By Maxime Lassalle
On 8 September 2016, Advocate General (AG) Mengozzi delivered his much awaited opinion on the agreement between Canada and the European Union on the transfer and processing of Passenger Name Record (PNR). It follows the European Parliament’s resolution seeking an Opinion from the Court of Justice of the European Union (CJEU) on the compatibility of the agreement with the Treaties. Even though the opinion concludes that the agreement has many loopholes, it could disappoint those who were expecting a strong condemnation of PNR schemes as such.

This blogpost intends to present the context of this procedure and the main elements of the AG’s opinion before analysing them. The question of the appropriate legal basis for the agreement, also raised by the Parliament, will not be addressed. However, before turning to the AG’s opinion, we need to briefly sketch the background of the proposed agreement.

The context

Today, in the absence of a PNR agreement with the EU, Canadian authorities apply their own PNR system unilaterally to air carriers established in the European Union (EU) which provide flights to Canada. This means that air carriers have to transfer PNR data (para. 7 of the AG’s opinion) to the extent that it is collected and contained in their automated reservation systems and departure control systems (para. 19). According to the Commission, the adoption of PNR systems is necessary to balance the legitimacy of the requests for PNR data in the fight against terrorism and the need to protect personal data of EU citizens from abusive access. As a result of the Lisbon Treaty, the adoption of PNR agreements now also requires the consent of the European Parliament (EP) (Article 218(6)(a)(v) of the Treaty on the Functioning of the European Union (TFEU)), and it is no secret that the EP is quite reluctant to adopt data retention schemes.

For a long time the EP has been requesting the Commission to provide for evidence that PNR schemes are necessary and in particular that the processing of Advance Passenger Information (API) would not be sufficient to reach the same objective of fighting terrorism and serious crime (for example here andhere). API are one of the 19 categories of PNR data and are limited to the identification of the travelers (name, date of birth, gender, citizenship, and travel document data) while PNR data encompass a much broader range of information (food habits, seating information etc.).

Nevertheless, the Commission ignored this request for evidence and proposed in 2013 a Council decision on the conclusion of a PNR agreement with Canada. This proposal was seriously criticized by the European Data Protection Supervisor (EDPS), also questioning the necessity of PNR schemes. Even though in the past, the Parliament had, albeit reluctantly, given its consent to similar PNR agreements (see the EU-US Agreement and the EU-Australia Agreement), this time it persisted and on 25 November 2014 it decided to refer the proposal on the agreement with Canada to the CJEU for it to assess the compatibility of this proposed agreement with the provisions of the TFEU and the Charter. Clearly, this move of the Parliament was inspired by the activism of the CJEU which had proved to be extremely demanding on the protection of personal data in the framework of the fight against terrorism in its famous Digital Rights Ireland case (DRI, commented on this blog).

The AG’s general considerations on PNR schemes

Let us now have a closer look at the (lengthy) opinion of the AG. Before analyzing the agreement, the AG assesses the intrusiveness of the PNR schemes as such, in relation to the right to data protection and the right to privacy. PNR data consist of 19 categories of personal data including data which ‘might provide information concerning, in particular, the health of one or more passengers, their ethnic origin or their religious beliefs’ (para. 169). The processing of these data therefore constitutes an interference which is of a ‘considerable size’ and ‘a not insignificant gravity’ (para. 176). This system is ‘capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects’ (para. 176). However, the interference does not reach a level where the essence of the fundamental rights is harmed, because the PNR data do not permit to draw precise conclusions concerning ‘the essence of the private life of the persons concerned’ (para. 186). To justify the interference caused by the processing of PNR data, PNR schemes, should be properly provided for by law, such as an EU agreement adopted by the Council and approved by the EP (paras. 191-192), and meet an objective of general interest, namely the objective of combating terrorism and serious transnational crime (para. 194).

The AG’s general considerations on the standard to be applied to this unprecedented case

Following a classical reasoning on the assessment of the proportionality of the interference (see for example Schwarz, C‑291/12, para. 53), the AG explains that the proposed agreement ‘must also consist of the measures least harmful […] while making an effective contribution to the public security objective pursued by the agreement envisaged’. Provided that there are alternative measures which would be less intrusive, ‘those alternative measures must also be sufficiently effective’ in order to be considered as serious alternatives (para. 208). However, the definition of what is “sufficiently effective” is not given by the previous case law, neither that of the European Court of Human Rights (ECtHR) nor that of the CJEU. For the AG, the effectiveness of these alternative measures must ‘be comparable […] in order to attain the public security objective pursued by that agreement’ (para. 208). This standard of comparability is set by the AG himself. This was not evident as he could also have considered that less effective measures are still sufficiently effective. Requesting comparable effectiveness is a first. Usually in the reasoning, it is easy to decide whether there alternative measures are sufficiently effective or not (see for example Saint-Paul Luxembourg S.A. v. Luxembourg, para. 44). For measures of secret surveillance, it seems more difficult. The comparability criteria may be a way not to address a difficult question.

