Guest Post by Vasileios Rovilos. Vasileios is an MA graduate in European Politics & Governance at the College of Europe and a non-residential researcher at the CEDIS Institute at the Faculty of Law of Universidade NOVA de Lisboa.

Concerns relating to fundamental rights have been at the epicenter of transatlantic transfers of Passenger Name Record (PNR) data since their inception post 9/11. The EU legislative framework stipulates that PNR data must be provided by airborne passengers and collected by air carriers to enable reservations to take place. Evidence suggests that the majority of the Member States wish to expand the scope of application of the Directive in order to cover rail, sea and other modes/channels of transportation. Along with their commercial purpose, PNR data may comprise sensitive passenger data that could be used by law enforcement authorities to facilitate counter-terrorism objectives. Specifically, they allow the authorities to perform an individualized background check, which might lead both to the identification of connections with offenders and to the monitoring of potential suspects. As such, these data raise urgent questions about privacy and data protection.

The EU PNR Directive, adopted in 2016, aims to lay down an EU PNR framework for intra-EU flights and non-EU flights. The Directive not only allows for the transfer of PNR data to third countries, but it also regulates the retention and processing of data alongside disclosure in exceptional circumstances and with supervisory authorities in place. 

Since the Schrems case, countries that are recipients of PNR data must ensure that the diligence and safeguards they use to protect these data are ‘essentially equivalent’ to EU standards. This, however, does not necessarily mean that the Directive fully conforms to the right to data protection as enshrined in the Charter of Fundamental Rights of the EU. This blog entry examines the compatibility of the EU PNR Directive with Articles 7 and 8 of the Charter of Fundamental Rights of the EU, paying particular attention to the purpose limitation principle.

The purpose limitation principle comprises two main features. First, personal data processing must relate to a specified, explicit and legitimate purpose; and second, any further processing is only permissible if it reflects the originally designated purpose for which the personal data were gathered. This principle is considered a defensive milestone for the fundamental right to data protection. It acts as a shielding measure for transmission and processing of PNR data.  

The PNR Directive prohibits the deployment and processing of sensitive data in light of Recital 37. More specifically, Article 6(4) of the Directive establishes that PNR data prescribed for its purposes shall be based on pre-determined criteria that do not relate to ‘race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual orientation or life’.

On the other hand, Article 6(3) of the PNR Directive permits processing of the collected PNR data to facilitate actions combatting terrorism or serious transnational crime. The purpose of this processing practice seems to be justified in light of Article 6(2)(a), corresponding to the obligation of abiding by the clearly designated pre-determined criteria. However, a closer look shows that the manner in which PNR data would be filtered under the listed categories amounting to the ‘General Remarks’ (see Annex I of the Directive) does not adequately comply with the purposes to be attained. Specifically, recital 12 of Directive 2016/681 (the equivalent is found under recital 17 in the EU-Canada PNR Agreement) corresponds to the comments highlighted in Opinion 1/15. Namely, there is ‘no indication as to the nature and scope of the information to be communicated, and it may even encompass information entirely unrelated to the purpose of the transfer of PNR data’, while this heading does not establish any explicit ‘limitation on the nature and scope of the information that could be set out thereunder’ (para 160 et seq.). This approach creates leeway in the processing of sensitive data and is thus contrary to Recital 37 and the Opinion 1/15 ruling.

In its Opinion 1/15 regarding a potential EU-Canada PNR agreement, the Court of Justice reiterated the importance of the limiting principle. The Opinion is a landmark case that not only assessed an international agreement based on the Charter of Fundamental Rights but also ruled that this agreement is not to be adopted by the EU Institutions due to its lack of safeguards for data protection and privacy. Potential deviations from the purpose limitation principle, as established in the Digital Rights Ireland case (paras 60-61), could compromise the right to data protection.

The Court’s balancing exercise between (national) security and data protection/privacy is important for the EU legal order, specifically since the objective of combatting terrorism seems to have expanded its prominence across the international stage. However, it is important to note that the stance of the Court in seminal cases like Schrems and Digital Rights Ireland has fortified the fundamental rights to data protection and privacy, even though the Union’s negotiated agreements and the PNR Directive fall short of protection safeguards.

In the aftermath of Opinion 1/15, the PNR Directive shall not be ‘wedded to lower standards’ of protection, aiming for a future-proof approach. However, even though the Court delivered its Opinion more than 2 years ago, stressing the need for fostering data protection rules relating to the purpose limitation principle, no conforming action has been taken regarding the international agreements with Australia and/or the EU PNR Directive. Instead, on the 19th of December 2019, Advocate General Saugmandsgaard Øe issued his opinion on the Schrems II case, in which he noted that he has doubts about whether the safeguards of the Privacy Shield are equivalent to those of Article 8 of the Charter and Article 45(1) GDPR (paragraph 342). The definitive outcome of the case will come with the ruling of the Court in the coming months, since the AG opinion is not binding.

__________   

How to cite this blog post (Harvard style) 

Rovilos, V (2020). Walking on the wild side since Opinion 1/15: Assessing the EU PNR Directive in light of the principle of purpose limitation. Available at: https://www.law.ox.ac.uk/research-subject-groups/centre-criminology/centreborder-criminologies/blog/2020/05/walking-wild-side [date]