Category Archives: US and Canada

A look at political psychological targeting, EU data protection law and the US elections

Cambridge Analytica, a company that uses “data modeling and psychographic profiling” (according to its website), is credited with having decisively contributed to the outcome of the presidential election in the U.S.. They did so by using “a hyper-targeted psychological approach” allowing them to see trends among voters that no one else saw and thus to model the speech of the candidate to resonate with those trends. According to Mashable, the same company also assisted the Leave. EU campaign that leaded to Brexit.

How do they do it?

“We collect up to 5,000 data points on over 220 million Americans, and use more than 100 data variables to model target audience groups and predict the behavior of like-minded people” (my emphasis), states their website (for comparison, the US has a 324 million population). They further explain that “when you go beneath the surface and learn what people really care about you can create fully integrated engagement strategies that connect with every person at the individual level” (my emphasis).

According to Mashable, the company “uses a psychological approach to polling, harvesting billions of data from social media, credit card histories, voting records, consumer data, purchase history, supermarket loyalty schemes, phone calls, field operatives, Facebook surveys and TV watching habits“. This data “is bought or licensed from brokers or sourced from social media”.

(For a person who dedicated their professional life to personal data protection this sounds chilling.)

Legal implications

Under US privacy law this kind of practice seems to have no legal implications, as it doesn’t involve processing by any authority of the state, it’s not a matter of consumer protection and it doesn’t seem to fall, prima facie, under any piece of the piecemeal legislation dealing with personal data in the U.S. (please correct me if I’m wrong).

Under EU data protection law, this practice would raise a series of serious questions (see below), without even getting into the debate of whether this sort of intimate profiling would also breach the right to private life as protected by Article 7 of the EU Charter of Fundamental Rights and Article 8 of the European Convention of Human Rights (the right to personal data protection and the right to private life are protected separately in the EU legal order). Put it simple, the right to data protection enshrines the “rules of the road” (safeguards) for data that is being processed on a lawful ground, while the right to private life protects the inner private sphere of a person altogether, meaning that it can prohibit the unjustified interferences in the person’s private life. This post will only look at mass psychological profiling from the data protection perspective.

Does EU data protection law apply to the political profilers targeting US voters?

But why would EU data protection law even be applicable to a company creating profiles of 220 million Americans? Surprisingly, EU data protection law could indeed be relevant in this case, if it turns out that the company carrying out the profiling is based in the UK (London-based), as several websites claim in their articles (here, here and here).

Under Article 4(1)(a) of Directive 95/46, the national provisions adopted pursuant to the directive shall apply “where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State“. Therefore, the territorial application of Directive 95/46 is triggered by the place of establishment of the controller.  Moreover, Recital 18 of the Directive’s Preamble explains that “in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community (EU – n.) must be carried out in accordance with the law of one of the Member States” and that “in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State” (see also CJEU Case C-230/14 Weltimmo, paras. 24, 25, 26).

There are, therefore, no exceptions to applying EU data protection rules to any processing of personal data that is carried out under the responsibility of a controller established in a Member State. Is it relevant here whether the data subjects are not European citizens, and whether they would not even be physically located within Europe? The answer is probably in the negative. Directive 95/46 provides that the data subjects it protects are “identified or identifiable natural persons“, without differentiating them based on their nationality. Neither does the Directive link its application to any territorial factor concerning the data subjects. Moreover, according to Article 8 of the EU Charter of Fundamental Rights, “everyone has the right to the protection of personal data concerning him or her”.

I must emphasise here that the Court of Justice of the EU is the only authority that can interpret EU law in a binding manner and that until the Court decides how to interpret EU law in a specific case, we can only engage in argumentative exercises. If the interpretation proposed above would be found to have some merit, it would indeed be somewhat ironic to have the data of 220 million Americans protected by EU data protection rules.

What safeguards do persons have against psychological profiling for political purposes?

This kind of psychological profiling for political purposes would raise a number of serious questions. First of all, there is the question of whether this processing operation involves processing of “special categories of data”. According to Article 8(1) of Directive 95/46, “Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.” There are several exceptions to this prohibition, of which only two would conceivably be applicable to this kind of profiling:

  • if the data subject has given his explicit consent to the processing of those data (letter a) or
  • the processing relates to data which are manifestly made public by the data subject (letter e).

In order for this kind of psychological profiling to be lawful, the controller must obtain explicit consent to process all the points of data used for every person profiled. Or the controller must only use those data points that were manifestly made public by a person.

Moreover, under Article 15(1) of Directive 95/46, the person has the right “not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”. It is of course to be interpreted to what extent psychological profiling for political purposes produces legal effects or significantly affects the person.

Another problem concerns the obligation of the controller to inform every person concerned that this kind of profiling is taking place (Articles 10 and 11 of Directive 95/46) and to give them details about the identity of the controller, the purposes of the processing and all the personal data that is being processed. In addition, the person should be informed that he or she has the right to ask for a copy of the data the controller holds about him or her and the right to ask for the erasure of that data if it was processed unlawfully (Article 12 of Directive 95/46).

Significantly, the person has the right to opt-out of a processing operation, at any time, without giving reasons, if that data is being processed for the purposes of direct marketing (Article 14(b) of Directive 95/46). For instance, in the UK, the supervisory authority – the Information Commissioner’s Office, issued Guidance for political campaigns in 2014 and gave the example of “a telephone call which seeks an individual’s opinions in order to use that data to identify those people likely to support the political party or referendum campaign at a future date in order to target them with marketing” as constituting direct marketing.

Some thoughts

  • The analysis of how EU data protection law is relevant for this kind of profiling would be more poignant if it would be made under the General Data Protection Regulation, which will become applicable on 25 May 2018 and which has a special provision for profiling.
  • The biggest ever fine issued by the supervisory authority in the UK is 350.000 pounds, this year. Under the GDPR, breaches of data protection rules will lead to fines up to 20 million euro or 4% of the controller’s global annual turnover for the previous year, whichever is higher.
  • If any company based in the UK used this kind of psychological profiling and micro-targeting for the Brexit campaign, that processing operation would undoubtedly fall under the rules of EU data protection law. This stands true of any analytics company that provides these services to political parties anywhere in the EU using personal data of EU persons. Perhaps this is a good time to revisit the discussion we had at CPDP2016 on political behavioural targeting (who would have thought the topic will gain so much momentum this year?)
  • I wonder if data protection rules should be the only “wall (?)” between this sort of targeted-political-message-generating campaign profiling and the outcome of democratic elections.
  • Talking about ethics, data protection and big data together is becoming more urgent everyday.

