Tag Archives: Court of Justice of the EU

Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter

AG Mengozzi delivered his Opinion in the EU-Canada PNR case (Opinion 1/15) on 8 September 2016. While his conclusions clearly indicate that, in part, the current form of the agreement between Canada and the EU “on the transfer and processing of Passenger Name Record data” is not compliant with EU primary law – and in particular with Articles 7, 8 and 52(1) of the Charter[1] and Article 16(2) TFEU[2], the AG seems to accept that PNR schemes in general (involving indiscriminate targeting, profiling, preemptive policing) are compatible with fundamental rights in the EU.

In summary, it seems to me that the AG’s message is: “if you do it unambiguously and transparently, under independent supervision, and without sensitive data, you can process PNR data of all travellers, creating profiles and targeting persons matching patterns of suspicious behaviour”.

This is problematic for the effectiveness of the right to the protection of personal data and the right to respect for private life. Even though the AG agrees that the scrutiny of an international agreement such as the EU-Canada PNR Agreement should not be looser than that of an ordinary adequacy decision or that of an EU Directive, and considers that both Schrems and Digital Rights Ireland should apply in this case, he doesn’t apply in all instances the rigorous scrutiny the Court uses in those two landmark judgments. One significant way in which he is doing this is by enriching the ‘strict necessity test’ so that it comprises a “fair balance” criterion and an “equivalent effectiveness” threshold (See Section 5).

On another hand, AG Mengozzi is quite strict with the safeguards he sees as essential in order to make PNR agreements such as the one in this case compatible with fundamental rights in the EU.

Data protection authorities have warned time and again that PNR schemes are not strictly necessary to fight terrorism, serious and transnational crimes – they are too invasive and their effectiveness has not yet been proven. The European Data Protection Supervisor – the independent advisor of the EU institutions on all legislation concerning processing of personal data, has issued a long series of Opinions on PNR schemes – be it in the form of international agreements on data transfers, adequacy decisions or EU legislation, always questioning their necessity and proportionality[3]. In the latest Opinion from this series, on the EU PNR Directive, the EDPS clearly states that the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance” (§63) and in the lack of appropriate and unambiguous evidence that such a scheme is necessary, the PNR scheme is not compliant with Articles 7, 8 and 52 of the Charter, Article 16 TFEU and Article 8 ECHR (§64).

The Article 29 Working Party also has a long tradition in questioning the idea itself of a PNR system. A good reflection of this is Opinion 7/2010, where the WP states that “the usefulness of large-scale profiling on the basis of passenger data must be questioned thoroughly, based on both scientific elements and recent studies” (p. 4) and declares that it is not satisfied with the evidence for the necessity of such systems.

The European Parliament suspended the procedure to conclude the Agreement and decided to use one of its new powers granted by the Treaty of Lisbon and asked the CJEU to issue an Opinion on the compliance of the Agreement with EU primary law (TFEU and the Charter).

Having the CJEU finally look at PNR schemes is a matter of great interest for all EU travellers, and not only them. Especially at a time like this, when it feels like surveillance is served to the people by states all over the world – from liberal democracies to authoritarian states, as an acceptable social norm.

General remarks: first-timers and wide implications

The AG acknowledges in the introductory part of the Opinion that the questions this case brought before the Court are “unprecedented and delicate” (§5). In fact, the AG observes later on in the Opinion that the “methods” applied to PNR data, once transferred, in order to identify individuals on the basis of patterns of behavior of concern are not at all provided for in the agreement and “seem to be entirely at the discretion of the Canadian authorities” (§164). This is why the AG states that one of the greatest difficulties of this case is that it “entails ascertaining … not merely what the agreement envisaged makes provision for, but also, and above all, what it has failed to make provision for” (§164).

The AG also makes it clear in the beginning of the Opinion that the outcome of this case has implications on the other “PNR” international agreements the EU concluded with Australia and the US and on the EU PNR Directive (§4). A straightforward example of a possible impact on these other international agreements, beyond analyzing their content, is the finding that the legal basis on which they were adopted is incomplete (they must be also based on Article 16 TFEU) and wrong (Article 82(1)(d) TFEU on judicial cooperation is incompatible as legal basis with PNR agreements).

