but also, in general, all persons that want to obtain information regarding that company” (§88).

Earlier, the AG had also found that the suggestion to anonymise data regarding the administrators of bankrupt companies is not compatible with the historical function of the Public Registry and with the objective to protect third parties that is inherent to such registries. “The objective to establish a full picture of a bankrupt company is incompatible with processing anonymous data” (§78).

Throughout the Opinion, the AG mainly interprets the principles underpinning the First Council Directive 68/151/EC (of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community)  and it is apparent that it enjoys precedence over Directive 95/46/EC.

Finally: the reference to the GDPR

The AG never refers in his analysis to Article 12 of Directive 95/46,  which grants data subjects the right to erasure. However, come the last paragraph of the Opinion, the AG does refer to Article 17(3)(b) and (d) from Regulation (EU) 2016/679 (yes, the GDPR). He applies Article 17 GDPR to the facts of the case and mentions that the preceding analysis “is compatible” with it, because “this Article provides that the right to erasure of personal data, or ‘the right to be forgotten’, does not apply to a processing operation ‘for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ or ‘for archiving purposes in the public interest'” (§101).

While I find the Opinion of the AG clear and well argued, I have two comments. I wish he had referred more comprehensively to the fundamental rights aspect of the case when balancing the provisions of the two directives. But most of all, I wish he would have analysed the right to erasure itself, the conditions that trigger it and the exemptions under Article 13 of Directive 95/46.

My bet on the outcome of the case: the Court will follow the AG’s Opinion to a large extent. However, it may be more focused on the fundamental rights aspect of balancing the two Directives and it may actually analyse the content of the right to erasure and its exceptions. The outcome, however, is likely to be the same.

A small thing that bugs me about this case is that I find there is a differentiation between searching a Registry of Companies being interested in a company name and searching a Registry of Companies being interested in a specific natural person. I mean, all third parties may very well be interested in finding out everything there is to know about bankrupt Company X, discovering thus that Mr Manni was the administrator. To me, this does not seem to be the same situation as searching the Public Registry of companies using Mr Manni’s name to find out all about Mr Manni’s background. In §88 the AG even mentions, when recognising the all encompassing interest of every third party to access all information about a certain company indefinitely, that Directive 68/151 protects the interest of “all persons that want to obtain information regarding this company“. I know the case is about keeping or deleting the personal data of Mr Manni from the Registry. And ultimately it is important to keep the information there due to the general interest of knowing everything about the history of a company. However, does it make any difference for the lawfulness of certain processing operations related to the data in the Registry that the Registry of companies is used to create profiles of natural persons? I don’t know. But it’s something that bugged me while reading the Opinion. Moreover, if you compare this situation to the “clean slate” rules for certain offenders that have their data erased from the criminal record, it is even more bugging.  (Note: at §34 the AG specifies he is only referring in his Opinion to the processing of personal data by the Chamber of Commerce and not by private companies specialising in providing background information about entrepreneurs).

Fun fact #1

The GDPR made its ‘unofficial’ debut in the case-law of the CJEU in the Opinion of AG Jaaskinen in C-131/14 Google v. Spain delivered on 25 June 2013. In fact, it was precisely Article 17 that was referred to in this Opinion as well, in §110. There’s another reference to the GDPR in §56, mentioning the new rules on the field of application of EU data protection law. Back then, the text of the GDPR was merely a proposal of the Commission – nor the EP, or the Council had adopted their own versions of the text, before entering the trilogue which resulted in the adopted text of Regulation 2016/679.

Fun fact #2

AG Bot is the AG that the delivered the Opinion in the Schrems case as well. The Court followed his Opinion to a large extent for its Judgment. There are fair chances the Court will follow again his Opinion.

 

Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter

AG Mengozzi delivered his Opinion in the EU-Canada PNR case (Opinion 1/15) on 8 September 2016. While his conclusions clearly indicate that, in part, the current form of the agreement between Canada and the EU “on the transfer and processing of Passenger Name Record data” is not compliant with EU primary law – and in particular with Articles 7, 8 and 52(1) of the Charter[1] and Article 16(2) TFEU[2], the AG seems to accept that PNR schemes in general (involving indiscriminate targeting, profiling, preemptive policing) are compatible with fundamental rights in the EU.

In summary, it seems to me that the AG’s message is: “if you do it unambiguously and transparently, under independent supervision, and without sensitive data, you can process PNR data of all travellers, creating profiles and targeting persons matching patterns of suspicious behaviour”.

This is problematic for the effectiveness of the right to the protection of personal data and the right to respect for private life. Even though the AG agrees that the scrutiny of an international agreement such as the EU-Canada PNR Agreement should not be looser than that of an ordinary adequacy decision or that of an EU Directive, and considers that both Schrems and Digital Rights Ireland should apply in this case, he doesn’t apply in all instances the rigorous scrutiny the Court uses in those two landmark judgments. One significant way in which he is doing this is by enriching the ‘strict necessity test’ so that it comprises a “fair balance” criterion and an “equivalent effectiveness” threshold (See Section 5).

On another hand, AG Mengozzi is quite strict with the safeguards he sees as essential in order to make PNR agreements such as the one in this case compatible with fundamental rights in the EU.

Data protection authorities have warned time and again that PNR schemes are not strictly necessary to fight terrorism, serious and transnational crimes – they are too invasive and their effectiveness has not yet been proven. The European Data Protection Supervisor – the independent advisor of the EU institutions on all legislation concerning processing of personal data, has issued a long series of Opinions on PNR schemes – be it in the form of international agreements on data transfers, adequacy decisions or EU legislation, always questioning their necessity and proportionality[3]. In the latest Opinion from this series, on the EU PNR Directive, the EDPS clearly states that the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance” (§63) and in the lack of appropriate and unambiguous evidence that such a scheme is necessary, the PNR scheme is not compliant with Articles 7, 8 and 52 of the Charter, Article 16 TFEU and Article 8 ECHR (§64).

