Transferring Personal Information Exterior The Eu: Clarification From The Ecj?

Lorna Woods, Professor of Internet Law, University of Essex

Opinion 1/15 EU/Canada PNR Agreement, 26th July 2017

Facts

Canadian law required airlines, inwards the interests of the contend against serious criminal offence as well as terrorism, to render sure information nigh passengers (API/PNR data), which obligation required airlines nether European Union information protection regulations to transfer information to exterior the EU.  The PNR information includes the names of air passengers, the dates of intended travel, the locomote itinerary, as well as information relating to payment as well as baggage. The PNR information may reveal locomote habits, relationships betwixt ii individuals, information on the fiscal province of affairs or the dietary habits of individuals. To regularise the transfer of data, as well as to back upwards law cooperation, the European Union negotiated an understanding alongside Canada specifying the information to hold upwards transferred, the purposes for which the information could hold upwards used, as good as about processing safeguard provisions (e.g. utilization of sensitive data, safety obligations, oversight requirements, access yesteryear passengers).  The information was permitted to hold upwards retained for v years, albeit inwards a depersonalised form.  Further disclosure of the information beyond Canada as well as the Member States was permitted inwards limited circumstances.  The European Parliament requested an sentiment from the Court of Justice nether Article 218(11) TFEU as to whether the understanding satisfied primal human rights standards as well as whether the appropriate Treaty base of operations had been used for the agreement.

Opinion

The Court noted that the understanding vicious inside the EU’s constitutional framework, as well as must hence comply alongside its constitutional principles, including (though this indicate was non made express), abide by for primal human rights (whether as a full general regulation or yesteryear virtue of the European Union Charter – the EUCFR).

After dealing alongside questions of admissibility, the Court addressed the query of appropriate Treaty base. It re-stated existing principles (elaborated, for example, inwards Case C‑263/14 Parliament v Council, judgment xiv June 2016, EU:C:2016:435) alongside regard to selection of Treaty base of operations generally: the selection must ease on objective factors (including the aim as well as the content of that measure) which are amenable to judicial review.  In this context the Court establish that the proposed understanding has ii objectives: safeguarding world security; as well as safeguarding personal information [opinion, para 90].  The Court concluded that the ii objectives were inextricably linked: spell the driver for the ask to PNR information was protection of world security, the transfer of information would hold upwards lawful only if information protection rules were respected [para 94].  Therefore, the understanding should hold upwards based on both Article 16(2) (data protection) as well as Article 87(2)(a) TFEU (police cooperation).  It held, however, that Article 82(1)(d) TFEU (judicial cooperation) could non hold upwards used, partly because judicial authorities were non included inwards the agreement.

Looking at the number of information protection, the Court re-stated the query as beingness ‘on the compatibility of the envisaged understanding with, inwards particular, the correct to abide by for private life as well as the correct to the protection of personal data’ [para 119].  It as well as so commented that although both Article sixteen TFEU as well as Article 8 EUCFR enshrine the correct to information protection, inwards its analysis it would refer to Article 8 only, because that provision lays downward inwards a to a greater extent than specific fashion the atmospheric condition for information processing.  The understanding refers to the processing of information concerning identified individuals, as well as hence may demeanour upon the primal correct to abide by for private life guaranteed inwards Article vii EUCFR as good as the correct to protection to personal information inwards Article 8 EUCFR. The Court re-iterated a number of principles regarding the range of the correct to private life:

‘the communication of personal information to a tertiary party, such as a world authority, constitutes an interference alongside the primal correct enshrined inwards Article 7 of the Charter, whatever the subsequent utilization of the information communicated. The same is truthful of the retentiveness of personal information as well as access to that information alongside a catch to its utilization yesteryear world authorities. In this connection, it does non thing whether the information inwards query relating to private life is sensitive or whether the persons concerned have got been inconvenienced inwards whatever way on line of piece of job organisation human relationship of that interference’ [para 124].

The transfer of PNR information as well as its retentiveness as well as whatever utilization constituted an interference alongside both Article vii [para 125] as well as Article 8 EUCFR [para 126]. In assessing the seriousness of the interference, the Court flagged ‘the systematic as well as continuous’ nature of the PNR system, the insight into private life of individuals, the fact that the arrangement is used as an intelligence tool as well as the length of fourth dimension for which the information is available.