The implications are even wider than the AG acknowledged. For instance, a legal instrument that could be impacted is the EU-US Umbrella Agreement – another international agreement on transfers of personal data from the EU to the US in the law enforcement area, which has both similarities and differences compared to the PNR agreements. In addition, an immediately affected legal process will be the negotiations that the European Commission is currently undertaking with Mexico for a PNR Agreement.

Even if it is not an international agreement, the adequacy decision based on the EU-US Privacy Shield deal could be impacted as well, especially with regard to the findings on the independence of the supervisory authority in the third country where data are transferred (See Section 6 for more on this topic).

Finally, the AG also mentions that this case allows the Court to “break the ice” in two matters:

  • It will examine for the first time the scope of Article 16(2) TFEU (§6) and
  • rule for the first time on the compatibility of a draft international agreement with the fundamental rights enshrined in the Charter, and more particularly with those in Article 7 and Article 8 (§7).

Therefore, the complexity and novelty of this case are considerable. And they are also a good opportunity for the CJEU to create solid precedents in such delicate matters.

I structured this post around the main ideas I found notable to look at and summarize, after reading the 328-paragraphs long Opinion. In order to make it easier to read, I’ve split it into 6 Sections, which you can find following the links below.

  1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for international agreements on transfers of personal data
  2. A look at the surface: it is not an adequacy decision, but it establishes adequacy
  3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing
  4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1)
  5. The awkward two level necessity test that convinced the AG the PNR scheme is acceptable
  6. The list of reasons why the Agreement is incompatible with the Charter and the Treaty

……………………………………………………….

[1] Article 7 – the right to respect for private life, Article 8 – the right to the protection of personal data, Article 52(1) – limitations of the exercise of fundamental rights.

[2] With regard to the obligation to have independent supervision of processing of personal data.

[3] See the latest one, Opinion 5/2015 on the EU PNR Directive and see the Opinion on the EU-Canada draft agreement.

***

Find what you’re reading useful? Consider supporting pdpecho.

Advertisements

Section 6. The list of reasons why the EU-Canada PNR Agreement is incompatible with the Charter and the Treaty

(Section 6 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

AG Mengozzi divides his Conclusions on the compatibility of the EU-Canada PNR Agreement with EU primary law into two lists.

The first list contains 11 improvements that can be made in order for the Agreement to be compliant with Articles 7, 8 and 52(1) of the Charter and Article 16 TFEU (see paragraph 2 of the Conclusions)

A. Sensitive data must be outside the scope of PNR schemes

Notably, sensitive data must be excluded from the scope of the Agreement. The AG found that the Agreement “goes beyond what is strictly necessary by including in its scope the transfer of PNR data that is apt to contain sensitive data, which in material terms allows information about the health or ethnic origin or religious beliefs of the passenger concerned and and/or of those travelling with him to be disclosed” (§221). He follows by stating that “the risk of stigmatising a large number of individuals who are not suspected of any offence which the use of such sensitive data entails strikes me as particularly worrying and prompts me to propose that the Court should exclude data of that type from the scope of the agreement envisaged” (§222).

B. Transparency requirements

In addition, the agreement should expressly specify “the principles and rules applicable to both the pre-established scenarios or assessment criteria and the databases with which the Passenger Name Record data is compared in the context of the automated processing of that data, in such a way that the number of ‘targeted’ persons can be limited, to a large extent and in a non-discriminatory manner, to those who can be reasonably suspected of participating in a terrorist offence or serious transnational crime” (4th subparagraph of §2 of the Conclusions).

C. Article 8(3) of the Charter on independent supervision, fully applicable in the light of “essentially equivalence”

Another important condition to achieve compliance with EU primary law is that the agreement must systematically ensure “by a clear and precise rule, control by an independent authority, within the meaning of Article 8(3) of the Charter of Fundamental Rights of the European Union, of respect for the private life and protection of the personal data of passengers whose Passenger Name Record data is processed” (10th subparagraph of §2 of the Conclusions).

In this regard, the AG found that “control by an independent authority, required in particular by Article 8(3) of the Charter, is fully applicable in the present case” (§310), in the light of the fact that the intention of the contracting parties is “to ensure a level of protection that is intended to be ‘substantially equivalent’ to that which individuals would enjoy if their personal data were processed and retained within the Union” (§309).