The Article 29 Working Party also has a long tradition in questioning the idea itself of a PNR system. A good reflection of this is Opinion 7/2010, where the WP states that “the usefulness of large-scale profiling on the basis of passenger data must be questioned thoroughly, based on both scientific elements and recent studies” (p. 4) and declares that it is not satisfied with the evidence for the necessity of such systems.

The European Parliament suspended the procedure to conclude the Agreement and decided to use one of its new powers granted by the Treaty of Lisbon and asked the CJEU to issue an Opinion on the compliance of the Agreement with EU primary law (TFEU and the Charter).

Having the CJEU finally look at PNR schemes is a matter of great interest for all EU travellers, and not only them. Especially at a time like this, when it feels like surveillance is served to the people by states all over the world – from liberal democracies to authoritarian states, as an acceptable social norm.

General remarks: first-timers and wide implications

The AG acknowledges in the introductory part of the Opinion that the questions this case brought before the Court are “unprecedented and delicate” (§5). In fact, the AG observes later on in the Opinion that the “methods” applied to PNR data, once transferred, in order to identify individuals on the basis of patterns of behavior of concern are not at all provided for in the agreement and “seem to be entirely at the discretion of the Canadian authorities” (§164). This is why the AG states that one of the greatest difficulties of this case is that it “entails ascertaining … not merely what the agreement envisaged makes provision for, but also, and above all, what it has failed to make provision for” (§164).

The AG also makes it clear in the beginning of the Opinion that the outcome of this case has implications on the other “PNR” international agreements the EU concluded with Australia and the US and on the EU PNR Directive (§4). A straightforward example of a possible impact on these other international agreements, beyond analyzing their content, is the finding that the legal basis on which they were adopted is incomplete (they must be also based on Article 16 TFEU) and wrong (Article 82(1)(d) TFEU on judicial cooperation is incompatible as legal basis with PNR agreements).

The implications are even wider than the AG acknowledged. For instance, a legal instrument that could be impacted is the EU-US Umbrella Agreement – another international agreement on transfers of personal data from the EU to the US in the law enforcement area, which has both similarities and differences compared to the PNR agreements. In addition, an immediately affected legal process will be the negotiations that the European Commission is currently undertaking with Mexico for a PNR Agreement.

Even if it is not an international agreement, the adequacy decision based on the EU-US Privacy Shield deal could be impacted as well, especially with regard to the findings on the independence of the supervisory authority in the third country where data are transferred (See Section 6 for more on this topic).

Finally, the AG also mentions that this case allows the Court to “break the ice” in two matters:

  • It will examine for the first time the scope of Article 16(2) TFEU (§6) and
  • rule for the first time on the compatibility of a draft international agreement with the fundamental rights enshrined in the Charter, and more particularly with those in Article 7 and Article 8 (§7).

Therefore, the complexity and novelty of this case are considerable. And they are also a good opportunity for the CJEU to create solid precedents in such delicate matters.

I structured this post around the main ideas I found notable to look at and summarize, after reading the 328-paragraphs long Opinion. In order to make it easier to read, I’ve split it into 6 Sections, which you can find following the links below.

  1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for international agreements on transfers of personal data
  2. A look at the surface: it is not an adequacy decision, but it establishes adequacy
  3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing
  4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1)
  5. The awkward two level necessity test that convinced the AG the PNR scheme is acceptable
  6. The list of reasons why the Agreement is incompatible with the Charter and the Treaty

 

……………………………………………………….

[1] Article 7 – the right to respect for private life, Article 8 – the right to the protection of personal data, Article 52(1) – limitations of the exercise of fundamental rights.

[2] With regard to the obligation to have independent supervision of processing of personal data.

[3] See the latest one, Opinion 5/2015 on the EU PNR Directive and see the Opinion on the EU-Canada draft agreement.

Section 1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for concluding international agreements on transfers of personal data

(Section 1 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

Currently, the Council decision adopted for concluding the EU-Canada PNR agreement rests on two legal bases: Article 82(1)(d) TFEU – on judicial cooperation in criminal matters within the Union[1] and Article 87(2)(a) TFEU – on police cooperation in criminal matters within the Union[2], in conjunction with Articles 218(5) and 218(6)(a) TFEU – procedure to negotiate international agreements. In his Opinion on the EU-Canada PNR Agreement  in 2013, the European Data Protection Supervisor questioned the choice of the legal basis and recommended that the proposal be based on Article 16 TFEU “as a comprehensive legal basis”, in conjunction with the Articles on the procedure to conclude international agreements, considering that:

According to Article 1 of the Agreement, its purpose is to set out the conditions for the transfer and use of PNR data in order to, on the one hand, “ensure the security and safety of the public” and, on the other hand, “prescribe the means by which the data shall be protected”. In addition, the vast majority of provisions of the Agreement relate to the latter objective, i.e. the protection of personal data, including data security and integrity. (EDPS Opinion on EU-Canada PNR, §8).

The European Parliament asked the Court in its request for an Opinion if the police cooperation and judicial cooperation articles are an appropriate legal basis, or if the act should be based on Article 16 TFEU.

  1. Why it matters to have a correct legal basis

As the AG acknowledges, the choice of the appropriate legal basis for concluding an international agreement has “constitutional significance” (§40). “The use of an incorrect legal basis is therefore apt to invalidate the act concluding the agreement and thus to vitiate the European Union’s consent to be bound by that agreement” (§40). Therefore, an act adopted on the wrong legal basis can be invalidated by the Court.

First of all, the AG recalled the settled case-law of the Court that the choice of legal basis for an EU measure “must rest on objective factors amenable to judicial review, which include the purpose and the content of that measure” (§61). He also recalled that if the measure pursues a twofold purpose, which can be differentiated into a predominant and an incidental purpose, “the act must be based on a single legal basis, namely, that required by the main or predominant purpose or component” (§61). The Court accepts only as an exception that an act may be founded on various legal bases corresponding to the number of objectives, if those are “inseparably linked, without one being incidental in relation to the other” (§62).