***

Find what you’re reading useful? Consider supporting pdpecho.

Advertisements

Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter

AG Mengozzi delivered his Opinion in the EU-Canada PNR case (Opinion 1/15) on 8 September 2016. While his conclusions clearly indicate that, in part, the current form of the agreement between Canada and the EU “on the transfer and processing of Passenger Name Record data” is not compliant with EU primary law – and in particular with Articles 7, 8 and 52(1) of the Charter[1] and Article 16(2) TFEU[2], the AG seems to accept that PNR schemes in general (involving indiscriminate targeting, profiling, preemptive policing) are compatible with fundamental rights in the EU.

In summary, it seems to me that the AG’s message is: “if you do it unambiguously and transparently, under independent supervision, and without sensitive data, you can process PNR data of all travellers, creating profiles and targeting persons matching patterns of suspicious behaviour”.

This is problematic for the effectiveness of the right to the protection of personal data and the right to respect for private life. Even though the AG agrees that the scrutiny of an international agreement such as the EU-Canada PNR Agreement should not be looser than that of an ordinary adequacy decision or that of an EU Directive, and considers that both Schrems and Digital Rights Ireland should apply in this case, he doesn’t apply in all instances the rigorous scrutiny the Court uses in those two landmark judgments. One significant way in which he is doing this is by enriching the ‘strict necessity test’ so that it comprises a “fair balance” criterion and an “equivalent effectiveness” threshold (See Section 5).

On another hand, AG Mengozzi is quite strict with the safeguards he sees as essential in order to make PNR agreements such as the one in this case compatible with fundamental rights in the EU.

Data protection authorities have warned time and again that PNR schemes are not strictly necessary to fight terrorism, serious and transnational crimes – they are too invasive and their effectiveness has not yet been proven. The European Data Protection Supervisor – the independent advisor of the EU institutions on all legislation concerning processing of personal data, has issued a long series of Opinions on PNR schemes – be it in the form of international agreements on data transfers, adequacy decisions or EU legislation, always questioning their necessity and proportionality[3]. In the latest Opinion from this series, on the EU PNR Directive, the EDPS clearly states that the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance” (§63) and in the lack of appropriate and unambiguous evidence that such a scheme is necessary, the PNR scheme is not compliant with Articles 7, 8 and 52 of the Charter, Article 16 TFEU and Article 8 ECHR (§64).

The Article 29 Working Party also has a long tradition in questioning the idea itself of a PNR system. A good reflection of this is Opinion 7/2010, where the WP states that “the usefulness of large-scale profiling on the basis of passenger data must be questioned thoroughly, based on both scientific elements and recent studies” (p. 4) and declares that it is not satisfied with the evidence for the necessity of such systems.

The European Parliament suspended the procedure to conclude the Agreement and decided to use one of its new powers granted by the Treaty of Lisbon and asked the CJEU to issue an Opinion on the compliance of the Agreement with EU primary law (TFEU and the Charter).

Having the CJEU finally look at PNR schemes is a matter of great interest for all EU travellers, and not only them. Especially at a time like this, when it feels like surveillance is served to the people by states all over the world – from liberal democracies to authoritarian states, as an acceptable social norm.

General remarks: first-timers and wide implications

The AG acknowledges in the introductory part of the Opinion that the questions this case brought before the Court are “unprecedented and delicate” (§5). In fact, the AG observes later on in the Opinion that the “methods” applied to PNR data, once transferred, in order to identify individuals on the basis of patterns of behavior of concern are not at all provided for in the agreement and “seem to be entirely at the discretion of the Canadian authorities” (§164). This is why the AG states that one of the greatest difficulties of this case is that it “entails ascertaining … not merely what the agreement envisaged makes provision for, but also, and above all, what it has failed to make provision for” (§164).

The AG also makes it clear in the beginning of the Opinion that the outcome of this case has implications on the other “PNR” international agreements the EU concluded with Australia and the US and on the EU PNR Directive (§4). A straightforward example of a possible impact on these other international agreements, beyond analyzing their content, is the finding that the legal basis on which they were adopted is incomplete (they must be also based on Article 16 TFEU) and wrong (Article 82(1)(d) TFEU on judicial cooperation is incompatible as legal basis with PNR agreements).

The implications are even wider than the AG acknowledged. For instance, a legal instrument that could be impacted is the EU-US Umbrella Agreement – another international agreement on transfers of personal data from the EU to the US in the law enforcement area, which has both similarities and differences compared to the PNR agreements. In addition, an immediately affected legal process will be the negotiations that the European Commission is currently undertaking with Mexico for a PNR Agreement.

Even if it is not an international agreement, the adequacy decision based on the EU-US Privacy Shield deal could be impacted as well, especially with regard to the findings on the independence of the supervisory authority in the third country where data are transferred (See Section 6 for more on this topic).

Finally, the AG also mentions that this case allows the Court to “break the ice” in two matters:

  • It will examine for the first time the scope of Article 16(2) TFEU (§6) and
  • rule for the first time on the compatibility of a draft international agreement with the fundamental rights enshrined in the Charter, and more particularly with those in Article 7 and Article 8 (§7).

Therefore, the complexity and novelty of this case are considerable. And they are also a good opportunity for the CJEU to create solid precedents in such delicate matters.

I structured this post around the main ideas I found notable to look at and summarize, after reading the 328-paragraphs long Opinion. In order to make it easier to read, I’ve split it into 6 Sections, which you can find following the links below.

  1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for international agreements on transfers of personal data
  2. A look at the surface: it is not an adequacy decision, but it establishes adequacy
  3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing
  4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1)
  5. The awkward two level necessity test that convinced the AG the PNR scheme is acceptable
  6. The list of reasons why the Agreement is incompatible with the Charter and the Treaty

……………………………………………………….

[1] Article 7 – the right to respect for private life, Article 8 – the right to the protection of personal data, Article 52(1) – limitations of the exercise of fundamental rights.

[2] With regard to the obligation to have independent supervision of processing of personal data.

[3] See the latest one, Opinion 5/2015 on the EU PNR Directive and see the Opinion on the EU-Canada draft agreement.

***

Find what you’re reading useful? Consider supporting pdpecho.

