Canadian data sharing deal with EU could be illegal under European Law

A top EU lawyer has concluded that the EU-Canada PNR agreement which oversees the transfer of information on flight records between the two countries goes against the EU Charter Fundamental Human Rights.

Picture credit: Altair78/Flickr
Picture credit: Altair78/Flickr

Advocate General Paolo Mengozzi of the Court of Justice of the European Union (CJEU), has ruled that certain parts of the draft Passenger Name Record (PNR) agreement between the European Union (EU) and Canada cannot in its current form go ahead.

Mengozzi  has advised that "certain provisions of the agreement envisaged, as currently drafted, are contrary to the EU Charter of Fundamental Rights." He added that  it has gone beyond what was "strictly necessary" for achieving "the public security objective pursued by the agreement."

Mengozzi has listed the conditions which would have to be met, in his non-binding opinion, for the agreement to be compatible with the EU Charter of Fundamental Rights in this press release.  

PNR data  includes travel dates, travel itinerary, ticket information, contact details, luggage list, and payment information.

Stewart Room, global head of cyber-security and data protection, at PricewaterhouseCoopers Legal LLP told SCMagazineUK.com that: “What we are seeing here is the third substantive legal challenge to EU data transfer arrangements. The first concerned the original EU-USA PNR agreement.  So far, the EU transfer mechanisms have not stood up well to these challenges.”  

Room explained: “This will be of concern to entities that want to adopt the Privacy Shield, Safe Harbour's replacement, but are holding back because of these challenges.  They may see the pattern that is emerging and because of their worry about legal validity they are stalled in their tracks.”  

“It is of great significance that the Privacy Shield has not been formally approved by the Article 29 Working Party and that it has not yet been through the scrutiny of the CJEU. Hence, there are some legitimate doubts about the Shield's robustness. This latest development is not going to ease any worries.”

According to the European Parliament website, PNR data is used to identify "persons who were previously unsuspected of involvement in terrorism or in serious crime before an analysis of that data suggests that they may be involved in such crime, and who could therefore be subject to further examination by the competent authorities".

The deal was signed in 2014,  and prior to its approval, the European Parliament asked the CJEU to inspect it on its compatibility with the EU Charter of Fundamental Rights.

The Advocate General, by his own account, reached these conclusions based on the CJEU's rulings on the cases of Schrems and Digital Rights Ireland which struck down the Safe Harbour and EU data retention directive.

Mengozzi explained his position by saying that: “It is necessary that, at a time when modern technology allows public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely sophisticated methods of monitoring the private life of individuals and analysing their personal data … [that we have a] fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data.”

Of course, it is well within the right of the CJEU to dismiss the Advocate General's opinion, which is not legally binding.

However, If it does agree with Mengozzi's opinion on the situation, it would cause the EU-Canada PNR agreement to brought to a halt alongside similar deals with other nations such as the US, Australia, and the EU's own PNR directive.

A decision against the EU-Canada PNR agreement could show the kinds of data agreements Britain will be striking with the EU for the purpose of data transfers in a post-Brexit world.

Sign up to our newsletters