2. Are the two objectives of the Agreement inseparable?

The AG identifies the two objectives of the agreement – combating terrorism and other serious transnational crimes and respecting private life and the protection of personal data and he struggles to argue that the agreement “pursues two objectives and has two components that are inseparable” (§78) and he finds it difficult “to determine which of those objectives prevails over the other” (§79).

In my view, it is not difficult to identify the protection of personal data as the predominant purpose (think of causa proxima in legal theory) and the fight against terrorism as the incidental purpose (think of causa remota in legal theory).

In the Agreement, according to Article 1, “the Parties set out the conditions for the transfer and use of PNR data to ensure the security and safety of the public and prescribe the means by which the data is protected”. In other words, first and foremost, the Agreement sets out rules for transferring and using PNR data, including by prescribing the means by which the data is protected (causa proxima). This is done to ultimately ensure the security and safety of the public (causa remota).

This conclusion is reinforced by the content of the Agreement, which manifestly contains rules mainly relating to the processing of personal data – Article 2 Definitions, Article 3 – Use of PNR data, Article 5 – Adequacy and in the Chapter titled Safeguards applicable to the use of PNR data”, with Articles from 7 to 21, while the last 9 articles concern “implementing and final provisions” of a technical nature. It is also reinforced by the fact that the transfer of PNR data on the EU side is done from private companies and by the fact that, contrary to what the AG argues, the Agreement itself does not establish an obligation to transfer data.

The AG explains that “it is incorrect to claim that the agreement envisaged lays down no obligation for the airlines to transfer the PNR data to the Canadian competent authority” (§92). While he acknowledges that it is true that Article 4(1) of the Agreement states that the Union is to ensure only that air carriers “are not prevented” from transferring PNR data to the Canadian competent authority, he interprets that Article “in conjunction with Articles 5, 20 and 21 of the Agreement” in the sense that “air carriers are entitled and in practice required to provide the Canadian competent authority systematically with access to the PNR data for the purposes defined in Article 3 of the agreement envisaged” (§92).

In fact, Article 5 of the Agreement establishes that the Canadian Competent Authority “is deemed to ensure” an adequate level of data protection (therefore, indeed, air carriers would not be prevented to transfer data because of data protection concerns), Article 20 obliges the air carriers to use the “push method” when they transfer data and Article 21 sets out rules on the frequency of the requests of PNR data by the Canadian Competent Authority. While it is true that the last two articles set out rules for how the data should be transferred, neither contains a positive obligation for the air carriers to transfer the data.

Therefore, it seems to be in fact clear that the purpose of PNR arrangements like the one in the present case is to make sure that EU data protection law does not prevent air carriers to send data of travellers to authorities of third countries systematically, in bulk and without an ex ante control.

As the AG points out, “if Article 16 TFEU were taken as the sole legal basis of the act concluding the agreement envisaged, that would alter the status of the Kingdom of Denmark, Ireland and the United Kingdom of Great Britain and Northern Ireland, as those Member States would then be directly and automatically bound by the agreement, contrary to Article 29 of the agreement envisaged” (§51). This would happen because the Agreement would not be placed anymore under the former third pillar (law enforcement, police and judicial cooperation), which would not give the right to Denmark, Ireland and UK to opt out of it. Therefore, the Agreement would automatically apply to all EU Member States. However, this argument should not play a role in deciding which is the appropriate legal basis, as it is not linked to the purpose or the content of the Agreement at all.

Nevertheless, the AG established that the purposes of fighting crime and respecting data protection rights are inseparable. This is in any case a valuable further step, considering that the Council and the Commission completely excluded Article 16 TFEU from the legal bases. So which are the appropriate legal bases the AG recommends?

3. The “judicial cooperation” Article, found to be irrelevant

The AG finds that “as currently drafted, the agreement envisaged does not really seem to contribute to facilitating cooperation between the judicial or equivalent authorities of the Member States” (§108), within the meaning of Article 82(1)(d) TFEU. He sees as incidental the possibility for judicial authorities of Canada to send in particular cases PNR data to judicial authorities in the EU, which would further contribute to judicial cooperation within the EU.

Interestingly, the AG mentions that this conclusion is not affected by the fact that the Council decisions concluding the PNR Agreements with US and Australia are also based on Article 82(1)(d). He reminds that “the legal basis used for the adoption of other Union measures that might display similar characteristics is irrelevant” (§109).

However, the fact remains that if Article 82(1)(d) is not a proper legal basis for the act concluding the EU-Canada PNR Agreement, it is most probably not a proper legal basis for the other EU acts concluding PNR Agreements.

4. The “police cooperation” Article, found to be relevant

Even if he saw that the agreement does not in fact facilitate judicial cooperation within the Union, the AG considers that, on another hand, it does facilitate police cooperation within the Union. To this end, he is building his argumentation mainly on Article 6 of the Agreement, which is the only one referring to “Police and judicial cooperation”.

Indeed, as recalled in §105, “under Article 6(2) of the agreement envisaged Canada is required, at the request of, among others, the police or a judicial authority of a Member State of the Union, to share, in specific cases, PNR data or analytical information containing PNR data obtained under the agreement envisaged in order to prevent or detect ‘within the European Union’ a terrorist offence or serious transnational crime.”

However, what the AG does not refer to in his analysis is the last sentence of Article 6(2) of the Agreement, which states that Canada shall make this information available in accordance with agreements and arrangements on law enforcement, judicial cooperation, or information sharing, between Canada and Europol, Eurojust or that Member State”. Therefore, sharing PNR data obtained by Canada from air carriers in the conditions set out in the Canada-PNR Agreement with Europol, Eurojust or a specific MS will be done in accordance with separate agreements. In conclusion, there are completely different agreements that have as purpose sharing of information to ensure both police and judicial cooperation between Canada and the competent authorities of the EU, which apply to sharing PNR data as well.

Finally, the AG considers that indeed Article 87(2)(a) is properly set out as legal basis of the act concluding the agreement envisaged, but he also states that it seems to him it is “insufficient to enable the Union to conclude that agreement”. Therefore, he proposes the act concluding the Agreement to be also based on Article 16(2) TFEU.

