July 20, 2018

July 19, 2018

Subscribe to Latest Legal News and Analysis

July 18, 2018

Subscribe to Latest Legal News and Analysis

July 17, 2018

Subscribe to Latest Legal News and Analysis

CJEU: EU-Canada Proposed Agreement On The Transfer of Passenger Name Record Data Does Not Conform to EU Data Protection Law Standards

On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”).  The Agreement was signed in 2014, but the CJEU was asked to determine whether it was compatible with EU data protection law before it is approved by the European Parliament.

The Opinion concluded that a number of provisions relating to the transfer of PNR data – particularly sensitive data – are incompatible with the EU Data Protection Directive (Directive 95/46) and the fundamental rights to privacy and data protection, and the protection against discrimination, under Articles 7, 8 and 21 of the EU Charter of Fundamental Rights (the “Charter”), meaning the Agreement must be renegotiated before it enters into force.

Notably, the CJEU’s opinion was consistent with its recent judgments concerning data transfers to “third countries” (outside the EEA) in Schrems and Tele2/Watson

Background to the PNR Agreement

The proposed Agreement permits air carriers operating between the EU and Canada to transfer PNR data of all air passengers to the Canada Border Services Agency (the “Canadian Competent Authority”), where the data may be used, retained for up to 5 years, or transferred to other authorities and other third countries, for the purposes of ensuring public security and combating terrorism and serious transnational crime.

PNR data includes a significant amount of personal data, such as an individual’s name, contact details, passport or other ID number, nationality, and financial payment information.  It may also include sensitive personal data, such as data relating to an individual’s health or religious beliefs.  Under EU data protection laws, personal data can only be transferred to third countries if those countries ensure a level of protection of personal data that is “adequate” (i.e., “essentially equivalent” to the EU regime).

The Opinion of the CJEU in relation to the transfer of the PNR data

The CJEU found that the transfer and subsequent processing of PNR data under the Agreement entailed “wide-ranging and particularly serious interferences” with Article 8 of the Charter, as very precise conclusions about an identifiable individual’s private life could be drawn from the data.  The CJEU identified the following necessary amendments to the Agreement, based on incompatibilities with EU law:

  • Categories of data – determine in a more clear and precise manner certain categories (e.g. “all available contact information”) of the PNR data to be transferred;

  • Purpose of processing – provide that the Canadian Competent Authority and other recipients of the PNR data will only be able to use this data in relation to the fight against terrorism and serious transnational crime;

  • Safeguarding international transfers – limit transfers of PNR data to non-EU countries that have agreements with the EU equivalent to the proposed Agreement or else benefit from an EU Commission adequacy decision; and

  • Notice to data subjects – specify that passengers are notified of the transfer of their PNR data to Canada and other third parties (and of its use), as soon as such notice will no longer jeopardise any investigations carried out in pursuit of the Agreement’s objective.

Transfer of sensitive personal data

In relation to transfer of sensitive data, the CJEU found that the Agreement was incompatible with the Charter as it did not preclude the transfer of sensitive data (and its use and retention).  Sensitive data is defined by the EU Data Protection Directive as “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

The CJEU advised that any measure carried out on the basis of a characteristic identified as “sensitive,” in pursuit of the Agreement’s objective, would infringe Articles 7 and 8 of the Charter, read in conjunction with the protection against discrimination under Article 21.  Having regard to the risk that data may be processed contrary to Article 21, the CJEU concluded that a transfer of sensitive data to Canada would require a “precise and particularly solid justification.”  Such justification must be based on grounds other than for the protection of public security against terrorism and serious transnational crime.  The CJEU found that the Agreement contained no such justification and also pointed out that the processing of sensitive data is prohibited under the EU Directive on the use of PNR data for the prevention, detection, investigation, and prosecution of terrorist offences and serious crime ((EU) 2016/681).

Impact of the CJEU’s Opinion

The requirements for adequacy set out in the CJEU’s Opinion will be relevant to the EU Commission’s ongoing assessment of the EU-U.S. Privacy Shield, and the challenge to the EU model contractual clauses, currently before the Irish High Court.  Now that the requirement for a “solid justification” has been highlighted by the CJEU, the EU Commission may seek to identify suitable justifications for the transfer of sensitive data during its review of the Privacy Shield.  The Privacy Shield may need further negotiation and amendment if such a justification is not identified, but will remain valid unless the EU Commission or the CJEU find it to be inadequate.

The UK Government should also take note of the amendments recommended by the CJEU, as these will be pertinent to its negotiations with the EU for data transfers following Brexit.

Dan Cooper and Rosie Klement autored this post.

© 2018 Covington & Burling LLP


About this Author

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.  Our practice provides exceptional coverage of all of the substantive areas of privacy, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions.  One of our core strengths is the ability to advise clients on relevant privacy and data security rules worldwide,...