Tag Archives: Passenger Name Records

Section 1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for concluding international agreements on transfers of personal data

(Section 1 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

Currently, the Council decision adopted for concluding the EU-Canada PNR agreement rests on two legal bases: Article 82(1)(d) TFEU – on judicial cooperation in criminal matters within the Union[1] and Article 87(2)(a) TFEU – on police cooperation in criminal matters within the Union[2], in conjunction with Articles 218(5) and 218(6)(a) TFEU – procedure to negotiate international agreements. In his Opinion on the EU-Canada PNR Agreement  in 2013, the European Data Protection Supervisor questioned the choice of the legal basis and recommended that the proposal be based on Article 16 TFEU “as a comprehensive legal basis”, in conjunction with the Articles on the procedure to conclude international agreements, considering that:

According to Article 1 of the Agreement, its purpose is to set out the conditions for the transfer and use of PNR data in order to, on the one hand, “ensure the security and safety of the public” and, on the other hand, “prescribe the means by which the data shall be protected”. In addition, the vast majority of provisions of the Agreement relate to the latter objective, i.e. the protection of personal data, including data security and integrity. (EDPS Opinion on EU-Canada PNR, §8).

The European Parliament asked the Court in its request for an Opinion if the police cooperation and judicial cooperation articles are an appropriate legal basis, or if the act should be based on Article 16 TFEU.

  1. Why it matters to have a correct legal basis

As the AG acknowledges, the choice of the appropriate legal basis for concluding an international agreement has “constitutional significance” (§40). “The use of an incorrect legal basis is therefore apt to invalidate the act concluding the agreement and thus to vitiate the European Union’s consent to be bound by that agreement” (§40). Therefore, an act adopted on the wrong legal basis can be invalidated by the Court.

First of all, the AG recalled the settled case-law of the Court that the choice of legal basis for an EU measure “must rest on objective factors amenable to judicial review, which include the purpose and the content of that measure” (§61). He also recalled that if the measure pursues a twofold purpose, which can be differentiated into a predominant and an incidental purpose, “the act must be based on a single legal basis, namely, that required by the main or predominant purpose or component” (§61). The Court accepts only as an exception that an act may be founded on various legal bases corresponding to the number of objectives, if those are “inseparably linked, without one being incidental in relation to the other” (§62).

2. Are the two objectives of the Agreement inseparable?

The AG identifies the two objectives of the agreement – combating terrorism and other serious transnational crimes and respecting private life and the protection of personal data and he struggles to argue that the agreement “pursues two objectives and has two components that are inseparable” (§78) and he finds it difficult “to determine which of those objectives prevails over the other” (§79).

In my view, it is not difficult to identify the protection of personal data as the predominant purpose (think of causa proxima in legal theory) and the fight against terrorism as the incidental purpose (think of causa remota in legal theory).

In the Agreement, according to Article 1, “the Parties set out the conditions for the transfer and use of PNR data to ensure the security and safety of the public and prescribe the means by which the data is protected”. In other words, first and foremost, the Agreement sets out rules for transferring and using PNR data, including by prescribing the means by which the data is protected (causa proxima). This is done to ultimately ensure the security and safety of the public (causa remota).

This conclusion is reinforced by the content of the Agreement, which manifestly contains rules mainly relating to the processing of personal data – Article 2 Definitions, Article 3 – Use of PNR data, Article 5 – Adequacy and in the Chapter titled Safeguards applicable to the use of PNR data”, with Articles from 7 to 21, while the last 9 articles concern “implementing and final provisions” of a technical nature. It is also reinforced by the fact that the transfer of PNR data on the EU side is done from private companies and by the fact that, contrary to what the AG argues, the Agreement itself does not establish an obligation to transfer data.

The AG explains that “it is incorrect to claim that the agreement envisaged lays down no obligation for the airlines to transfer the PNR data to the Canadian competent authority” (§92). While he acknowledges that it is true that Article 4(1) of the Agreement states that the Union is to ensure only that air carriers “are not prevented” from transferring PNR data to the Canadian competent authority, he interprets that Article “in conjunction with Articles 5, 20 and 21 of the Agreement” in the sense that “air carriers are entitled and in practice required to provide the Canadian competent authority systematically with access to the PNR data for the purposes defined in Article 3 of the agreement envisaged” (§92).

