According to Advocate General (AG) Giovanni Pitruzzella, the EU regime for collecting, transferring, processing and retain Passenger Name Records (PNR) for the prevention and prosecution of terrorist offences and serious crime is, in essence, compatible with EU law.

Background of the case

The AG’s opinion of 27 January 2022 replies to numerous questions that were referred by the Belgian Constitutional Court regarding the validity and interpretation of Directive 2016/681 on the use of PNR data for law enforcement purposes (PNR Directive) and Directive 2004/82 on the obligation of carriers to communicate passenger data (the API Directive) as well as the interpretation of the GDPR in that context. The case is referred to as C-817/19 (Ligue des droits humains). Requests for preliminary rulings on the validity of the PNR scheme submitted by German and Slovenian courts are pending (Cases C-215/20 and C-486/20).

In the proceedings before the Belgian Constitutional Court, the Belgium law implementing the PNR and API Directives is challenged. The applicant – the non-profit organisation “Ligue des droits humains” – opposed the broad definitions of PNR data and “passengers” which would lead to an indiscriminate and generalised collection of all people travelling to, from and in the EU. Furthermore, the applicant put forward the unclear and imprecise method of pre-screening persons and the long, undifferentiated period of retention of PNR data for five years.

The AG’s opinion

At first, AG Pitruzzella stated that provisions requiring or permitting the communication of personal data of natural persons to a third party (here: public law enforcement authorities) must be classified as an interference with the fundamental rights to private life and protection of personal data. Such interference can only be justified by meeting the requirements of Art. 52 of the Charter. The AG further stressed that it is the onus of the EU legislature to set out the essential elements which define the scope of these interferences. In this context, the AG observes that the EU legislature failed to clearly and precisely define the nature and extent of the data to be transferred by air carriers when it included “general remarks” into the definition of PNR data in point 12 of Annex I of the PNR Directive. Insofar the Directive is invalid.

However, the AG sees no reasons for invalidity as regards first the data that air carriers are required to transfer to Passenger Information Units (PIUs) as such and second the generalised and undifferentiated nature of the transfer of PNR data including the prior assessment of air passengers by means of automated processing. The AG highlights above all the system of safeguards put in place by the PNR Directive. He also takes the view that the CJEU’s case law on retention of telecommunication data (Tele2 Sverige and La Quadrature du Neteucrim 4/2016, 164 and eucrim 3/2020, 184-186 as well as the article by Juszczak/Sason, eucrim 4/2021, 238-266) is not transposable to the PNR case.

Regarding the issues of pre-screening and comparison of PNR data with “other relevant databases”, the AG proposed a narrow interpretation of the PNR Directive. Accordingly, the concept of “relevant databases” must be interpreted as covering only national databases managed by the competent authorities and EU and international databases, which

  • have been developed for the purposes of the Directive, i.e. the fighting of terrorism and serious crime, and
  • are directly operated by the law enforcement authorities in the course of their duties.

Furthermore, the automated processing of PNR data cannot be carried out by means of machine-learning artificial intelligence systems, which do not make it possible to ascertain the reasons which led the algorithm to establish a positive match.

Regarding the complaint about the data retention period, the AG ultimately proposed that the PNR Directive should be interpreted in accordance with the Charter. This means that the retention of PNR data provided by air carriers to the PIU for a period of five years is permitted, after the prior assessment has been carried out, only to the extent that a connection is established, on the basis of objective criteria, between those data and the fight against terrorism or serious crime.