This conclusion prompts a much expected first substantive analysis of the content of Article 16(2) TFEU in an act of the Court of Justice after the entering into force of the Lisbon Treaty in 2009.

5. Relevance of Article 16(2) TFEU to serve as legal basis for concluding the EU-Canada PNR Agreement

 The AG recalls that “the content of the agreement envisaged supports that [data protection – my addition] objective, in particular the terms in the chapter on ‘Safeguards applicable to the processing of PNR data’, consisting of Articles 7 to 21 of the agreement envisaged” (§113). Therefore, he concludes that, in his view, “action taken by the Union must necessarily be based … on the first subparagraph of Article 16(2) TFEU, which, it will be recalled, confers on the Parliament and the Council the task of laying down the rules relating to the protection of individuals with regard to the processing of personal data by, inter alia, the Member States when carrying out activities which fall within the scope of application of EU law and the rules relating to the free movement of such data” (§114).

The AG further develops the three main principles that underlie this approach.

Firstly, he reminds that the EU is competent to conclude international agreements in the field of data protection (Article 216(1) TFEU in conjunction with Article 16 TFEU). In addition, “there is no doubt that the terms of the agreement envisaged must be characterized as “rules” relating to the protection of the data of natural persons, within the meaning of the first subparagraph of Article 16(1) TFEU, and intended to bind the contracting parties” (§115). (Note: considering Article 16(1) does not have subparagraphs, probably there was an error of transcript and this reference should have been either to the first subparagraph of Article 16(2) or simply to Article 16(1)).

Secondly, the AG adds that the first subparagraph of Article 16(2) “is intended to constitute the legal basis for all rules adopted at EU level relating to the protection of individuals with regard to the processing of their personal data, including the rules coming within the framework of the adoption of measures relating to the provisions of the FEU Treaty on police and judicial cooperation in criminal matters” (§116). He explains thus why Article 16 TFEU is relevant even if the act concluding the Agreement would also be based on an Article providing for police cooperation.

Thirdly, and most importantly, the AG clearly states that Article 16(2) cannot be considered irrelevant for the agreement because the protecting measures which can be adopted under that Article relate to the processing of data by authorities of the Member States and not, as in this instance, to the transfer of data previously obtained by private entities (the air carriers) to a third country (§118). This is a key interpretation, because, indeed, the ad litteram wording of Article 16 is restrictive – it refers to putting in place rules by the Union regarding processing of personal data by:

  • Union institutions, bodies, offices and agencies and
  • By the Member States when carrying out activities which fall within the scope of Union law.

Applying Article 16 ad litteram would mean that the Union does not have the competence to regulate how private entities process data. As the AG convincingly explains, “to put a strictly literal interpretation on the new legal basis constituted by the first subparagraph of Article 16(2) TFEU would be tantamount to splitting up the system for the protection of personal data. Such an interpretation would run counter to the intention of the High Contracting Parties to create, in principle, a single legal basis expressly authorising the EU to adopt rules relating to the protection of the personal data of natural persons. It would therefore represent a step backwards from the preceding scheme based on the Treaty provisions relating to the internal market, which would be difficult to explain. That strictly literal interpretation of Article 16 TFEU would thus have the consequence of depriving that provision of a large part of its practical effect” (§119).

 The AG concludes that the answer to the question about the legal basis is that “in the light of the objectives and the components of the agreement envisaged, which are inseparably linked, the act concluding that agreement must in my view be based on the first subparagraph of Article 16(2) TFEU and Article 87(2)(a) TFEU as its substantive legal bases” (§120).

Before going through the analysis of the compliance of the Agreement with Articles 7 and 8 of the Charter, it’s worth having a look at one of the fundamental issues raised by the Agreement, but which, unfortunately, was only looked at briefly and with no consequence.

 

……………………………………………………….

[1] “The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall adopt measures to:

(d) facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions.”

[2] 1. The Union shall establish police cooperation involving all the Member States’ competent authorities, including police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences.

  1. For the purposes of paragraph 1, the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, may establish measures concerning:

(c) common investigative techniques in relation to the detection of serious forms of organised crime.

Section 2. A look at the surface: it is not an adequacy decision, but it establishes adequacy

(Section 2 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

One of the fundamental issues concerning agreements such as the one in the present case is how do these agreements relate to the concept of “adequacy finding” for the purposes of transfers of personal data from the EU to third countries.

While it is straightforward looking at their nature that they are not unilateral acts issued by the European Commission to establish that a third country or the authorities of a third country have an adequate level of protection (as was the Decision invalidated by the Schrems judgement), in essence these agreements have the same effect as that of adequacy decisions: they establish a presumption that the legal system at the receiving end of a data transfer from the EU ensures an adequate level of data protection, eliminating thus impediments of transfers based on concerns that the data are not properly protected at the receiving end.

While the process leading to an adequacy decision by the Commission is long and involves a thorough analysis of the legal system of the third country in order to ascertain that it provides an essentially equivalent level of protection in theory and in practice, the conclusion of an international agreement involves a high level negotiation and commitments taken by the third country that it would ensure appropriate protection. It is more difficult to ascertain and control a posteriori if this indeed happens in practice. Moreover, if the commitments taken by the third country are not sufficient in the Agreement, a clause establishing that the transfers to that country are deemed to comply with EU data protection law may very well be considered as breaching Article 8(1) of the Charter. The CJEU stated in Schrems that the requirements for ensuring lawful international transfers of personal data stem from Article 8(1) of the Charter and the general obligation enshrined therein “to protect personal data” (§71-§72 of Schrems).

These issues are extremely challenging and the current proceedings would be a very good opportunity to address them. However, the AG only marginally touches this question and he does that only to argue against the fact that data protection is the predominant purpose of the Agreement and to argue in favour of a strict review of the limitations brought by the provisions of the Agreement to the exercise of Article 8 of the Charter.