Section 1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for concluding international agreements on transfers of personal data

(Section 1 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

Currently, the Council decision adopted for concluding the EU-Canada PNR agreement rests on two legal bases: Article 82(1)(d) TFEU – on judicial cooperation in criminal matters within the Union[1] and Article 87(2)(a) TFEU – on police cooperation in criminal matters within the Union[2], in conjunction with Articles 218(5) and 218(6)(a) TFEU – procedure to negotiate international agreements. In his Opinion on the EU-Canada PNR Agreement  in 2013, the European Data Protection Supervisor questioned the choice of the legal basis and recommended that the proposal be based on Article 16 TFEU “as a comprehensive legal basis”, in conjunction with the Articles on the procedure to conclude international agreements, considering that:

According to Article 1 of the Agreement, its purpose is to set out the conditions for the transfer and use of PNR data in order to, on the one hand, “ensure the security and safety of the public” and, on the other hand, “prescribe the means by which the data shall be protected”. In addition, the vast majority of provisions of the Agreement relate to the latter objective, i.e. the protection of personal data, including data security and integrity. (EDPS Opinion on EU-Canada PNR, §8).

The European Parliament asked the Court in its request for an Opinion if the police cooperation and judicial cooperation articles are an appropriate legal basis, or if the act should be based on Article 16 TFEU.

  1. Why it matters to have a correct legal basis

As the AG acknowledges, the choice of the appropriate legal basis for concluding an international agreement has “constitutional significance” (§40). “The use of an incorrect legal basis is therefore apt to invalidate the act concluding the agreement and thus to vitiate the European Union’s consent to be bound by that agreement” (§40). Therefore, an act adopted on the wrong legal basis can be invalidated by the Court.

First of all, the AG recalled the settled case-law of the Court that the choice of legal basis for an EU measure “must rest on objective factors amenable to judicial review, which include the purpose and the content of that measure” (§61). He also recalled that if the measure pursues a twofold purpose, which can be differentiated into a predominant and an incidental purpose, “the act must be based on a single legal basis, namely, that required by the main or predominant purpose or component” (§61). The Court accepts only as an exception that an act may be founded on various legal bases corresponding to the number of objectives, if those are “inseparably linked, without one being incidental in relation to the other” (§62).

2. Are the two objectives of the Agreement inseparable?

The AG identifies the two objectives of the agreement – combating terrorism and other serious transnational crimes and respecting private life and the protection of personal data and he struggles to argue that the agreement “pursues two objectives and has two components that are inseparable” (§78) and he finds it difficult “to determine which of those objectives prevails over the other” (§79).

In my view, it is not difficult to identify the protection of personal data as the predominant purpose (think of causa proxima in legal theory) and the fight against terrorism as the incidental purpose (think of causa remota in legal theory).

In the Agreement, according to Article 1, “the Parties set out the conditions for the transfer and use of PNR data to ensure the security and safety of the public and prescribe the means by which the data is protected”. In other words, first and foremost, the Agreement sets out rules for transferring and using PNR data, including by prescribing the means by which the data is protected (causa proxima). This is done to ultimately ensure the security and safety of the public (causa remota).

This conclusion is reinforced by the content of the Agreement, which manifestly contains rules mainly relating to the processing of personal data – Article 2 Definitions, Article 3 – Use of PNR data, Article 5 – Adequacy and in the Chapter titled Safeguards applicable to the use of PNR data”, with Articles from 7 to 21, while the last 9 articles concern “implementing and final provisions” of a technical nature. It is also reinforced by the fact that the transfer of PNR data on the EU side is done from private companies and by the fact that, contrary to what the AG argues, the Agreement itself does not establish an obligation to transfer data.

The AG explains that “it is incorrect to claim that the agreement envisaged lays down no obligation for the airlines to transfer the PNR data to the Canadian competent authority” (§92). While he acknowledges that it is true that Article 4(1) of the Agreement states that the Union is to ensure only that air carriers “are not prevented” from transferring PNR data to the Canadian competent authority, he interprets that Article “in conjunction with Articles 5, 20 and 21 of the Agreement” in the sense that “air carriers are entitled and in practice required to provide the Canadian competent authority systematically with access to the PNR data for the purposes defined in Article 3 of the agreement envisaged” (§92).

In fact, Article 5 of the Agreement establishes that the Canadian Competent Authority “is deemed to ensure” an adequate level of data protection (therefore, indeed, air carriers would not be prevented to transfer data because of data protection concerns), Article 20 obliges the air carriers to use the “push method” when they transfer data and Article 21 sets out rules on the frequency of the requests of PNR data by the Canadian Competent Authority. While it is true that the last two articles set out rules for how the data should be transferred, neither contains a positive obligation for the air carriers to transfer the data.

Therefore, it seems to be in fact clear that the purpose of PNR arrangements like the one in the present case is to make sure that EU data protection law does not prevent air carriers to send data of travellers to authorities of third countries systematically, in bulk and without an ex ante control.

As the AG points out, “if Article 16 TFEU were taken as the sole legal basis of the act concluding the agreement envisaged, that would alter the status of the Kingdom of Denmark, Ireland and the United Kingdom of Great Britain and Northern Ireland, as those Member States would then be directly and automatically bound by the agreement, contrary to Article 29 of the agreement envisaged” (§51). This would happen because the Agreement would not be placed anymore under the former third pillar (law enforcement, police and judicial cooperation), which would not give the right to Denmark, Ireland and UK to opt out of it. Therefore, the Agreement would automatically apply to all EU Member States. However, this argument should not play a role in deciding which is the appropriate legal basis, as it is not linked to the purpose or the content of the Agreement at all.

Nevertheless, the AG established that the purposes of fighting crime and respecting data protection rights are inseparable. This is in any case a valuable further step, considering that the Council and the Commission completely excluded Article 16 TFEU from the legal bases. So which are the appropriate legal bases the AG recommends?

3. The “judicial cooperation” Article, found to be irrelevant

The AG finds that “as currently drafted, the agreement envisaged does not really seem to contribute to facilitating cooperation between the judicial or equivalent authorities of the Member States” (§108), within the meaning of Article 82(1)(d) TFEU. He sees as incidental the possibility for judicial authorities of Canada to send in particular cases PNR data to judicial authorities in the EU, which would further contribute to judicial cooperation within the EU.

Interestingly, the AG mentions that this conclusion is not affected by the fact that the Council decisions concluding the PNR Agreements with US and Australia are also based on Article 82(1)(d). He reminds that “the legal basis used for the adoption of other Union measures that might display similar characteristics is irrelevant” (§109).

However, the fact remains that if Article 82(1)(d) is not a proper legal basis for the act concluding the EU-Canada PNR Agreement, it is most probably not a proper legal basis for the other EU acts concluding PNR Agreements.