The AG acknowledges the ability of the interference to achieve the public security objective based on statistics communicated by the United Kingdom Government and the Commission concerning the Canadian authorities’ best practices (para. 205). Between April 2014 and March 2015, thanks to PNR data, 9,500 targets were identified, among them 1,765 persons were subjected to more thorough checks and 178 were arrested for a serious transnational criminal offence, connected in particular with drug trafficking (para. 262). However, the AG does not take into account that the statistics which were presented to the Court do not indicate the amount of data which was necessary to identify these targets. Moreover, one could note that according to the statistics no terrorist was identified, which is quite surprising for a scheme whose main purpose is precisely to identify people related to terrorism. The AG was obviously satisfied with the fact that PNR schemes are effective against organized crime.

The AG goes on addressing the specificity of PNR schemes, namely that it is their very nature to be based on profiling methods, by a comparison of the PNR data with scenarios or predetermined assessment criteria and that PNR data processing can lead to ‘false positive “targets” being identified’ (para. 255). This specificity of PNR schemes, which have never been assessed by the CJEU, made it necessary for the AG to detail the conditions under which PNR schemes could be considered as proportionate. In order to do so, he suggests to adapt a standard used by the ECtHR in Zakharov v. Russia, namely the standard of ‘reasonable suspicion’. For the AG, these procedures should manage to target ‘individuals who might be under a ‘reasonable suspicion’ of participating in terrorism or serious transnational crime’ (para. 256). The application of this standard is ambitious. Indeed, Judge Pinto de Albuquerque, in his dissenting opinion in Szabò and Vissy v. Hungary, had feared that this standard would be replaced by an ‘individual suspicion’, a lower standard, for surveillance measures whose purpose is to fight terrorism. However, this standard is used to limit the access to personal data by law enforcement authorities (an idea also present in the DRI case, para. 60-62). And yet the purpose of PNR schemes is not to create a pool of information available under strict conditions to law enforcement authorities, but to allow the Canadian competent authority, namely the Canada Border Services Agency, to use data mining procedures in order to discover new persons who were not previously suspected. Hence, the application of the standard of the ‘reasonable suspicion’ seems impossible as such: the limitation of the access to the data is not compatible with the idea, accepted by the AG, that PNR schemes need to process all the data that are available. The AG nevertheless tries to adapt the standard by proposing three principles.

The first principle is that the assessment criteria used to analyse the PNR data should not ‘be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation’ (para. 258). The AG obviously fears discriminatory measures based on the processing of PNR data. The second principle, which is in line with the new principles proposed by Directive 2016/680 (i.e., the new Directive on data protection for police and criminal justice sector) is that the result of the automatic processing of data must be examined by non-automatic means (para. 259). The third principle is that the functioning of the automatic means should be checked regularly by an independent public authority (para. 259).

The AG’s proportionality test

After these general considerations, the AG starts his proportionality test. In the opinion nine points are considered separately (para. 210). From this analysis, three main elements deserve to be emphasized.

The first important point is that the AG accepts PNR schemes as a matter of principles. He considers that, excluding sensitive data, all categories of PNR data are considered relevant for the purpose of the envisaged agreement. Sensitive data are defined in Article 2 (e) of the envisaged agreement as ‘information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information about a person’s health or sex life’. The processing of sensitive data is allowed by the envisaged agreement but, for the AG, this is not acceptable as it creates a risk of stigmatization (para. 222). What is more, the fact that these data are excluded from the PNR agreement with Australia shows that the transfer of sensitive data is not necessary to pursue the objective of the scheme (para. 222). This appreciation of the AG is a direct consequence of the first of the three principles he established.

Still on the categories of data, the opinion brushes away the criticism of both the EP and the Article 29 data protection Working Party requesting evidence that the transfer of less data, for example only of API, is not sufficient to meet the objective of the proposed agreement. According to the AG, ‘data of that type does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API data […] are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged’ (para. 214).

