An agreement to send Canadian authorities passenger name record (PNR) data for flights from the European Union cannot be entered into in its current form, a top European Union judge has said.
That's because parts of the draft agreement are incompatible with EU citizens' fundamental privacy rights, according to Paolo Mengozzi, Advocate General of the Court of Justice of the EU, in a legal opinion issued Thursday.
His opinion, on a case brought by the European Parliament, is only advisory, and it still remains for the CJEU to make a final ruling on the matter.
But if the court follows his advice, it could disrupt the European Commission's plans for a new directive on the sharing of PNR data among EU member states and with other countries.
The agreement, which the EU and Canada began negotiating in 2010, concerns the transfer of PNR data to Canadian authorities for the purpose of combatting terrorism and other serious transnational crime. The passenger name records concerned contain 19 categories of information, covering the passenger's identity, nationality, address, contact details of the person making the reservation, payment information such as the number of the credit card used to reserve the flight, luggage details, and additional services requested concerning health problems, mobility, or dietary requirements. This might allow authorities to infer information about passengers' ethnic origin or religious beliefs.
The European Parliament refused to give its approval to the deal following its signature by the Council of the EU in 2014, preferring first to seek the opinion of the CJEU on its compatibility with EU laws on privacy and the protection of personal data.
In his opinion, Advocate General Mengozzi found five articles of the agreement incompatible with the provisions of the EU Charter of Fundamental Rights on the right to respect for private and family life, and the right to protection of personal data.
Those articles allow Canada to:
- process PNR data for reasons other than the agreement's public security objectives of preventing and detecting terrorist offenses and serious transnational crime;
- process, use and retain sensitive data;
- make unnecessary disclosures of the information;
- keep the data for up to five years for pretty much any reason, whether or not connected to the prevention of terrorism or serious crime, and
- transfer the data to a third country without being able to prevent that transfer to yet other countries.
Mengozzi identified 11 changes to the agreement needed in order to make it compatible with the charter, including:
- clearly defining the data to be transferred, and excluding sensitive data from the definition;
- exhaustively listing the offenses that constitute serious transnational crime, and
- informing EU member states when information about one of their citizens is passed on to other agencies.
His opinion was greeted with a mixture of delight and dismay.
Timothy Kirkhope MEP, Justice and Home Affairs spokesman of the European Conservatives and Reformists group, described the opinion as irresponsible and said: "Given the level of the threat you have to ask what planet some of these lawyers live on. Law enforcement authorities all say we are continually playing catch-up on information flow and analysis, and the CJEU now risks setting back our efforts even further."
But Joe McNamee, Executive Director of lobby group European Digital Rights, agreed with the advocate general's disapproval of the deal. "Once again, the European Court is confirming that the European Commission has failed to understand the law. The European Commission has -- again -- failed in its basic function as the 'guardian of the treaties,'" he said.
If the full court follows Mengozzi's advice, then the data sharing agreement may not enter into force until those amendments are made. The opinions of the court's advocates general are not binding, but the court follows them in the majority of cases.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.