In fact, Article 5 of the Agreement establishes that the Canadian Competent Authority “is deemed to ensure” an adequate level of data protection (therefore, indeed, air carriers would not be prevented to transfer data because of data protection concerns), Article 20 obliges the air carriers to use the “push method” when they transfer data and Article 21 sets out rules on the frequency of the requests of PNR data by the Canadian Competent Authority. While it is true that the last two articles set out rules for how the data should be transferred, neither contains a positive obligation for the air carriers to transfer the data.

Therefore, it seems to be in fact clear that the purpose of PNR arrangements like the one in the present case is to make sure that EU data protection law does not prevent air carriers to send data of travellers to authorities of third countries systematically, in bulk and without an ex ante control.

As the AG points out, “if Article 16 TFEU were taken as the sole legal basis of the act concluding the agreement envisaged, that would alter the status of the Kingdom of Denmark, Ireland and the United Kingdom of Great Britain and Northern Ireland, as those Member States would then be directly and automatically bound by the agreement, contrary to Article 29 of the agreement envisaged” (§51). This would happen because the Agreement would not be placed anymore under the former third pillar (law enforcement, police and judicial cooperation), which would not give the right to Denmark, Ireland and UK to opt out of it. Therefore, the Agreement would automatically apply to all EU Member States. However, this argument should not play a role in deciding which is the appropriate legal basis, as it is not linked to the purpose or the content of the Agreement at all.

Nevertheless, the AG established that the purposes of fighting crime and respecting data protection rights are inseparable. This is in any case a valuable further step, considering that the Council and the Commission completely excluded Article 16 TFEU from the legal bases. So which are the appropriate legal bases the AG recommends?

3. The “judicial cooperation” Article, found to be irrelevant

The AG finds that “as currently drafted, the agreement envisaged does not really seem to contribute to facilitating cooperation between the judicial or equivalent authorities of the Member States” (§108), within the meaning of Article 82(1)(d) TFEU. He sees as incidental the possibility for judicial authorities of Canada to send in particular cases PNR data to judicial authorities in the EU, which would further contribute to judicial cooperation within the EU.

Interestingly, the AG mentions that this conclusion is not affected by the fact that the Council decisions concluding the PNR Agreements with US and Australia are also based on Article 82(1)(d). He reminds that “the legal basis used for the adoption of other Union measures that might display similar characteristics is irrelevant” (§109).

However, the fact remains that if Article 82(1)(d) is not a proper legal basis for the act concluding the EU-Canada PNR Agreement, it is most probably not a proper legal basis for the other EU acts concluding PNR Agreements.

4. The “police cooperation” Article, found to be relevant

Even if he saw that the agreement does not in fact facilitate judicial cooperation within the Union, the AG considers that, on another hand, it does facilitate police cooperation within the Union. To this end, he is building his argumentation mainly on Article 6 of the Agreement, which is the only one referring to “Police and judicial cooperation”.

Indeed, as recalled in §105, “under Article 6(2) of the agreement envisaged Canada is required, at the request of, among others, the police or a judicial authority of a Member State of the Union, to share, in specific cases, PNR data or analytical information containing PNR data obtained under the agreement envisaged in order to prevent or detect ‘within the European Union’ a terrorist offence or serious transnational crime.”

However, what the AG does not refer to in his analysis is the last sentence of Article 6(2) of the Agreement, which states that Canada shall make this information available in accordance with agreements and arrangements on law enforcement, judicial cooperation, or information sharing, between Canada and Europol, Eurojust or that Member State”. Therefore, sharing PNR data obtained by Canada from air carriers in the conditions set out in the Canada-PNR Agreement with Europol, Eurojust or a specific MS will be done in accordance with separate agreements. In conclusion, there are completely different agreements that have as purpose sharing of information to ensure both police and judicial cooperation between Canada and the competent authorities of the EU, which apply to sharing PNR data as well.