Interferences alongside these rights may hold upwards justified.  Nonetheless, at that topographic point are constraints on whatever justification: Article 8(2)  of the European Union Charter specifies that processing must hold upwards ‘for specified purposes as well as on the footing of the consent of the individual concerned or another legitimate footing put downward yesteryear law’; and, according to Article 52(1) of the European Union Charter, whatever limitation must hold upwards provided for yesteryear law as well as abide by the essence of those rights as well as freedoms. Further, limitations must hold upwards necessary as well as truly come across objectives of full general involvement recognised yesteryear the Union or the ask to protect the rights as well as freedoms of others. 

Following WebMindLicenses (Case C‑419/14, judgment of 17 December 2015, EU:C:2015:832, para 81), the law that permits the interference should also prepare downward the extent of that interference. Proportionality requires that whatever derogation from as well as limitation on the protection of personal information should apply only insofar as is strictly necessary. To this destination as well as to foreclose the peril of abuse, the legislation must prepare downward ‘clear as well as precise rules governing the range as well as application of the mensurate inwards query as well as imposing minimum safeguards’, specifically ‘indicat[ing] inwards what circumstances as well as nether which atmospheric condition a mensurate providing for the processing of such information may hold upwards adopted’ [para 141], especially when automated processing is involved.

The Court considered whether at that topographic point was a legitimate footing for the processing, noting that although passengers may hold upwards said to consent to the processing of PNR data, this consent related to a unlike purpose. The transfer of the PNR information is non conditional on the specific consent of the passengers as well as must hence hold upwards grounded on another basis, inside the price of Article 8(2) EUCFR. The Court rejected the Parliament’s submission that the pregnant of ‘law’ hold upwards restricted to ‘legislative act’ internally. The Court, next the reasoning of the Advocate General, establish that inwards this regard the international understanding was the external equivalent of the legislative act.

In line alongside its previous jurisprudence, the Court accepted that world safety is an objective of world involvement capable of justifying fifty-fifty serious interferences alongside Articles vii as well as 8 EUCFR. It also noted that everybody has the correct to safety of the individual (Art. vi EUCFR), though this indicate was taken no further. The Court considered that PNR information revealed only limited aspects of a person’s private life, so that the essence of the correct was non adversely affected [para 151]. In principle, limitation may as well as so hold upwards possible. The Court accepted that PNR information transfer was appropriate, but non that the essay of necessity was satisfied. It agreed alongside the Advocate General that the categories of information to hold upwards transferred were non sufficiently precise, specifically ‘available frequent flyer as well as do goodness information (free tickets, upgrades, etc.)’, ‘all available contact information (including originator information)’ as well as ‘general remarks including Other Supplementary Information (OSI), Special Service Information (SSI) as well as Special Service Request (SSR) information’. Although the understanding required the Canadian authorities to delete whatever information transferred to them which vicious exterior these categories, this obligation did non compensate for the lack of precision regarding the range of these categories.

The Court noted that the understanding identified a category of ‘sensitive data’; it was hence to hold upwards presumed that sensitive information would hold upwards transferred nether the agreement. The Court as well as so reasoned:

any mensurate based on the premiss that 1 or to a greater extent than of the characteristics prepare out inwards Article 2(e) of the envisaged understanding may hold upwards relevant, inwards itself or inwards themselves as well as regardless of the private demeanour of the traveller concerned, having regard to the purpose for which PNR information is to hold upwards processed, namely combating terrorism as well as serious transnational crime, would infringe the rights guaranteed inwards Articles vii as well as 8 of the Charter, read inwards conjunction alongside Article 21 thereof [para 165]

Additionally, whatever transfer of sensitive data would require a ‘precise as well as specially solid’ ground beyond that of world safety as well as prevention of terrorism. This justification was lacking. The transfer of sensitive information as well as the framework for the utilization of those information would hold upwards incompatible alongside the European Union Charter [para 167].

While the understanding tried to bound the impact of automated decision-making, the Court establish it problematic because of the ask to have got reliable models on which the automated decisions were made. These models, inwards the catch of the Court, must make results that seat persons nether a ‘reasonable suspicion’ of participation inwards terrorist offences or serious transnational criminal offence as well as should hold upwards non-discriminatory. Models/databases should also hold upwards kept up-to-date as well as accurate as well as discipline to review for bias. Because of the mistake risk, all positive automated decisions should hold upwards individually checked.