4. The “police cooperation” Article, found to be relevant

Even if he saw that the agreement does not in fact facilitate judicial cooperation within the Union, the AG considers that, on another hand, it does facilitate police cooperation within the Union. To this end, he is building his argumentation mainly on Article 6 of the Agreement, which is the only one referring to “Police and judicial cooperation”.

Indeed, as recalled in §105, “under Article 6(2) of the agreement envisaged Canada is required, at the request of, among others, the police or a judicial authority of a Member State of the Union, to share, in specific cases, PNR data or analytical information containing PNR data obtained under the agreement envisaged in order to prevent or detect ‘within the European Union’ a terrorist offence or serious transnational crime.”

However, what the AG does not refer to in his analysis is the last sentence of Article 6(2) of the Agreement, which states that Canada shall make this information available in accordance with agreements and arrangements on law enforcement, judicial cooperation, or information sharing, between Canada and Europol, Eurojust or that Member State”. Therefore, sharing PNR data obtained by Canada from air carriers in the conditions set out in the Canada-PNR Agreement with Europol, Eurojust or a specific MS will be done in accordance with separate agreements. In conclusion, there are completely different agreements that have as purpose sharing of information to ensure both police and judicial cooperation between Canada and the competent authorities of the EU, which apply to sharing PNR data as well.

Finally, the AG considers that indeed Article 87(2)(a) is properly set out as legal basis of the act concluding the agreement envisaged, but he also states that it seems to him it is “insufficient to enable the Union to conclude that agreement”. Therefore, he proposes the act concluding the Agreement to be also based on Article 16(2) TFEU.

This conclusion prompts a much expected first substantive analysis of the content of Article 16(2) TFEU in an act of the Court of Justice after the entering into force of the Lisbon Treaty in 2009.

5. Relevance of Article 16(2) TFEU to serve as legal basis for concluding the EU-Canada PNR Agreement

 The AG recalls that “the content of the agreement envisaged supports that [data protection – my addition] objective, in particular the terms in the chapter on ‘Safeguards applicable to the processing of PNR data’, consisting of Articles 7 to 21 of the agreement envisaged” (§113). Therefore, he concludes that, in his view, “action taken by the Union must necessarily be based … on the first subparagraph of Article 16(2) TFEU, which, it will be recalled, confers on the Parliament and the Council the task of laying down the rules relating to the protection of individuals with regard to the processing of personal data by, inter alia, the Member States when carrying out activities which fall within the scope of application of EU law and the rules relating to the free movement of such data” (§114).

The AG further develops the three main principles that underlie this approach.

Firstly, he reminds that the EU is competent to conclude international agreements in the field of data protection (Article 216(1) TFEU in conjunction with Article 16 TFEU). In addition, “there is no doubt that the terms of the agreement envisaged must be characterized as “rules” relating to the protection of the data of natural persons, within the meaning of the first subparagraph of Article 16(1) TFEU, and intended to bind the contracting parties” (§115). (Note: considering Article 16(1) does not have subparagraphs, probably there was an error of transcript and this reference should have been either to the first subparagraph of Article 16(2) or simply to Article 16(1)).

Secondly, the AG adds that the first subparagraph of Article 16(2) “is intended to constitute the legal basis for all rules adopted at EU level relating to the protection of individuals with regard to the processing of their personal data, including the rules coming within the framework of the adoption of measures relating to the provisions of the FEU Treaty on police and judicial cooperation in criminal matters” (§116). He explains thus why Article 16 TFEU is relevant even if the act concluding the Agreement would also be based on an Article providing for police cooperation.

Thirdly, and most importantly, the AG clearly states that Article 16(2) cannot be considered irrelevant for the agreement because the protecting measures which can be adopted under that Article relate to the processing of data by authorities of the Member States and not, as in this instance, to the transfer of data previously obtained by private entities (the air carriers) to a third country (§118). This is a key interpretation, because, indeed, the ad litteram wording of Article 16 is restrictive – it refers to putting in place rules by the Union regarding processing of personal data by:

  • Union institutions, bodies, offices and agencies and
  • By the Member States when carrying out activities which fall within the scope of Union law.

Applying Article 16 ad litteram would mean that the Union does not have the competence to regulate how private entities process data. As the AG convincingly explains, “to put a strictly literal interpretation on the new legal basis constituted by the first subparagraph of Article 16(2) TFEU would be tantamount to splitting up the system for the protection of personal data. Such an interpretation would run counter to the intention of the High Contracting Parties to create, in principle, a single legal basis expressly authorising the EU to adopt rules relating to the protection of the personal data of natural persons. It would therefore represent a step backwards from the preceding scheme based on the Treaty provisions relating to the internal market, which would be difficult to explain. That strictly literal interpretation of Article 16 TFEU would thus have the consequence of depriving that provision of a large part of its practical effect” (§119).

 The AG concludes that the answer to the question about the legal basis is that “in the light of the objectives and the components of the agreement envisaged, which are inseparably linked, the act concluding that agreement must in my view be based on the first subparagraph of Article 16(2) TFEU and Article 87(2)(a) TFEU as its substantive legal bases” (§120).

Before going through the analysis of the compliance of the Agreement with Articles 7 and 8 of the Charter, it’s worth having a look at one of the fundamental issues raised by the Agreement, but which, unfortunately, was only looked at briefly and with no consequence.

 

……………………………………………………….

[1] “The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall adopt measures to:

(d) facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions.”

[2] 1. The Union shall establish police cooperation involving all the Member States’ competent authorities, including police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences.

  1. For the purposes of paragraph 1, the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, may establish measures concerning:

(c) common investigative techniques in relation to the detection of serious forms of organised crime.

Section 2. A look at the surface: it is not an adequacy decision, but it establishes adequacy

(Section 2 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

One of the fundamental issues concerning agreements such as the one in the present case is how do these agreements relate to the concept of “adequacy finding” for the purposes of transfers of personal data from the EU to third countries.

While it is straightforward looking at their nature that they are not unilateral acts issued by the European Commission to establish that a third country or the authorities of a third country have an adequate level of protection (as was the Decision invalidated by the Schrems judgement), in essence these agreements have the same effect as that of adequacy decisions: they establish a presumption that the legal system at the receiving end of a data transfer from the EU ensures an adequate level of data protection, eliminating thus impediments of transfers based on concerns that the data are not properly protected at the receiving end.