Finally, the AG considers that indeed Article 87(2)(a) is properly set out as legal basis of the act concluding the agreement envisaged, but he also states that it seems to him it is “insufficient to enable the Union to conclude that agreement”. Therefore, he proposes the act concluding the Agreement to be also based on Article 16(2) TFEU.

This conclusion prompts a much expected first substantive analysis of the content of Article 16(2) TFEU in an act of the Court of Justice after the entering into force of the Lisbon Treaty in 2009.

5. Relevance of Article 16(2) TFEU to serve as legal basis for concluding the EU-Canada PNR Agreement

 The AG recalls that “the content of the agreement envisaged supports that [data protection – my addition] objective, in particular the terms in the chapter on ‘Safeguards applicable to the processing of PNR data’, consisting of Articles 7 to 21 of the agreement envisaged” (§113). Therefore, he concludes that, in his view, “action taken by the Union must necessarily be based … on the first subparagraph of Article 16(2) TFEU, which, it will be recalled, confers on the Parliament and the Council the task of laying down the rules relating to the protection of individuals with regard to the processing of personal data by, inter alia, the Member States when carrying out activities which fall within the scope of application of EU law and the rules relating to the free movement of such data” (§114).

The AG further develops the three main principles that underlie this approach.

Firstly, he reminds that the EU is competent to conclude international agreements in the field of data protection (Article 216(1) TFEU in conjunction with Article 16 TFEU). In addition, “there is no doubt that the terms of the agreement envisaged must be characterized as “rules” relating to the protection of the data of natural persons, within the meaning of the first subparagraph of Article 16(1) TFEU, and intended to bind the contracting parties” (§115). (Note: considering Article 16(1) does not have subparagraphs, probably there was an error of transcript and this reference should have been either to the first subparagraph of Article 16(2) or simply to Article 16(1)).

Secondly, the AG adds that the first subparagraph of Article 16(2) “is intended to constitute the legal basis for all rules adopted at EU level relating to the protection of individuals with regard to the processing of their personal data, including the rules coming within the framework of the adoption of measures relating to the provisions of the FEU Treaty on police and judicial cooperation in criminal matters” (§116). He explains thus why Article 16 TFEU is relevant even if the act concluding the Agreement would also be based on an Article providing for police cooperation.

Thirdly, and most importantly, the AG clearly states that Article 16(2) cannot be considered irrelevant for the agreement because the protecting measures which can be adopted under that Article relate to the processing of data by authorities of the Member States and not, as in this instance, to the transfer of data previously obtained by private entities (the air carriers) to a third country (§118). This is a key interpretation, because, indeed, the ad litteram wording of Article 16 is restrictive – it refers to putting in place rules by the Union regarding processing of personal data by:

  • Union institutions, bodies, offices and agencies and
  • By the Member States when carrying out activities which fall within the scope of Union law.

Applying Article 16 ad litteram would mean that the Union does not have the competence to regulate how private entities process data. As the AG convincingly explains, “to put a strictly literal interpretation on the new legal basis constituted by the first subparagraph of Article 16(2) TFEU would be tantamount to splitting up the system for the protection of personal data. Such an interpretation would run counter to the intention of the High Contracting Parties to create, in principle, a single legal basis expressly authorising the EU to adopt rules relating to the protection of the personal data of natural persons. It would therefore represent a step backwards from the preceding scheme based on the Treaty provisions relating to the internal market, which would be difficult to explain. That strictly literal interpretation of Article 16 TFEU would thus have the consequence of depriving that provision of a large part of its practical effect” (§119).

 The AG concludes that the answer to the question about the legal basis is that “in the light of the objectives and the components of the agreement envisaged, which are inseparably linked, the act concluding that agreement must in my view be based on the first subparagraph of Article 16(2) TFEU and Article 87(2)(a) TFEU as its substantive legal bases” (§120).

