Tag Archives: privacy

Section 2. A look at the surface: it is not an adequacy decision, but it establishes adequacy

(Section 2 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

One of the fundamental issues concerning agreements such as the one in the present case is how do these agreements relate to the concept of “adequacy finding” for the purposes of transfers of personal data from the EU to third countries.

While it is straightforward looking at their nature that they are not unilateral acts issued by the European Commission to establish that a third country or the authorities of a third country have an adequate level of protection (as was the Decision invalidated by the Schrems judgement), in essence these agreements have the same effect as that of adequacy decisions: they establish a presumption that the legal system at the receiving end of a data transfer from the EU ensures an adequate level of data protection, eliminating thus impediments of transfers based on concerns that the data are not properly protected at the receiving end.

While the process leading to an adequacy decision by the Commission is long and involves a thorough analysis of the legal system of the third country in order to ascertain that it provides an essentially equivalent level of protection in theory and in practice, the conclusion of an international agreement involves a high level negotiation and commitments taken by the third country that it would ensure appropriate protection. It is more difficult to ascertain and control a posteriori if this indeed happens in practice. Moreover, if the commitments taken by the third country are not sufficient in the Agreement, a clause establishing that the transfers to that country are deemed to comply with EU data protection law may very well be considered as breaching Article 8(1) of the Charter. The CJEU stated in Schrems that the requirements for ensuring lawful international transfers of personal data stem from Article 8(1) of the Charter and the general obligation enshrined therein “to protect personal data” (§71-§72 of Schrems).

These issues are extremely challenging and the current proceedings would be a very good opportunity to address them. However, the AG only marginally touches this question and he does that only to argue against the fact that data protection is the predominant purpose of the Agreement and to argue in favour of a strict review of the limitations brought by the provisions of the Agreement to the exercise of Article 8 of the Charter.

First, in §93, he states that “the object of the agreement envisaged cannot principally be treated as equivalent to an adequacy decision, comparable to the decision which the Commission had adopted under the 2006 Agreement”. He continues by arguing that “both the aim and the content of the agreement envisaged show, on the contrary, that that agreement is intended to reconcile the two objectives which it pursues and that those objectives are inseparably linked” (i.e. – data protection and fight against terrorism) (§93).

However, about a hundred of paragraphs later, after he recalls the finding in §93 that “the agreement envisaged cannot be reduced to a decision finding that the Canadian competent authority guarantees an adequate level of protection” (§203), he recognizes that “Article 5 of the agreement envisaged does indeed provide that, subject to compliance with the terms of that agreement, the Canadian Competent Authority is to be deemed to provide an adequate level of protection, within the meaning of relevant Union data protection law, for the processing and use of PNR data” (§203).

Moreover, in the same paragraph, the AG even adds that “the contracting parties’ intention is indeed to ensure that the high level of personal data protection achieved in the Union may be guaranteed when the PNR data is transferred to Canada” (§203).

The arguments above follow after in paragraph 200 the AG finds that the provisions of the agreement should be subject to a strict review by the Court regarding their compliance with the requirements resulting also from “the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged”.

This analysis seems to me contradictory – both by comparing §93 and §203, and by comparing statements within §203. In any case, the consequences of the intention to establish adequacy through an international agreement are not further analysed. The only conclusion the AG draws after identifying the underlying intention of the parties to conclude this agreement is just that “I see no reason why the Court should not carry out a strict review of compliance with the principle of proportionality” (§203). Moreover, he further expands this argumentation by referring to the Schrems case and findings therein concerning “essentially equivalence” and how the means ensuring this equivalence must be “effective in practice” (§204).

Hopefully, the Court in its final Opinion will make a more in depth analysis of this issue.

Section 3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing

(Section 3 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

In order to answer the first question raised by the Parliament in the proceedings before the Court – whether the Agreement complies with EU Primary law, and in particular with Articles 7 and 8 of the Charter, AG Mengozzi follows the classical test: is there an interference?[1] And if so, is the interference justified?[2]

Analyzing separately Articles 7 and 8 of the Charter, still a challenge

Even if the Court has recently started to analyze separately the rights protected by Article 7 (to respect for private life) and by Article 8 of the Charter (to the protection of personal data) – see the judgments in DRI and Schrems, the AG seems to hesitate again between the two rights. He starts his analysis on whether there is an interference with the two rights (§170) by recalling the older case-law of the Court which stated that the right to the protection of private life and the right to the protection of personal data are “closely connected” (Schecke, §47; ASNEF, §41).

