Abstract
On 26 July 2017, the Grand Chamber of the Court of Justice (CJEU) handed down its ruling in Opinion 1/15 on the envisaged Agreement between Canada and the EU on the transfer of passenger name record (PNR) data to Canada for the purpose of combating terrorism and serious transnational crime. 1 The Opinion was requested by the European Parliament under Article 218(11) TFEU to check the legal basis of the envisaged Agreement and its compatibility with Article 16 of the Treaty and Articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the European Union (the Charter).
Following the analysis of Advocate General Mengozzi, the Court ruled that the envisaged Agreement could not be concluded in the form signed by the Council and laid down a number of amendments that would have to be made to permit its adoption. The ruling marks a further consolidation of the work of the CJEU in establishing the Charter as a constitutional benchmark and the role of the Court in prioritising the protection of fundamental rights, in particular the rights to privacy and data protection. 2
The envisaged Agreement requires airlines in the EU to transfer to the Canadian authorities specific elements of the PNR data of all passengers flying from the EU to Canada for the purpose of combating terrorism and serious international crime. Airlines routinely collect PNR data from passengers in their automatic reservations systems when booking a flight. This booking information may include the names and addresses of passengers, their payment and credit card details, baggage and seating information, and information on special requirements for meals, which might reveal religious preferences.
The Court observed that the PNR data transferred prior to departure, together with systematic analysis by automated means before arrival in Canada, may reveal considerable information about passengers’ private lives, such as a complete travel itinerary, travel habits, financial situation, dietary habits or their state of health and relationships and may even provide sensitive information about those air passengers. The Court noted that such information may be retained for up to five years, a particularly long period of time.
The Court found that this processing of personal information was covered by the specific data protection requirements of Article 8(2) of the Charter and entailed a serious interference with the fundamental rights to respect for private life under Article 7 and data protection under Article 8 of the Charter. 3 In consequence, the Court subjected the envisaged Agreement to a strict review of compliance with the requirements laid down in the Charter and indicated in some detail how the Agreement would have to be amended to ensure that it does not exceed what is strictly necessary in order to achieve its security objective.
The principles of necessity and proportionality, specifically enshrined in Article 52(1) of the Charter, are a key requirement in the area of mass surveillance, featuring strongly in the case law of both the CJEU and the European Court of Human Rights (ECtHR). 4
The CJEU has consistently sought to find a fair balance between the need of the state to maintain public security and the equally fundamental right for individuals to be able to enjoy a high level of protection of their private life and their personal information. As pointed out in the 2015 Special Issue of this Journal, ‘the CJEU calls for the EU legislator to define key concepts, procedures to follow for the protection of processed data, and authorities who may access and make use of such data more clearly.’ 5
In Opinion 1/15 the Court distinguished between different situations: the transfer and storage of PNR data for the purpose of entering Canada; and the further use and storage of that data during the stay of the passengers concerned in Canada and after their departure. 6
In the first case, the transfer and storage of PNR data of all passengers for the purpose of entering Canada was judged not to exceed the limits of necessity. The Court noted in this respect that the Chicago Convention requires all air passengers to comply with the laws as to admission to and departure from the territory of the country to where they fly. 7 However, the Court specified that the PNR data may only be stored while the traveller remained in Canada.
In the second case, the use of any of this data during or after their stay in Canada would require a specific justification and the development of specific rules on the conditions of use and access, in particular providing that the use of these data is normally only permitted after prior review by a court or an independent authority. 8
Finally, the Court considered that retention of these data after the traveller leaves Canada would be considered acceptable only in specific cases in which a traveller presented a risk relating to the fight against terrorism or serious transnational crime. In such cases, the retention period of five years was felt to be acceptable. 9
The Court also referred to a number of other necessary safeguards: the envisaged Agreement should also provide more clarity on the types of PNR data that can be transferred, it should provide for air passengers to be notified if their PNR data is processed during their stay in Canada or after their departure, the right to effective judicial redress should be sufficiently guaranteed, and the Canadian authorities should only be able to transfer PNR data to authorities in other third countries where the EU itself had established that there was an essentially equivalent level of protection.