Before going through the analysis of the compliance of the Agreement with Articles 7 and 8 of the Charter, it’s worth having a look at one of the fundamental issues raised by the Agreement, but which, unfortunately, was only looked at briefly and with no consequence.

 

……………………………………………………….

[1] “The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall adopt measures to:

(d) facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions.”

[2] 1. The Union shall establish police cooperation involving all the Member States’ competent authorities, including police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences.

  1. For the purposes of paragraph 1, the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, may establish measures concerning:

(c) common investigative techniques in relation to the detection of serious forms of organised crime.

Advertisements

Section 3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing

(Section 3 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

In order to answer the first question raised by the Parliament in the proceedings before the Court – whether the Agreement complies with EU Primary law, and in particular with Articles 7 and 8 of the Charter, AG Mengozzi follows the classical test: is there an interference?[1] And if so, is the interference justified?[2]

Analyzing separately Articles 7 and 8 of the Charter, still a challenge

Even if the Court has recently started to analyze separately the rights protected by Article 7 (to respect for private life) and by Article 8 of the Charter (to the protection of personal data) – see the judgments in DRI and Schrems, the AG seems to hesitate again between the two rights. He starts his analysis on whether there is an interference with the two rights (§170) by recalling the older case-law of the Court which stated that the right to the protection of private life and the right to the protection of personal data are “closely connected” (Schecke, §47; ASNEF, §41).

First he finds that the PNR data “touches on the area of the privacy, indeed intimacy, of persons and indisputably relates to one or more identified or identifiable individual or individuals” (§170). Thus, in the same sentence, the AG brings PNR data within the scope of both Article 7 and Article 8 of the Charter. He further identifies different treatments of the data under the terms of the Agreement (§170):

– systematic transfer of PNR data to the Canadian public authorities,

– access to that data,

– the use of that data,

– its retention for a period of five years by those public authorities,

– its subsequent transfer to other public authorities, including those of third countries,

The AG states that all of the above are “operations which fall within the scope of the fundamental right to respect for private and family life guaranteed by Article 7 of the Charter and to the ‘closely connected’ but nonetheless distinct right to protection of personal data guaranteed by Article 8(1) of the Charter and constitute an interference with those fundamental rights” (§170).

Therefore, the AG does not differentiate here between what constitutes interference with the right to respect for private life and what constitutes interference with the right to the protection of personal data.

However, in the following paragraph, the AG does make such a differentiation, but only because he restates the findings of the Court in Digital Rights Ireland, even if this partly repeats some of the findings in §170: “the obligation to retain that data, required by the public authorities, and subsequent access of the competent national authorities to data relating to a person’s private life also constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter (he refers here to §34 and §35 of DRI in a footnote). Likewise, an EU act prescribing any form of processing of personal data constitutes an interference with the fundamental right, laid down in Article 8 of the Charter, to protection of such data (he refers here to §29 and §36 of DRI)” (§171).

There is not a lot of clarity transpiring from these two paragraphs, especially considering that §170 in fact refers to interference only with the first paragraph of Article 8 and not with the entire Article 8 (See also Section 4 of this analysis for additional comments prompted by this differentiation).

What is certain is that indeed there is an interference with both rights. The AG further notes the seriousness of that interference, indicating that he is fully aware of its severity:

“The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable size and a not insignificant gravity. It systematically affects all passengers flying between Canada and the Union, that is to say, several tens of millions of persons a year. Furthermore, as most of the interested parties have confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers, which includes sensitive data, requiring, by definition, automated processing, and the retention of that data for a period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with pre-established patterns of behaviour that is ‘at risk’ or ‘of concern’, in connection with terrorist activities and/or serious transnational crime, in order to identify persons not hitherto known to the police or not suspected. Those characteristics, apparently inherent in the PNR scheme put in place by the agreement envisaged, are capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects” (§176).

Even though at this stage the AG acknowledges the severity of the interference with fundamental rights of PNR schemes, he deems it to be justified by necessity (See Section 5 of this analysis).

