By Dan Cooper and Rosie Klement
On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”). The Agreement was signed in 2014, but the CJEU was asked to determine whether it was compatible with EU data protection law before it is approved by the European Parliament.
The Opinion concluded that a number of provisions relating to the transfer of PNR data – particularly sensitive data – are incompatible with the EU Data Protection Directive (Directive 95/46) and the fundamental rights to privacy and data protection, and the protection against discrimination, under Articles 7, 8 and 21 of the EU Charter of Fundamental Rights (the “Charter”), meaning the Agreement must be renegotiated before it enters into force.
Background to the PNR Agreement
The proposed Agreement permits air carriers operating between the EU and Canada to transfer PNR data of all air passengers to the Canada Border Services Agency (the “Canadian Competent Authority”), where the data may be used, retained for up to 5 years, or transferred to other authorities and other third countries, for the purposes of ensuring public security and combating terrorism and serious transnational crime.
PNR data includes a significant amount of personal data, such as an individual’s name, contact details, passport or other ID number, nationality, and financial payment information. It may also include sensitive personal data, such as data relating to an individual’s health or religious beliefs. Under EU data protection laws, personal data can only be transferred to third countries if those countries ensure a level of protection of personal data that is “adequate” (i.e., “essentially equivalent” to the EU regime).
The Opinion of the CJEU in relation to the transfer of the PNR data
The CJEU found that the transfer and subsequent processing of PNR data under the Agreement entailed “wide-ranging and particularly serious interferences” with Article 8 of the Charter, as very precise conclusions about an identifiable individual’s private life could be drawn from the data. The CJEU identified the following necessary amendments to the Agreement, based on incompatibilities with EU law:
- Categories of data – define more clearly and precisely certain categories (e.g. “all available contact information”) of the PNR data to be transferred;
- Purpose of processing – provide that the Canadian Competent Authority and other recipients of the PNR data will only be able to use this data in relation to the fight against terrorism and serious transnational crime;
- Safeguarding international transfers – limit transfers of PNR data to non-EU countries that have agreements with the EU equivalent to the proposed Agreement or else benefit from an EU Commission adequacy decision; and
- Notice to data subjects – specify that passengers are notified of the transfer of their PNR data to Canada and other third parties (and of its use), as soon as such notice will no longer jeopardise any investigations carried out in pursuit of the Agreement’s objective.
Transfer of sensitive personal data
In relation to the transfer of sensitive data, the CJEU found that the Agreement was incompatible with the Charter as it did not preclude the transfer of sensitive data (and its use and retention). Sensitive data is defined by the EU Data Protection Directive as “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”
The CJEU advised that any measure carried out on the basis of a characteristic identified as “sensitive,” in pursuit of the Agreement’s objective, would infringe Articles 7 and 8 of the Charter, read in conjunction with the protection against discrimination under Article 21. Having regard to the risk that data may be processed contrary to Article 21, the CJEU concluded that a transfer of sensitive data to Canada would require a “precise and particularly solid justification.” Such justification must be based on grounds other than the protection of public security against terrorism and serious transnational crime. The CJEU found that the Agreement contained no such justification and also pointed out that the processing of sensitive data is prohibited under the EU Directive on the use of PNR data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crime ((EU) 2016/681).
Impact of the CJEU’s Opinion
The requirements for adequacy set out in the CJEU’s Opinion will be relevant to the EU Commission’s ongoing assessment of the EU-U.S. Privacy Shield, and the challenge to the EU model contractual clauses, currently before the Irish High Court. Now that the requirement for a “solid justification” has been highlighted by the CJEU, the EU Commission may seek to identify suitable justifications for the transfer of sensitive data during its review of the Privacy Shield. The Privacy Shield may need further negotiation and amendment if such a justification is not identified, but will remain valid unless the EU Commission or the CJEU finds it to be inadequate.
The UK Government should also take note of the amendments recommended by the CJEU, as these will be pertinent to its negotiations with the EU for data transfers following Brexit.