While the process leading to an adequacy decision by the Commission is long and involves a thorough analysis of the legal system of the third country in order to ascertain that it provides an essentially equivalent level of protection in theory and in practice, the conclusion of an international agreement involves a high level negotiation and commitments taken by the third country that it would ensure appropriate protection. It is more difficult to ascertain and control a posteriori if this indeed happens in practice. Moreover, if the commitments taken by the third country are not sufficient in the Agreement, a clause establishing that the transfers to that country are deemed to comply with EU data protection law may very well be considered as breaching Article 8(1) of the Charter. The CJEU stated in Schrems that the requirements for ensuring lawful international transfers of personal data stem from Article 8(1) of the Charter and the general obligation enshrined therein “to protect personal data” (§71-§72 of Schrems).

These issues are extremely challenging and the current proceedings would be a very good opportunity to address them. However, the AG only marginally touches this question and he does that only to argue against the fact that data protection is the predominant purpose of the Agreement and to argue in favour of a strict review of the limitations brought by the provisions of the Agreement to the exercise of Article 8 of the Charter.

First, in §93, he states that “the object of the agreement envisaged cannot principally be treated as equivalent to an adequacy decision, comparable to the decision which the Commission had adopted under the 2006 Agreement”. He continues by arguing that “both the aim and the content of the agreement envisaged show, on the contrary, that that agreement is intended to reconcile the two objectives which it pursues and that those objectives are inseparably linked” (i.e. – data protection and fight against terrorism) (§93).

However, about a hundred of paragraphs later, after he recalls the finding in §93 that “the agreement envisaged cannot be reduced to a decision finding that the Canadian competent authority guarantees an adequate level of protection” (§203), he recognizes that “Article 5 of the agreement envisaged does indeed provide that, subject to compliance with the terms of that agreement, the Canadian Competent Authority is to be deemed to provide an adequate level of protection, within the meaning of relevant Union data protection law, for the processing and use of PNR data” (§203).

Moreover, in the same paragraph, the AG even adds that “the contracting parties’ intention is indeed to ensure that the high level of personal data protection achieved in the Union may be guaranteed when the PNR data is transferred to Canada” (§203).

The arguments above follow after in paragraph 200 the AG finds that the provisions of the agreement should be subject to a strict review by the Court regarding their compliance with the requirements resulting also from “the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged”.

This analysis seems to me contradictory – both by comparing §93 and §203, and by comparing statements within §203. In any case, the consequences of the intention to establish adequacy through an international agreement are not further analysed. The only conclusion the AG draws after identifying the underlying intention of the parties to conclude this agreement is just that “I see no reason why the Court should not carry out a strict review of compliance with the principle of proportionality” (§203). Moreover, he further expands this argumentation by referring to the Schrems case and findings therein concerning “essentially equivalence” and how the means ensuring this equivalence must be “effective in practice” (§204).

Hopefully, the Court in its final Opinion will make a more in depth analysis of this issue.

Section 3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing

(Section 3 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

In order to answer the first question raised by the Parliament in the proceedings before the Court – whether the Agreement complies with EU Primary law, and in particular with Articles 7 and 8 of the Charter, AG Mengozzi follows the classical test: is there an interference?[1] And if so, is the interference justified?[2]

Analyzing separately Articles 7 and 8 of the Charter, still a challenge

Even if the Court has recently started to analyze separately the rights protected by Article 7 (to respect for private life) and by Article 8 of the Charter (to the protection of personal data) – see the judgments in DRI and Schrems, the AG seems to hesitate again between the two rights. He starts his analysis on whether there is an interference with the two rights (§170) by recalling the older case-law of the Court which stated that the right to the protection of private life and the right to the protection of personal data are “closely connected” (Schecke, §47; ASNEF, §41).

First he finds that the PNR data “touches on the area of the privacy, indeed intimacy, of persons and indisputably relates to one or more identified or identifiable individual or individuals” (§170). Thus, in the same sentence, the AG brings PNR data within the scope of both Article 7 and Article 8 of the Charter. He further identifies different treatments of the data under the terms of the Agreement (§170):

– systematic transfer of PNR data to the Canadian public authorities,

– access to that data,

– the use of that data,

– its retention for a period of five years by those public authorities,

– its subsequent transfer to other public authorities, including those of third countries,

The AG states that all of the above are “operations which fall within the scope of the fundamental right to respect for private and family life guaranteed by Article 7 of the Charter and to the ‘closely connected’ but nonetheless distinct right to protection of personal data guaranteed by Article 8(1) of the Charter and constitute an interference with those fundamental rights” (§170).

Therefore, the AG does not differentiate here between what constitutes interference with the right to respect for private life and what constitutes interference with the right to the protection of personal data.

However, in the following paragraph, the AG does make such a differentiation, but only because he restates the findings of the Court in Digital Rights Ireland, even if this partly repeats some of the findings in §170: “the obligation to retain that data, required by the public authorities, and subsequent access of the competent national authorities to data relating to a person’s private life also constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter (he refers here to §34 and §35 of DRI in a footnote). Likewise, an EU act prescribing any form of processing of personal data constitutes an interference with the fundamental right, laid down in Article 8 of the Charter, to protection of such data (he refers here to §29 and §36 of DRI)” (§171).

There is not a lot of clarity transpiring from these two paragraphs, especially considering that §170 in fact refers to interference only with the first paragraph of Article 8 and not with the entire Article 8 (See also Section 4 of this analysis for additional comments prompted by this differentiation).

What is certain is that indeed there is an interference with both rights. The AG further notes the seriousness of that interference, indicating that he is fully aware of its severity:

“The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable size and a not insignificant gravity. It systematically affects all passengers flying between Canada and the Union, that is to say, several tens of millions of persons a year. Furthermore, as most of the interested parties have confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers, which includes sensitive data, requiring, by definition, automated processing, and the retention of that data for a period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with pre-established patterns of behaviour that is ‘at risk’ or ‘of concern’, in connection with terrorist activities and/or serious transnational crime, in order to identify persons not hitherto known to the police or not suspected. Those characteristics, apparently inherent in the PNR scheme put in place by the agreement envisaged, are capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects” (§176).

Even though at this stage the AG acknowledges the severity of the interference with fundamental rights of PNR schemes, he deems it to be justified by necessity (See Section 5 of this analysis).

Finally, it is also notable to mention that the AG found that the procedures for collecting the data come within the competence of the air carriers, “which, in this regard, must act in compliance with the relevant national provisions and with EU law” (§178). He concludes that “the collection of the PNR data therefore does not constitute a processing of personal data entailing an interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter that results from the agreement envisaged itself. In the light of the limited power of the Court in the context of the opinion procedure, that operation will therefore not form the subject matter of the following developments” (§179).

