PNR Agreements between Fundamental Rights and National Security: Opinion 1/15

On July 26, 2017, the European Court of Justice (ECJ) issued Opinion 1/15 (the Opinion of the Advocate General on this case had been discussed previously in this blog, part I and part II) pursuant to Article 218(11) TFEU on the draft agreement between Canada and the European Union (EU) dealing with the Transfer of Passenger Name Record (PNR) data from the EU to Canada. The draft agreement was referred to the ECJ by the European Parliament (EP) on January 30, 2015. The envisaged agreement would regulate the exchange and processing of PNR data – which reveals passengers’ personal information, itinerary, travel preferences and habits – between the EU and Canada. The adoption of the agreement is crucial because, according to Article 25 of Directive 95/46/EC as interpreted in the Schrems decision (commented here), the transfer of data to a third country (discussed here) is possible only if such country ensures an “adequate level of protection.” This standard can be testified by an “adequacy decision” of the European Commission or, alternatively, by international commitments in place between non-EU countries and the EU – as the one examined by the ECJ in this Opinion.

Not surprisingly, the leitmotiv of the Court’s Opinion is the challenging balance between liberty and security. Maintaining a realistic perspective, the Court considered mass surveillance tolerable at least in theory, because it is a necessary and useful tool for the prevention of terrorism. Yet, it insisted that there should be very strict rules as to the concrete implementation of such surveillance. For this reason, it found some provisions of the draft agreement incompatible with Articles 7 (privacy) and 8 (data protection), in conjunction with Article 52 (principle of proportionality) of the Charter of Fundamental Rights of the European Union (CFREU).

As a result, the agreement cannot be adopted in the current form and the EU institutions will have to renegotiate it with Canada. For sure, this renegotiation will prove to be challenging. Nevertheless, as the analysis below will show, the Luxembourg judges, by addressing particularly technical issues of the agreement, provided a detailed set of guidelines that, if respected, would ideally preserve fundamental rights – in this case, the right to privacy and to data protection – without undermining public security. Through a smooth and refined reasoning, the Court’s decision indeed suggests potential solutions to amend the draft agreement in a way that is compliant with the CFREU and, ultimately, the rule of law.

The legal basis

The Opinion can be divided into two parts, in accordance with the structure of the EP’s request, which are respectively focused on procedural and substantive aspects. The former deals with the legal basis for the Council’s decision on the signature of the agreement (such decision is necessary pursuant to the procedure provided by the TFEU for the adoption of international agreements between the EU and third countries). The latter addresses the merits of the agreement, assessing its compatibility of the aforementioned provisions with the CFREU.

As to the first issue, the ECJ agreed with the EP that, contrary to what the Council claimed, the decision could not be based on Article 82(1)(d) TFEU (judicial cooperation), as none of the provisions of the agreement envisages a facilitation of judicial cooperation. Moreover, the Canadian authority in charge of the use of PNR data is not a judicial authority, nor equivalent to it (para 103). By contrast, the Court considered that Article 87(2)(a) TFEU (the other legal basis invoked by the Council) was a proper legal basis, as the agreement deals with police cooperation. In addition, it agreed with the EP’s argument that the decision also had to be based on Article 16 TFEU, guaranteeing the right to data protection, because the agreement has two aims: ensuring public security through the transfer of PNR data and protecting PNR data when transferred.

The CJEU’s approach to the legal basis of the decision authorising the signature of the agreement has substantive implications. In other words, underlining the double purpose of the agreement (i.e. public security, on the one hand, and data protection, on the other hand), even in relation to procedural matters, the ECJ anticipated the subsequent reasoning on the merits, based on a balancing effort seeking to balance security with fundamental rights.

Addressing the merits of the agreement

In the second part of the Opinion the ECJ, ruling for the first time on the compatibility of a draft international agreement with the CFREU (notably taken  as the sole parameter for decision), basically followed the typical structure of the proportionality test. In particular, taking into consideration all provisions of the agreement, the ECJ assessed whether (or not) there is an interference with above-mentioned fundamental rights to privacy and to data protection; whether (or not) such interference is justified in light of an objective of general interest; and whether (or not) such interference is proportional.