First he finds that the PNR data “touches on the area of the privacy, indeed intimacy, of persons and indisputably relates to one or more identified or identifiable individual or individuals” (§170). Thus, in the same sentence, the AG brings PNR data within the scope of both Article 7 and Article 8 of the Charter. He further identifies different treatments of the data under the terms of the Agreement (§170):

– systematic transfer of PNR data to the Canadian public authorities,

– access to that data,

– the use of that data,

– its retention for a period of five years by those public authorities,

– its subsequent transfer to other public authorities, including those of third countries,

The AG states that all of the above are “operations which fall within the scope of the fundamental right to respect for private and family life guaranteed by Article 7 of the Charter and to the ‘closely connected’ but nonetheless distinct right to protection of personal data guaranteed by Article 8(1) of the Charter and constitute an interference with those fundamental rights” (§170).

Therefore, the AG does not differentiate here between what constitutes interference with the right to respect for private life and what constitutes interference with the right to the protection of personal data.

However, in the following paragraph, the AG does make such a differentiation, but only because he restates the findings of the Court in Digital Rights Ireland, even if this partly repeats some of the findings in §170: “the obligation to retain that data, required by the public authorities, and subsequent access of the competent national authorities to data relating to a person’s private life also constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter (he refers here to §34 and §35 of DRI in a footnote). Likewise, an EU act prescribing any form of processing of personal data constitutes an interference with the fundamental right, laid down in Article 8 of the Charter, to protection of such data (he refers here to §29 and §36 of DRI)” (§171).

There is not a lot of clarity transpiring from these two paragraphs, especially considering that §170 in fact refers to interference only with the first paragraph of Article 8 and not with the entire Article 8 (See also Section 4 of this analysis for additional comments prompted by this differentiation).

What is certain is that indeed there is an interference with both rights. The AG further notes the seriousness of that interference, indicating that he is fully aware of its severity:

“The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable size and a not insignificant gravity. It systematically affects all passengers flying between Canada and the Union, that is to say, several tens of millions of persons a year. Furthermore, as most of the interested parties have confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers, which includes sensitive data, requiring, by definition, automated processing, and the retention of that data for a period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with pre-established patterns of behaviour that is ‘at risk’ or ‘of concern’, in connection with terrorist activities and/or serious transnational crime, in order to identify persons not hitherto known to the police or not suspected. Those characteristics, apparently inherent in the PNR scheme put in place by the agreement envisaged, are capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects” (§176).

Even though at this stage the AG acknowledges the severity of the interference with fundamental rights of PNR schemes, he deems it to be justified by necessity (See Section 5 of this analysis).

Finally, it is also notable to mention that the AG found that the procedures for collecting the data come within the competence of the air carriers, “which, in this regard, must act in compliance with the relevant national provisions and with EU law” (§178). He concludes that “the collection of the PNR data therefore does not constitute a processing of personal data entailing an interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter that results from the agreement envisaged itself. In the light of the limited power of the Court in the context of the opinion procedure, that operation will therefore not form the subject matter of the following developments” (§179).



[1] Dealt with in this section.

[2] Dealt with in Sections 4 and 5 of this analysis.

Section 4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1) Charter

(Section 4 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After establishing that the EU-Canada PNR Agreement allows for a particularly serious interference with the rights to respect for private life and to the protection of personal data, the AG goes on to analyze whether this interference is justified.

First, he establishes that neither of the two rights “is an absolute prerogative” (§181), meaning that their exercise can be limited. The AG recalls that “that limitations may be placed on the exercise of rights such as those enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (§182).

Again, just like in §170, the AG refers only to limitations of the first paragraph of Article 8. Moreover, he specifies in the following paragraph that “Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’” (§183). He follows this only by stating that “with regard to one of the conditions set out in Article 8(2) of the Charter … the agreement envisaged does not seek to base the processing of the PNR data communicated to the Canadian competent authority on the consent of the air passengers” (§184).

This is why paragraph 188 comes as a surprise, because, after finding the essence of the two rights is not touched (see below), the AG states that “It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied” (§188).  

