Privacy & Information Security Law Blog

On September 8, 2016, Advocate General Paolo Mengozzi of the Court of Justice of the European Union (“CJEU”) issued his Opinion on the compatibility of the draft agreement between Canada and the European Union on the transfer of passenger name record data (“PNR Agreement”) with the Charter of Fundamental Rights of the European Union (“EU Charter”). This is the first time that the CJEU has been called upon to issue a ruling on the compatibility of a draft international agreement with the EU Charter.

Background

Starting in May 2010, the EU and Canada negotiated a PNR Agreement. The PNR Agreement provides that PNR data, which is collected from passengers for the purpose of reserving flights between Canada and the EU, is to be transferred to competent Canadian authorities and then used, retained and, where appropriate, further disclosed to prevent and detect terrorist offenses and other serious transnational criminal offenses. PNR data under the PNR Agreement includes passenger travel habits, payment details, dietary requirements and other information that might contain sensitive data on a passenger’s health, ethnic origin or religious beliefs.

Similar agreements were signed and concluded by the EU with the U.S. and Australia with the approval of the European Parliament. Although the draft PNR Agreement with Canada was signed on June 25, 2014, the European Parliament decided to refer the matter to the CJEU on account of concerns that the draft PNR Agreement could violate fundamental rights enshrined in the EU Charter and, in particular, the right to respect for privacy and the protection of personal data.

Opinion

In substance, the Advocate General found that, as currently drafted, certain provisions of the draft PNR Agreement were clearly incompatible with the EU Charter. This incompatibility resulted from (1) Canada’s ability to process PNR data beyond what it is strictly necessary and independent of the stated purposes of the PNR Agreement; (2) the processing, use and retention by Canada of PNR data containing sensitive data; (3) the retention of PNR data for a maximum of five years without referring to the purpose pursued by the agreement; and (4) a lack of safeguards and oversight mechanisms for the subsequent transfer of PNR data to other foreign authorities. The Advocate General posited that in order for the draft PNR Agreement to be compatible with the EU Charter, it would need to be amended to provide certain guarantees, including a clear and precise rendering of the categories of PNR data included within the scope of the PNR Agreement, an exclusion of sensitive data from the scope of the PNR Agreement, and limiting the number of ‘targeted’ persons to those individuals who can reasonably be suspected of participating in a terrorist offense or serious transnational crime.

The Advocate General issued the Opinion in light of the CJEU’s decisions in the Digital Rights Ireland and Schrems cases, which invalidated the Data Retention Directive and the European Commission’s Safe Harbor adequacy decision, respectively. While the Advocate General’s Opinion is not binding on the CJEU, the court’s judgments have historically tended to follow the Advocate General’s stated views. It remains to be seen how this Opinion will impact existing PNR Agreements the EU has in place with the U.S. and Australia.