Even though all these data are transferred to the Canadian authority irrespective of any indication that the persons concerned may have a connection with terrorism or serious transnational crime (para. 215), the purpose of PNR schemes is to identify persons who were ‘not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security’ (para. 216). For the AG, bulk transfers of data are then necessary. However, he considers the definition of certain categories of data as too vague. For example, heading 17 of the annex, on ‘general remarks’, covers all ‘supplementary information apart from that listed elsewhere in the annex to the agreement envisaged’ (para. 217). Consequently, it is likely that air carriers will transfer all the data that they own, and not only the data that are necessary for Canadian authorities (para. 220).

In addition, the AG’s opinion considers that the scope ratione personae of the agreement envisaged is not too broad and that the massive and indiscriminate transfer of personal data is necessary. If, in theory, it could be possible to imagine a PNR data transfer system which distinguishes passengers according to specific criteria, these systems would never be as effective as PNR data schemes in combating terrorism and serious transnational crime (para. 243). The AG also underlines that consumers of commercial flights voluntarily use a mode of transportation ‘which is itself, repeatedly, unfortunately, a vehicle or a victim of terrorism or serious transnational crime, which requires the adoption of measures ensuring a high level of security for all passengers’ (para. 242).

These first considerations are very important as they show that in principle, for the AG, massive transfer and processing of PNR data is not disproportionate as such. If the undifferentiated and general nature of the retention of the data of any person using electronic communications in the Union was one of the main reasons why Directive 2006/24/EC was considered as going beyond what was strictly necessary (para. 59 of the DRI case), such data retention schemes are possible as long as they respect strict conditions (see the opinion of AG Saugmandsgaard Øe on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, commented on this blog). The fact that AG Mengozzi accepts the principle of large scale transfer of PNR data is thus not so surprising.

Once this step was made and given the specificity of the case, he needed to create specific conditions under which PNR schemes are proportionate. In addition to the loopholes already explained, these conditions are further elaborated in the two remaining important points of the opinion.

The second important point is that the agreement envisaged should justify the duration of data retention. The AG regrets that the agreement envisaged ‘does not indicate the objective reasons that led the contracting parties to increase the PNR data retention period to a maximum of five years’ (para. 279). He adds that such a long period of retention of the data exceeds what is necessary, particularly because all the data are retained for the same duration (para. 284) and because the masking procedure is incomplete and does not fully ensure the depersonalization of the data (para. 287).

This point is significant as this is the only element in the AG’s opinion which is very critical of PNR schemes in general and which puts the PNR directive at risk. This question was also a key issue in the DRI case. In Directive 2006/24/EC the data retention period of a maximum of two years without distinguishing categories of data on the basis of their usefulness was not based on objective criteria and was therefore excessive (para. 64 of the DRI case). This threatens the validity of the PNR Directive. Indeed, Article 12 (1) of this Directive provides for a duration of five years, without distinguishing categories of data and explaining the reasons for such a long retention. Noticeably, its depersonalisation procedure seems more in line with the assessment of the AG, particularly because more data elements are masked (Article 12 (2) of the Directive, para. 287 of the AG opinion).

The last important point relates to the serious doubt of the AG concerning the level of protection granted by Canada. The opinion is indeed the most critical when it comes to the international nature of the agreement. This is not that surprising given that the Court recently adopted a very demanding position on bulk transfers of data to third countries (in the case Schrems, commented on this blog here). The AG acknowledges that the Court ‘cannot express a view on the legislation or the practice of a third country’ (para. 163). However, the terms of the agreement themselves should have been formulated in such a way that no discretion would be left to Canadian authorities as for the applicable level of protection (para. 164).

For the AG, the access to the data and the use of the transferred data by Canadian authorities is not sufficiently regulated in the envisaged agreement. It leaves to Canada the entire discretion to determine what officials and what competent authorities are allowed to access the data (paras. 250 and 267). Similarly, the envisaged agreement does not stick to a strict principle of purpose limitation as the processing of PNR data is not strictly limited to the fight against terrorism and serious crime (paras 236-237). This is aggravated by the fact that the offences which belong to the categories of terrorism and serious crime are not exhaustively listed (para. 235). Concerning the use of the data, the AG considers that the possibilities of disclosure and subsequent transfer of the PNR data is not sufficiently framed. Indeed, Articles 18 and 19 of the agreement envisaged allow the disclosure and subsequent transfer of the PNR data to other government authorities in Canada and could be used to circumvent the level of protection afforded in the EU (para. 296). As a matter of fact, no independent authority or judge would check the appreciation of the Canadian competent authority that the authority to which the data are transferred can afford an equivalent level of protection (para. 300). The AG concludes that all these points need to be more detailed in the agreement in order to make sure that the level of protection of data ensured in Canada is equivalent to the level of protection ensured in the European Union. Following the previous case law of the Court, particularly the DRI case, the level of protection ensured in the EU is quite demanding and the respect of same level of protection has to be ensured before transferring personal data to third countries (see in particular para. 96 in Schrems).

