Last week, Europe’s highest court issued what might seem a fairly obscure ruling on an agreement between the EU and Canada on the transfer of passenger data between the two regions. In fact, the implications of the judgment by the Court of Justice of the European Union (CJEU) are far reaching, and are likely to have a major impact on the flow of all personal data across the Atlantic.
The original agreement on the Passenger Name Record (PNR) data was signed in 2014. It allows the systematic and continuous flow of information to the Canadian authorities about all EU air passengers flying to that country. PNR data includes a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health, and may even include other highly-sensitive information about the air passengers.
The aim is to process the PNR data automatically before the passengers arrive in Canada, allowing individuals possibly involved in terrorism or other serious transnational crimes to be spotted and then interviewed or arrested when the plane lands. The personal data is stored on a Canadian database for five years after it is supplied, and may also be transferred to other authorities within Canada, and even outside – to those in the US, for example.
It is these very wide permissions that the CJEU has now found to be illegal under EU privacy law, after the European Parliament asked it to rule on the matter. It is the first time the Court has been called upon to give a ruling on the compatibility of a draft international agreement with the EU Charter of Fundamental Rights, which makes its negative response even more significant. As the Court’s press release on the judgment