First, in §93, he states that “the object of the agreement envisaged cannot principally be treated as equivalent to an adequacy decision, comparable to the decision which the Commission had adopted under the 2006 Agreement”. He continues by arguing that “both the aim and the content of the agreement envisaged show, on the contrary, that that agreement is intended to reconcile the two objectives which it pursues and that those objectives are inseparably linked” (i.e. – data protection and fight against terrorism) (§93).

However, about a hundred of paragraphs later, after he recalls the finding in §93 that “the agreement envisaged cannot be reduced to a decision finding that the Canadian competent authority guarantees an adequate level of protection” (§203), he recognizes that “Article 5 of the agreement envisaged does indeed provide that, subject to compliance with the terms of that agreement, the Canadian Competent Authority is to be deemed to provide an adequate level of protection, within the meaning of relevant Union data protection law, for the processing and use of PNR data” (§203).

Moreover, in the same paragraph, the AG even adds that “the contracting parties’ intention is indeed to ensure that the high level of personal data protection achieved in the Union may be guaranteed when the PNR data is transferred to Canada” (§203).

The arguments above follow after in paragraph 200 the AG finds that the provisions of the agreement should be subject to a strict review by the Court regarding their compliance with the requirements resulting also from “the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged”.

This analysis seems to me contradictory – both by comparing §93 and §203, and by comparing statements within §203. In any case, the consequences of the intention to establish adequacy through an international agreement are not further analysed. The only conclusion the AG draws after identifying the underlying intention of the parties to conclude this agreement is just that “I see no reason why the Court should not carry out a strict review of compliance with the principle of proportionality” (§203). Moreover, he further expands this argumentation by referring to the Schrems case and findings therein concerning “essentially equivalence” and how the means ensuring this equivalence must be “effective in practice” (§204).

Hopefully, the Court in its final Opinion will make a more in depth analysis of this issue.

Section 3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing

(Section 3 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

In order to answer the first question raised by the Parliament in the proceedings before the Court – whether the Agreement complies with EU Primary law, and in particular with Articles 7 and 8 of the Charter, AG Mengozzi follows the classical test: is there an interference?[1] And if so, is the interference justified?[2]

Analyzing separately Articles 7 and 8 of the Charter, still a challenge

Even if the Court has recently started to analyze separately the rights protected by Article 7 (to respect for private life) and by Article 8 of the Charter (to the protection of personal data) – see the judgments in DRI and Schrems, the AG seems to hesitate again between the two rights. He starts his analysis on whether there is an interference with the two rights (§170) by recalling the older case-law of the Court which stated that the right to the protection of private life and the right to the protection of personal data are “closely connected” (Schecke, §47; ASNEF, §41).

First he finds that the PNR data “touches on the area of the privacy, indeed intimacy, of persons and indisputably relates to one or more identified or identifiable individual or individuals” (§170). Thus, in the same sentence, the AG brings PNR data within the scope of both Article 7 and Article 8 of the Charter. He further identifies different treatments of the data under the terms of the Agreement (§170):

– systematic transfer of PNR data to the Canadian public authorities,

– access to that data,

– the use of that data,

– its retention for a period of five years by those public authorities,

– its subsequent transfer to other public authorities, including those of third countries,

The AG states that all of the above are “operations which fall within the scope of the fundamental right to respect for private and family life guaranteed by Article 7 of the Charter and to the ‘closely connected’ but nonetheless distinct right to protection of personal data guaranteed by Article 8(1) of the Charter and constitute an interference with those fundamental rights” (§170).

Therefore, the AG does not differentiate here between what constitutes interference with the right to respect for private life and what constitutes interference with the right to the protection of personal data.

However, in the following paragraph, the AG does make such a differentiation, but only because he restates the findings of the Court in Digital Rights Ireland, even if this partly repeats some of the findings in §170: “the obligation to retain that data, required by the public authorities, and subsequent access of the competent national authorities to data relating to a person’s private life also constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter (he refers here to §34 and §35 of DRI in a footnote). Likewise, an EU act prescribing any form of processing of personal data constitutes an interference with the fundamental right, laid down in Article 8 of the Charter, to protection of such data (he refers here to §29 and §36 of DRI)” (§171).

There is not a lot of clarity transpiring from these two paragraphs, especially considering that §170 in fact refers to interference only with the first paragraph of Article 8 and not with the entire Article 8 (See also Section 4 of this analysis for additional comments prompted by this differentiation).

What is certain is that indeed there is an interference with both rights. The AG further notes the seriousness of that interference, indicating that he is fully aware of its severity:

“The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable size and a not insignificant gravity. It systematically affects all passengers flying between Canada and the Union, that is to say, several tens of millions of persons a year. Furthermore, as most of the interested parties have confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers, which includes sensitive data, requiring, by definition, automated processing, and the retention of that data for a period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with pre-established patterns of behaviour that is ‘at risk’ or ‘of concern’, in connection with terrorist activities and/or serious transnational crime, in order to identify persons not hitherto known to the police or not suspected. Those characteristics, apparently inherent in the PNR scheme put in place by the agreement envisaged, are capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects” (§176).

Even though at this stage the AG acknowledges the severity of the interference with fundamental rights of PNR schemes, he deems it to be justified by necessity (See Section 5 of this analysis).

Finally, it is also notable to mention that the AG found that the procedures for collecting the data come within the competence of the air carriers, “which, in this regard, must act in compliance with the relevant national provisions and with EU law” (§178). He concludes that “the collection of the PNR data therefore does not constitute a processing of personal data entailing an interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter that results from the agreement envisaged itself. In the light of the limited power of the Court in the context of the opinion procedure, that operation will therefore not form the subject matter of the following developments” (§179).

 

……………………………………………………..

[1] Dealt with in this section.

[2] Dealt with in Sections 4 and 5 of this analysis.

Section 4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1) Charter

(Section 4 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After establishing that the EU-Canada PNR Agreement allows for a particularly serious interference with the rights to respect for private life and to the protection of personal data, the AG goes on to analyze whether this interference is justified.

