Section 1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for concluding international agreements on transfers of personal data

(Section 1 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

Currently, the Council decision adopted for concluding the EU-Canada PNR agreement rests on two legal bases: Article 82(1)(d) TFEU – on judicial cooperation in criminal matters within the Union[1] and Article 87(2)(a) TFEU – on police cooperation in criminal matters within the Union[2], in conjunction with Articles 218(5) and 218(6)(a) TFEU – procedure to negotiate international agreements. In his Opinion on the EU-Canada PNR Agreement  in 2013, the European Data Protection Supervisor questioned the choice of the legal basis and recommended that the proposal be based on Article 16 TFEU “as a comprehensive legal basis”, in conjunction with the Articles on the procedure to conclude international agreements, considering that:

According to Article 1 of the Agreement, its purpose is to set out the conditions for the transfer and use of PNR data in order to, on the one hand, “ensure the security and safety of the public” and, on the other hand, “prescribe the means by which the data shall be protected”. In addition, the vast majority of provisions of the Agreement relate to the latter objective, i.e. the protection of personal data, including data security and integrity. (EDPS Opinion on EU-Canada PNR, §8).

The European Parliament asked the Court in its request for an Opinion if the police cooperation and judicial cooperation articles are an appropriate legal basis, or if the act should be based on Article 16 TFEU.

  1. Why it matters to have a correct legal basis

As the AG acknowledges, the choice of the appropriate legal basis for concluding an international agreement has “constitutional significance” (§40). “The use of an incorrect legal basis is therefore apt to invalidate the act concluding the agreement and thus to vitiate the European Union’s consent to be bound by that agreement” (§40). Therefore, an act adopted on the wrong legal basis can be invalidated by the Court.

First of all, the AG recalled the settled case-law of the Court that the choice of legal basis for an EU measure “must rest on objective factors amenable to judicial review, which include the purpose and the content of that measure” (§61). He also recalled that if the measure pursues a twofold purpose, which can be differentiated into a predominant and an incidental purpose, “the act must be based on a single legal basis, namely, that required by the main or predominant purpose or component” (§61). The Court accepts only as an exception that an act may be founded on various legal bases corresponding to the number of objectives, if those are “inseparably linked, without one being incidental in relation to the other” (§62).

2. Are the two objectives of the Agreement inseparable?

The AG identifies the two objectives of the agreement – combating terrorism and other serious transnational crimes and respecting private life and the protection of personal data and he struggles to argue that the agreement “pursues two objectives and has two components that are inseparable” (§78) and he finds it difficult “to determine which of those objectives prevails over the other” (§79).

In my view, it is not difficult to identify the protection of personal data as the predominant purpose (think of causa proxima in legal theory) and the fight against terrorism as the incidental purpose (think of causa remota in legal theory).

In the Agreement, according to Article 1, “the Parties set out the conditions for the transfer and use of PNR data to ensure the security and safety of the public and prescribe the means by which the data is protected”. In other words, first and foremost, the Agreement sets out rules for transferring and using PNR data, including by prescribing the means by which the data is protected (causa proxima). This is done to ultimately ensure the security and safety of the public (causa remota).

This conclusion is reinforced by the content of the Agreement, which manifestly contains rules mainly relating to the processing of personal data – Article 2 Definitions, Article 3 – Use of PNR data, Article 5 – Adequacy and in the Chapter titled Safeguards applicable to the use of PNR data”, with Articles from 7 to 21, while the last 9 articles concern “implementing and final provisions” of a technical nature. It is also reinforced by the fact that the transfer of PNR data on the EU side is done from private companies and by the fact that, contrary to what the AG argues, the Agreement itself does not establish an obligation to transfer data.

The AG explains that “it is incorrect to claim that the agreement envisaged lays down no obligation for the airlines to transfer the PNR data to the Canadian competent authority” (§92). While he acknowledges that it is true that Article 4(1) of the Agreement states that the Union is to ensure only that air carriers “are not prevented” from transferring PNR data to the Canadian competent authority, he interprets that Article “in conjunction with Articles 5, 20 and 21 of the Agreement” in the sense that “air carriers are entitled and in practice required to provide the Canadian competent authority systematically with access to the PNR data for the purposes defined in Article 3 of the agreement envisaged” (§92).

