An EU-Canada deal to share air passenger data in a bid to fight terrorism cannot be passed in its present form as it would breach privacy laws, the chief legal advisor to the European Union’s top court said Thursday (8 September).
The European Court of Justice’s advocate general said he reached the conclusion based on the court’s decision last year to strike down a separate pact between the EU and United States on sharing internet information. The agreement to transfer passenger name record (PNR) data between the EU and Canada allows authorities to exceed the aim of preventing and detecting terrorism or crime, said the advocate general, Paolo Mengozzi.
The court is not obliged to follow the advocate general’s rulings when it hands down its final decision, but it frequently does.
“According to Advocate General Mengozzi, the agreement on the transfer of passenger name record data, planned between the European Union and Canada, cannot be entered into in its current form,” the court said in a statement.
“A number of provisions of the draft agreement are incompatible with EU fundamental rights.”
He did not say whether this applied to similar passenger data deals that the EU has with the United States and Australia.
In 2010, the EU and Canada began negotiating an agreement to transfer and process PNR data that passengers give airlines, travel agents and tour operators when they make flight reservations and check-in for flights. US-style PNR data include itineraries, ticket types, contact details, baggage information and payment information.
Mengozzi said the deal must face a “strict review” to determine if it protects personal data and respects private and family life and currently would allow authorities to process PNR data “beyond what is strictly necessary”.
It would also allow the Canadian authorities to use and retain data containing “sensitive” information and lacked measures to check the spread of PNR to various foreign public authorities. Mengozzi reached his conclusions based on the court’s ruling last October striking down an EU-US arrangement allowing firms like Facebook and Google to transfer the personal information of European citizens to the United States.
It came after Austrian activist Max Schrems who sued Facebook in Ireland, citing US snooping practices exposed by former US intelligence contractor Edward Snowden. The EU and the United States have since reached a new internet privacy deal.
British ECR MEP Timothy Kirkhope: "This opinion is quite frankly irresponsible. Given the level of the threat you have to ask what planet some of these lawyers live on. Law enforcement authorities all say we are continually playing catch-up on information flow and analysis, and the ECJ now risks setting back our efforts even further. This opinion not only threatens our fight against terrorism but also the fight against child exploitation, trafficking and drug smuggling."
Joe McNamee, executive director of NGO European Digital Rights: "Once again, the European Court is confirming that the European Commission has failed to understand the law. The European Commission has - again - failed in its basic function as the 'guardian of the treaties'."