Opinion 1/15: AG Mengozzi looking for a new balance in data protection (part II)

By Maxime Lassalle

The AG’s proportionality test

After these general considerations, the AG starts his proportionality test. In the opinion nine points are considered separately (para. 210). From this analysis, three main elements deserve to be emphasized.

The first important point is that the AG accepts PNR schemes as a matter of principles. He considers that, excluding sensitive data, all categories of PNR data are considered relevant for the purpose of the envisaged agreement. Sensitive data are defined in Article 2 (e) of the envisaged agreement as ‘information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information about a person’s health or sex life’. The processing of sensitive data is allowed by the envisaged agreement but, for the AG, this is not acceptable as it creates a risk of stigmatization (para. 222). What is more, the fact that these data are excluded from the PNR agreement with Australia shows that the transfer of sensitive data is not necessary to pursue the objective of the scheme (para. 222). This appreciation of the AG is a direct consequence of the first of the three principles he established.

Still on the categories of data, the opinion brushes away the criticism of both the EP and the Article 29 data protection Working Party requesting evidence that the transfer of less data, for example only of API, is not sufficient to meet the objective of the proposed agreement. According to the AG, ‘data of that type does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API data […] are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged’ (para. 214).

Even though all these data are transferred to the Canadian authority irrespective of any indication that the persons concerned may have a connection with terrorism or serious transnational crime (para. 215), the purpose of PNR schemes is to identify persons who were ‘not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security’ (para. 216). For the AG, bulk transfers of data are then necessary. However, he considers the definition of certain categories of data as too vague. For example, heading 17 of the annex, on ‘general remarks’, covers all ‘supplementary information apart from that listed elsewhere in the annex to the agreement envisaged’ (para. 217). Consequently, it is likely that air carriers will transfer all the data that they own, and not only the data that are necessary for Canadian authorities (para. 220).

In addition, the AG’s opinion considers that the scope ratione personae of the agreement envisaged is not too broad and that the massive and indiscriminate transfer of personal data is necessary. If, in theory, it could be possible to imagine a PNR data transfer system which distinguishes passengers according to specific criteria, these systems would never be as effective as PNR data schemes in combating terrorism and serious transnational crime (para. 243). The AG also underlines that consumers of commercial flights voluntarily use a mode of transportation ‘which is itself, repeatedly, unfortunately, a vehicle or a victim of terrorism or serious transnational crime, which requires the adoption of measures ensuring a high level of security for all passengers’ (para. 242).

These first considerations are very important as they show that in principle, for the AG, massive transfer and processing of PNR data is not disproportionate as such. If the undifferentiated and general nature of the retention of the data of any person using electronic communications in the Union was one of the main reasons why Directive 2006/24/EC was considered as going beyond what was strictly necessary (para. 59 of the DRI case), such data retention schemes are possible as long as they respect strict conditions (see the opinion of AG Saugmandsgaard Øe on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, commented on this blog). The fact that AG Mengozzi accepts the principle of large scale transfer of PNR data is thus not so surprising.

Once this step was made and given the specificity of the case, he needed to create specific conditions under which PNR schemes are proportionate. In addition to the loopholes already explained, these conditions are further elaborated in the two remaining important points of the opinion.

The second important point is that the agreement envisaged should justify the duration of data retention. The AG regrets that the agreement envisaged ‘does not indicate the objective reasons that led the contracting parties to increase the PNR data retention period to a maximum of five years’ (para. 279). He adds that such a long period of retention of the data exceeds what is necessary, particularly because all the data are retained for the same duration (para. 284) and because the masking procedure is incomplete and does not fully ensure the depersonalization of the data (para. 287).

This point is significant as this is the only element in the AG’s opinion which is very critical of PNR schemes in general and which puts the PNR directive at risk. This question was also a key issue in the DRI case. In Directive 2006/24/EC the data retention period of a maximum of two years without distinguishing categories of data on the basis of their usefulness was not based on objective criteria and was therefore excessive (para. 64 of the DRI case). This threatens the validity of the PNR Directive. Indeed, Article 12 (1) of this Directive provides for a duration of five years, without distinguishing categories of data and explaining the reasons for such a long retention. Noticeably, its depersonalisation procedure seems more in line with the assessment of the AG, particularly because more data elements are masked (Article 12 (2) of the Directive, para. 287 of the AG opinion).

The last important point relates to the serious doubt of the AG concerning the level of protection granted by Canada. The opinion is indeed the most critical when it comes to the international nature of the agreement. This is not that surprising given that the Court recently adopted a very demanding position on bulk transfers of data to third countries (in the case Schrems, commented on this blog here). The AG acknowledges that the Court ‘cannot express a view on the legislation or the practice of a third country’ (para. 163). However, the terms of the agreement themselves should have been formulated in such a way that no discretion would be left to Canadian authorities as for the applicable level of protection (para. 164).