To my knowledge, it is for the first time an Advocate General, or the Court for that matter, refers to the second paragraph of Article 8 of the Charter as prescribing “conditions for justification” of interferences with the right to the protection of personal data and equals them to those laid down in Article 52(1) of the Charter.

Such a hypothesis is not without merit from the outset, but it would need a more in depth justification than simply stating a couple of paragraphs above that Article 8(2) of the Charter only allows processing of data only for specified purposes and if it is based on consent or has another legitimate basis laid down by law. For instance, if indeed we were to consider that any processing of personal data constitutes an interference with Article 8 (this finding by the Court in DRI has some faults worthy of academic attention, but for the moment we have to work with it), then it would make sense to see the conditions for having a lawful basis for processing as being conditions for justifying the “interference” with the right to the protection of personal data.

Moreover, a separate analysis of whether the conditions in Article 8(2) are satisfied does not follow. The AG merely states in §189 that the conditions from Article 52(1) for the interference to be provided for by law and to meet objectives of general interest are equivalent with the “expression used in Article 8(2)” – having a “legitimate basis”, and they are “manifestly satisfied” (§189).

As for the essence of the two rights, the AG recalls that neither of the parties did not invoke before the Court that the interference harms the essence of the two fundamental rights (§185).

With regard to the essence of Article 7, he further explains that “the nature of the PNR data forming the subject matter of the agreement envisaged does not permit any precise conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question continues to be limited to the pattern of air travel between Canada and the Union” (§186). The AG also refers in this context to the “masking” and gradual “depersonalization” of the data as guarantees to preserve private life (§186).

With regard to the essence of Article 8, the AG mentions that “under Article 9 of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection, security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data security must be amenable to effective and dissuasive corrective measures which might include sanctions” (§187). Unfortunately, the AG does not expand on the concept of the essence of the right to the protection of personal data and does not depart from what the Court indicated in Digital Rights Ireland at §40, restricting the essence of Article 8 mainly to the presence of data security measures.

Concluding that the essence of the two rights is not touched upon, the AG further analyzes the proportionality and the necessity of the interference.

Section 5. The awkward two level necessity test that convinced the AG PNR schemes are acceptable

(Section 5 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After he establishes that the Court should carry out “a strict review of compliance with the requirements resulting from the principle of proportionality, and more particularly, from the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged” (§200), the AG further assesses if the interference is “strictly necessary”.

He considers the “strict necessity” test as a component of the proportionality test, together with “the ability of the interference to achieve the ‘public security’ objective pursued by the Agreement”.

With regard to the latter criterion, the AG does not believe “there are any real obstacles to recognising that the interference constituted by the agreement envisaged is capable of attaining the objective of public security, in particular the objective of combating terrorism and serious transnational crime” (§205). “As the United Kingdom Government and the Commission, in particular, have claimed, the transfer of PNR data for analysis and retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network or participating in serious transnational criminal activities” (§205).

In addition, the AG finds the statistics provided by the Commission and the UK relevant to find that “the data constitutes a valuable tool for criminal investigations” (§205). He reaches this conclusion in spite of the fact that at §151, when summarizing the contributions of the parties before the Court, the AG recalls that “The Commission accepts that there are no precise statistics indicating the contribution which PNR data makes to the prevention and detection of crime and terrorism, and to the investigation and prosecution of offences of those types.”

With regard to the strict necessity of the interference, the AG establishes that its assessment “entails ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the private life of the persons concerned” (§207), by making a reference to §77 of the Schecke judgment. That paragraph in Schecke seems to me to establish a different principle – namely that, when balancing two opposing rights, one of which is the right to the protection of personal data, it must be taken into account that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”[1].

Notwithstanding, the AG follows by stating that “the terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the agreement envisaged” (§208). He explains:

“That means that it is not sufficient to imagine, in the abstract, the existence of alternative measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be sufficiently effective, that is to say, their effectiveness must, in my view, be comparable with those provided for in the agreement envisaged, in order to attain the public security objective pursued by that agreement” (§208).

In quite a big leap, AG Mengozzi relies for this twofold test for necessity on a paragraph in the Schwartz judgment, §53, which states that “the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints.”

