24 November 2023
Six years ago, the Court of Justice struck down the EU's PNR agreement with Canada due to its lack of safeguards on data protection, non-discrimination and effective remedy for individuals. In 2019, a new draft agreement was shared by the Commission with the European Parliament, but no further amended version was communicated until yesterday, on the day negotiations are supposed to be finalised.
Image: European Council
The vast amounts of data collected by private companies are of significant interest to policing, security and border agencies, and in the realm of travel, there is one type of information that has been increasingly sought by governments: Passenger Name Record (PNR) data.
PNR data is made up of a wide range of personal information shared with companies during the booking process, including name, address, travel itinerary, ticket information, contact details and means of payment, amongst other things. Where states have a PNR system in place, the data can be checked against lists of wanted or suspected individuals or run through profiling algorithms to detect individuals who may be of interest to the authorities.
The opinion of the Court of Justice in 2017 that led to the original EU-Canada agreement being halted was hailed by European Digital Rights (EDRi) as “good news for EU citizens, as the risks associated with massive and unnecessary databases of sensitive personal data are unacceptable. Blindly collecting data, hoping it will magically protect our society, is bad for security and bad for fundamental rights.”
In practice, however, an interim solution for member states has been to transfer data directly to the Canadian authorities despite the Council of the EU calling it a “legal vulnerability.” It appears to be common practice for national law enforcement to go rogue (and unsanctioned) on European standards concerning PNR. In December 2022, following a court judgement on the law that governs the use of PNR data within the EU, the European Data Protection Board said it is “likely” that most member states were not complying with the judgment, operating systems that “continue to interfere disproportionately with the fundamental rights of data subjects every day.”
The new Agreement
The first version of the agreement in 2019 was not shared with the European Data Protection Board for an opinion, and it is unknown whether the new version, published here (pdf) by Statewatch, was shared with it either for consultation on potential data protection vulnerabilities.
While the new agreement gives the appearance of complying with the requirements set out in the Court’s 2017 opinion, there are several exceptions in case of emergency that experts may well consider undermine legal certainty and the safeguards offered to individuals.
No clarity on automated decision-making
The new agreement acknowledges the Court’s 2017 opinion and introduces a clause providing that “any automated processing of PNR data is based on non‐discriminatory, specific and reliable pre‐established models and criteria”. A subsequent judgment on the EU’s own PNR rules, known as Ligue des Droits Humains, introduced more precise standards on automated data processing. It precluded the use of self-learning systems “capable of modifying without human intervention or review the assessment process and, in particular, the assessment criteria on which the result of the application of that process is based as well as the weighting of those criteria.”
The proposed agreement with Canada lays out that “Canada shall not take any decisions significantly adversely affecting a passenger solely on the basis of automated processing of PNR data.” The lack of clarity on when an automated decision will be taken and how it could be differentiated from human intervention during a legal review might, as noted by the advocate general in the Ligue des Droits Humains case, render humans “redundant [in] the individual review of positive matches and monitoring of lawfulness.”
Further discussion on automated decision-making in the context of PNR can be found here, here and here.
Wide exceptions to independent and judicial supervision
One key controversy on PNR agreements has been the role of courts and independent authorities in controlling the decisions of law enforcement agencies. This agreement does not move away from the rule.
On conditions for the use of PNR data
The agreement lays out that PNR data should only be retained for the purpose of investigating terrorism, excluding “lawful or unlawful advocacy, protest, dissent or stoppage of work, such as a strike” from this definition, provided it is not intended to cause a violent terrorist act.
However, the text also includes exceptions, “where new circumstances based on objective grounds indicate that the PNR data of one or more passengers might make an effective contribution” to the commission of a terrorist act. This derogation is subject to prior review by a court or by an independent administrative body.
The text provides two further exceptions in case of “validly established urgency.” No further information is given on the meaning of this expression or the authority involved, nor are there any indications that an independent authority or judicial authority could contest the “validity” of the emergency or even be informed of it.
An exception is also permitted for the purpose of testing and training algorithms, or in the words of the agreement: “of verifying the reliability and currency of the pre‐established models and criteria on which the automated processing of PNR data is based, or of defining new models and criteria for such processing.”
Transfer to third countries
The text states that EU citizens’ passenger data cannot be shared with a third country that does not have a data protection agreement with the European Union.
However, this safeguard can be ignored when “the disclosure is necessary for the prevention or investigation of a serious and imminent threat to public security”. In addition, it adds that the country should “provide a written assurance, pursuant to an arrangement, agreement or otherwise that the information will be protected in line with the protections set out in this Agreement.” Canada should also notify the authorities of the member state or states whose citizens’ personal data has been disclosed at the “earliest opportunity”. There is no mention of oversight or control by a judicial body or other independent authority.
Romain Lanneau, Consultant Researcher for Statewatch, comments:
“The European Parliament might have grounds to refer the agreement again to the CJEU. In any case, MEPs should at the very least complain to the European Ombudsman about the lack of transparency of the Commission which only shared the agreement on the last days of negotiation. Moreover, the Commission did not seek an opinion of the EDPB despite an evident risk of controversy.”
Documentation
This article was edited on 6 December 2023.
In June this year the Court of Justice ruled that the rules governing the EU's system for travel surveillance and passenger profiling, set out in the Passenger Name Record (PNR) Directive, must be "interpreted restrictively" to conform with fundamental rights standards. The ruling requires substantial changes to member state practices - but the Council, in time-honoured fashion, is looking at how to circumvent it, and to ensure the greatest possible freedom of manoeuvre for law enforcement authorities.
Last June the EU's Court of Justice massively restricted the scope of the Passenger Name Record (PNR) Directive, which allows the mass surveillance and profiling of air passengers. According to the ruling, member states should make substantial changes to their practices in order to uphold fundamental rights. Instead, they would like to find ways to maintain maximum data collection to continue the hunt for "persons of interest" - yet such practices are incompatible with the rule of law.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.