For the AG, the access to the data and the use of the transferred data by Canadian authorities is not sufficiently regulated in the envisaged agreement. It leaves to Canada the entire discretion to determine what officials and what competent authorities are allowed to access the data (paras. 250 and 267). Similarly, the envisaged agreement does not stick to a strict principle of purpose limitation as the processing of PNR data is not strictly limited to the fight against terrorism and serious crime (paras 236-237). This is aggravated by the fact that the offences which belong to the categories of terrorism and serious crime are not exhaustively listed (para. 235). Concerning the use of the data, the AG considers that the possibilities of disclosure and subsequent transfer of the PNR data is not sufficiently framed. Indeed, Articles 18 and 19 of the agreement envisaged allow the disclosure and subsequent transfer of the PNR data to other government authorities in Canada and could be used to circumvent the level of protection afforded in the EU (para. 296). As a matter of fact, no independent authority or judge would check the appreciation of the Canadian competent authority that the authority to which the data are transferred can afford an equivalent level of protection (para. 300). The AG concludes that all these points need to be more detailed in the agreement in order to make sure that the level of protection of data ensured in Canada is equivalent to the level of protection ensured in the European Union. Following the previous case law of the Court, particularly the DRI case, the level of protection ensured in the EU is quite demanding and the respect of same level of protection has to be ensured before transferring personal data to third countries (see in particular para. 96 in Schrems).

Finally, the AG points out that the mechanism for detection and review of any violations of the rules of the agreement envisaged affording protection of passengers’ privacy and personal data is not effective because it does not belong to a fully independent and impartial supervisory authority (para. 315). This last point reminds the Commission that the mechanisms of control in the third country must be insured by a sufficiently independent body. This reminder is interesting as the new ‘privacy shield’ replacing the safe harbor is criticized for providing a right to review only through an ombudsman whose independence and powers are questionable.

Some comments

In his reasoning, the AG addresses issues linked to the very nature of PNR schemes and the solutions he proposes do not threaten the principle of PNR schemes. Even though this opinion could seem at first disappointing for those who were expecting the AG to condemn PNR schemes, it appears that this ‘implicit acceptance’ of PNR schemes follows the general principles created by the Court but simply innovates and addresses the new issues that had not been addressed so far with more consideration for the necessity to provide for effective tools to fight terrorism and serious crime.

Even though a lot of questions had to be addressed by the AG, there is one which is of paramount importance. Ever since its DRI case, the Court has developed a strong focus on the guarantees concerning the access to personal data by law enforcement authorities and the AG had to adapt the requirements of the Court to PNR schemes. The attempt of the AG to adapt the standard of the ‘reasonable suspicion’ shows that the applicability of guarantees to law enforcement authorities’ access to data from different data retention schemes is a question which would deserve more attention. Generally speaking, the ECtHR considers that to assess the existence of a reasonable suspicion, it is necessary to check ‘whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security’ (para. 260 of the case Zakharov v. Russia). The problem with PNR schemes is that the suspicion is not prior to the collection and processing of PNR data but discovered as a result of this collection and processing.

This question differs from the ones the Court has previously addressed in its case law, in particular in the DRI case. However, such an issue also exists in other areas. For instance, based on the European system of prevention of money laundering and terrorist financing, financial institutions have to monitor the transactions of all their clients and have the duty to report suspicious transactions. The control of suspicious transactions by these financial institutions also relies on mechanisms of data mining. The processing of personal data is made by private parties, namely financial institutions. Law enforcement authorities can in theory only obtain these data once financial institutions have reported a suspicion (this is, however, something that the Commission would like to change in order to facilitate the access to the data for the Financial Intelligence Units, see its proposal). Consequently, only the financial institutions, which collect anyways these data for the purpose of their economic activities and are subjected to the data protection framework provided for by Directive 95/46/EC, can access these data. This appears to be a safeguard against abusive access from law enforcement authorities. As a matter of fact, when law enforcement authorities access the personal data, after a report from a financial institution, there is already a degree of suspicion. This is probably more in line with the standard of ‘reasonable suspicion’. However, in this field, too, there is a massive collection of personal data which are analysed mainly through data mining procedures in order to discover suspicious transactions.

For PNR data, according to the agreement with Canada as well as for the new PNR Directive, air carriers companies do not have to analyse the data by themselves, but have to transfer all the data respectively to the Canada Border Services Agency or to the new ‘Passenger Information Units’ which will analyse all these data, through data mining procedures. From this data processing suspicions will then emerge which will be further analysed by law enforcement authorities.

Those two examples show that personal data are not only used a posteriori, once criminal investigations are open when a suspicion already exists but are also used for data mining processes with the purpose of discovering new suspicions. It might be that there is a difference based on whether private parties or public authorities are in charge of the data mining procedures. However, in both cases there is no previous ‘reasonable suspicion’; suspicions emerge following a massive monitoring of personal data. At the end of the day, once the principle of massive surveillance schemes based on data mining mechanisms is considered to be acceptable as such, the standard of the ‘reasonable suspicion’ is overrun and has to be replaced by principles and other guarantees preventing any abuse, provided that this is possible. Are the three principles proposed by the AG sufficient? Hopefully the Court will address this key issue in a clear and detailed way.

Note: the author was not involved in the preparation of AG Mengozzi’s Opinion during his internship at the CJEU.