In price of the purposes for processing the data, the Definition of terrorist offences as well as serious transnational criminal offence were sufficiently clear. There were soundless other provisions, allowing case-by-case assessment.  These provisions (Article 3(5)(a) as well as (b) of the treaty) were establish to hold upwards too vague.  By contrast, the Court determined that the authorities who would have the information were sufficiently identified. Further, it accepted that the transfer of information of all passengers, whether or non they were identified as posing a peril or not, does non go yesteryear what is necessary as passengers must comply alongside Canadian law as well as ‘the identification, yesteryear agency of PNR data, of passengers liable to nowadays a peril to world safety forms component division of edge control’ [para 188].

Relying on its recent judgment inwards Tele2/Watson (Joined Cases C‑203/15 as well as C‑698/15, EU:C:2016:970), which I discussed here, the Court reiterated that at that topographic point must hold upwards a connexion betwixt the information retained as well as the objective pursued for the duration of the fourth dimension the information are held, which brought into query the utilization of the PNR information afterward passengers had disembarked inwards Canada.  Further, the utilization of the information must hold upwards restricted inwards accordance alongside those purposes. However,

where at that topographic point is objective evidence from which it may hold upwards inferred that the PNR information of 1 or to a greater extent than air passengers mightiness brand an effective contribution to combating terrorist offences as well as serious transnational crime, the utilization of that information does non go yesteryear the limits of what is strictly necessary [para 201].

Following verification of rider information as well as permission to motility into Canadian territory, the utilization of PNR information during passengers’ remain must hold upwards based on novel justifying circumstances. The Court expected that this should hold upwards discipline to prior review yesteryear an independent body. The Court held that the understanding did non come across the required standards.  Similar points were made, fifty-fifty to a greater extent than strongly, inwards relation to the utilization of PNR information afterward the passengers had left Canada. In general, this was non strictly necessary, as at that topographic point would no longer hold upwards a connexion betwixt the information as well as the objective pursued yesteryear the PNR Agreement such as to justify the retentiveness of their data. PNR information may hold upwards stored inwards Canada, however, when particular passengers nowadays a peril of terrorism of serious transnational crime. Moreover, given the average lifespan of international serious criminal offence networks as well as the duration as well as complexity of investigations relating to them, the Court did non handgrip that the retentiveness of information for v years went beyond the limits of necessity [para 209].

The understanding allows PNR information to hold upwards disclosed yesteryear the Canadian say-so to other Canadian authorities authorities as well as to authorities authorities of tertiary countries. The recipient ground must satisfy European Union information protection standards; an international understanding betwixt the tertiary ground as well as the European Union or an adequacy determination would hold upwards required. There is a further, unlimited as well as ill-defined possibility of disclosure to individuals ‘subject to reasonable legal requirements as well as limitations ... alongside due regard for the legitimate interests of the private concerned’. This provision did non satisfy the necessity test.

To ensure that the individuals’ rights to access their information as well as to have got information rectified is protected, inwards line alongside Tele2/Watson, passengers must hold upwards notified of the transfer of their PNR information to Canada as well as of its utilization as shortly as that information is no longer liable to jeopardise the investigations beingness carried out yesteryear the authorities authorities referred to inwards the envisaged agreement. In this respect, the understanding is deficient. While passengers are told that the information volition hold upwards used for safety checks/border control, they are non told whether their information has been used yesteryear the Canadian Competent Authority beyond utilization for those checks.  While the Court accepted that the understanding provided passengers alongside a possible remedy, the understanding was deficient inwards that it did non guarantee inwards a sufficiently clear as well as precise fashion that the oversight of compliance would hold upwards carried out yesteryear an independent authority, as required yesteryear Article 8(3) EUCFR.

Comment

There are lots of issues inwards this judgment, of involvement from a gain of perspectives, but its length as well as complexity agency it is non an slow read. Because of these characteristics, a weblog – fifty-fifty a lengthy weblog – could hardly do jurist to all issues, especially as inwards about instances, it is hardly clear what the Court’s seat is.

On the whole the Court follows the approach of its Advocate General, Mengozzi, on a number of points specifically referring dorsum to his Opinion. There is, as seems increasingly to hold upwards the trend, heavy reliance on existing instance law as well as it is notable that the Court refers repeatedly to its ruling inwards Tele2/Watson.  This may hold upwards a judicial essay to suggest that Tele2/Watson was non an aberration as well as to reinforce its status as practiced law, if that were inwards whatever doubt. It also operates to create a trunk of surveillance law rulings that are hopefully consistent inwards underpinning principles as well as approach, as well as certainly about of the points inwards before instance law are reiterated alongside regards to the importance of ex ante review yesteryear independent bodies, rights of redress as well as the correct of individuals to know that they have got been discipline to surveillance.