First, he establishes that neither of the two rights “is an absolute prerogative” (§181), meaning that their exercise can be limited. The AG recalls that “that limitations may be placed on the exercise of rights such as those enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (§182).

Again, just like in §170, the AG refers only to limitations of the first paragraph of Article 8. Moreover, he specifies in the following paragraph that “Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’” (§183). He follows this only by stating that “with regard to one of the conditions set out in Article 8(2) of the Charter … the agreement envisaged does not seek to base the processing of the PNR data communicated to the Canadian competent authority on the consent of the air passengers” (§184).

This is why paragraph 188 comes as a surprise, because, after finding the essence of the two rights is not touched (see below), the AG states that “It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied” (§188).  

To my knowledge, it is for the first time an Advocate General, or the Court for that matter, refers to the second paragraph of Article 8 of the Charter as prescribing “conditions for justification” of interferences with the right to the protection of personal data and equals them to those laid down in Article 52(1) of the Charter.

Such a hypothesis is not without merit from the outset, but it would need a more in depth justification than simply stating a couple of paragraphs above that Article 8(2) of the Charter only allows processing of data only for specified purposes and if it is based on consent or has another legitimate basis laid down by law. For instance, if indeed we were to consider that any processing of personal data constitutes an interference with Article 8 (this finding by the Court in DRI has some faults worthy of academic attention, but for the moment we have to work with it), then it would make sense to see the conditions for having a lawful basis for processing as being conditions for justifying the “interference” with the right to the protection of personal data.

Moreover, a separate analysis of whether the conditions in Article 8(2) are satisfied does not follow. The AG merely states in §189 that the conditions from Article 52(1) for the interference to be provided for by law and to meet objectives of general interest are equivalent with the “expression used in Article 8(2)” – having a “legitimate basis”, and they are “manifestly satisfied” (§189).

As for the essence of the two rights, the AG recalls that neither of the parties did not invoke before the Court that the interference harms the essence of the two fundamental rights (§185).

With regard to the essence of Article 7, he further explains that “the nature of the PNR data forming the subject matter of the agreement envisaged does not permit any precise conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question continues to be limited to the pattern of air travel between Canada and the Union” (§186). The AG also refers in this context to the “masking” and gradual “depersonalization” of the data as guarantees to preserve private life (§186).

With regard to the essence of Article 8, the AG mentions that “under Article 9 of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection, security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data security must be amenable to effective and dissuasive corrective measures which might include sanctions” (§187). Unfortunately, the AG does not expand on the concept of the essence of the right to the protection of personal data and does not depart from what the Court indicated in Digital Rights Ireland at §40, restricting the essence of Article 8 mainly to the presence of data security measures.

Concluding that the essence of the two rights is not touched upon, the AG further analyzes the proportionality and the necessity of the interference.

Section 5. The awkward two level necessity test that convinced the AG PNR schemes are acceptable

(Section 5 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After he establishes that the Court should carry out “a strict review of compliance with the requirements resulting from the principle of proportionality, and more particularly, from the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged” (§200), the AG further assesses if the interference is “strictly necessary”.

He considers the “strict necessity” test as a component of the proportionality test, together with “the ability of the interference to achieve the ‘public security’ objective pursued by the Agreement”.

With regard to the latter criterion, the AG does not believe “there are any real obstacles to recognising that the interference constituted by the agreement envisaged is capable of attaining the objective of public security, in particular the objective of combating terrorism and serious transnational crime” (§205). “As the United Kingdom Government and the Commission, in particular, have claimed, the transfer of PNR data for analysis and retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network or participating in serious transnational criminal activities” (§205).

In addition, the AG finds the statistics provided by the Commission and the UK relevant to find that “the data constitutes a valuable tool for criminal investigations” (§205). He reaches this conclusion in spite of the fact that at §151, when summarizing the contributions of the parties before the Court, the AG recalls that “The Commission accepts that there are no precise statistics indicating the contribution which PNR data makes to the prevention and detection of crime and terrorism, and to the investigation and prosecution of offences of those types.”

With regard to the strict necessity of the interference, the AG establishes that its assessment “entails ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the private life of the persons concerned” (§207), by making a reference to §77 of the Schecke judgment. That paragraph in Schecke seems to me to establish a different principle – namely that, when balancing two opposing rights, one of which is the right to the protection of personal data, it must be taken into account that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”[1].

Notwithstanding, the AG follows by stating that “the terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the agreement envisaged” (§208). He explains:

“That means that it is not sufficient to imagine, in the abstract, the existence of alternative measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be sufficiently effective, that is to say, their effectiveness must, in my view, be comparable with those provided for in the agreement envisaged, in order to attain the public security objective pursued by that agreement” (§208).

In quite a big leap, AG Mengozzi relies for this twofold test for necessity on a paragraph in the Schwartz judgment, §53, which states that “the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints.”

This twofold test is not used in any of the most recent landmark judgments of the Court – DRI, which relies greatly on the analysis of the condition of “necessity”, and Schrems. However, looking at strict necessity through this lens of proportionality and equivalent effectiveness persuaded the AG to conclude that PNR schemes, even if they constitute the kind of interference he accurately described in §176, are acceptable.

Comparing the wealth of PNR data to data collected usually for border control purposes by immigration authorities, including Advance Passenger Information and information collected by Canadian authorities for their eVA program, the AG concluded that “data of that type (API, eVA – my note) does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API and the data required for the issue of an eVA are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged” (§214).

The AG further justifies that PNR data of all passengers are transferred to the Canadian authorities, “even though there is no indication that their conduct may have a connection with terrorism or serious transnational crime” (215) by arguing that “as the interested parties have explained, the actual interest of PNR schemes, whether they are adopted unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks” (§216).

He finds at §244, referring to the fact that the Agreement involves transfers of data of all passengers between the Union and Canada, irrespective of whether they are suspects or not, that no other measure which, while limiting the number of persons whose PNR data is automatically processed by the Canadian competent authority, would be capable of attaining with comparable effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in the context of the present proceedings”.

