EU-Canada Airline Data Pact Violates Privacy:Adviser

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

A provisional agreement between the European Union and Canada on the transfer and retention of airline passengers data violates the privacy rights of EU citizens, an adviser to the EU's top court said in a Sept. 8 opinion.

The draft passenger name agreement (PNR) covers sharing information for the purposes of fighting terrorism and serious crime. An eventual European Court of Justice (ECJ) ruling that the EU-Canada PNR agreement doesn't respect EU privacy rights may have implications for similar agreements between the EU and the U.S. and EU and Australia. A similar EU-Mexico agreement is under negotiation. A negative ruling might also call into question the EU's internal PNR directive requiring passenger data sharing among the EU countries.

Although ECJ Advocate General Paolo Mengozzi advised that the EU-Canada agreement is deficient, he said that PNR agreements between the EU and third countries could go forward so long as a series of precise privacy safeguards are respected.

Mengozzi's opinion isn't binding on the court but is highly influential and the EU top court often follows the advice of its advocates general.

ECJ spokeswoman Holly Gallagher told Bloomberg BNA Sept. 8 that no date had been set for the final ruling on the EU-Canada PNR agreement, but it could be “possibly end of this year or the beginning of next.”

Privacy Risks

The EU and Canada signed the PNR agreement in June 2014, but the European Parliament referred the provisional EU-Canada PNR agreement to the ECJ in November 2014 (13 PVLR 2081, 12/8/14) for a ruling on its legality in the context of the April 2014 annulment of the EU Data Retention Directive (2006/24/EC) (13 PVLR 660, 4/14/14).

According to Mengozzi, the draft EU-Canada agreement is out of step with privacy rights contained in the EU Charter of Fundamental Rights because it would allow the processing by Canada of sensitive data from EU data subjects.

Sensitive data under the EU-Canada PNR agreement is defined as data that “reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information about a person's health or sex life.”

Mengozzi also said the agreement would allow an unjustified five-year data retention period and would permit onward transfer of data to third parties without sufficient safeguards.

In addition, the draft agreement goes “beyond what is strictly necessary” in permitting “the extension of the possibilities for processing PNR data” and in allowing Canada to disclose data, Mengozzi said.

Proposed Conditions

Mengozzi's opinion also set out a detailed list of conditions under which the EU-Canada PNR agreement could be implemented.

These include the exclusion of sensitive data from the agreement, inclusion of a detailed list of criminal offences in connection with which data could used, more precise identification of which authorities are permitted to access the data and case-by-case review by an “independent authority or a court in Canada” of any onward transfer of data.

The agreement should also show “precisely why it is objectively necessary to retain all PNR data for a maximum period of five years,” and should allow redress for EU citizens who believe their privacy rights have been violated, Mengozzi's opinion said.

Impact on Other Pacts?

Privacy advocates said that if the EU Court of Justice confirms Mengozzi's opinion, current PNR agreements with Australia and the U.S. would have to be revised, while the April 2016 EU PNR law could be open to challenge.

Under the EU PNR law, EU countries should put in place PNR collection systems for data from flights into and out of the EU, and should retain PNR data for five years, with data anonymized after six months .

German Green member of the European Parliament Jan Philipp Albrecht said in a Sept. 8 statement that according to the criteria set out by the advocate general, the EU PNR agreements with Australia and the U.S. are “unlawful”.

The advocate general's opinion reflected the April 2014 ruling of the EU Court of Justice that invalidated the EU Data Retention Directive on the basis that mass retention of personal data contravened privacy rights, Albrecht said.

Awaiting Final Ruling

Advocacy group European Digital Rights (EDRi) said in a Sept. 8 statement that the EU-Canada agreement was “the least restrictive PNR agreement that the EU has so far adopted” in terms of data retention. The EU-U.S. PNR agreement allows retention of data for 15 years.

Such agreements for the blanket retention of data, as opposed to targeted access to data based on reasonable suspicion, create “a needless security risk, undermines privacy, and generates huge costs,” EDRi said.

The European Commission, the EU's executive arm, which drafted the EU-Canada PNR agreement, declined to comment on the advocate general's opinion.

At a press briefing Sept. 8, commission spokeswoman Mina Andreeva said “we'll wait until we have the court judgment,” and the commission “will then express its position.”

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

The advocate general's opinion is available at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security