The instance is of involvement non only inwards regards mass surveillance but to a greater extent than mostly inwards relation to Article 16(2) TFEU. It is also the initiatory off fourth dimension an sentiment has been given on a draft understanding considering its compatibility alongside human rights standards as good as the appropriate Treaty base. In this abide by the judgment may hold upwards a niggling disappointing; certainly on Article 16, the Court did non larn into the same flat of item as inwards the AG’s sentiment [AG114-AG120]. Instead it equated Article sixteen TFEU to Article 8 EUCFR, as well as based its analysis on the latter provision.

As a full general point, it is evident that the Court has adopted a detailed flat of review of the PNR agreement.  The outcome of the instance has widely been recognised as having implications, as –for instance – discussed earlier on this blog.  Certainly, as the Advocate General noted, possible impact on other PNR agreements [AG para 4] which relate to the same sorts of information shared for the same objectives.  The EDPS made this indicate too, inwards the context of the European Union PNR Directive:

Since the functioning of the European Union PNR as well as the EU-Canada schemes are similar, the answer ofthe Court mayhave a important impact on the validity of all other PNR instruments …. [Opinion 2/15, para 18]

There are other forms of information sharing agreement, for example, SWIFT, the Umbrella Agreement,  the Privacy Shield (and other adequacy decisions) the terminal of which is coming nether pressure level inwards whatever lawsuit (DRI v Commission (T-670/16) as well as La Quadrature du Net and Others v Commission (T-738/16)).  Note that inwards this context, at that topographic point is non only a query of considering the safeguards for protection of rights but also relates to Treaty base.  The Court establish that Article sixteen must hold upwards used as well as that – because at that topographic point was no role for judicial authorities, soundless less their cooperation – the utilization of Article 82(1)(d) is wrong.  It has, however, been used for instance inwards regards to other PNR agreements.  This agency that that the footing for those agreements is thrown into doubt.

While the Court agreed alongside its Advocate General to suggest that a double Treaty base of operations was necessary given the inextricable linkage, at that topographic point is about room to query this assumption.  It could also hold upwards argued that at that topographic point is a dominant purpose, as the primary purpose of the PNR understanding is to protect personal data, albeit alongside a unlike objective inwards view, that of world security. In the background, however, is the seat of the UK, Republic of Ireland as well as Kingdom of Denmark as well as their respective ‘opt-outs’ inwards the field. While a finding of a articulation Treaty base of operations made possible the declaration of the Court that:

since the determination on the conclusion of the envisaged understanding must hold upwards based on both Article 16 as well as Article 87 TFEU as well as falls, therefore, inside the range of Chapter 5 of Title V of Part Three of the FEU Treaty inwards so far as it must hold upwards founded on Article 87 TFEU, the Kingdom of Kingdom of Denmark volition non hold upwards bound, inwards accordance alongside Articles 2 as well as 2a of Protocol No 22, yesteryear the provisions of that decision, nor, consequently, yesteryear the envisaged agreement. Furthermore, the Kingdom of Kingdom of Denmark volition non bring component division inwards the adoption of that decision, inwards accordance alongside Article 1 of that protocol. [para 113, reckon also para 115]

The seat would, however, have got been unlike had the understanding hold upwards establish to have got been predominantly nigh information protection as well as hence based on Article sixteen TFEU alone.

Looking at the noun issues, the Court clearly accepted the ask for PNR to challenge the threat from terrorism, noting inwards particular that Article vi of the Charter (the “right to liberty as well as safety of person”) tin sack justify the processing of personal data. While it accepted that this resulted inwards systemic transfer of large quantities of people, nosotros reckon no comments nigh mass surveillance. Yet, is this non like to the ‘general as well as indiscriminate’ collection as well as analysis rejected yesteryear the Court inwards Tele2/Watson [para 97], as well as which cannot hold upwards seen as automatically justified fifty-fifty inwards the context of the contend against terrorism [para 103 as well as 119]? Certainly, the EDPS took the catch inwards its sentiment on the European Union PNR Directive that “the non-targeted as well as volume collection as well as processing of information of the PNR scheme amount to a mensurate of full general surveillance” [Opinion 1/15, para 63]. It may hold upwards that the difference is inwards the nature of the data; fifty-fifty if this is so, the Court does non brand this argument. Indeed, it makes no declaration but rather weakly accepts the ask for the data.  On this point, it should hold upwards noted that “the usefulness of large-scale profiling on the footing of rider information must hold upwards questioned thoroughly, based on both scientific elements as well as recent studies” [Art. 29 WP Opinion 7/2010, p. 4]. In this aspect, Opinion 1/15 is non as strong a stand upwards as Tele2/Watson [c.f para 105-106]; it seems that the Court was less emphatic nigh significance of surveillance fifty-fifty than the Advocate General [AG 176].

