Brussels, Belgium – This morning, Paolo Mengozzi, Advocate General of the Court of Justice of the European Union, indicated that, in its current form, the EU-Canada Passenger Name Records (PNR) agreement — an air passenger data sharing deal — may be illegal under EU law and could not therefore be signed by the European Union. The release of the Advocate General’s opinion is the first step in the case brought before the CJEU in November 2014 by the EU Parliament to assess the compatibility of the PNR agreement with rights guaranteed under EU treaties, in particular the rights to privacy and data protection. The first PNR agreement with Canada was concluded in 2006, and was being re-negotiated when the parliament decided to send it for review by the court.
The opinion establishes that a PNR agreement could be legal under EU law if a series of safeguards are put in place. However, the EU-Canada proposed deal fails to provide such safeguards and includes provisions that “are contrary to the EU Charter of Fundamental Rights”. Often described as the “least intrusive” PNR agreement, the shortcomings of the EU-Canada agreement put into question the validity of all existing PNR agreements and of the EU PNR Directive.
“Advocate General Mengozzi’s confirmation that the EU-Canada PNR agreement may be illegal is a milestone towards invalidating this and the other rights-harming PNR agreements now in place,” said Estelle Massé, Senior Policy Analyst at Access Now. “The necessity and proportionality of these instruments has never been demonstrated, and yet, they have been in place for years.”
PNR, or Passenger Name Records, contain information about a passenger’s flight details, including itinerary, contact details, forms of payment, accompanying guests, and more. All this information is stored in airlines’ databases for commercial purposes. While collecting the information may be necessary for an airline or travel agent to proceed with a reservation, it is usually deleted after the flights.
However, PNR data is regarded as potentially useful for the undefined purposes of the “prevention, detection, investigation or prosecution of terrorist offences or serious transnational crime.” So for at least the past ten years, governments have been seeking access to the information through far-reaching agreements that establish excessive data retention mandates.
Currently, the EU has negotiated PNR data-sharing arrangements with
– United States, to allow retention of PNR data for up to 15 years;
– Australia, with a retention period of up to 5 and a half years; and
– Canada, with the proposed deal that the Advocate General commented on today, which foresees an up to 5 year retention period.
The EU has also recently adopted its own internal PNR framework which allows for a maximum retention period of 5 years. When passenger information is indiscriminately collected and retained for lengthy periods of time without appropriate safeguards, it makes it vulnerable to data theft, misuse, or abuse, with potential personal harms ranging from credit card fraud to government profiling and surveillance.
“We urge the EU institutions to assess the validity of all PNR agreements and of its recently adopted EU PNR Directive.” added Massé.
The Advocate General’s opinion helps the CJEU in coming to its final ruling, which it is expected to announce in the next few months. We hope the court will confirm the Advocate General’s findings and render a ruling invalidating the EU-Canada PNR agreement.
For more information on PNR, please see:
Estelle Massé, Senior Policy Analyst