This twofold test is not used in any of the most recent landmark judgments of the Court – DRI, which relies greatly on the analysis of the condition of “necessity”, and Schrems. However, looking at strict necessity through this lens of proportionality and equivalent effectiveness persuaded the AG to conclude that PNR schemes, even if they constitute the kind of interference he accurately described in §176, are acceptable.

Comparing the wealth of PNR data to data collected usually for border control purposes by immigration authorities, including Advance Passenger Information and information collected by Canadian authorities for their eVA program, the AG concluded that “data of that type (API, eVA – my note) does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API and the data required for the issue of an eVA are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged” (§214).

The AG further justifies that PNR data of all passengers are transferred to the Canadian authorities, “even though there is no indication that their conduct may have a connection with terrorism or serious transnational crime” (215) by arguing that “as the interested parties have explained, the actual interest of PNR schemes, whether they are adopted unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks” (§216).

He finds at §244, referring to the fact that the Agreement involves transfers of data of all passengers between the Union and Canada, irrespective of whether they are suspects or not, that no other measure which, while limiting the number of persons whose PNR data is automatically processed by the Canadian competent authority, would be capable of attaining with comparable effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in the context of the present proceedings”.

The AG therefore concluded that “generally, the scope ratione personae of the agreement envisaged cannot be limited further without harming the very object of the PNR regimes” (§245).

Another characteristic of PNR schemes that is generally considered questionable – the lack of an ex ante control of access to PNR data, is found justifiable by the AG in the light of the “fair balance” test for strict necessity: “the appropriate balance that must be struck between the effective pursuit of the fight against terrorism and serious transnational crime and respect for a high level of protection of the personal data of the passengers concerned does not necessarily require that a prior control of access to the PNR data must be envisaged” (§269).

Therefore, the idea of PNR schemes seems to be compatible with the fundamental rights to data protection and respect for private life, in the view of AG Mengozzi. However, the list of conditions he develops for the Agreement in the current case to be fully compliant with EU primary law is quite long and quite strict and it bears bad news for other similar arrangements.



[1] §77 of Schecke states this: “It is thus necessary to determine whether the Council of the European Union and the Commission balanced the European Union’s interest in guaranteeing the transparency of its acts and ensuring the best use of public funds against the interference with the right of the beneficiaries concerned to respect for their private life in general and to the protection of their personal data in particular. The Court has held in this respect that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Satakunnan Markkinapörssi and Satamedia, paragraph 56).”

Section 6. The list of reasons why the EU-Canada PNR Agreement is incompatible with the Charter and the Treaty

(Section 6 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

AG Mengozzi divides his Conclusions on the compatibility of the EU-Canada PNR Agreement with EU primary law into two lists.

The first list contains 11 improvements that can be made in order for the Agreement to be compliant with Articles 7, 8 and 52(1) of the Charter and Article 16 TFEU (see paragraph 2 of the Conclusions)

A. Sensitive data must be outside the scope of PNR schemes

Notably, sensitive data must be excluded from the scope of the Agreement. The AG found that the Agreement “goes beyond what is strictly necessary by including in its scope the transfer of PNR data that is apt to contain sensitive data, which in material terms allows information about the health or ethnic origin or religious beliefs of the passenger concerned and and/or of those travelling with him to be disclosed” (§221). He follows by stating that “the risk of stigmatising a large number of individuals who are not suspected of any offence which the use of such sensitive data entails strikes me as particularly worrying and prompts me to propose that the Court should exclude data of that type from the scope of the agreement envisaged” (§222).

B. Transparency requirements

In addition, the agreement should expressly specify “the principles and rules applicable to both the pre-established scenarios or assessment criteria and the databases with which the Passenger Name Record data is compared in the context of the automated processing of that data, in such a way that the number of ‘targeted’ persons can be limited, to a large extent and in a non-discriminatory manner, to those who can be reasonably suspected of participating in a terrorist offence or serious transnational crime” (4th subparagraph of §2 of the Conclusions).

C. Article 8(3) of the Charter on independent supervision, fully applicable in the light of “essentially equivalence”

Another important condition to achieve compliance with EU primary law is that the agreement must systematically ensure “by a clear and precise rule, control by an independent authority, within the meaning of Article 8(3) of the Charter of Fundamental Rights of the European Union, of respect for the private life and protection of the personal data of passengers whose Passenger Name Record data is processed” (10th subparagraph of §2 of the Conclusions).