According to the Court, the agreement prima facie was contrary to the rights guaranteed by Articles 7 and 8 of the CFREU. Next, it argued that, in principle, such an infringement could be justified on grounds of public security. Nonetheless, in the most interesting part of its reasoning, the Court considered that the measures contained by the draft agreement were not limited to what is strictly necessary (proportionality test stricto sensu) and therefore not acceptable.

To this end, the ECJ analysed each provision of the envisaged agreement to determine whether they were clear and precise enough to be limited to what is strictly necessary.

First, the ECJ found that some headings of the agreement do not specify concerned PNR data in a clear and precise manner (for example, the line referring to “all available contact information”, which does not specify what type of contact information is covered; but see also paras 157 ff. of the Opinion for other specific examples). Furthermore, the provision stating that PNR data that is not listed cannot be subjected to the rules of the agreement is not sufficient to bypass the lack of precision.

In addition to this argument, sensitive data (such as those revealing ethnic origins, political opinion, religious belief, etc.) cannot be transferred to Canada pursuant to the agreement without a solid justification. Notably, the Court does not consider the prevention of terrorism – at least if only generically invoked, as in the present case – as a sufficiently good reason to transfer sensitive data. Moreover, the ECJ noted that the PNR Directive (Directive (EU) 2016/681) – applicable to the intra-EU situation and used as a basis for comparison – prohibits the processing of sensitive data.

Second, even if, according to the draft agreement, the automated processing of data is followed by a non-automated phase, the ECJ warned that databases with which data is cross-checked should be “reliable, up to date and limited to databases used by Canada in relation to the fight against terrorism and serious transnational crime.” (para 172).

Third, the ECJ focused on definitions. It held that the definition of “terrorist offence” is clear and precise, as well as the definition of “serious transnational crime”, since they are both listed by the agreement. Nonetheless, the agreement says that PNR data can be processed, in exceptional circumstances, also for “other purposes” (e.g. protecting the vital interest of an individual). According to the CJEU, such cases are not defined in a clear and precise manner (paras 179-181). In other words, the draft agreement violates the principle of purpose limitation.

Fourth, in line with its earlier case law, the ECJ also heavily criticised the data retention mechanisms contained by the draft agreement. It recalled that, according to the Schrems and Tele2 Sverige decisions (discussed here and here), there should be a connection between the retention of personal data and the objective pursued. This connection should be established by way of objective criteria, which should result in the existence of substantive and procedural conditions governing the use of data. In light of this case law, the draft agreement is problematic in several respects. Firstly, it provides that all data must be retained for 5 years from the moment of collection. While the data must be masked after 30 days, it is still possible, in specific circumstances – i.e., according to Article 4 of the draft agreement, when it is necessary to carry out investigations –, to unmask it. Secondly, data can be retained and used both before the arrival of the passengers and after their departure. While there is a connection between the retention and use before passengers’ arrival and the objective pursued, there is no clear link between data retention during the stay of passenger’s in Canada and its use. According the ECJ, there should be a review by a court or by an independent administrative body in order to use that data. As the agreement does not provide such review, the use of data is not limited to what is strictly necessary (paras 201-203). Thirdly, the Court found that the retention and use of data after the passengers’ departure is not justified because such data has already been checked and verified: it would not be necessary to continue to store it, unless there are specific reasons to do so. Such reasons consist of “objective evidence […] from which it may be inferred that certain air passengers may present a risk in terms of the fight against terrorism and serious transnational crime even after their departure from Canada” (para 207). It is remarkable, though, that the ECJ did not address the envisaged retention period, contrarily to what it had done in other judgments (i.e. Digital Rights, commented here and whose implications are discussed here).