The AG therefore concluded that “generally, the scope ratione personae of the agreement envisaged cannot be limited further without harming the very object of the PNR regimes” (§245).

Another characteristic of PNR schemes that is generally considered questionable – the lack of an ex ante control of access to PNR data, is found justifiable by the AG in the light of the “fair balance” test for strict necessity: “the appropriate balance that must be struck between the effective pursuit of the fight against terrorism and serious transnational crime and respect for a high level of protection of the personal data of the passengers concerned does not necessarily require that a prior control of access to the PNR data must be envisaged” (§269).

Therefore, the idea of PNR schemes seems to be compatible with the fundamental rights to data protection and respect for private life, in the view of AG Mengozzi. However, the list of conditions he develops for the Agreement in the current case to be fully compliant with EU primary law is quite long and quite strict and it bears bad news for other similar arrangements.

 

……………………………………………

[1] §77 of Schecke states this: “It is thus necessary to determine whether the Council of the European Union and the Commission balanced the European Union’s interest in guaranteeing the transparency of its acts and ensuring the best use of public funds against the interference with the right of the beneficiaries concerned to respect for their private life in general and to the protection of their personal data in particular. The Court has held in this respect that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Satakunnan Markkinapörssi and Satamedia, paragraph 56).”

Section 6. The list of reasons why the EU-Canada PNR Agreement is incompatible with the Charter and the Treaty

(Section 6 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

AG Mengozzi divides his Conclusions on the compatibility of the EU-Canada PNR Agreement with EU primary law into two lists.

The first list contains 11 improvements that can be made in order for the Agreement to be compliant with Articles 7, 8 and 52(1) of the Charter and Article 16 TFEU (see paragraph 2 of the Conclusions)

A. Sensitive data must be outside the scope of PNR schemes

Notably, sensitive data must be excluded from the scope of the Agreement. The AG found that the Agreement “goes beyond what is strictly necessary by including in its scope the transfer of PNR data that is apt to contain sensitive data, which in material terms allows information about the health or ethnic origin or religious beliefs of the passenger concerned and and/or of those travelling with him to be disclosed” (§221). He follows by stating that “the risk of stigmatising a large number of individuals who are not suspected of any offence which the use of such sensitive data entails strikes me as particularly worrying and prompts me to propose that the Court should exclude data of that type from the scope of the agreement envisaged” (§222).

B. Transparency requirements

In addition, the agreement should expressly specify “the principles and rules applicable to both the pre-established scenarios or assessment criteria and the databases with which the Passenger Name Record data is compared in the context of the automated processing of that data, in such a way that the number of ‘targeted’ persons can be limited, to a large extent and in a non-discriminatory manner, to those who can be reasonably suspected of participating in a terrorist offence or serious transnational crime” (4th subparagraph of §2 of the Conclusions).

C. Article 8(3) of the Charter on independent supervision, fully applicable in the light of “essentially equivalence”

Another important condition to achieve compliance with EU primary law is that the agreement must systematically ensure “by a clear and precise rule, control by an independent authority, within the meaning of Article 8(3) of the Charter of Fundamental Rights of the European Union, of respect for the private life and protection of the personal data of passengers whose Passenger Name Record data is processed” (10th subparagraph of §2 of the Conclusions).

In this regard, the AG found that “control by an independent authority, required in particular by Article 8(3) of the Charter, is fully applicable in the present case” (§310), in the light of the fact that the intention of the contracting parties is “to ensure a level of protection that is intended to be ‘substantially equivalent’ to that which individuals would enjoy if their personal data were processed and retained within the Union” (§309).

The AG further found that the “independent supervision” condition is not fully complied with because of the alternative wording of Article 10(1) of the agreement, which gives the impression that the processing of PNR data by the Canadian authorities might also be wholly assumed by the ‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy’ – the Recourse Directorate of the Canadian authority receiving the data, instead of the Privacy Commissioner of Canada (§314).

While nobody questioned the independence of the Privacy Commissioner (§312), the AG found that “irrespective of the guarantees … from the Mission of Canada to the European Union, according to which the Recourse Directorate of the CBSA will receive no directions from the other operational bodies of the latter, that directorate, like all the other bodies of the CBSA, continues to be directly subordinate to the responsible Minister, from whom it may receive directions. Since it is liable to be subject to influence of, in particular, a political nature on the part of the authority to which it is responsible or more generally the Executive, the Recourse Directorate of the CBSA cannot be regarded as an independent supervisory authority for the purposes of Article 8(3) of the Charter” (§315).

This finding, if upheld by the Court, is perhaps the most relevant one that could apply, mutatis mutandis, to an eventual challenge of the EU-US Privacy Shield arrangement, in particular with regard to the independence of the Ombudsman.

D. It must be possible that data subjects exercise their rights from the EU

 Another notable improvement that must be done in order for the Agreement to be compliant with EU primary law is that it should make clear that “requests for access, rectification and annotation made by passengers not present on Canadian territory may be submitted, either directly or by means of an administrative appeal, to an independent public authority” (last subparagraph of §2 of the Conclusions).

The second list of the Conclusions contains 5 reasons why the Agreement is incompatible with EU primary law (§3 of the Conclusions):

  1. “Article 3(5) of the agreement envisaged allows, beyond what is strictly necessary, the possibilities of processing Passenger Name Record data to be extended, independently of the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime”;

The AG found that according to that article, “the processing of PNR data is ‘also’ permitted, on a case-by-case basis, in order to comply with the subpoena or warrant issued, or an order made, by a court, although it is not stated that that court must be acting in the context of the purposes of the agreement envisaged. That article therefore appears to allow the processing of PNR data for purposes unconnected with those pursued by the agreement envisaged and/or possibly in connection with conduct or offences not coming within the scope of that agreement” (§236).