 

……………………………………………………..

[1] Dealt with in this section.

[2] Dealt with in Sections 4 and 5 of this analysis.

Section 4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1) Charter

(Section 4 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After establishing that the EU-Canada PNR Agreement allows for a particularly serious interference with the rights to respect for private life and to the protection of personal data, the AG goes on to analyze whether this interference is justified.

First, he establishes that neither of the two rights “is an absolute prerogative” (§181), meaning that their exercise can be limited. The AG recalls that “that limitations may be placed on the exercise of rights such as those enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (§182).

Again, just like in §170, the AG refers only to limitations of the first paragraph of Article 8. Moreover, he specifies in the following paragraph that “Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’” (§183). He follows this only by stating that “with regard to one of the conditions set out in Article 8(2) of the Charter … the agreement envisaged does not seek to base the processing of the PNR data communicated to the Canadian competent authority on the consent of the air passengers” (§184).

This is why paragraph 188 comes as a surprise, because, after finding the essence of the two rights is not touched (see below), the AG states that “It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied” (§188).  

To my knowledge, it is for the first time an Advocate General, or the Court for that matter, refers to the second paragraph of Article 8 of the Charter as prescribing “conditions for justification” of interferences with the right to the protection of personal data and equals them to those laid down in Article 52(1) of the Charter.

Such a hypothesis is not without merit from the outset, but it would need a more in depth justification than simply stating a couple of paragraphs above that Article 8(2) of the Charter only allows processing of data only for specified purposes and if it is based on consent or has another legitimate basis laid down by law. For instance, if indeed we were to consider that any processing of personal data constitutes an interference with Article 8 (this finding by the Court in DRI has some faults worthy of academic attention, but for the moment we have to work with it), then it would make sense to see the conditions for having a lawful basis for processing as being conditions for justifying the “interference” with the right to the protection of personal data.

Moreover, a separate analysis of whether the conditions in Article 8(2) are satisfied does not follow. The AG merely states in §189 that the conditions from Article 52(1) for the interference to be provided for by law and to meet objectives of general interest are equivalent with the “expression used in Article 8(2)” – having a “legitimate basis”, and they are “manifestly satisfied” (§189).

As for the essence of the two rights, the AG recalls that neither of the parties did not invoke before the Court that the interference harms the essence of the two fundamental rights (§185).

With regard to the essence of Article 7, he further explains that “the nature of the PNR data forming the subject matter of the agreement envisaged does not permit any precise conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question continues to be limited to the pattern of air travel between Canada and the Union” (§186). The AG also refers in this context to the “masking” and gradual “depersonalization” of the data as guarantees to preserve private life (§186).

With regard to the essence of Article 8, the AG mentions that “under Article 9 of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection, security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data security must be amenable to effective and dissuasive corrective measures which might include sanctions” (§187). Unfortunately, the AG does not expand on the concept of the essence of the right to the protection of personal data and does not depart from what the Court indicated in Digital Rights Ireland at §40, restricting the essence of Article 8 mainly to the presence of data security measures.

Concluding that the essence of the two rights is not touched upon, the AG further analyzes the proportionality and the necessity of the interference.

Section 5. The awkward two level necessity test that convinced the AG PNR schemes are acceptable

(Section 5 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After he establishes that the Court should carry out “a strict review of compliance with the requirements resulting from the principle of proportionality, and more particularly, from the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged” (§200), the AG further assesses if the interference is “strictly necessary”.

He considers the “strict necessity” test as a component of the proportionality test, together with “the ability of the interference to achieve the ‘public security’ objective pursued by the Agreement”.

With regard to the latter criterion, the AG does not believe “there are any real obstacles to recognising that the interference constituted by the agreement envisaged is capable of attaining the objective of public security, in particular the objective of combating terrorism and serious transnational crime” (§205). “As the United Kingdom Government and the Commission, in particular, have claimed, the transfer of PNR data for analysis and retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network or participating in serious transnational criminal activities” (§205).

In addition, the AG finds the statistics provided by the Commission and the UK relevant to find that “the data constitutes a valuable tool for criminal investigations” (§205). He reaches this conclusion in spite of the fact that at §151, when summarizing the contributions of the parties before the Court, the AG recalls that “The Commission accepts that there are no precise statistics indicating the contribution which PNR data makes to the prevention and detection of crime and terrorism, and to the investigation and prosecution of offences of those types.”

With regard to the strict necessity of the interference, the AG establishes that its assessment “entails ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the private life of the persons concerned” (§207), by making a reference to §77 of the Schecke judgment. That paragraph in Schecke seems to me to establish a different principle – namely that, when balancing two opposing rights, one of which is the right to the protection of personal data, it must be taken into account that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”[1].

Notwithstanding, the AG follows by stating that “the terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the agreement envisaged” (§208). He explains:

“That means that it is not sufficient to imagine, in the abstract, the existence of alternative measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be sufficiently effective, that is to say, their effectiveness must, in my view, be comparable with those provided for in the agreement envisaged, in order to attain the public security objective pursued by that agreement” (§208).

In quite a big leap, AG Mengozzi relies for this twofold test for necessity on a paragraph in the Schwartz judgment, §53, which states that “the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints.”

This twofold test is not used in any of the most recent landmark judgments of the Court – DRI, which relies greatly on the analysis of the condition of “necessity”, and Schrems. However, looking at strict necessity through this lens of proportionality and equivalent effectiveness persuaded the AG to conclude that PNR schemes, even if they constitute the kind of interference he accurately described in §176, are acceptable.

Comparing the wealth of PNR data to data collected usually for border control purposes by immigration authorities, including Advance Passenger Information and information collected by Canadian authorities for their eVA program, the AG concluded that “data of that type (API, eVA – my note) does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API and the data required for the issue of an eVA are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged” (§214).

The AG further justifies that PNR data of all passengers are transferred to the Canadian authorities, “even though there is no indication that their conduct may have a connection with terrorism or serious transnational crime” (215) by arguing that “as the interested parties have explained, the actual interest of PNR schemes, whether they are adopted unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks” (§216).

He finds at §244, referring to the fact that the Agreement involves transfers of data of all passengers between the Union and Canada, irrespective of whether they are suspects or not, that no other measure which, while limiting the number of persons whose PNR data is automatically processed by the Canadian competent authority, would be capable of attaining with comparable effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in the context of the present proceedings”.

