24 October 2017
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
MEPs pose tricky questions to the Commission on the EU-Canada PNR deal and others
Follow us: | | Tweet
The Commission's response referred to its Recommendation for a Council Decision: authorising the opening of negotiations on an Agreement between the European Union and Canada for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime (COM 605-17, pdf) and Annex to COM 605 - 17 (pdf)
On PNR Canada
The Commission says that the current exchange of personal data and PNR is covered by a "letter" from Canada setting out "Commitments" set out in the Commission's adequacy finding: (Commission Decision on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency (pdf) which will apply until there is a new agreement.
The Commission's opinion is that:
"Whilst the Court's Opinion does not allow the envisaged EU-Canada PNR Agreement to be concluded in its current form, it does not concern the regime under which PNR data continues to be transferred during the interim period.
Consequently, transfers of PNR data to Canada continue to take place on the basis of those Commitments by Canada towards Member States and Member States continue to assume responsibility for the legality of the transfers."
The CJEU had found that:
"The Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data is incompatible with Articles 7, 8 and 21 and Article 52(1) of the Charter of Fundamental Rights of the European Union in so far as it does not preclude the transfer of sensitive data from the European Union to Canada and the use and retention of that data."
And that now the Commission had proposed a Recommendation for a Council Decision: authorising the opening of negotiations on an Agreement between the European Union and Canada for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime (COM 605-17, pdf)
The Commission says it will "find appropriate solutions to fulfill all the Court's requirements". The Recommendation sets out the slender detail in: Annex to COM 605 - 17 (pdf) which says:
"The Agreement should contain all the safeguards required in order for it to be compatible with Articles 7, 8, 21 and 52 (1) of the Charter of Fundamental Rights of the European Union, as specified in the Opinion 1/15 of the Court of Justice of the European Union of 26 July 2017."
PNR Agreements with other countries
The Commission says:
"The PNR agreements concluded by the EU with the US and Australia remain in force until suspended, terminated, amended, superseded or invalidated."
EU PNR Directive
The Commission fails to answer the detailed questions from the MEPs:
"As stated in the 11th progress report towards an effective and genuine Security Union, the Commission underlines its continuing support to Member States in implementing the EU PNR Directive; the obligations on Member States deriving from that Directive are unaffected by the Court's Opinion."
Other legal instruments
On the Entry-Exit (EES) proposal the Commission says:
"The representatives of the three Legal Services confirmed that Opinion 1/15 does not have a direct automatic impact on the EES proposal. This is due to the differences between the EES and PNR instruments, in particular in respect of the objectives pursued and the scope of the personal data collected."
However, a study for the Green/EFA group: Data Retention under the Proposal for an EU Entry/Exit System (EES) Analysis of the impact on and limitations for the EES by Opinion 1/15 on the EU/Canada PNR Agreement of the Court of Justice of the European Union (pdf):
"It is important that strict necessity as condition for retention periods as well as the requirements for LE access laid down by the CJEU are applied also for the EES. The proposed EES Regulation does not fulfil these requirements at least with regard to the proportionality of retention periods that must be based on strict necessity, conditions for judicial review prior to LE access to personal data and the lack of a truly independent ex post review mechanism."
Asked about the effects on the EU-USA"Umbrella Agreement" the Commission replies:
"The Commission does not see any direct impact of the Court's Opinion on the EU-US Umbrella Agreement which is different in scope and nature from a PNR agreement as it does not constitute a legal basis for the transfer of personal data."
This claim is contrary to the 2 June 2016: Council press release: Enhanced data protection rights for EU citizens in law enforcement cooperation: EU and US sign "Umbrella agreement" (pdf)
The "Umbrella agreement" covers all personal data exchanged between police and criminal justice authorities of the EU member states and the US federal authorities for the purpose of prevention, investigation, detection and prosecution of criminal offences, including terrorism." [emphasis added throughout]
And take a look at: Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses(Full-text, pdf):
Article 1 says:
"ARTICLE 1 Purpose of the Agreement
The purpose of this Agreement is to ensure a high level of protection of personal information and enhance cooperation between the United States and the European Union and its Member States, in relation to the prevention, investigation, detection or prosecution of criminal offenses, including terrorism."
This Agreement sets the overall parameters for each individual measure and their legal basis (eg: PNR).
A similar decisions was made by the CJEU on the Data Retention Directive in which it sought also to limit the scope to "serious crime and terrorism", ie: the mass retention of data on everyonel is unlawful; See: Council in a twist over data retention judgment (Statewatch News) and Data retention: Can the mass retention of data be justified under the planned ePrivacy Regulation? (Statewatch News)
See "Digital Rights Ireland and Seitlinger and others": The Court of Justice declared the Data Retention Directive to be invalid (Press release, 8 April, 2014, pdf) and Judgment (pdf): "This judgment said that the Data Retention Directive adopted in 2006 has been unlawful since it was adopted."
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.