In fact, Article 5 of the Agreement establishes that the Canadian Competent Authority “is deemed to ensure” an adequate level of data protection (therefore, indeed, air carriers would not be prevented to transfer data because of data protection concerns), Article 20 obliges the air carriers to use the “push method” when they transfer data and Article 21 sets out rules on the frequency of the requests of PNR data by the Canadian Competent Authority. While it is true that the last two articles set out rules for how the data should be transferred, neither contains a positive obligation for the air carriers to transfer the data.

Therefore, it seems to be in fact clear that the purpose of PNR arrangements like the one in the present case is to make sure that EU data protection law does not prevent air carriers to send data of travellers to authorities of third countries systematically, in bulk and without an ex ante control.

As the AG points out, “if Article 16 TFEU were taken as the sole legal basis of the act concluding the agreement envisaged, that would alter the status of the Kingdom of Denmark, Ireland and the United Kingdom of Great Britain and Northern Ireland, as those Member States would then be directly and automatically bound by the agreement, contrary to Article 29 of the agreement envisaged” (§51). This would happen because the Agreement would not be placed anymore under the former third pillar (law enforcement, police and judicial cooperation), which would not give the right to Denmark, Ireland and UK to opt out of it. Therefore, the Agreement would automatically apply to all EU Member States. However, this argument should not play a role in deciding which is the appropriate legal basis, as it is not linked to the purpose or the content of the Agreement at all.

Nevertheless, the AG established that the purposes of fighting crime and respecting data protection rights are inseparable. This is in any case a valuable further step, considering that the Council and the Commission completely excluded Article 16 TFEU from the legal bases. So which are the appropriate legal bases the AG recommends?

3. The “judicial cooperation” Article, found to be irrelevant

The AG finds that “as currently drafted, the agreement envisaged does not really seem to contribute to facilitating cooperation between the judicial or equivalent authorities of the Member States” (§108), within the meaning of Article 82(1)(d) TFEU. He sees as incidental the possibility for judicial authorities of Canada to send in particular cases PNR data to judicial authorities in the EU, which would further contribute to judicial cooperation within the EU.

Interestingly, the AG mentions that this conclusion is not affected by the fact that the Council decisions concluding the PNR Agreements with US and Australia are also based on Article 82(1)(d). He reminds that “the legal basis used for the adoption of other Union measures that might display similar characteristics is irrelevant” (§109).

However, the fact remains that if Article 82(1)(d) is not a proper legal basis for the act concluding the EU-Canada PNR Agreement, it is most probably not a proper legal basis for the other EU acts concluding PNR Agreements.

4. The “police cooperation” Article, found to be relevant

Even if he saw that the agreement does not in fact facilitate judicial cooperation within the Union, the AG considers that, on another hand, it does facilitate police cooperation within the Union. To this end, he is building his argumentation mainly on Article 6 of the Agreement, which is the only one referring to “Police and judicial cooperation”.

Indeed, as recalled in §105, “under Article 6(2) of the agreement envisaged Canada is required, at the request of, among others, the police or a judicial authority of a Member State of the Union, to share, in specific cases, PNR data or analytical information containing PNR data obtained under the agreement envisaged in order to prevent or detect ‘within the European Union’ a terrorist offence or serious transnational crime.”

However, what the AG does not refer to in his analysis is the last sentence of Article 6(2) of the Agreement, which states that Canada shall make this information available in accordance with agreements and arrangements on law enforcement, judicial cooperation, or information sharing, between Canada and Europol, Eurojust or that Member State”. Therefore, sharing PNR data obtained by Canada from air carriers in the conditions set out in the Canada-PNR Agreement with Europol, Eurojust or a specific MS will be done in accordance with separate agreements. In conclusion, there are completely different agreements that have as purpose sharing of information to ensure both police and judicial cooperation between Canada and the competent authorities of the EU, which apply to sharing PNR data as well.

Finally, the AG considers that indeed Article 87(2)(a) is properly set out as legal basis of the act concluding the agreement envisaged, but he also states that it seems to him it is “insufficient to enable the Union to conclude that agreement”. Therefore, he proposes the act concluding the Agreement to be also based on Article 16(2) TFEU.