The AG therefore concluded that “generally, the scope ratione personae of the agreement envisaged cannot be limited further without harming the very object of the PNR regimes” (§245).

Another characteristic of PNR schemes that is generally considered questionable – the lack of an ex ante control of access to PNR data, is found justifiable by the AG in the light of the “fair balance” test for strict necessity: “the appropriate balance that must be struck between the effective pursuit of the fight against terrorism and serious transnational crime and respect for a high level of protection of the personal data of the passengers concerned does not necessarily require that a prior control of access to the PNR data must be envisaged” (§269).

Therefore, the idea of PNR schemes seems to be compatible with the fundamental rights to data protection and respect for private life, in the view of AG Mengozzi. However, the list of conditions he develops for the Agreement in the current case to be fully compliant with EU primary law is quite long and quite strict and it bears bad news for other similar arrangements.

 

……………………………………………

[1] §77 of Schecke states this: “It is thus necessary to determine whether the Council of the European Union and the Commission balanced the European Union’s interest in guaranteeing the transparency of its acts and ensuring the best use of public funds against the interference with the right of the beneficiaries concerned to respect for their private life in general and to the protection of their personal data in particular. The Court has held in this respect that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Satakunnan Markkinapörssi and Satamedia, paragraph 56).”

Section 6. The list of reasons why the EU-Canada PNR Agreement is incompatible with the Charter and the Treaty

(Section 6 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

AG Mengozzi divides his Conclusions on the compatibility of the EU-Canada PNR Agreement with EU primary law into two lists.

The first list contains 11 improvements that can be made in order for the Agreement to be compliant with Articles 7, 8 and 52(1) of the Charter and Article 16 TFEU (see paragraph 2 of the Conclusions)

A. Sensitive data must be outside the scope of PNR schemes

Notably, sensitive data must be excluded from the scope of the Agreement. The AG found that the Agreement “goes beyond what is strictly necessary by including in its scope the transfer of PNR data that is apt to contain sensitive data, which in material terms allows information about the health or ethnic origin or religious beliefs of the passenger concerned and and/or of those travelling with him to be disclosed” (§221). He follows by stating that “the risk of stigmatising a large number of individuals who are not suspected of any offence which the use of such sensitive data entails strikes me as particularly worrying and prompts me to propose that the Court should exclude data of that type from the scope of the agreement envisaged” (§222).

B. Transparency requirements

In addition, the agreement should expressly specify “the principles and rules applicable to both the pre-established scenarios or assessment criteria and the databases with which the Passenger Name Record data is compared in the context of the automated processing of that data, in such a way that the number of ‘targeted’ persons can be limited, to a large extent and in a non-discriminatory manner, to those who can be reasonably suspected of participating in a terrorist offence or serious transnational crime” (4th subparagraph of §2 of the Conclusions).

C. Article 8(3) of the Charter on independent supervision, fully applicable in the light of “essentially equivalence”

Another important condition to achieve compliance with EU primary law is that the agreement must systematically ensure “by a clear and precise rule, control by an independent authority, within the meaning of Article 8(3) of the Charter of Fundamental Rights of the European Union, of respect for the private life and protection of the personal data of passengers whose Passenger Name Record data is processed” (10th subparagraph of §2 of the Conclusions).

In this regard, the AG found that “control by an independent authority, required in particular by Article 8(3) of the Charter, is fully applicable in the present case” (§310), in the light of the fact that the intention of the contracting parties is “to ensure a level of protection that is intended to be ‘substantially equivalent’ to that which individuals would enjoy if their personal data were processed and retained within the Union” (§309).

The AG further found that the “independent supervision” condition is not fully complied with because of the alternative wording of Article 10(1) of the agreement, which gives the impression that the processing of PNR data by the Canadian authorities might also be wholly assumed by the ‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy’ – the Recourse Directorate of the Canadian authority receiving the data, instead of the Privacy Commissioner of Canada (§314).

While nobody questioned the independence of the Privacy Commissioner (§312), the AG found that “irrespective of the guarantees … from the Mission of Canada to the European Union, according to which the Recourse Directorate of the CBSA will receive no directions from the other operational bodies of the latter, that directorate, like all the other bodies of the CBSA, continues to be directly subordinate to the responsible Minister, from whom it may receive directions. Since it is liable to be subject to influence of, in particular, a political nature on the part of the authority to which it is responsible or more generally the Executive, the Recourse Directorate of the CBSA cannot be regarded as an independent supervisory authority for the purposes of Article 8(3) of the Charter” (§315).

This finding, if upheld by the Court, is perhaps the most relevant one that could apply, mutatis mutandis, to an eventual challenge of the EU-US Privacy Shield arrangement, in particular with regard to the independence of the Ombudsman.

D. It must be possible that data subjects exercise their rights from the EU

 Another notable improvement that must be done in order for the Agreement to be compliant with EU primary law is that it should make clear that “requests for access, rectification and annotation made by passengers not present on Canadian territory may be submitted, either directly or by means of an administrative appeal, to an independent public authority” (last subparagraph of §2 of the Conclusions).

The second list of the Conclusions contains 5 reasons why the Agreement is incompatible with EU primary law (§3 of the Conclusions):

  1. “Article 3(5) of the agreement envisaged allows, beyond what is strictly necessary, the possibilities of processing Passenger Name Record data to be extended, independently of the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime”;

The AG found that according to that article, “the processing of PNR data is ‘also’ permitted, on a case-by-case basis, in order to comply with the subpoena or warrant issued, or an order made, by a court, although it is not stated that that court must be acting in the context of the purposes of the agreement envisaged. That article therefore appears to allow the processing of PNR data for purposes unconnected with those pursued by the agreement envisaged and/or possibly in connection with conduct or offences not coming within the scope of that agreement” (§236).

  1. Article 8 of the agreement envisaged provides for the processing, use and retention by Canada of Passenger Name Record data containing sensitive data;
  2. Article 12(3) of the agreement envisaged confers on Canada, beyond what is strictly necessary, the right to make disclosure of information subject to reasonable legal requirements and limitations;

Paragraph 3 of that article extends the possibilities of access to the PNR data and information extracted from it “to anyone, without any specific guarantees being laid down” (§293). “Article 12(3) of the agreement envisaged authorises Canada to ‘make any disclosure of information subject to reasonable legal requirements and limitations …, with due regard for the legitimate interests of the individual concerned’. However, neither the recipients of that ‘information’ nor the use to which it is put is defined in the agreement envisaged. It is therefore quite possible that that information may be communicated to any natural or legal person, such as a bank, for example, provided that Canada considers that the disclosure of such information does not exceed ‘reasonable’ legal requirements, which, moreover, are not defined in the agreement envisaged” (§293).