In addition to this specific advice on how to bring the envisaged Agreement into compliance with Articles 7 and 8 of the Charter, the ruling lays down a number of important signposts for the future.
First, this was the Court’s first ruling on the compatibility of a draft international agreement with the fundamental rights enshrined in the Charter. The Court found that an international agreement must be entirely compatible with the EU Treaties and with the constitutional principles stemming therefrom. 10 The ruling will therefore serve as benchmark for similar bilateral agreements with third states which facilitate data transfers in name of public security, notably the PNR Agreements with Australia and the United States, as well as elements of the US Privacy Shield.
Second, the Court resolved the legal basis required for an EU instrument which governs how personal data collected by private operators for commercial purposes may be further used for the purposes of security and law enforcement. The Court examined for the first time the scope of Article 16(2) TFEU, introduced by the Lisbon Treaty, and its interaction with Treaty provisions on freedom, security and justice. The Court found that Articles 16(2) (the right to data protection) and 87(2)(a) TFEU (police cooperation among the Member States in criminal matters) constitute the appropriate legal bases for the act of the Council concluding the envisaged agreement. Whilst normally there should be a single legal basis for a proposed EU instrument, the Court found that security and data protection were two equal components of the envisaged Agreement, inextricably linked to each other, and each requiring its own legal basis. 11
The Parliament had argued that the sole appropriate legal basis of the envisaged Agreement was Article 16(2) TFEU, which is capable of applying across all the sectors in the former First and Third Pillars of the Treaty, as recognised in Declaration 21 to the Lisbon Treaty. The Court found that Article 16 TFEU is an appropriate and necessary legal basis because the envisaged Agreement ‘(…) relates, in particular, to the establishment of a system consisting of a body of rules intended to protect personal data and with which Canada has undertaken to comply (…).’ 12
However, the Court also found that the envisaged Agreement establishes rules governing the transfer of PNR data to the Canadian authority responsible for combating terrorist offences or serious transnational crime and governing the use of that data by that authority. The Council and the Commission, and most of the Member States intervening, had argued that this was the main purpose of the agreement with Canada, and that data protection was only an instrument to achieve that purpose. The Commission recalled the much-criticised EC-US PNR ruling in 2006, where the Court found that the processing of personal data in the context of the first PNR agreement with the United States fell within a framework established by the public authorities that related to public security, which did not come within the scope of Directive 95/46. 13
The Court did not refer to this point, but the Advocate General made it clear that the envisaged Agreement with Canada fell to be considered under the Lisbon Treaty rather than under the narrower scope of Directive 95/46. 14 The ruling in Opinion 1/15 thus marks a complete departure from the limited EC-US PNR ruling in 2006. It illustrates the impact of the Lisbon Treaty, its consolidation of the former First and Third Pillars of the Maastricht Treaty, and the strength that the new Treaty provides to the Court.
Finally, since none of the provisions of the envisaged Agreement refer to facilitating judicial cooperation in criminal matters, the Court found that it could not be based on Article 82(1)(d) TFEU (judicial cooperation in criminal matters in the EU).
Third, the ruling provides valuable support for European negotiators in the future. Article 2 of the Treaty (TEU) reminds us that the EU is founded on the values of democracy and the rule of law, and EU negotiators can insist that certain negotiating concessions demanded by third states would not be acceptable to the Court and/or the Parliament. On the one hand, the detailed prescriptions by the Court have been criticised as performing in effect a ‘redline revision’ 15 of the envisaged Agreementand as posing difficulties for negotiators in the future, in terms of not knowing whether specific clauses in an agreement will pass the test of compatibility. 16 On the other hand, the Court has made its position clear on a number of specific issues, which can undoubtedly be used to advantage in future negotiations.