In this regard, the AG found that “control by an independent authority, required in particular by Article 8(3) of the Charter, is fully applicable in the present case” (§310), in the light of the fact that the intention of the contracting parties is “to ensure a level of protection that is intended to be ‘substantially equivalent’ to that which individuals would enjoy if their personal data were processed and retained within the Union” (§309).

The AG further found that the “independent supervision” condition is not fully complied with because of the alternative wording of Article 10(1) of the agreement, which gives the impression that the processing of PNR data by the Canadian authorities might also be wholly assumed by the ‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy’ – the Recourse Directorate of the Canadian authority receiving the data, instead of the Privacy Commissioner of Canada (§314).

While nobody questioned the independence of the Privacy Commissioner (§312), the AG found that “irrespective of the guarantees … from the Mission of Canada to the European Union, according to which the Recourse Directorate of the CBSA will receive no directions from the other operational bodies of the latter, that directorate, like all the other bodies of the CBSA, continues to be directly subordinate to the responsible Minister, from whom it may receive directions. Since it is liable to be subject to influence of, in particular, a political nature on the part of the authority to which it is responsible or more generally the Executive, the Recourse Directorate of the CBSA cannot be regarded as an independent supervisory authority for the purposes of Article 8(3) of the Charter” (§315).

This finding, if upheld by the Court, is perhaps the most relevant one that could apply, mutatis mutandis, to an eventual challenge of the EU-US Privacy Shield arrangement, in particular with regard to the independence of the Ombudsman.

D. It must be possible that data subjects exercise their rights from the EU

 Another notable improvement that must be done in order for the Agreement to be compliant with EU primary law is that it should make clear that “requests for access, rectification and annotation made by passengers not present on Canadian territory may be submitted, either directly or by means of an administrative appeal, to an independent public authority” (last subparagraph of §2 of the Conclusions).

The second list of the Conclusions contains 5 reasons why the Agreement is incompatible with EU primary law (§3 of the Conclusions):

  1. “Article 3(5) of the agreement envisaged allows, beyond what is strictly necessary, the possibilities of processing Passenger Name Record data to be extended, independently of the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime”;

The AG found that according to that article, “the processing of PNR data is ‘also’ permitted, on a case-by-case basis, in order to comply with the subpoena or warrant issued, or an order made, by a court, although it is not stated that that court must be acting in the context of the purposes of the agreement envisaged. That article therefore appears to allow the processing of PNR data for purposes unconnected with those pursued by the agreement envisaged and/or possibly in connection with conduct or offences not coming within the scope of that agreement” (§236).

  1. Article 8 of the agreement envisaged provides for the processing, use and retention by Canada of Passenger Name Record data containing sensitive data;
  2. Article 12(3) of the agreement envisaged confers on Canada, beyond what is strictly necessary, the right to make disclosure of information subject to reasonable legal requirements and limitations;

Paragraph 3 of that article extends the possibilities of access to the PNR data and information extracted from it “to anyone, without any specific guarantees being laid down” (§293). “Article 12(3) of the agreement envisaged authorises Canada to ‘make any disclosure of information subject to reasonable legal requirements and limitations …, with due regard for the legitimate interests of the individual concerned’. However, neither the recipients of that ‘information’ nor the use to which it is put is defined in the agreement envisaged. It is therefore quite possible that that information may be communicated to any natural or legal person, such as a bank, for example, provided that Canada considers that the disclosure of such information does not exceed ‘reasonable’ legal requirements, which, moreover, are not defined in the agreement envisaged” (§293).

  1. Article 16(5) of the agreement envisaged authorises Canada to retain Passenger Name Record data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime;

The AG criticized that pursuant to Article 16(5) of the Agreement “sensitive data of a Union citizen who has taken a flight to Canada is liable to be retained for five years (and, where appropriate, unmasked and analysed during that period) by any Canadian public authority, for any ‘action’ or ‘investigation’ or ‘judicial proceeding’, without being in any way connected to the objective pursued by the agreement envisaged, for example, as the Parliament has pointed out, in the event of proceedings related to contract law or family law. The possibility that such a situation will arise prompts the conclusion that on this point the contracting parties have not struck a fair balance between the objectives pursued by the agreement envisaged” (§224).