The AG further found that the “independent supervision” condition is not fully complied with because of the alternative wording of Article 10(1) of the agreement, which gives the impression that the processing of PNR data by the Canadian authorities might also be wholly assumed by the ‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy’ – the Recourse Directorate of the Canadian authority receiving the data, instead of the Privacy Commissioner of Canada (§314).

While nobody questioned the independence of the Privacy Commissioner (§312), the AG found that “irrespective of the guarantees … from the Mission of Canada to the European Union, according to which the Recourse Directorate of the CBSA will receive no directions from the other operational bodies of the latter, that directorate, like all the other bodies of the CBSA, continues to be directly subordinate to the responsible Minister, from whom it may receive directions. Since it is liable to be subject to influence of, in particular, a political nature on the part of the authority to which it is responsible or more generally the Executive, the Recourse Directorate of the CBSA cannot be regarded as an independent supervisory authority for the purposes of Article 8(3) of the Charter” (§315).

This finding, if upheld by the Court, is perhaps the most relevant one that could apply, mutatis mutandis, to an eventual challenge of the EU-US Privacy Shield arrangement, in particular with regard to the independence of the Ombudsman.

D. It must be possible that data subjects exercise their rights from the EU

 Another notable improvement that must be done in order for the Agreement to be compliant with EU primary law is that it should make clear that “requests for access, rectification and annotation made by passengers not present on Canadian territory may be submitted, either directly or by means of an administrative appeal, to an independent public authority” (last subparagraph of §2 of the Conclusions).

The second list of the Conclusions contains 5 reasons why the Agreement is incompatible with EU primary law (§3 of the Conclusions):

  1. “Article 3(5) of the agreement envisaged allows, beyond what is strictly necessary, the possibilities of processing Passenger Name Record data to be extended, independently of the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime”;

The AG found that according to that article, “the processing of PNR data is ‘also’ permitted, on a case-by-case basis, in order to comply with the subpoena or warrant issued, or an order made, by a court, although it is not stated that that court must be acting in the context of the purposes of the agreement envisaged. That article therefore appears to allow the processing of PNR data for purposes unconnected with those pursued by the agreement envisaged and/or possibly in connection with conduct or offences not coming within the scope of that agreement” (§236).

  1. Article 8 of the agreement envisaged provides for the processing, use and retention by Canada of Passenger Name Record data containing sensitive data;
  2. Article 12(3) of the agreement envisaged confers on Canada, beyond what is strictly necessary, the right to make disclosure of information subject to reasonable legal requirements and limitations;

Paragraph 3 of that article extends the possibilities of access to the PNR data and information extracted from it “to anyone, without any specific guarantees being laid down” (§293). “Article 12(3) of the agreement envisaged authorises Canada to ‘make any disclosure of information subject to reasonable legal requirements and limitations …, with due regard for the legitimate interests of the individual concerned’. However, neither the recipients of that ‘information’ nor the use to which it is put is defined in the agreement envisaged. It is therefore quite possible that that information may be communicated to any natural or legal person, such as a bank, for example, provided that Canada considers that the disclosure of such information does not exceed ‘reasonable’ legal requirements, which, moreover, are not defined in the agreement envisaged” (§293).

  1. Article 16(5) of the agreement envisaged authorises Canada to retain Passenger Name Record data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime;

The AG criticized that pursuant to Article 16(5) of the Agreement “sensitive data of a Union citizen who has taken a flight to Canada is liable to be retained for five years (and, where appropriate, unmasked and analysed during that period) by any Canadian public authority, for any ‘action’ or ‘investigation’ or ‘judicial proceeding’, without being in any way connected to the objective pursued by the agreement envisaged, for example, as the Parliament has pointed out, in the event of proceedings related to contract law or family law. The possibility that such a situation will arise prompts the conclusion that on this point the contracting parties have not struck a fair balance between the objectives pursued by the agreement envisaged” (§224).

  1. Article 19 of the agreement envisaged allows Passenger Name Record data to be transferred to a public authority in a third country without the Canadian competent authority, subject to control by an independent authority, first being satisfied that the public authority in the third country in question to which the data is transferred cannot itself subsequently communicate the data to another body, where relevant, in another third country. (For the relevant analysis, see §300 to §304 of the Opinion).