The transfer as well as the generalised and undifferentiated automated processing of PNR (Passenger Name Record) data, for the purpose of combating terrorism or serious crime, are compatible with fundamental rights and the protection of personal data, said Giovanni Pitruzzella, advocate general of the Court of Justice of the EU, on 27 January in his opinion on case C-817/19.
However, a general and undifferentiated retention of PNR data in a non-anonymised form is justified only in the face of a serious, present or foreseeable threat to the security of the Member States and on condition that the duration of such retention is limited to what is strictly necessary, the Advocate General highlighted.
The EU’s PNR Directive, which covers the collection of such data by airlines on flights to and from the EU to third countries, could however have more precise fields on certain aspects of such data transfers, with the Advocate General declaring one annex invalid.
The EU ‘PNR’ Directive, adopted in 2016, requires the systematic processing of a significant amount of data of air passengers entering and leaving the EU and also provides for the possibility to include intra-EU flights. The Belgian League for Human Rights (LDH) had filed an action for annulment of the Belgian transposition law with the Belgian Constitutional Court in 2017, arguing that it violated the right to privacy and data protection. It challenged the very broad nature of PNR data and the general nature of the collection, transfer and processing of such data.
In his opinion, the Advocate General notes that provisions requiring or permitting the communication of personal data of natural persons to a third party, such as a public authority, can only be justified if they are provided for by law, respect the essential content of those rights and, in compliance with the principle of proportionality, are necessary and meet objectives of general interest recognised by the EU.
After noting that the use of general categories of information which do not sufficiently determine the nature and extent of the data to be transferred does not meet the requirements of clarity and precision laid down by the Charter of Fundamental Rights, the Advocate General concludes that an annex on “general remarks” intended to cover all information collected by air carriers is invalid.
For the rest, he stresses that the data that air carriers are required to transfer under the PNR Directive is “relevant, adequate and not excessive, having regard to the purposes pursued by that Directive, and that their scope does not exceed what is strictly necessary to achieve those purposes”. And there are sufficient guarantees that only the data specifically referred to will be transferred and that the confidentiality of the data will be preserved. The Advocate General also notes that the PNR Directive contains a general prohibition on the processing of sensitive data.
Link to the opinion (in French): https://bit.ly/3KNMwTw (Original version in French by Solenn Paulic)