For example, it will no longer be acceptable for third states to decline to legislate to fill lacunae under national law so as to ensure an adequate level of protection which is ‘essentially equivalent’ to that in the EU. In the present case, instead of independent supervision by the Privacy Commissioner of Canada of PNR processing, non-resident foreigners must resort to supervision by an ‘impartial’ body entrusted with the task of protecting their rights. The Court did not accept that this alternative form of supervision was adequate to ensure the strict standard of independent supervision required under Article 8(3) of the Charter. 17 As a result, EU negotiators will be able to insist in the future that ad hoc patches of gaps in essential protection cannot be accepted.
Fourth, the CJEU has definitively settled the issue whether international agreements may be used to determine adequacy. The European Parliament had argued that the envisaged Agreement was incapable of being regarded as a ‘law’ for the purposes of justification, the initial and the most basic requirement to justify interference with a fundamental right. However, the Court found, following the Advocate General, that such an agreement may be regarded as being the equivalent, externally, of that which is a legislative act internally. 18 It is noteworthy, however, that the use of an international agreement to recognise adequacy is not foreseen in the relevant secondary legislation, whether Directive 95/46 or the exhaustively-negotiated GDPR. 19
Fifth, in this ruling the CJEU has confirmed and consolidated its recent case law on mass surveillance, 20 which it has developed in parallel with that of the ECtHR. 21
In addition to the rights of privacy, data protection and effective judicial protection applied in this line of case law, the ruling in Opinion 1/15 applied the right to non-discrimination enshrined in Article 21 of the Charter. This prohibits any discrimination based on, inter alia, race, ethnic or social origin, religion or belief, whereas the envisaged Agreement provided for the, albeit restricted, processing of sensitive data revealing racial or ethnic origin and religious or philosophical beliefs, amongst others. The Court concluded that Article 21, together with Articles 7, 8 and 52(1) of the Charter, precludes the transfer of sensitive data to Canada or its use or retention. 22
Outside of Europe, the courts in other countries are also getting to grips with the need to balance privacy and data protection with law enforcement and security in the digital age. In Riley v. California, the U.S. Supreme Court warned that ‘[p]rivacy comes at a cost’ and insisted on prior judicial authorization before searching mobile phones seized after an arrest, in view of ‘all they contain and all that they may reveal.’ 23 In Puttaswamy v. Union of India, the Indian Supreme Court referred to the ‘opportunities and dangers posed to liberty in a digital world’ and found that ‘[p]rivacy is the constitutional core of human dignity’. The Indian Supreme Court called on the government to ‘put into place a robust regime’ for data protection which ‘requires a careful and sensitive balance between individual interests and legitimate concerns of the state’, such as ‘protecting national security.’ 24
Finally, there are still some open questions after the ruling in Opinion 1/15 and the recent case law of the CJEU and the ECtHR. Is generalised mass surveillance permitted under the Charter or the ECHR if there are sufficient safeguards? If so, should these safeguards include specific rules to protect the confidentiality of judicial or legal communications, so as to protect the right to a fair trial and an effective judicial remedy? Should there be specific rules to protect journalists and the freedom of information from surveillance?
Some of these questions are pending before the European courts. In the Privacy International case, the UK Investigatory Powers Tribunal decided on 8 September 2017 to refer a number of questions to the CJEU for a preliminary ruling on the application of EU law to processing by national intelligence agencies, notably in view of Article 4(2) TEU, which reserves national security to the Member States. 25
Both privacy and freedom of expression are at stake in the Big Brother Watch case, which was heard by the ECtHR on 7 November 2017. 26 The claimants argue that the communications of journalists and other social ‘watchdog’ organisations, such as human rights and other public interest organisations, should not be accessed by the UK security authorities without proper regulation.
In this ongoing process, the ruling in Opinion 1/15 makes a welcome and significant contribution.