Finally, the AG points out that the mechanism for detection and review of any violations of the rules of the agreement envisaged affording protection of passengers’ privacy and personal data is not effective because it does not belong to a fully independent and impartial supervisory authority (para. 315). This last point reminds the Commission that the mechanisms of control in the third country must be insured by a sufficiently independent body. This reminder is interesting as the new ‘privacy shield’ replacing the safe harbor is criticized for providing a right to review only through an ombudsman whose independence and powers are questionable.

Some comments

In his reasoning, the AG addresses issues linked to the very nature of PNR schemes and the solutions he proposes do not threaten the principle of PNR schemes. Even though this opinion could seem at first disappointing for those who were expecting the AG to condemn PNR schemes, it appears that this ‘implicit acceptance’ of PNR schemes follows the general principles created by the Court but simply innovates and addresses the new issues that had not been addressed so far with more consideration for the necessity to provide for effective tools to fight terrorism and serious crime.

Even though a lot of questions had to be addressed by the AG, there is one which is of paramount importance. Ever since its DRI case, the Court has developed a strong focus on the guarantees concerning the access to personal data by law enforcement authorities and the AG had to adapt the requirements of the Court to PNR schemes. The attempt of the AG to adapt the standard of the ‘reasonable suspicion’ shows that the applicability of guarantees to law enforcement authorities’ access to data from different data retention schemes is a question which would deserve more attention. Generally speaking, the ECtHR considers that to assess the existence of a reasonable suspicion, it is necessary to check ‘whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security’ (para. 260 of the case Zakharov v. Russia). The problem with PNR schemes is that the suspicion is not prior to the collection and processing of PNR data but discovered as a result of this collection and processing.

This question differs from the ones the Court has previously addressed in its case law, in particular in the DRI case. However, such an issue also exists in other areas. For instance, based on the European system of prevention of money laundering and terrorist financing, financial institutions have to monitor the transactions of all their clients and have the duty to report suspicious transactions. The control of suspicious transactions by these financial institutions also relies on mechanisms of data mining. The processing of personal data is made by private parties, namely financial institutions. Law enforcement authorities can in theory only obtain these data once financial institutions have reported a suspicion (this is, however, something that the Commission would like to change in order to facilitate the access to the data for the Financial Intelligence Units, see its proposal). Consequently, only the financial institutions, which collect anyways these data for the purpose of their economic activities and are subjected to the data protection framework provided for by Directive 95/46/EC, can access these data. This appears to be a safeguard against abusive access from law enforcement authorities. As a matter of fact, when law enforcement authorities access the personal data, after a report from a financial institution, there is already a degree of suspicion. This is probably more in line with the standard of ‘reasonable suspicion’. However, in this field, too, there is a massive collection of personal data which are analysed mainly through data mining procedures in order to discover suspicious transactions.

For PNR data, according to the agreement with Canada as well as for the new PNR Directive, air carriers companies do not have to analyse the data by themselves, but have to transfer all the data respectively to the Canada Border Services Agency or to the new ‘Passenger Information Units’ which will analyse all these data, through data mining procedures. From this data processing suspicions will then emerge which will be further analysed by law enforcement authorities.

Those two examples show that personal data are not only used a posteriori, once criminal investigations are open when a suspicion already exists but are also used for data mining processes with the purpose of discovering new suspicions. It might be that there is a difference based on whether private parties or public authorities are in charge of the data mining procedures. However, in both cases there is no previous ‘reasonable suspicion’; suspicions emerge following a massive monitoring of personal data.

At the end of the day, once the principle of massive surveillance schemes based on data mining mechanisms is considered to be acceptable as such, the standard of the ‘reasonable suspicion’ is overrun and has to be replaced by principles and other guarantees preventing any abuse, provided that this is possible. Are the three principles proposed by the AG sufficient? Hopefully the Court will address this key issue in a clear and detailed way.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s