  1. Article 16(5) of the agreement envisaged authorises Canada to retain Passenger Name Record data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime;

The AG criticized that pursuant to Article 16(5) of the Agreement “sensitive data of a Union citizen who has taken a flight to Canada is liable to be retained for five years (and, where appropriate, unmasked and analysed during that period) by any Canadian public authority, for any ‘action’ or ‘investigation’ or ‘judicial proceeding’, without being in any way connected to the objective pursued by the agreement envisaged, for example, as the Parliament has pointed out, in the event of proceedings related to contract law or family law. The possibility that such a situation will arise prompts the conclusion that on this point the contracting parties have not struck a fair balance between the objectives pursued by the agreement envisaged” (§224).

  1. Article 19 of the agreement envisaged allows Passenger Name Record data to be transferred to a public authority in a third country without the Canadian competent authority, subject to control by an independent authority, first being satisfied that the public authority in the third country in question to which the data is transferred cannot itself subsequently communicate the data to another body, where relevant, in another third country. (For the relevant analysis, see §300 to §304 of the Opinion).

Main points from FTC’s Internet of Things Report

FTC published on 27 January a Report on the Internet of Things, based on the conclusions of a workshop organised in November with representatives of industry, consumers and academia.

It is apparent from the Report that the most important issue to be tackled by  the industry is data security – it represents also the most important risk to consumers.

While data security enjoys the most attention in the Report and the bigger part of the recommendations for best practices, data minimisation and notice and choice are considered to remain relevant and important in the IoT environment. FTC even provides a list of practical options for the industry to provide notice and choice, admitting that there is no one-size-fits-all solution.

The most welcomed recommendation in the report (at least, by this particular reader) was the one referring to the need of general data security and data privacy legislation – and not such legislation especially tailored for IoT. FTC called the Congress to act on these two topics.

Here is a brief summary of the Report:

The IoT definition from FTC’s point of view

Everyone in the field knows there is no generally accepted definition of what IoT is. It is therefore helpful to know what FTC considers IoT to be for its own activity:

“things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.

In addition, FTC clarified that, consistent with their mission to protect consumers in the commercial sphere, their discussion of IoT is limited to such devices that are sold to or used by consumers.

Stunning facts and numbers

  • as of this year, there will be 25 billion connected devices worldwide;
  • fewer than 10,000 households using one company’s IoT home automation product can “generate 150 million discrete data points a day” or approximately one data point every six seconds for each household.

Data security, the elephant in the house

Most of the recommendations for best practices that FTC made are about ensuring data security. According to the Report, companies:

  • should implement “security by design” by building security into their devices at the outset, rather than as an afterthought;
  • must ensure that their personnel practices promote good security; as part of their personnel practices, companies should ensure that product security is addressed at the appropriate level of responsibility within the organization;
  • must work to ensure that they retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so;
  • should implement a defense-in-depth approach, where security measures are considered at several levels; (…) FTC staff encourages companies to take additional steps to secure information passed over consumers’ home networks;
  • should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network;
  • should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

Attention to de-identification! 

In the IoT ecosystem, data minimization is challenging, but it remains important.

  • Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.
  • To the extent that companies decide they need to collect and maintain data to satisfy a business purpose, they should also consider whether they can do so while maintaining data in deidentified form.

When a company states that it maintains de-identified or anonymous data, the Commission has stated that companies should

  1. take reasonable steps to de-identify the data, including by keeping up with technological developments;
  2. publicly commit not to re-identify the data; and
  3. have enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data.

Notice and choice – difficult in practice, but still relevant

While the traditional methods of providing consumers with disclosures and choices may need to be modified as new business models continue to emerge, (FTC) staff believes that providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT. Notice and choice is particularly important when sensitive data is collected.

  • Staff believes that providing consumers with the ability to make informed choices remains practicable in the IoT;
  • Staff acknowledges the practical difficulty of providing choice when there is no consumer interface, and recognizes that there is no one-size-fits-all approach. Some options are enumerated in the report – several of which were discussed by workshop participants: choices at point of sale, tutorials, codes on the device, choices during set-up.

No need for IoT specific legislation, but general data security and data privacy legislation much needed

  • Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time;
  • However, while IoT specific-legislation is not needed, the workshop provided further evidence that Congress should enact general data security legislation;
  • General technology-neutral data security legislation should protect against unauthorized access to both personal information and device functionality itself;
  • General privacy legislation that provides for greater transparency and choices could help both consumers and businesses by promoting trust in the burgeoning IoT marketplace; In addition, as demonstrated at the workshop, general privacy legislation could ensure that consumers’ data is protected, regardless of who is asking for it.

What Happens in the Cloud Stays in the Cloud, or Why the Cloud’s Architecture Should Be Transformed in ‘Virtual Territorial Scope’

This is the paper I presented at the Harvard Institute for Global Law and Policy 5th Conference, on June 3-4, 2013. I decided to make it available open access on SSRN. I hope you will enjoy it and I will be very pleased if any of the readers would provide comments and ideas. The main argument of the paper is that we need global solutions for regulating cloud computing. It begins with a theoretical overview on global governance, internet governance and territorial scope of laws, and it ends with three probable solutions for global rules envisaging the cloud. Among them, I propose the creation of a “Lex Nubia” (those of you who know Latin will know why 😉 ).  My main concern, of course, is related to privacy and data protection in the cloud, but that is not the sole concern I deal with in the paper.

Abstract:

The most common used adjective for cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in the need to revise its fundamentals. Regulating a “model” of “ubiquitous network access” which relates to “a shared pool of computing resources” (the NIST definition of cloud computing) is perhaps the most challenging task for regulators worldwide since the appearance of the computer, both procedurally and substantially. Procedurally, because it significantly challenges concepts such as “territorial scope of the law” – what need is there for a territorial scope of a law when regulating a structure which is designed to be “abstracted”, in the sense that nobody knows “where things physically reside” ? Substantially, because the legal implications in connection with cloud computing services are complex and cannot be encompassed by one single branch of law, such as data protection law or competition law. This paper contextualizes the idea of a global legal regime for providing cloud computing services, on one hand by referring to the wider context of global governance and, on the other hand, by pointing out several solutions for such a regime to emerge.

You can download the full text of the paper following this link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2409006