Fifth, the CJEU addressed provisions of the agreement allowing disclosure to government authorities (both Canadian and of other third countries) and to individuals. The ECJ found that disclosure to Canadian authorities is not limited to what is strictly necessary, because there is no obligation to disclose the data in compliance with the conditions governing the use of data. Those conditions had been specifically laid down in Tele2 Sverige and consist of subjecting the use of data to a prior review – except for cases of urgency – by a court or an independent administrative body, to which the competent authority submit a “reasoned request” (para 202). In addition, and with regards to third countries, no provisions require an essentially equivalent level of protection (as imposed by Directive 95/46/EC). Therefore, EU safeguards are likely to be circumvented (paras 215). As to individuals, according to the agreement, data can be disclosed to them when their “legitimated interests” are at stake. However, the text does not specify what the legal requirements and limitations are, neither what kind of interests can be concerned, nor what the purposes and guarantees are. Therefore, this clause too is not limited to what is strictly necessary.

After this proportionality test, the ECJ moved on to the guarantees for passengers’ fundamental rights and the oversight mechanisms of the exchange and processing of PNR data. As to the former aspect, the ECJ acknowledged that the wording of the provisions on the rights to information, access and rectification is too generic, lacking in particular any obligations to individually notify passengers of the transfer of their PNR data and of its use (para 221). The competent Canadian authority is indeed only bound to make certain information available on its website. Therefore, the ECJ insisted that a mechanism of individual notification should instead exist (para 225). As to the latter aspect, i.e. oversight, the Court recalled that Article 8 CFREU requires oversight by an independent authority on the processing and use of personal data. Yet, the draft agreement states that data protection safeguards will be subject to the oversight of an “independent public authority” or of an “authority created by administrative means that exercised its functions in an impartial manner and that has proven a record of autonomy.” According to the ECJ, such alternative formulation implies that the oversight, or at least some of its stages, may hypothetically be carried out by an entity that is not completely independent and therefore does not sufficiently guarantee the respect of passengers’ rights to privacy and data protection (para 230).

To sum up, the ECJ theoretically legitimated mass surveillance, but, as to its concrete implementation, it provided for such strict requirements that, quite paradoxically, they are difficult to be applied in practice.

Opinion 1/15’s implications

The above analysis shows that the ECJ has given quite precise guidelines on how the agreement should be re-drafted in order to be compatible with the CFREU. In October 2017, the Commission issued a recommendation for a Council decision on the reopening of negotiations on a new agreement with Canada “in line with the requirements laid down by the Court’s Opinion.” We are still waiting for the reactions of EU institutions on the political scenario, since a new version of the agreement has not been concluded yet. More importantly, Opinion 1/15 may also affect international agreements on PNR in place between the EU and other third countries, such as those concluded with the US or Australia; these agreements appear quite far from meeting the requirements laid down by the ECJ. Furthermore, this decision is highly likely to influence negotiations of other PNR agreements, such as those forthcoming with Mexico, Argentina and Japan, which have not been concluded yet. Notably, agreements with such countries are indeed more difficult to be concluded per se, due to big differences in those countries’ legal systems; it is unquestionable that the need to comply with strict conditions laid down by the ECJ adds a further element of complexity. In sum, on the one hand, Opinion 1/15 undoubtedly presented a step forward for the protection of privacy and data protection even in stressful times, in which the impending terrorist threat does not allow a condition of normalcy, but, at the same time, did not trigger – in most of cases – a formal situation of crisis. On the other hand, the decision may have a significant impact on the relationship between the different institutions. This is due to the fact that the ECJ, in some parts of its reasoning, ruled on very specific and technical matters, even criticising the wording of the agreement. In doing so, it behaviour is similar to that of a legislative body, concretely drafting and amending a normative text. Indeed, it could even be said that it was “forced” to do so by the EP, which, perhaps wishing to avoid the political responsibility of rejecting the agreement, “shifted” it to the Court.

What has still to be assessed is whether all this will result in a better balance between rights and security. Hopefully, it will be so.