  1. Article 19 of the agreement envisaged allows Passenger Name Record data to be transferred to a public authority in a third country without the Canadian competent authority, subject to control by an independent authority, first being satisfied that the public authority in the third country in question to which the data is transferred cannot itself subsequently communicate the data to another body, where relevant, in another third country. (For the relevant analysis, see §300 to §304 of the Opinion).

Research finds that ‘surveillance technologies yield neither the secure utopia nor the police state dystopia promised by their supporters’

Science Magazine published a piece today about the recent book by Keith Guzik, a sociologist at the University of Colorado Denver, “Making Things Stick: Surveillance Technologies and Mexico’s War on Crime”.

Guzik examines Mexico in order to understand how surveillance technologies impact security policy around the world. We could hardly find a more ‘spot on’ theme for general public policy these days.

With Mexico’s War on Crime as the backdrop, Making Things Stick offers an innovative analysis of how surveillance technologies impact governance in the global society. More than just tools to monitor ordinary people, surveillance technologies are imagined by government officials as a way to reform the national state by focusing on the material things—cellular phones, automobiles, human bodies—that can enable crime. In describing the challenges that the Mexican government has encountered in implementing this novel approach to social control, Keith Guzik presents surveillance technologies as a sign of state weakness rather than strength and as an opportunity for civic engagement rather than retreat.

The book is available under an Open Access license following this link: http://www.luminosoa.org/site/books/detail/12/making-things-stick/. Enjoy the read!

And this is the conclusion of the author, according to Science Mag:

“The failed experiment of the Mexican security programs demonstrates that state surveillance technologies yield neither the secure utopia nor the police state dystopia promised by their supporters and opponents“.


EDPS issues guidelines on how to ensure confidentiality of whistleblowers

The European Data Protection Supervisor issued today (18 July 2016) Guidelines addressed to the EU institutions and bodies on how to deal with whistleblowers in a way that is compliant with the data protection requirements in Regulation 45/2001.

The first thing you need to know is that the EU Staff Regulations contain an obligation for staff members and other persons working for the EU institutions and bodies to report in writing any reasonable suspicion of illegal activities to the hierarchy or to the European Anti-Fraud Office (“OLAF”) directly.

EU institutions are required to manage whistleblowing reports and ensure the protection of personal information of the whistleblowers, the alleged wrongdoers, the witnesses and the other persons appearing in the report.

According to the EDPS, “the most effective way to encourage staff to report concerns is to ensure them that their identity will be protected. Therefore, clearly defined channels for internal and external reporting and the protection of the information received should be in place. The identity of the whistleblower who reports serious wrongdoings or irregularities in good faith should be treated with the utmost confidentiality as they should be protected against any retaliation”.

Here is a list with the main recommendations from the Guidelines:

1. Implement defined channels for internal and external reporting and specific rules where the purpose is clearly specified.

2. Ensure confidentiality of the information received and protect the whistleblowers’ identity and all other persons involved.

3. Apply the principle of data minimisation: only process personal information, which are adequate, relevant and necessary, for the particular case.

4. Identify what personal information means in this context and which are the affected individuals to determine their right of information, access and rectification. Restrictions to these rights are allowed, as long as the EU institutions are able to provide documented reasons before taking such a decision.

5. Apply the two-step procedure to inform each category of individuals concerned about how their data will be processed.

6. Ensure when responding to right of access requests that personal information of other parties is not revealed.

7. Assess the appropriate competence of the recipient (internal or external) and then limit the transfer of personal information only when necessary for the legitimate performance of tasks covered by the competence of the recipient.

8. Define proportionate conservation periods for the personal information processed within the scope of the whistleblowing procedure depending on the outcome of each case .

9. Implement both organisational and technical security measures based on a risk assessment analysis of the whistleblowing procedure in order to guarantee a lawful and secure processing of personal information.

Trouble with Science’s special issue on privacy is that it’s called “The End of Privacy”

scienceThe prestigious Science magazine’s issue released today is dedicated to Privacy. The only problem is that it’s title is “The End of Privacy”. This statement is too dramatic. I don’t think we are facing the end of privacy, but the explosion of privacy invading technologies and practices.

