The European Court of Justice ruled on Tuesday (21 June) that the EU’s Passenger Name Record (PNR) directive must be curtailed to be compatible with fundamental rights.
The PNR directive was adopted in 2016, introducing a mechanism whereby airlines had to hand to national authorities the data of all the passengers that enter or exit the European Union with the aim of preventing, detecting or investigating terrorist activities and serious crimes.
The directive allows member states to extend the same screening procedures also to flights from other EU countries, provided that they inform the European Commission. All EU countries except Austria and Ireland notified the Commission of their intention to do that.
In Belgium, the transposition of the directive into national law was contested by the Ligue des droits humains, which filed an action for annulment before the Belgian Constitutional Court in July 2017. The NGO accused the legislation of introducing generalised surveillance that infringes on the fundamental rights to privacy and data protection.
Moreover, the civil society organisation contested the fact that the directive also went against the free movement of persons, one of the core principles of the EU, arguing that the collection and processing of personal data on intra-EU flights de facto re-established border controls.
In doubt on how to interpret the implementation of EU legislation with some key principles of European law, the Belgian court referred the case to the EU Court of Justice, leading to the landmark ruling.
Limited to the ‘strictly necessary’
In its verdict, the EU court did not go as far as repealing the entire legislation – as per the wishes of the Belgian NGO – although it did recognise that the directive posed serious interferences to the rights to privacy and data protection as it introduced a continuous, untargeted and systemic surveillance mechanism.
Therefore, the judges clarified that – as far as possible – the EU law must be interpreted as not to affect the validity of primary legislation, in this case, the Charter of Fundamental Rights of the European Union.
In other words, the court interpreted the power given by the directive to public authorities restrictively, commanding that these data processing and retention practices are limited to what is strictly necessary to fight terrorism and serious crime.
“While the Court refrained from invalidating the directive altogether, it has imposed numerous detailed and demanding conditions and restrictions on the use of PNR data and especially on the mining of the data to create profiling,” said Douwe Korff, emeritus professor of international law at the London Metropolitan University.
Korff interpreted the ruling as having broader implications for future EU legislation, stressing that “rather than expanding generalised data trawling and mining and profiling, as the EU wants to do through Europol, these invasive measures should be dropped.”
In practice, the judgment notes that the information that public authorities can use is circumscribed to the one that is not explicitly covered in the directive and that the screening of passengers’ data can only take place if there is an objective link between a terrorist activity or a serious crime and a passenger on the aeroplane.
Similarly, the extension of the screening to intra-EU flights must also be restricted to a terrorist threat that is present or foreseeable, a decision to be reviewed by an independent national court or administrative body.
In the absence of an immediate threat, the member state can monitor only certain routes, travel patterns or airports, provided that is properly justified.
Human review and data retention
In a similar vein, the ruling commands the automated systems used to identify suspicious individuals must be based on objective, non-discriminatory criteria. A human review would then have to verify the flagged persons against the list of individuals that are sought or under alert.
The decision also stressed that the automated systems cannot use machine learning techniques, because “given the opacity which characterises the way in which artificial intelligence technology works, it might be impossible to understand the reason why a given program arrived at a positive match.”
“In these months when the European institutions are working on the AI ACT, the Court emphasised the importance of not using machine learning systems that can change the methods of verification of potential suspects without human supervision. The Court intends to avert the risk of automated mass surveillance as well,” said Vincenzo Tiani, a partner at the law firm Panetta.
Moreover, the EU court established that the so-collected passenger data cannot be used for any other purpose than the one established by the directive and that the data of the passengers that did not raise any red flags should be deleted after six months.
“All EU states will now have to limit their use of PNR data due to its intrusiveness. They must apply this ruling swiftly, and end their shameful track record of ignoring decisions from the Court — particularly in the area of data retention,” said Estelle Massé, Europe legislative manager at Access Now.
[Edited by Nathalie Weatherald]