In price of justification, spell the Court accepts that the transfer of information as well as its analysis may give rising to intrusion, it suggests that the essence of the correct has non been affected. In this it follows the approach inwards the communications information cases.  It is unclear, however, what the essence of the correct is; it seems that no thing how detailed a pic of an private tin sack hold upwards drawn from the analysis of data, the essence of the correct remains intact.  If the implication is that where the essence of the correct is affected as well as so no justification for the intrusion could hold upwards made, a narrow catch of essence is understandable.  This does not, however, answer the query of what the essence is and, indeed, whether the essence of the correct is the same for Article vii as for Article 8.  In this case, the Court has in 1 lawsuit over again referred to both articles, without delineating the boundaries betwixt them, but as well as so proceeded to base of operations its analysis mainly on Article 8.

In price of human relationship betwixt provisions, it is also unclear what the human relationship is betwixt Art 8(2) as well as Art 52.  The Court bundles the requirements for these ii provisions together but they serve unlike purposes. Article 8(2) farther elaborates the range of the right; Article 52 deals alongside the limitations of Charter rights.  Despite this, it seems that about of the findings volition apply Article 52 inwards the context of other rights. For example, inwards considering that an international understanding constitutes law for the purposes of the EUCFR, the Court took a broader approach to pregnant of ‘law’ than the Parliament had argued for.  This soundless seems a sensible approach, avoiding undue formality. 

One farther indicate nigh the approach to interpreting exceptions to the rights as well as Article 52 tin sack hold upwards made. It seems that the Court has non followed the Advocate General who had suggested that strict necessity should hold upwards understood inwards the calorie-free of achieving a fair residual [AG207].

 

Some specific points are worth highlighting. The Court held that sensitive information (information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information nigh a person’s wellness or gender activity life) should non hold upwards transferred. It is non clear what interpretation should hold upwards given to these data, especially as regards proxies for sensitive information (e.g. nutrient preferences may give rising to inferences nigh a person’s religious beliefs).

One excogitation inwards the PNR context is the distinction the Court introduced betwixt utilization of PNR information on entry, utilization spell the traveller is inwards Canada, as well as utilization afterward the individual has left, which maybe mitigates the Court’s credence of undifferentiated surveillance of travellers.  The Court’s catch of the acceptability of utilization inwards relation to this terminal category is the most stringent.  While the Court accepts the link betwixt the processing of PNR information on arrival, afterward divergence the Court expects that link to hold upwards proven, as well as absent such proof, at that topographic point is no justification for the retentiveness of data. Does this hateful that on divergence PNR information of persons who are non suspected of terrorism or transnational criminal offence should hold upwards deleted at the indicate of their departure? Such a requirement sure enough gives rising to practical problems as well as would appear to bound the Court’s before credence of the utilization of full general PNR information to verify/update estimator models [para 198].

One of the weaknesses of the Court’s caselaw so far has been a failure to consider investigatory techniques, as well as whether all are as acceptable.  Here nosotros reckon the Court commencement to consider the utilization of automated intelligence techniques.  While the Court does non larn into item on all the issues to which predictive policing as well as large information mightiness give rise, it does authorities notation that models must hold upwards accurate.  It also refers to Article 21 EUCFR (discrimination).  In that this department is phrased inwards full general terms, it has potentially wide-reaching application, potentially fifty-fifty beyond Earth sector.

The Court’s judgment has farther implications as regards the sharing of PNR as well as other safety information alongside other countries also Canada, most notably inwards the context of EU/UK relations afterward Brexit. Negotiators instantly have got a clearer indication of what it volition bring for an understanding betwixt the European Union as well as a non-EU province to satisfy the requirements of the Charter, inwards the ECJ’s view. Time volition tell what impact this ruling volition have got on the progress of those talks.

Barnard & Peers: chapter 25

JHA4: chapter II:9

Photo credit: ctvnews.ca

Share this post