Privacy as an inherent human value cannot disappear.

Privacy as the web of legal protection is not likely to disappear soon. Au contraire. It is likely it will be developed and taken more and more seriously.

The fact remains that privacy is under siege. But if scientific magazines are starting to publish entire issues on this topic, it would be more useful if they would not declare privacy dead, but figure out ways to construe a stronger web (technical, legal or whatever else nature) of protecting privacy.

Never-mind the title. Beyond it, there are some interesting articles:

1) Privacy and human behavior in the age of information, by Alessandro Acquisti, Laura Brandimarte and George Loewenstein.

2) Could your pacemaker be hackable?, by Daniel Clery (Medical devices connected to the Internet are vulnerable to sabotage or data theft).

3) Hiding in plain sight, by Jia You. (Software lets you use location-based apps without revealing where you are).

4) Control use of data to protect privacy, by Susan Landau (“..But notice, designated as a fundamental privacy principle in a different era, makes little sense in situations where collection consists of lots and lots of small amounts of information, whereas consent is no longer realistic, given the complexity and number of decisions that must be made. Thus, efforts to protect privacy by controlling use of data are gaining more attention…”)

While at it, also check my CPDP 2013 paper (presented two years ago at the conference in Brussels and published that year in a Springer volume edited by the organisers of the conference), Forgetting about consent. Why the focus should be on suitable safeguards in data protection law.

In conclusion, no, this is not the end of privacy. This is just the middle of a very, very difficult fight to protect privacy.

Main points from FTC’s Internet of Things Report

FTC published on 27 January a Report on the Internet of Things, based on the conclusions of a workshop organised in November with representatives of industry, consumers and academia.

It is apparent from the Report that the most important issue to be tackled by  the industry is data security – it represents also the most important risk to consumers.

While data security enjoys the most attention in the Report and the bigger part of the recommendations for best practices, data minimisation and notice and choice are considered to remain relevant and important in the IoT environment. FTC even provides a list of practical options for the industry to provide notice and choice, admitting that there is no one-size-fits-all solution.

The most welcomed recommendation in the report (at least, by this particular reader) was the one referring to the need of general data security and data privacy legislation – and not such legislation especially tailored for IoT. FTC called the Congress to act on these two topics.

Here is a brief summary of the Report:

The IoT definition from FTC’s point of view

Everyone in the field knows there is no generally accepted definition of what IoT is. It is therefore helpful to know what FTC considers IoT to be for its own activity:

“things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.

In addition, FTC clarified that, consistent with their mission to protect consumers in the commercial sphere, their discussion of IoT is limited to such devices that are sold to or used by consumers.

Stunning facts and numbers

  • as of this year, there will be 25 billion connected devices worldwide;
  • fewer than 10,000 households using one company’s IoT home automation product can “generate 150 million discrete data points a day” or approximately one data point every six seconds for each household.

Data security, the elephant in the house

Most of the recommendations for best practices that FTC made are about ensuring data security. According to the Report, companies:

  • should implement “security by design” by building security into their devices at the outset, rather than as an afterthought;
  • must ensure that their personnel practices promote good security; as part of their personnel practices, companies should ensure that product security is addressed at the appropriate level of responsibility within the organization;
  • must work to ensure that they retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so;
  • should implement a defense-in-depth approach, where security measures are considered at several levels; (…) FTC staff encourages companies to take additional steps to secure information passed over consumers’ home networks;
  • should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network;
  • should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

Attention to de-identification! 

In the IoT ecosystem, data minimization is challenging, but it remains important.

  • Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.
  • To the extent that companies decide they need to collect and maintain data to satisfy a business purpose, they should also consider whether they can do so while maintaining data in deidentified form.

When a company states that it maintains de-identified or anonymous data, the Commission has stated that companies should

  1. take reasonable steps to de-identify the data, including by keeping up with technological developments;
  2. publicly commit not to re-identify the data; and
  3. have enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data.

Notice and choice – difficult in practice, but still relevant

While the traditional methods of providing consumers with disclosures and choices may need to be modified as new business models continue to emerge, (FTC) staff believes that providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT. Notice and choice is particularly important when sensitive data is collected.

