An agreement to send Canadian authorities passenger name record (PNR) data for flights from the European Union cannot be entered into in its current form, a top European Union judge has said.
That's because parts of the draft agreement are incompatible with EU citizens' fundamental privacy rights, according to Paolo Mengozzi, Advocate General of the Court of Justice of the EU, in a legal opinion issued Thursday.
His opinion, on a case brought by the European Parliament, is only advisory, and it still remains for the CJEU to make a final ruling on the matter.
But if the court follows his advice, it could disrupt the European Commission's plans for a new directive on the sharing of PNR data among EU member states and with other countries.
The agreement, which the EU and Canada began negotiating in 2010, concerns the transfer of PNR data to Canadian authorities for the purpose of combatting terrorism and other serious transnational crime. The passenger name records concerned contain 19 categories of information, covering the passenger's identity, nationality, address, contact details of the person making the reservation, payment information such as the number of the credit card used to reserve the flight, luggage details, and additional services requested concerning health problems, mobility, or dietary requirements. This might allow authorities to infer information about passengers' ethnic origin or religious beliefs.
The European Parliament refused to give its approval to the deal following its signature by the Council of the EU in 2014, preferring first to seek the opinion of the CJEU on its compatibility with EU laws on privacy and the protection of personal data.
In his opinion, Advocate General Mengozzi found five articles of the agreement incompatible with the provisions of the EU Charter of Fundamental Rights on the right to respect for private and family life, and the right to protection of personal data.
Those articles allow Canada to:
- process PNR data for reasons other than the agreement's public security objectives of preventing and detecting terrorist offenses and serious transnational crime;
- process, use and retain sensitive data;
- make unnecessary disclosures of the information;
- keep the data for up to five years for pretty much any reason, whether or not connected to the prevention of terrorism or serious crime, and
- transfer the data to a third country without being able to prevent that transfer to yet other countries.
Mengozzi identified 11 changes to the agreement needed in order to make it compatible with the charter, including:
- clearly defining the data to be transferred, and excluding sensitive data from the definition;
- exhaustively listing the offenses that constitute serious transnational crime, and
- informing EU member states when information about one of their citizens is passed on to other agencies.
Sign up for MIS Asia eNewsletters.