Border surveillance: what Europe’s “PNR” ruling means for your privacy

When you travel, your fundamental rights are at risk. Governments around the world continue to implement and expand border surveillance measures at the expense of your right to privacy. However, the summer of 2017 delivered some excellent news. On July 26, the Court of Justice of the European Union (CJEU) issued an opinion in a case challenging the validity of the EU-Canada Passenger Name Records (PNR) agreement. The Court found that the data-sharing arrangement does not comport with Europeans’ fundamental rights to privacy, data protection, and non-discrimination. The Court therefore concluded that the European Union cannot sign the agreement in its current form and provided a list of safeguards that must be incorporated into the text.

The ruling is a huge victory for the fundamental rights to privacy and data protection. It has implications well beyond Europe and Canada, since disproportionate government agreements for collecting and retaining passenger travel records impact the privacy of everyone travelling across borders, and the ruling provides grounds for invalidating rights-harming frameworks for the EU, Australia, and the United States.

Below, we take a close look at what the Court said, precisely how the EU-Canada PNR agreement failed to protect our rights, and what the ruling means for other EU PNR agreements, which we show must now be suspended and reformed.

What is PNR?

PNR, or Passenger Name Records, contain information about a passenger’s flight details, including itinerary, contact details, forms of payment, accompanying guests, and more. All this information is stored in airlines’ databases for commercial purposes. PNR data is regarded as potentially useful by law enforcement authorities in the prevention and fight against terrorism and vaguely defined serious crimes. For at least the past 10 years, governments have been seeking access to this information through far-reaching, disproportionate agreements that establish excessive data retention mandates and rely on discriminatory profiling.

The EU Parliament brought the EU-Canada PNR case before the CJEU in November 2014 so the court could assess whether the agreement is compatible with rights guaranteed under EU Treaties and the Charter of Fundamental Rights. The court decision follows the opinion of Advocate General Mengozzi delivered in September 2016.

Currently, the EU has PNR arrangements not only with Canada, but also with the United States and Australia. The EU has also adopted its own internal PNR framework.

What did the Court say?

  • Wrong legal basis

The European Union is a complicated legal beast. To be valid, all EU laws must be based on a specific reference from the EU Treaties, known as “legal basis”. Those are principles and objectives such as data protection or judicial and police cooperation between countries. The Court starts its analysis of the EU-Canada PNR agreement by determining whether the legal basis to authorise the transfer, use, and retention of the data of passengers flying from the EU to Canada is appropriate. The answer is no.

The EU-Canada PNR agreement refers to certain judicial and police cooperation principles as a legal basis, omitting the objectives of data protection and data processing. Using the wrong legal basis for a legislative act is often enough to declare it incompatible with EU law, but the shortcomings of the EU-Canada deal do not stop here.

  • The impact of PNR agreements on people’s lives

The court describes the impact of the collection, use, and length of retention of PNR data on people’s lives. Paragraph 128 of the decision summarises this impact very eloquently (emphasis added):

“even if some of the PNR data, taken in isolation, does not appear to be liable to reveal important information about the private life of the persons concerned, the fact remains that, taken as a whole, the data may, inter alia, reveal a complete travel itinerary, travel habits, relationships existing between air passengers and the financial situation of air passengers, their dietary habits or state of health, and may even provide sensitive information about those passengers,[…]”

The court goes on to explain that the “systematic and continuous transfers” of PNR of all passengers create an interference with the fundamental rights to privacy, data protection, and non-discrimination. The interference is aggravated by the possible collection of sensitive data which might reveal information about a passenger’s ethnicity, race, religious beliefs, or political views, which might result in discriminatory practices at the border. This finding shows the danger of the ongoing government practices around the world to increasingly collect private information about people, in particular when they cross borders.

  • Incompatible with fundamental rights

Despite the intrusiveness of the measures advanced under the EU-Canada PNR agreement, the court indicates that the interference with human rights created by such law could in principle be justified for the purpose of preventing and fighting against terrorism, if safeguards are in place. Not only are these safeguards lacking, but the court also highlighted that neither the Commission nor the EU member states were able to provide evidence regarding the necessity of PNR in the fight against terrorism. The Canadian government did provide data on arrests resulting from the use of PNR data collected from passengers flying between the EU and Canada between April 2014 and March 2015, but at that time, there was technically no PNR data sharing agreement in place. It is therefore unclear whether the arrests that Canada refers to were based on PNR data processed from EU passengers.

Regardless of the existence of concrete evidence, the measures in the agreement must still comply with the principles of necessity and proportionality. This criterion is not met by the EU-Canada PNR agreement.

The agreement fails to protect the rights to privacy, data protection and non-discrimination because:

  1. It fails to clearly limit the use of PNR data (purpose limitation).
  2. It fails to provide for clear rules on data security, data integrity, and confidentiality.
  3. It fails to provide for a clear and precise list of PNR data to be transferred. Sensitive data could be transferred as a result despite a lack of protection for these specific data.
  4. It lacks protection against wrongful profiling. In particular, the agreement does not set criteria to limit the type of databases against which PNR data can be checked. The agreement also does not set specific and reliable criteria on which the profiling should be based to ensure non-discrimination. Finally, the agreement does not foresee the possibility for checking on a profiling analysis to reduce the potential for errors. The Commission and the French government conceded before the Court that a margin of error is inevitable when analyses are based solely on automated analysis and unverified data.
  5. It fails to provide for safeguards established by the EU jurisprudence for the use of data retention measures. The agreement, for instance, applies retention mandates indiscriminately to all travellers, including those that are not considered suspects, and is therefore disproportionate in scope. The agreement also fails to provide for judicial oversight but includes a sufficient guarantee that the data will be erased at the end of the retention period and kept safely.
  6. It fails to ensure that data transferred will be protected at a level that is “essentially equivalent” to the one guaranteed in the EU as the data can potentially be shared with authorities that have not been certified to ensure such level of protection.
  7. It fails to provide for necessary individual rights. While the agreement guarantees a right to remedy, an individual’s rights to access and modify their personal data are not sufficiently guaranteed as they are not properly informed about the processing of their PNR data.
  8. Finally, the agreement fails to provide for a clear and independent mechanism for oversight.

In light of these shortcomings, the EU must go back to the drafting table and incorporate all these safeguards in the EU-Canada PNR agreement to be compatible with fundamental rights.

What is the impact of the ruling on other PNR schemes? They must be suspended.

The landmark decision of the court provides clear guidance and criteria that PNR schemes must comply with in order to be compatible with EU law. In the table below, we have taken a close look at the EU-Australia and EU-USA agreements as well as the EU-PNR Directive to see if they would pass that test. The result is clear: all three of them fail to comply with all or a large number of criteria set by the court and should therefore be suspended immediately.


Next steps: suspend and renegotiate rights-harming PNR agreements

Access Now urges the EU Commission to urgently suspend the EU-USA and EU-Australia agreements and the EU-PNR Directive. Member states must immediately stop the implementation of the EU-PNR Directive. All PNR schemes manifestly fail to meet the criteria set by the Court in the EU-Canada agreement decision and therefore disproportionately interfere with the fundamental rights of travellers.

The court decision also demonstrates the need to closely evaluate the necessity and proportionality of proposed EU legislation, as it is not the first time that proposed measures have been found to violate fundamental rights. Citizens had to wait eight years for the Data Retention Directive to be invalidated, and 15 years for the Safe Harbour to be suspended. While the Court is becoming the fundamental rights watchdog, repairing mistakes from the legislative and executive bodies of the EU, it is impossible for citizens to get reparation for the many years that their human rights have been violated.