  • Staff believes that providing consumers with the ability to make informed choices remains practicable in the IoT;
  • Staff acknowledges the practical difficulty of providing choice when there is no consumer interface, and recognizes that there is no one-size-fits-all approach. Some options are enumerated in the report – several of which were discussed by workshop participants: choices at point of sale, tutorials, codes on the device, choices during set-up.

No need for IoT specific legislation, but general data security and data privacy legislation much needed

  • Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time;
  • However, while IoT specific-legislation is not needed, the workshop provided further evidence that Congress should enact general data security legislation;
  • General technology-neutral data security legislation should protect against unauthorized access to both personal information and device functionality itself;
  • General privacy legislation that provides for greater transparency and choices could help both consumers and businesses by promoting trust in the burgeoning IoT marketplace; In addition, as demonstrated at the workshop, general privacy legislation could ensure that consumers’ data is protected, regardless of who is asking for it.

ECHR: an article about a wedding is not exclusively private

The European Court of Human Rights in Strasbourg decided on Thursday (16 January) that publishing photos from the wedding of two celebrities in a magazine without their consent, as long as the photos were not taken at the ceremony per se, but outside of the ceremony location, is not a violation of the right to private life as it is enshrined in Article 8 of the European Convention of Human Rights.

The Court decided in its Lillo Stenberg and SÆTHER v. Norway decision (Application no. 13258/09that “a wedding has a public side” (para. 37), hence “the publication of an article about a wedding cannot itself relate exclusively to details of a person’s private life and have the sole aim of satisfying public curiosity in that respect (see, Von Hannover (no. 2), § 110). It (the Court – n.n.) therefore considers that there was an element of general interest in the article about the applicants’ wedding” (para. 37).

In this regard, the Court entirely admitted the argument of the Supreme Court of Norway, which stated in a decision concerning the facts of the case that “a wedding is a very personal act. At the same time it also has a public side. A wedding is a public affirmation that two persons intend to live together, and has legal consequences in many different sectors of society. Thus information about a wedding does not in itself involve a violation of privacy if it is given in a natural form and based on a reliable source” (see para. 37 of the ECHR Decision).

According to the facts of the case, the first applicant is a musician and the second applicant is an actress. They are both known to the public in Norway. On 20 August 2005, the applicants married in a private ceremony which took place outdoors on an islet in the municipality of Tjøme in the Oslo fjord, approximately 100 km south of the capital. The weekly magazine Se og Hør published a two-page article about the wedding, accompanied by six photographs. The photographs were taken without the consent of the applicants and outside of the premises of the wedding.

Highlights of the judgment

A. Criteria to assess the balance between freedom of expression and the right to private life

The Court reiterated the specific criteria it uses to assess which right prevails in a certain situation – freedom of expression or the right to private life:

“(i) contribution to a debate of general interest

(ii) how well known is the person concerned and what is the subject of the report?

(iii) prior conduct of the person concerned

(iv) method of obtaining the information and its veracity/circumstances in which the photographs were taken

(v) content, form and consequences of the publication.”

(see para. 34 of the current case, Von Hannover (no. 2), paras. 109‑113, and Axel Springer AG,  paras. 89-95). 

B. Interference with dignity to weigh in between freedom of expression and private life?

Without clearly indicating in the wording of the judgment that it rallies with the point of view of the Norwegian Supreme Court, ECHR pointed out one of the arguments used by the Supreme Court which indicates that an interference with dignity is able to decisively lean in towards the protection of private life or freedom of expression.

“It [the Supreme Court – n.] also pointed out that neither the text nor the photographs in the disputed magazine article contained anything unfavourable to the applicants. It did not contain any criticism, nor was there anything in the content that could damage their reputation (see para. 41).

C. The implied legitimate expectation of privacy

ECHR accepted the Supreme Court’s view that “since the ceremony took place in an area that was accessible to the public, easily visible, and a popular holiday location, it was likely to attract attention by third parties”, hence “these elements should also be given a certain amount of weight” (see para. 43).

D. The increased autonomy of the national courts

Finally, I have to point out to the reiteration of the ECHR that “although opinions may differ on the outcome of a judgment, where the balancing exercise has been undertaken by the national authorities in conformity with the criteria laid down in the Court’s case‑law, the Court would require strong reasons to substitute its view for that of the domestic courts” (see para. 44).