AG Mengozzi delivered his Opinion in the EU-Canada PNR case (Opinion 1/15) on 8 September 2016. While his conclusions clearly indicate that, in part, the current form of the agreement between Canada and the EU “on the transfer and processing of Passenger Name Record data” is not compliant with EU primary law – and in particular with Articles 7, 8 and 52(1) of the Charter and Article 16(2) TFEU, the AG seems to accept that PNR schemes in general (involving indiscriminate targeting, profiling, preemptive policing) are compatible with fundamental rights in the EU.
In summary, it seems to me that the AG’s message is: “if you do it unambiguously and transparently, under independent supervision, and without sensitive data, you can process PNR data of all travellers, creating profiles and targeting persons matching patterns of suspicious behaviour”.
This is problematic for the effectiveness of the right to the protection of personal data and the right to respect for private life. Even though the AG agrees that the scrutiny of an international agreement such as the EU-Canada PNR Agreement should not be looser than that of an ordinary adequacy decision or that of an EU Directive, and considers that both Schrems and Digital Rights Ireland should apply in this case, he doesn’t apply in all instances the rigorous scrutiny the Court uses in those two landmark judgments. One significant way in which he is doing this is by enriching the ‘strict necessity test’ so that it comprises a “fair balance” criterion and an “equivalent effectiveness” threshold (See Section 5).
On another hand, AG Mengozzi is quite strict with the safeguards he sees as essential in order to make PNR agreements such as the one in this case compatible with fundamental rights in the EU.
Data protection authorities have warned time and again that PNR schemes are not strictly necessary to fight terrorism, serious and transnational crimes – they are too invasive and their effectiveness has not yet been proven. The European Data Protection Supervisor – the independent advisor of the EU institutions on all legislation concerning processing of personal data, has issued a long series of Opinions on PNR schemes – be it in the form of international agreements on data transfers, adequacy decisions or EU legislation, always questioning their necessity and proportionality. In the latest Opinion from this series, on the EU PNR Directive, the EDPS clearly states that “the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance” (§63) and in the lack of appropriate and unambiguous evidence that such a scheme is necessary, the PNR scheme is not compliant with Articles 7, 8 and 52 of the Charter, Article 16 TFEU and Article 8 ECHR (§64).
The Article 29 Working Party also has a long tradition in questioning the idea itself of a PNR system. A good reflection of this is Opinion 7/2010, where the WP states that “the usefulness of large-scale profiling on the basis of passenger data must be questioned thoroughly, based on both scientific elements and recent studies” (p. 4) and declares that it is not satisfied with the evidence for the necessity of such systems.
The European Parliament suspended the procedure to conclude the Agreement and decided to use one of its new powers granted by the Treaty of Lisbon and asked the CJEU to issue an Opinion on the compliance of the Agreement with EU primary law (TFEU and the Charter).
Having the CJEU finally look at PNR schemes is a matter of great interest for all EU travellers, and not only them. Especially at a time like this, when it feels like surveillance is served to the people by states all over the world – from liberal democracies to authoritarian states, as an acceptable social norm.
General remarks: first-timers and wide implications
The AG acknowledges in the introductory part of the Opinion that the questions this case brought before the Court are “unprecedented and delicate” (§5). In fact, the AG observes later on in the Opinion that the “methods” applied to PNR data, once transferred, in order to identify individuals on the basis of patterns of behavior of concern are not at all provided for in the agreement and “seem to be entirely at the discretion of the Canadian authorities” (§164). This is why the AG states that one of the greatest difficulties of this case is that it “entails ascertaining … not merely what the agreement envisaged makes provision for, but also, and above all, what it has failed to make provision for” (§164).
The AG also makes it clear in the beginning of the Opinion that the outcome of this case has implications on the other “PNR” international agreements the EU concluded with Australia and the US and on the EU PNR Directive (§4). A straightforward example of a possible impact on these other international agreements, beyond analyzing their content, is the finding that the legal basis on which they were adopted is incomplete (they must be also based on Article 16 TFEU) and wrong (Article 82(1)(d) TFEU on judicial cooperation is incompatible as legal basis with PNR agreements).
The implications are even wider than the AG acknowledged. For instance, a legal instrument that could be impacted is the EU-US Umbrella Agreement – another international agreement on transfers of personal data from the EU to the US in the law enforcement area, which has both similarities and differences compared to the PNR agreements. In addition, an immediately affected legal process will be the negotiations that the European Commission is currently undertaking with Mexico for a PNR Agreement.
Even if it is not an international agreement, the adequacy decision based on the EU-US Privacy Shield deal could be impacted as well, especially with regard to the findings on the independence of the supervisory authority in the third country where data are transferred (See Section 6 for more on this topic).
Finally, the AG also mentions that this case allows the Court to “break the ice” in two matters:
- It will examine for the first time the scope of Article 16(2) TFEU (§6) and
- rule for the first time on the compatibility of a draft international agreement with the fundamental rights enshrined in the Charter, and more particularly with those in Article 7 and Article 8 (§7).
Therefore, the complexity and novelty of this case are considerable. And they are also a good opportunity for the CJEU to create solid precedents in such delicate matters.
I structured this post around the main ideas I found notable to look at and summarize, after reading the 328-paragraphs long Opinion. In order to make it easier to read, I’ve split it into 6 Sections, which you can find following the links below.
- De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for international agreements on transfers of personal data
- A look at the surface: it is not an adequacy decision, but it establishes adequacy
- An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing
- Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1)
- The awkward two level necessity test that convinced the AG the PNR scheme is acceptable
- The list of reasons why the Agreement is incompatible with the Charter and the Treaty
 Article 7 – the right to respect for private life, Article 8 – the right to the protection of personal data, Article 52(1) – limitations of the exercise of fundamental rights.
 With regard to the obligation to have independent supervision of processing of personal data.
 See the latest one, Opinion 5/2015 on the EU PNR Directive and see the Opinion on the EU-Canada draft agreement.
Find what you’re reading useful? Consider supporting pdpecho.
Pingback: Data Protection, Data Transfers, and International Agreements: the CJEU’s Opinion 1/15 | Verfassungsblog