CJEU passenger data ruling provides welcome clarification for stakeholders

Nils Rauer, privacy law expert at Pinsent Masons, said the CJEU’s judgment on the passenger name record (PNR) directive “provides clarity and legal certainty” for stakeholders. The PNR directive requires the systematic processing of passenger data on flights between the EU and third-party countries. The directive previously enabled member states to collect, transfer and store passenger data from intra-EU flights for up to five years.

But the CJEU placed strict limits on the how data can be stored and transferred in the absence of a “genuine and present or foreseeable terrorist threat”. It added that PNR obligations may not be extended to other means of transportation, such as coaches, boats or trains. The CJEU’s ruling followed an action filed with the Belgian Constitutional Court in 2017 by the Ligue des droits humains (LDH), a not-for-profit association.

The LDH had criticised the broad nature of the PNR data and the way it was collected, transferred and processed. The not-for-profit claimed a law which transposed the PNR directive into Belgian domestic law infringed the right to respect for private life and the right to the protection of personal data guaranteed under Belgian and EU law. The LDH also argued that the law infringed the free movement of people because it indirectly re-established border controls by extending the PNR system to intra-EU flights – as well as other forms of transport within the European Union.

In its ruling, the CJEU clarified that the system introduced by the PNR directive can only cover clearly identifiable and circumscribed information listed in its Annex I and is limited to terrorist offences and serious crimes “with at least an indirect objective connection to the transportation of passengers”. The court held that “general crime” is not a sufficient reason for the application of the PNR system, and that an “adequate degree of seriousness” is required for its use.

The ruling means that the extension of data collection and storage to all EU flights from or to a particular member state is only possible if there is a terrorist threat to the member state which can be classified as real and current or foreseeable. The court said that no artificial intelligence technologies may be used as part of PRN data pre-screening, used to identify wanted or suspected criminals and terrorists, and added that the process must be “free of discrimination”.

It also placed strict limits on the storage of PNR data, stating that a general practice of storing it for five years was incompatible with Articles 7, 8 and 52 of the Charter of Fundamental Rights. The court found that the storage period of six months, provided for by the PNR directive for all passengers, does not exceed the limit of what it considered “absolutely necessary”. The processing of PNR data for purposes other than those expressly listed in the directive was also banned, with the court ruling that the provision and verification of PNR data could only be based on new circumstances or objective evidence of a passenger’s possible involvement in a crime.

Rauer said: “The judges’ ruling clearly rests on the so-called principle of ‘prohibition with reservation of exceptions’ – the concept that underlies the GDPR – and blocks any data processing attempts which do not have adequate and specific justification. The general aim of the PNR directive is to effectively fight terrorism and serious crime, and as the court made clear, that remains a fair and reasonable justification for data processing.”

“It is to the merit of the court that it is now clear how little discretion member states have in the course of implementing the directive. We talk about full harmonisation, the aim of which is a binding legal framework consisting of uniform national regulations throughout the EU. Because fundamental rights are at stake, it requires a narrow interpretation of what data may be collected and processed under the PNR directive. In this respect, the judges stress that PNR data may only be collected and stored in connection with terrorist offenses and serious crime,” said Rauer.

He added: “The CJEU is also right in emphasising the limits on the storage periods: a general storage period of six months, which applies indiscriminately to all passengers, is to be regarded as reasonable, and member states must obey to such limits when implementing the directive.”