On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that that the Passenger Name Record (“PNR”) Directive’s provisions providing for  the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”).  However, the CJEU also decided that the PNR Directive limits the way in which Member State laws transpose some of its provisions, particularly in relation to the collection of passenger information for intra-EU flights.  Its decision will require Belgium to amend its law transposing the PNR Directive, mainly in relation to the PNR data competent authorities may receive and how they can process this data.  It is likely to indirectly impact air carriers and tour operators operating in Belgium, as it will reduce the amount of data they need to share with competent authorities under such a revised legal framework.

The CJEU decision also considers, as well, Member State laws transposing (1) the Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (API Directive) and (2) Directive 2010/65/EU on reporting formalities for ships arriving in and/or departing from ports of the Member States.

The case was lodged on October 31, 2019, by the non-profit organization Ligue des Droits Humainsbefore the Belgian courts in relation to the Belgian law transposing the PNR and API Directives.  The Belgian Constitutional Court referred certain questions to the CJEU.

The CJEU decided the following:

  • that the General Data Protection Regulation (“GDPR”) applies to (1) private entities processing personal data according to these directives and (2) public authorities processing personal data according to Directive 2004/82/EC and Directive 2010/65/EU, while other processing operations conducted by competent national authorities and national passenger information units (“PIUs”) may be subject to Directive 216/680, the GDPR’s “twin” that regulates the processing of data by public authorities strictly for law enforcement purposes;
  • that although the PNR Directive entails an “undeniably serious interference” with the fundamental rights of the Charter calling for (1) respect for private and family life and (2) protection of personal data, the PNR Directive is compatible with the Charter if EU Member States interpret its provisions in light of the Charter;
  • that Member States may not adopt laws that:
    • authorize the processing of PNR data (collected in accordance with the Directive) for purposes other than those expressly mentioned in the Directive, including the processing of PNR data by its intelligence and security services for monitoring purposes;
    • allow PIUs to approve the disclosure of PNR data to law enforcement authorities upon the expiry of the six month data retention period set out by the Directive;  such approval can only be given by another authority or court, which has the independence and impartiality required to carry out the prior review of the law enforcement authorities’ request to access the PNR data;
    • requiring PIUs to retain PNR data of all air passengers for five years;
    • require air carriers and tour operators to transfer to the PIUs PNR data of all flights and transport operations between EU Members States;
  • that Member States may:
    • only require air carriers and tour operators to transfer to competent authorities PNR data of flights and/or transport operations relating, among others, to certain selected routes or travel patterns or to certain airports, stations or seaports for which there are indications that such processing is necessary and proportionate for the purpose of combating terrorist offences and serious crime; and
    • not require the transfer of PNR data to competent authorities for the purposes of improving external border controls and combating illegal immigration; this is one of the processing purposes of Council Directive 2004/82/EC, which has a different scope of application;
  • that Directive 2004/82/EC only applies to flights between an EU Member State and a non-EU Member State and not to flights between EU Member States; and
  • that if a national court decides that a Member State law transposing the PNR Directive is incompatible with this Directive, the court cannot allow that Member State law to remain in effect for a certain period of time for the purpose of ensuring legal certainty. This means that if the Belgian court decides that the Belgian law transposing the Directive is incompatible with the PNR Directive (as it likely will in accordance with this CJEU judgement), the Belgian law ceases to apply immediately.  It is unclear whether the Belgian court will decide the illegality of the entire Belgian law or only some of its provisions.

*                             *                             *

There are currently 48 data protection cases pending before the CJEU.  The Covington team will keep monitoring and reporting on any data protection related judgment issued by the CJEU.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.