An EU data sharing agreement with Canada is illegal because it violates privacy rights, the European Court of Justice said Wednesday (26 July), marking a new legal blow to the bloc’s data deals.
The top EU court’s opinion on a draft passenger name record deal with Canada is the latest setback for the European Commission’s data rules—after it knocked down data retention laws and in 2015, the safe harbour agreement allowing companies to transfer personal data to the United States.
The Commission brokered the so-called PNR agreement with Canada in 2014 as a security safeguard to help authorities monitor potentially dangerous flight passengers. But the court criticised a number of measures in the deal: a requirement to store data for five years is too long, for example.
Plus, the wide-ranging agreement would violate flight passengers’ privacy rights because it allows authorities to exchange data that could reveal “a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health, and may even provide sensitive information”.
Julian King, the EU Commissioner in charge of security, said during a news conference on Wednesday that he would communicate later in the day with Canadian officials about renegotiating the deal.
But King reaffirmed that the PNR deal is “critical” for security and that a changed version would respect EU data protection rules.
The court said the Commission should make sure the deal lists more specific categories of data that should be collected and guarantee that it is only used to fight terrorism or serious crimes.
Dutch Liberal MEP Sophie In ‘t Veld led the Parliament’s negotiations on the PNR agreement with Canada. Afterwards, she asked the court to weigh in on the final deal because she thought it left privacy loopholes.
On Wednesday, In ‘t Veld criticised the Commission and EU national governments that pushed for the deal because they “stubbornly continued to hold on to a flawed agreement, which is deeply regrettable”.
“Today’s ruling shows that anti-terror laws are all too often made in haste, but are then unable to pass judicial review,” she said.
Civil liberties campaign groups said the court’s pushback against the agreement with Canada could have a domino effect and knock down similar data agreements.
“The proposed EU/Canada PNR agreement was considered to be the least restrictive of all of the EU’s PNR agreements. To respect the ruling, the EU must now immediately suspend its deals with Australia and the United States,” the NGO European Digital Rights said in a statement.
Passenger data shared under the EU’s agreement with the US can be stored for up to 15 years. The agreement with Australia allows authorities to store data for up to five-and-a-half years.
Next year, a law is set to go into effect that will force EU countries to share data on flight passengers with each other—for flights entering or exiting their countries and leaving the bloc. Countries can potentially share data on passengers who fly between EU member states too, if they choose to apply the law more broadly.
King insisted that the EU court’s opinion does not threaten the internal EU deal. The Commission is helping ten member states build up their flight database systems so they can track passengers’ data and comply with the new law, he told reporters.
But In’ t Veld said the court’s opinion could have “far-reaching consequences” for the EU deal with the US and other data sharing agreements.
The court already has other privacy cases lined up.
There are two complaints at the Luxembourg court against the EU’s privacy shield agreement with the United States. That complaint was lodged less than two months after the Commission sealed the deal with Obama administration officials—which they set up to replace the safe harbour agreement after the court ruled that illegal in 2015.
A Commission delegation will travel to Washington in September to review the privacy shield deal for the first time. A group of MEPs the Parliament’s Civil Liberties Committee (LIBE) who returned from a trip to Washington last week warned that the agreement does not meet EU privacy standards. President Donald Trump’s administration still has not appointed an official to oversee a complaint service for citizens who think their data privacy is compromised. A European Court of Justice spokeswoman could not indicate when hearings in the two complaint cases will start.