This conclusion prompts a much expected first substantive analysis of the content of Article 16(2) TFEU in an act of the Court of Justice after the entering into force of the Lisbon Treaty in 2009.

5. Relevance of Article 16(2) TFEU to serve as legal basis for concluding the EU-Canada PNR Agreement

 The AG recalls that “the content of the agreement envisaged supports that [data protection – my addition] objective, in particular the terms in the chapter on ‘Safeguards applicable to the processing of PNR data’, consisting of Articles 7 to 21 of the agreement envisaged” (§113). Therefore, he concludes that, in his view, “action taken by the Union must necessarily be based … on the first subparagraph of Article 16(2) TFEU, which, it will be recalled, confers on the Parliament and the Council the task of laying down the rules relating to the protection of individuals with regard to the processing of personal data by, inter alia, the Member States when carrying out activities which fall within the scope of application of EU law and the rules relating to the free movement of such data” (§114).

The AG further develops the three main principles that underlie this approach.

Firstly, he reminds that the EU is competent to conclude international agreements in the field of data protection (Article 216(1) TFEU in conjunction with Article 16 TFEU). In addition, “there is no doubt that the terms of the agreement envisaged must be characterized as “rules” relating to the protection of the data of natural persons, within the meaning of the first subparagraph of Article 16(1) TFEU, and intended to bind the contracting parties” (§115). (Note: considering Article 16(1) does not have subparagraphs, probably there was an error of transcript and this reference should have been either to the first subparagraph of Article 16(2) or simply to Article 16(1)).

Secondly, the AG adds that the first subparagraph of Article 16(2) “is intended to constitute the legal basis for all rules adopted at EU level relating to the protection of individuals with regard to the processing of their personal data, including the rules coming within the framework of the adoption of measures relating to the provisions of the FEU Treaty on police and judicial cooperation in criminal matters” (§116). He explains thus why Article 16 TFEU is relevant even if the act concluding the Agreement would also be based on an Article providing for police cooperation.

Thirdly, and most importantly, the AG clearly states that Article 16(2) cannot be considered irrelevant for the agreement because the protecting measures which can be adopted under that Article relate to the processing of data by authorities of the Member States and not, as in this instance, to the transfer of data previously obtained by private entities (the air carriers) to a third country (§118). This is a key interpretation, because, indeed, the ad litteram wording of Article 16 is restrictive – it refers to putting in place rules by the Union regarding processing of personal data by:

  • Union institutions, bodies, offices and agencies and
  • By the Member States when carrying out activities which fall within the scope of Union law.

Applying Article 16 ad litteram would mean that the Union does not have the competence to regulate how private entities process data. As the AG convincingly explains, “to put a strictly literal interpretation on the new legal basis constituted by the first subparagraph of Article 16(2) TFEU would be tantamount to splitting up the system for the protection of personal data. Such an interpretation would run counter to the intention of the High Contracting Parties to create, in principle, a single legal basis expressly authorising the EU to adopt rules relating to the protection of the personal data of natural persons. It would therefore represent a step backwards from the preceding scheme based on the Treaty provisions relating to the internal market, which would be difficult to explain. That strictly literal interpretation of Article 16 TFEU would thus have the consequence of depriving that provision of a large part of its practical effect” (§119).

 The AG concludes that the answer to the question about the legal basis is that “in the light of the objectives and the components of the agreement envisaged, which are inseparably linked, the act concluding that agreement must in my view be based on the first subparagraph of Article 16(2) TFEU and Article 87(2)(a) TFEU as its substantive legal bases” (§120).

Before going through the analysis of the compliance of the Agreement with Articles 7 and 8 of the Charter, it’s worth having a look at one of the fundamental issues raised by the Agreement, but which, unfortunately, was only looked at briefly and with no consequence.

 

……………………………………………………….

[1] “The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall adopt measures to:

(d) facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions.”

[2] 1. The Union shall establish police cooperation involving all the Member States’ competent authorities, including police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences.

  1. For the purposes of paragraph 1, the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, may establish measures concerning:

(c) common investigative techniques in relation to the detection of serious forms of organised crime.

Advertisements

One response to “Section 1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for concluding international agreements on transfers of personal data

  1. Pingback: Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter | pdpEcho

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s