EU: Mass travel surveillance: no problem, says court

Topic
Country/Region
EU

The mass travel surveillance and profiling of air passengers carried out under the EU's Passenger Name Record Directive does not breach fundamental rights standards, says an opinion published yesterday by the Court of Justice in Strasbourg. Opinions precede the verdict of the court, and often set the tone for rulings.

The Passenger Name Record (PNR) Directive was agreed in April 2016 and mandates the surveillance and profiling of almost all air passengers entering, travelling within, or leaving the EU. Passenger data has to be transmitted by travel companies and airlines to Passenger Information Units (PIUs) operated by national police forces.

PIUs can then:

"(a) compare PNR data against databases relevant for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, including databases on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such databases; or

(b) process PNR data against pre-determined criteria [i.e. profiling]."

The case was brought by Belgium's Ligue des droits humains and referred to the Court of Justice to assess whether the Belgian implementation of the PNR Directive and Advance Passenger Information (API) Directive complied with the rights to respect for private life and data protection. The API Directive requires the transmission of air passengers' travel document data to the authorities prior to a flight's departure.

The Advocate-General's Opinion recognises that the measures are "an interference with their private life and as an interference with the fundamental right to protection of personal data," but, as the court's press release puts it:

"...the Advocate General points out that the data that air carriers are required to transfer to PIUs under the PNR Directive are relevant, adequate and not excessive in relation to the objectives pursued by that directive and that their scope does not exceed what is strictly necessary in order to attain those objectives. He considers, moreover, that this transfer is surrounded by sufficient safeguards, the objectives of which are, first, to ensure that only the data expressly referred to are transferred and, second, to ensure the security and confidentiality of the data transferred. The Advocate General also recalls that the PNR Directive sets out a general prohibition on the processing of sensitive data, including also their collection, with the result that the PNR system provides sufficient safeguards making it possible to exclude, at each stage of the processing of the data collected, that this processing may directly or indirectly take into account protected characteristics." [all emphasis in quotes in the original]

Furthermore:

"...the Advocate General considers that the generalised and undifferentiated nature of the transfer of PNR data and the prior assessment of air passengers by means of the automated processing of those data is compatible with Articles 7 and 8 of the Charter, which enshrine the fundamental rights to respect for private life and to the protection of personal data."

Christian Thönnes has roundly demolished the reasoning of the opinion in a detailed post for Verfassungsblog.

Beyond its overall approval of the Directive, the Advocate General's opinion does state:

  • the PNR data category "general remarks" fails to identify "as clearly and precisely as possible" the types of data that may be included, does "not satisfy the conditions of clarity and precision," and the part of the Directive mandating transmission of that data is therefore invalid;
  • "it is essential that the Member States, when transposing this directive into national law, recognise the full extent of these powers for their national [data protection] supervisory authority by providing it with the material and staff resources necessary for it to carry out its task";
  • the term "relevant database" in the PNR Directive (see point (a) above) "must be interpreted as covering only national databases managed by the competent authorities and EU and international databases, directly operated by those authorities in the course of their duties, in addition to the fact that they must be directly and closely related to the objectives of fighting terrorism and serious crime pursued by the PNR Directive, which implies that they have been developed for those purposes";
  • automated processing against pre-determined criteria "cannot be carried out by means of machine-learning artificial intelligence systems, which do not make it possible to ascertain the reasons which led the algorithm to establish a positive match"; and
  • the retention of PNR data for five years "is permitted, after the prior assessment has been carried out, only to the extent that a connection is established, on the basis of objective criteria, between those data and the fight against terrorism or serious crime. A general and undifferentiated retention of PNR data in a non-anonymised form can be justified only where there is a serious threat to the security of the Member States which is shown to be real and present or foreseeable, linked, for example, to terrorist activities, and only on condition that the duration of such retention is limited to what is strictly necessary."

Other cases challenging national implementation of the law, from Slovenia and Germany, are pending before the CJEU.

Documentation

Further reading


Image: Sourabh, CC BY-NC-ND 2.0

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error