Finally, it is also notable to mention that the AG found that the procedures for collecting the data come within the competence of the air carriers, “which, in this regard, must act in compliance with the relevant national provisions and with EU law” (§178). He concludes that “the collection of the PNR data therefore does not constitute a processing of personal data entailing an interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter that results from the agreement envisaged itself. In the light of the limited power of the Court in the context of the opinion procedure, that operation will therefore not form the subject matter of the following developments” (§179).

 

……………………………………………………..

[1] Dealt with in this section.

[2] Dealt with in Sections 4 and 5 of this analysis.

Section 4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1) Charter

(Section 4 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After establishing that the EU-Canada PNR Agreement allows for a particularly serious interference with the rights to respect for private life and to the protection of personal data, the AG goes on to analyze whether this interference is justified.

First, he establishes that neither of the two rights “is an absolute prerogative” (§181), meaning that their exercise can be limited. The AG recalls that “that limitations may be placed on the exercise of rights such as those enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (§182).

Again, just like in §170, the AG refers only to limitations of the first paragraph of Article 8. Moreover, he specifies in the following paragraph that “Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’” (§183). He follows this only by stating that “with regard to one of the conditions set out in Article 8(2) of the Charter … the agreement envisaged does not seek to base the processing of the PNR data communicated to the Canadian competent authority on the consent of the air passengers” (§184).

This is why paragraph 188 comes as a surprise, because, after finding the essence of the two rights is not touched (see below), the AG states that “It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied” (§188).  

To my knowledge, it is for the first time an Advocate General, or the Court for that matter, refers to the second paragraph of Article 8 of the Charter as prescribing “conditions for justification” of interferences with the right to the protection of personal data and equals them to those laid down in Article 52(1) of the Charter.

Such a hypothesis is not without merit from the outset, but it would need a more in depth justification than simply stating a couple of paragraphs above that Article 8(2) of the Charter only allows processing of data only for specified purposes and if it is based on consent or has another legitimate basis laid down by law. For instance, if indeed we were to consider that any processing of personal data constitutes an interference with Article 8 (this finding by the Court in DRI has some faults worthy of academic attention, but for the moment we have to work with it), then it would make sense to see the conditions for having a lawful basis for processing as being conditions for justifying the “interference” with the right to the protection of personal data.

Moreover, a separate analysis of whether the conditions in Article 8(2) are satisfied does not follow. The AG merely states in §189 that the conditions from Article 52(1) for the interference to be provided for by law and to meet objectives of general interest are equivalent with the “expression used in Article 8(2)” – having a “legitimate basis”, and they are “manifestly satisfied” (§189).

As for the essence of the two rights, the AG recalls that neither of the parties did not invoke before the Court that the interference harms the essence of the two fundamental rights (§185).

With regard to the essence of Article 7, he further explains that “the nature of the PNR data forming the subject matter of the agreement envisaged does not permit any precise conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question continues to be limited to the pattern of air travel between Canada and the Union” (§186). The AG also refers in this context to the “masking” and gradual “depersonalization” of the data as guarantees to preserve private life (§186).

With regard to the essence of Article 8, the AG mentions that “under Article 9 of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection, security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data security must be amenable to effective and dissuasive corrective measures which might include sanctions” (§187). Unfortunately, the AG does not expand on the concept of the essence of the right to the protection of personal data and does not depart from what the Court indicated in Digital Rights Ireland at §40, restricting the essence of Article 8 mainly to the presence of data security measures.

Concluding that the essence of the two rights is not touched upon, the AG further analyzes the proportionality and the necessity of the interference.

Section 5. The awkward two level necessity test that convinced the AG PNR schemes are acceptable

(Section 5 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After he establishes that the Court should carry out “a strict review of compliance with the requirements resulting from the principle of proportionality, and more particularly, from the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged” (§200), the AG further assesses if the interference is “strictly necessary”.

He considers the “strict necessity” test as a component of the proportionality test, together with “the ability of the interference to achieve the ‘public security’ objective pursued by the Agreement”.