  1. Article 8 of the agreement envisaged provides for the processing, use and retention by Canada of Passenger Name Record data containing sensitive data;
  2. Article 12(3) of the agreement envisaged confers on Canada, beyond what is strictly necessary, the right to make disclosure of information subject to reasonable legal requirements and limitations;

Paragraph 3 of that article extends the possibilities of access to the PNR data and information extracted from it “to anyone, without any specific guarantees being laid down” (§293). “Article 12(3) of the agreement envisaged authorises Canada to ‘make any disclosure of information subject to reasonable legal requirements and limitations …, with due regard for the legitimate interests of the individual concerned’. However, neither the recipients of that ‘information’ nor the use to which it is put is defined in the agreement envisaged. It is therefore quite possible that that information may be communicated to any natural or legal person, such as a bank, for example, provided that Canada considers that the disclosure of such information does not exceed ‘reasonable’ legal requirements, which, moreover, are not defined in the agreement envisaged” (§293).

  1. Article 16(5) of the agreement envisaged authorises Canada to retain Passenger Name Record data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime;

The AG criticized that pursuant to Article 16(5) of the Agreement “sensitive data of a Union citizen who has taken a flight to Canada is liable to be retained for five years (and, where appropriate, unmasked and analysed during that period) by any Canadian public authority, for any ‘action’ or ‘investigation’ or ‘judicial proceeding’, without being in any way connected to the objective pursued by the agreement envisaged, for example, as the Parliament has pointed out, in the event of proceedings related to contract law or family law. The possibility that such a situation will arise prompts the conclusion that on this point the contracting parties have not struck a fair balance between the objectives pursued by the agreement envisaged” (§224).

  1. Article 19 of the agreement envisaged allows Passenger Name Record data to be transferred to a public authority in a third country without the Canadian competent authority, subject to control by an independent authority, first being satisfied that the public authority in the third country in question to which the data is transferred cannot itself subsequently communicate the data to another body, where relevant, in another third country. (For the relevant analysis, see §300 to §304 of the Opinion).

Research finds that ‘surveillance technologies yield neither the secure utopia nor the police state dystopia promised by their supporters’

Science Magazine published a piece today about the recent book by Keith Guzik, a sociologist at the University of Colorado Denver, “Making Things Stick: Surveillance Technologies and Mexico’s War on Crime”.

Guzik examines Mexico in order to understand how surveillance technologies impact security policy around the world. We could hardly find a more ‘spot on’ theme for general public policy these days.

With Mexico’s War on Crime as the backdrop, Making Things Stick offers an innovative analysis of how surveillance technologies impact governance in the global society. More than just tools to monitor ordinary people, surveillance technologies are imagined by government officials as a way to reform the national state by focusing on the material things—cellular phones, automobiles, human bodies—that can enable crime. In describing the challenges that the Mexican government has encountered in implementing this novel approach to social control, Keith Guzik presents surveillance technologies as a sign of state weakness rather than strength and as an opportunity for civic engagement rather than retreat.

The book is available under an Open Access license following this link: http://www.luminosoa.org/site/books/detail/12/making-things-stick/. Enjoy the read!

And this is the conclusion of the author, according to Science Mag:

“The failed experiment of the Mexican security programs demonstrates that state surveillance technologies yield neither the secure utopia nor the police state dystopia promised by their supporters and opponents“.

 

Here’s how Internet’s inventor wants to reinvent it and why this is great news for privacy

Last May I had the chance to meet Prof. Tim Berners-Lee and one of the lead researchers in his team at MIT, Andrei Sambra, when I accompanied Giovanni Buttarelli, the European Data Protection Supervisor, in his visit at MIT.

Andrei presented then the SOLID project, and we had the opportunity to discuss about it with Prof. Berners-Lee, who leads the work for SOLID. The project “aims to radically change the way Web applications work today, resulting in true data ownership as well as improved privacy.” In other words, the researchers want to de-centralise the Internet.

“Solid (derived from “social linked data”) is a proposed set of conventions and tools for building decentralized social applications based on Linked Data principles. Solid is modular and extensible and it relies as much as possible on existing W3C standards and protocols”, as explained on the project’s website.

Andrei explains in a blog post that, in a first step, the project finds solutions “to decouple the applications from the data they produce, and then to decouple the data from the actual storage server.”

“This means that applications and servers are interchangeable, and they can be swapped without impacting the most important part – your data. It’s all about freedom of choice.” (Read the entire explanation in this blog post)

I was so excited to find out about the efforts conducted by Prof. Berners-Lee and his team. At the end of the presentation and the discussion, I asked, just to make sure I understood it correctly: “Are you trying to reinvent the Internet?”. And Prof. Berners-Lee replied, simply: “Yes”. A couple of weeks later I saw this article in the New York Times: “The Web’s creator looks to reinvent it” So I did understand correctly🙂

But why was I so excited? Because I saw first hand that some of the greatest minds in the world are working to bring back control to the individual on the Internet. Some of the greatest minds in the world are not giving up on privacy, irrespective of how many “Privacy is dead” books and articles are published, irrespective of how public and private policymakers, lobbyists and Courts understand at this moment in history the value of privacy and of what Andrei called “freedom of choice” in the digital world.

I was excited because I found out about a common goal us, the legal privacy bookworms/occasional policymakers, and the IT masterminds have: empower the ‘data subject’, the ‘user’, well, the human being, in the new Digital Age, put them back in control and curtail unnecessary invasions of privacy for all kind of purposes (profit making to security).

In fact, my entire PhD thesis was built on the assumption that the rights of the data subject, as they are provided in EU law (rights to access, to erase, to object, to be informed, to oppose automated decision making) are all prerogatives of the individual that aim to give control to the individual over his or her data. So if technical solutions are developed for this kind of control to be practical and effective, I am indeed excited about it!

I also realised that some of the provisions that survived incredible, multifaceted opposition to make it to the new General Data Protection Regulation are in fact tenable, like the right to data portability (check out Article 20 of the GDPR, here).

This is why, when I saw that today the world celebrates 25 years since the Internet went public, I remembered this moment in May and I wanted to share it with you. Here’s to a decentralised Internet!

Later Edit: The man itself says August 23 is not exactly accurate. Nor 25 years! In any case, it was still a good day for me to think about all of the above and share it with you🙂

IMG_7391