THE EUROPEAN Court of Justice (ECJ) has turned thumbs down on a proposed agreement between the European Union and Canada on the transfer and processing of airlines’ passenger name records (PNRs) and associated data.
“The ECJ concluded that the transfer and use of passenger name records as contemplated in the proposed agreement was incompatible with the respect for private life and the protection of personal data within the meaning of the Charter of Fundamental Rights of the European Union,” says Antoine Aylwin of Fasken Martineau DuMoulin LLP’s privacy and information protection group in Montréal.
The agreement would have allowed Canada to keep PNRs for up to five years and possibly share them with other non-EU states. As the court saw it, that constituted a valid purpose. Unfortunately, the agreement was sufficiently lacking in particularity to render it an “interference with the fundamental right to respect private life.”
PNR lists have existed since the International Air Transport Association was founded in 1945. Often cited as important tools in the fight against terrorism, the use of PNRs has become controversial, particularly in the EU where PNRs are seen by privacy advocates as yet another massive database that carries unacceptable risks of infringements on human rights. Indeed, the PNR agreement explicitly recognized the competing consideration, stating that its purpose was both to “ensure the security and safety of the public” and “prescribe the means by which the data is protected.”
The ECJ took explicit objection to several aspects of the proposed EU-Canada agreement. In particular, the court found:
- The words “all available contact information” and “any information” were too broad;
- The basis for transferring sensitive information required a “particularly solid justification” that the agreement lacked;
- Recent research suggested the automated predictive algorithms used to process PNRs might be subject to discriminatory bias;
- There was no need to retain the data once passengers who presented no risk of terrorism or transnational crime before or during their stay in Canada and had now left; and
- The agreement did not provide for an independent supervisory authority empowered to ensure that passengers whose PNR data was used or retained be notified.
The decision does not, however, mean that the agreement is dead in the water.
“While the opinion questions several rules under the PNR system, it does not question its raison d’être,” Aylwin says. “In other words, the EU-Canada agreement is currently on the grey list, but it could still take off.”
Almost immediately after the ruling, the European Commission (EC) indicated that it would seek to comply with the court’s ruling by way of further negotiation with Canada. That negotiation could proceed relatively smoothly from a Canadian perspective. “The court’s reasons are not that far removed from the principles underlying Canadian privacy laws, in particular with respect to necessity or transparency,” Aylwin says.
Still, while the court’s reasons are based on the European Charter of Fundamental Rights, they underscore the challenges facing any further efforts Canada and the EU to collaborate on data transfer.
This is particularly so with the EU’s new General Data Protection Regulation (GDPR) due to take effect in May 2018.
“The GDPR is much more comprehensive than the current regulation,” says privacy lawyer David Young of David Young Law in Ottawa.
“When it comes into force, Canada will again have to seek confirmation that its privacy laws comply with EU law in order for Canadian businesses to transfer or receive personal data from the EU.”
Although the EC determined in 2001 that Canada’s Personal Information Protection and Electronic Documents Act provided “adequate protection” for data transferred from the EU, it could revisit that conclusion. Indeed, the ECJ noted in a previous decision that the level of protection ensured by countries outside the EU is liable to change and that “it is incumbent upon the [Data Protection] Commissioner” to periodically check whether an earlier adequacy decision was still justified.
What the EC may find particularly objectionable is that Canadian law does not prohibit the transfer of data to countries lacking meaningful privacy regimes, meaning that data transferred from the EU to Canada could end up in those countries.
“All [Canada requires] is contractual arrangements ensuring that Canadian restrictions will be largely honoured by the entity that is receiving the data,” says Mark Hayes of Hayes eLaw LLP in Toronto.