With regard to the latter criterion, the AG does not believe “there are any real obstacles to recognising that the interference constituted by the agreement envisaged is capable of attaining the objective of public security, in particular the objective of combating terrorism and serious transnational crime” (§205). “As the United Kingdom Government and the Commission, in particular, have claimed, the transfer of PNR data for analysis and retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network or participating in serious transnational criminal activities” (§205).

In addition, the AG finds the statistics provided by the Commission and the UK relevant to find that “the data constitutes a valuable tool for criminal investigations” (§205). He reaches this conclusion in spite of the fact that at §151, when summarizing the contributions of the parties before the Court, the AG recalls that “The Commission accepts that there are no precise statistics indicating the contribution which PNR data makes to the prevention and detection of crime and terrorism, and to the investigation and prosecution of offences of those types.”

With regard to the strict necessity of the interference, the AG establishes that its assessment “entails ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the private life of the persons concerned” (§207), by making a reference to §77 of the Schecke judgment. That paragraph in Schecke seems to me to establish a different principle – namely that, when balancing two opposing rights, one of which is the right to the protection of personal data, it must be taken into account that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”[1].

Notwithstanding, the AG follows by stating that “the terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the agreement envisaged” (§208). He explains:

“That means that it is not sufficient to imagine, in the abstract, the existence of alternative measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be sufficiently effective, that is to say, their effectiveness must, in my view, be comparable with those provided for in the agreement envisaged, in order to attain the public security objective pursued by that agreement” (§208).

In quite a big leap, AG Mengozzi relies for this twofold test for necessity on a paragraph in the Schwartz judgment, §53, which states that “the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints.”

This twofold test is not used in any of the most recent landmark judgments of the Court – DRI, which relies greatly on the analysis of the condition of “necessity”, and Schrems. However, looking at strict necessity through this lens of proportionality and equivalent effectiveness persuaded the AG to conclude that PNR schemes, even if they constitute the kind of interference he accurately described in §176, are acceptable.

Comparing the wealth of PNR data to data collected usually for border control purposes by immigration authorities, including Advance Passenger Information and information collected by Canadian authorities for their eVA program, the AG concluded that “data of that type (API, eVA – my note) does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API and the data required for the issue of an eVA are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged” (§214).

The AG further justifies that PNR data of all passengers are transferred to the Canadian authorities, “even though there is no indication that their conduct may have a connection with terrorism or serious transnational crime” (215) by arguing that “as the interested parties have explained, the actual interest of PNR schemes, whether they are adopted unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks” (§216).

He finds at §244, referring to the fact that the Agreement involves transfers of data of all passengers between the Union and Canada, irrespective of whether they are suspects or not, that no other measure which, while limiting the number of persons whose PNR data is automatically processed by the Canadian competent authority, would be capable of attaining with comparable effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in the context of the present proceedings”.

The AG therefore concluded that “generally, the scope ratione personae of the agreement envisaged cannot be limited further without harming the very object of the PNR regimes” (§245).

Another characteristic of PNR schemes that is generally considered questionable – the lack of an ex ante control of access to PNR data, is found justifiable by the AG in the light of the “fair balance” test for strict necessity: “the appropriate balance that must be struck between the effective pursuit of the fight against terrorism and serious transnational crime and respect for a high level of protection of the personal data of the passengers concerned does not necessarily require that a prior control of access to the PNR data must be envisaged” (§269).

Therefore, the idea of PNR schemes seems to be compatible with the fundamental rights to data protection and respect for private life, in the view of AG Mengozzi. However, the list of conditions he develops for the Agreement in the current case to be fully compliant with EU primary law is quite long and quite strict and it bears bad news for other similar arrangements.

 

……………………………………………

[1] §77 of Schecke states this: “It is thus necessary to determine whether the Council of the European Union and the Commission balanced the European Union’s interest in guaranteeing the transparency of its acts and ensuring the best use of public funds against the interference with the right of the beneficiaries concerned to respect for their private life in general and to the protection of their personal data in particular. The Court has held in this respect that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Satakunnan Markkinapörssi and Satamedia, paragraph 56).”