EU Court of Justice Issues Ruling on Privacy Rights and International Agreements
In a ruling that should have a significant impact on Canada’s privacy policies, the European Court of Justice (Opinion 1-15, July 26, 2017) has held that the agreement between Canada and the EU on the transfer of Passenger Name Record (PNR) data cannot be concluded because it violates fundamental privacy rights recognized by the EU as it is currently written.
The Court noted that the PNR data could reveal a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health. And since the data will be analyzed through an automated process, the Court also noted the analysis could provide additional personal information about the passengers.
In ruling that the transfer of the PNR data (and its potential subsequent retransfer) constituted an interference with the fundamental right to the protection of personal data, the court also looked at whether this fundamental violation could be justified.
First they noted that there was an objective of general interest (to ensure public security in the context of the fight against terrorist offences and serious transnational crime) and that a transfer of data measure was appropriate for the achievement of that objective.
But the court went on to find that since there was a risk of processing sensitive personal data contrary to the principle of non-discrimination, the transfer to Canada would require a more precise justification than was shown. The Court also noted that the continued storage of the data was not limited to what is strictly necessary.
The court set out six protections that will need to be included in the provision in order to cure these defects. It is worth noting that these measures corresponds to generally established fair information practice/ fair privacy policy (as contained for example in PIPEDA’s Privacy Principles).
The six measures which must be addressed in a revised version are:
- determine in a more clear and precise manner certain of the PNR data to be transferred;
- provide that the models and criteria used for the automated processing of PNR data will be specific, reliable and non-discriminatory;
- provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;
- provide that PNR data may be disclosed by the Canadian authorities to the government authorities of a non-EU country only if there is an agreement between the European Union and that country equivalent to the envisaged agreement or a decision of the European Commission in that field;
- provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data to other authorities or to individuals;
- guarantee that the oversight of the rules relating to the protection of air passengers with regard to the processing of their PNR data is carried out by an independent supervisory authority.
This ruling is timely and very significant for Canadian privacy policymakers for several reasons.
The court’s ruling serves as a reminder that the European Union takes its privacy commitments very seriously. In Europe, privacy is afforded a higher status in the legal hierarchy than it is given in Canada and much more so than in comparison with the United States. While Canada’s PIPEDA standards have been deemed in the past to be in compliance with the EU’s adequacy requirements, there is no guarantee this status of compliance will continue under the new GDPR regime.
Also, in this decision, the Court is showing sensitivity to the impacts and effects of technology on privacy issues, especially with regard to the processing of sensitive personal information. Canada should draw an inference that our PIPEDA principles would benefit from a thorough review to determine if they are keeping up with technological changes (I have addressed this issue in an earlier submission to the Office of the Privacy Commissioner and am expanding this discussion in forthcoming paper on the Internet of Things). I don’t think the correspondence between the Court’s order and basic privacy principles was an accident or a coincidence.
And perhaps of the greatest historical significance, the court noted its decision represents the first time it’s been called on to rule on the compatibility of a draft international agreement with the EU Charter of Fundamental Rights. The significance of this point should not be overlooked as Canada continues to engage in international agreements. NAFTA may not directly affect Canada’s trade relationship with the EU and its members. But Canada must avoid negotiating away any privacy protections which could lock the government into an untenable situation with respect to compliance with the EU’s increasingly robust privacy requirements. My sense is that the NAFTA negotiating demand from the United States (restricting limitations on trans-border data flows or other measures requiring local data processing) impedes the flexibility in privacy protections that Canada needs to maintain.
At the very least the Canadian government needs to issue a clear statement that Canadian privacy protections are NOT going to be subject to NAFTA negotiations, and this would be preferably accomplished by releasing a clear set of its negotiating objectives.
Today’s decision from the European Court only underlines these concerns and should send a clear message to the Canadian government that it needs to take privacy protections more seriously.
[…] Brussels has to go back to the drawing board on a key plank of its counterterrorism strategy. The European Court of Justice dealt a blow to the EU’s policy of sharing information about airline travellers, saying that a long-standing arrangement with Canada ran roughshod over people’s privacy. [See here] In its ruling, the ECJ said the Commission went too far when it gave Canada access to detailed information about airline passengers, including what meals a passenger ate, in what company he or she traveled and how he or she bought a ticket — and stored these data for up to five years. The idea is that law enforcement could use the information to map and monitor terrorists’ and criminals’ travels, and halt them before boarding flights. A PNR data-sharing agreement with Canada dates back to 2006, but when it was revised in 2014, the European Parliament asked the ECJ for its opinion on the update before giving the deal its seal of approval. Security Commissioner Julian King said that Commission officials are speaking to Canadian counterparts “about ways of addressing the concerns raised by the European Court of Justice on the envisaged EU-Canada PNR agreement.” [See here] But King said the opinion did not affect EU countries’ obligations to implement the EU’s own, internal PNR system. Privacy advocates called the opinion a win for privacy. “Reckless data retention and profiling have no place in a democratic, law-based society,” Joe McNamee, executive director at European Digital Rights, said in a statement. [POLITICO.eu | Deal to share passenger info between EU and Canada struck down on privacy concerns | When travel security makes things more dangerous | EU-Canada Airline Data Pact Violates Privacy: Adviser | EU-Canada passenger data deal infringes privacy: EU adviser | EU-Canada Air Data Deal Is Illegal, Warns Top Lawyer | EU-Canada Traveler Data-Sharing Deal May Go Too Far | EU Court of Justice Issues Ruling on Privacy Rights and International Agreements – Sam Trosow,…] […]