Aug 12017

CJEU Rules on EU-Canadian Passenger Name Record Agreement; Data Retention Possible; Detailed Court Scrutiny to Ensure Proportionality

Cameron F. Kerry, Jacques Bourgeois and Maarten Meulenbelt
, , , ,

On 26 July 2017, the Court of Justice of the EU (“Court”) issued its Opinion on the proposed EU-Canada Agreement on the transfer and processing of Passenger Name Record data (“PNR Data”).  The opinion, issued by the Court’s Grand Chamber, confirms that the Court accepts the necessity of processing large amounts of personal data to protect against terrorism in general.  However, in order to ensure compliance with the EU Charter of Fundamental Rights (“the Charter”), the Court will scrutinize the details of any EU legislative act to ensure that no data are retained or accessed without a clear link to the underlying justification of combating terrorism.

Implications

The opinion will have important implications for the proposed Agreement with Canada, but also for the Agreements that the EU had previously concluded with the US and Australia, as well as for upcoming cases dealing with surveillance.

The implications of the Court’s rulings, set out in more detail below, are clear.  First, third countries negotiating with the EU are facing a “moving target”:  the Court took into account various judgments and a Directive adopted after the EU-Canada Agreement was agreed and submitted to the Court for review.   Second, the opinion helpfully confirms that the Court recognizes the need to combat terrorism, noting in particular that Article 6 of the Charter (the “right to liberty and security of person”) can justify the processing of personal data.  Third, the Court nevertheless will not hesitate to scrutinize every detail of an EU act submitted to it for review as a potential violation of fundamental rights under the Charter.

Background

In line with earlier judgments on data protection, the Court recognized that the transfer of PNR data and the conditions concerning its retention, use and transfer to other EU or foreign authorities constitute interference with the right to privacy and data protection guaranteed in Articles 7 and 8 of the Charter.  The Court, however, noted that the purpose of the PNR Agreement is to ensure the security and the safety of the public through facilitating the transfer and use of PNR data by Canadian authorities, and prescribes the means to protect the PNR data during such processing.  The Agreement aims to achieve the objective of security and safety by seeking to “prevent, combat, repress and eliminate terrorism and terrorist-related offences, as well as serious transnational crime.” This, according to the Court, is an objective of general interest of the EU that is capable of justifying even serious interferences with the fundamental rights enshrined in the Charter.

In assessing whether the Agreement does justify interferences with the right to privacy, the Court considered that the nature of the information is limited to certain aspects of private life, that the Agreement limits the purposes for which PNR data may be processed, and that rules are provided to ensure the security, confidentiality and integrity of the data and to protect it against unlawful access and processing.

The Court then reviewed the necessity and proportionality of various interferences contemplated by the Agreement.  It concluded that:

  • The Agreement is incompatible with Charter insofar as it does not preclude the transfer, use and retention of “sensitive data” within the meaning of the Agreement (information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about a person’s health or sex life).  In reaching this conclusion, the Court took into account that EU’s own Directive on PNR data (Directive (EU) 2015/681) does not permit the retention of sensitive data.
  • In order to be compatible with the Charter, the Agreement must be amended on a number of points.  This includes determining precisely the PNR data subject to processing; ensuring that an “individual re-examination” takes place before an individual measure is taken against any individual who is selected on the basis of automated processing of PNR data; making the use of the data by the Canadian Competent Authority and its disclosure to other authorities subject to substantive and procedural conditions, generally limiting the retention of PNR data; subjecting the disclosure of PNR data to a third country to the condition that there be either an agreement between the EU and the third country equivalent to the Canada-EU Agreement (or a decision of the European Commission finding that the third-country ensures an “adequate level of protection”); providing for a right to individual notification for air passengers after completion of investigations; and guaranteeing that the oversight of the rules of the Agreement will be carried out by an independent supervisory authority.  The Court’s review was remarkably detailed in this respect.  For example, the Court criticized every single open-ended item on a list of data to be transferred.

The opinion is available here.

Cameron F. Kerry

ckerry@sidley.com

Jacques Bourgeois

Brussels

jbourgeois@sidley.com

Maarten Meulenbelt

Brussels

mmeulenbelt@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.