Spotlight CJEU: PNR Directive Valid if Limited to the “Strictly Necessary”
In a landmark ruling of 21 June 2022, the CJEU, sitting as the Grand Chamber, upheld the EU’s regime to collect and use records of travellers, provided that it is strictly interpreted in line with the EU’s fundamental rights. In addition, indiscriminate processing of the data in cases of flights carried out only within the EU is banned unless there is a threat of terrorism. In general, the passengers’ data must also be deleted after six months at the latest unless a connection to terrorism or serious crime has been established. These are the key statements of the answers given to the Belgian Constitutional Court in Case C-817/19 (Ligue des droits humains). For the opinion of AG Pitruzzella → eucrim 1/2022, 30-31.
Background of the case
Passenger Name Record (PNR) data are booking data stored by air carriers in their reservation and check-in systems. Directive (EU) 2016/681 on the use of passenger name records for criminal law purposes (the PNR Directive) requires air carriers to transfer the data of all passengers on flights between a third country and the European Union (extra-EU flights) to the Passenger Information Unit (PIU) of the Member State of arrival or departure in order to combat terrorist offences and serious crime. The PNR data transferred are subject to prior verification by the PIU and subsequently stored for possible further verification by the competent (law enforcement) authorities of the Member State concerned or of another Member State. Art. 2 of the PNR Directive leaves it to the Member States whether they wish to apply the Directive also to flights within the Union (intra-EU flights) – most Member States selected this option.
The Ligue des droits humains (Human Rights League) filed an action for annulment with the Belgian Constitutional Court against the law which transposed the PNR Directive into Belgian law. The association claimed that this law violates the rights to respect for private life and to the protection of personal data due to the very broad nature of PNR data and the general nature of their collection, transmission and processing. Furthermore, it submitted that the law restricts the freedom of movement, as it indirectly re-introduces border controls by extending the PNR system to EU flights as well as to transport by other means within the EU.
In this context, the Belgian Constitutional Court referred ten questions to the CJEU for a preliminary ruling concerning, inter alia, the validity and interpretation of the PNR Directive and the applicability of the GDPR.
On the basis of these questions, the Court again had the opportunity to rule on the processing of PNR data in the light of fundamental rights, after having examined the deal between the EU and Canada on the transfer and processing of PNR data in its landmark judgment of 26 July 2017 (Opinion 1/15 → eucrim 3/2017, 114-115).
In its judgment of 21 June 2022, the Grand Chamber of the CJEU confirmed the validity of the PNR Directive, as it can be interpreted in accordance with the Charter, and provided clarifications on the interpretation of certain provisions of the Directive.
On the validity of the PNR Directive
The CJEU first held that the PNR Directive can be interpreted in conformity with primary EU law, in particular with the Charter of Fundamental Rights of the EU (CFR). It acknowledged that the PNR Directive “entails undeniably serious interferences with the rights guaranteed in Arts. 7 and 8 CFR”, but proportionality within the PNR Directive’s justification can be upheld if the transfer, processing and retention of PNR data are limited to what is strictly necessary. In this context, the CJEU clarified the restrictive interpretation of several provisions of the PNR Directive as follows:
- Several data headings in Annex I of the PNR Directive must be interpreted more precisely and specifically;
- Since the Directive gives Member States some leeway by providing maximum penalties only, it must be ensured that Member States apply the system only to terrorist offences (as defined by EU law) and serious crime “having an objective link, even if only an indirect one, with the carriage of passengers by air” – hence, the application to ordinary crimes must be excluded;
- The optional application of the Directive to intra-EU flights must be curtailed: application to all intra-EU flights is only possible if a Member State is confronted with a genuine and present or foreseeable terrorist threat. In the absence of such a terrorist threat, the application of the Directive to intra-EU flights must be limited to certain routes or travel patterns or to certain airports for which there are, at the discretion of the Member State concerned, indications that would justify that application. In addition, this is flanked by the procedural requirement that the extension of the application of the PNR Directive to selected intra-EU flights is subject to effective review, either by a court or by an independent administrative body;
- The automated processing when an advance assessment of PNR data is carried out must be limited and accompanied by several safeguards: for instance, the PIU cannot use artificial intelligence technology in self-learning systems (“machine learning”) and verification of positive results must be subject to non-automated (i.e. human) intervention with clear and precise rules that provide sufficient guidance and support for the analysis carried out by the PIU agents. In order to guarantee a uniform administrative practice and respect the principle of non-discrimination, objective review criteria must be established;
- The subsequent disclosure and assessment of PNR data after arrival or departure of the person concerned must include several guarantees: substantively, this assessment can only be carried out on the basis of new circumstances or objective evidence capable of giving rise to a reasonable suspicion of the person’s involvement in serious crime as defined above. Procedurally, disclosure must, in principle, be subject to a prior review carried out either by a court or by an independent administrative authority.
On the interpretation of the PNR Directive
Regarding questions on the compatibility of the Belgian legislation with the PNR Directive, the judges in Luxembourg made important statements on the retention periods. They pointed out that a distinction must be drawn between passengers who present a risk in relation to terrorist offences or serious crime and those who do not. In view of the different periods defined in Art. 12 of the Directive, the retention of the data of all passengers subject to the PNR system complies with the requirement of “strict necessity” only during the initial six months. Retention for up to five years (as indicated in Art. 12(1) of the PNR Directive) is only allowed for data on air passengers if objective evidence has revealed a possible involvement in terrorist offences or serious crime (having an objective link, even if only an indirect one, with the carriage of passengers by air). In conclusion, the full retention period of five years is only permissible for “targeted passengers”.
Lastly, the CJEU ruled on possible infringements of the rights to free movement within the EU if a Member State applies the PNR scheme to intra-EU flights and – as Belgium did – to other means of transport (transport by rail, by road, and by sea), departing from or going to Belgium and carried out within the European Union, i.e. without crossing external borders with third countries. The judges in Luxembourg reiterated their viewpoint that in these situations restrictions to citizens’ rights are only proportionate if there is a genuine and present or foreseeable terrorist threat with which the Member State concerned is confronted or, in the absence of that, application is limited to certain routes or travel patterns or to certain airports/stations/seaports (see above). Furthermore, EU law precludes national legislation that seeks to use such a system for the purposes of improving external border controls and combating illegal immigration.
Put in focus
The CJEU’s judgment is largely influenced by its previous judgment ruling on the legality of the EU-Canada agreement on the transfer and processing of PNR data (see above). The CJEU’s standpoints on the retention of telecommunications data (e.g. recently voiced in the judgment of 5 April 2022 in Case C-140/20 → separate news item) also played a role in the PNR context. The CJEU mainly follows the opinion of AG Pitruzzella in this case (→ eucrim 1/2022, 30-31). Both the Court’s and the AG’s results are largely driven by the aim of maintaining the EU secondary legislation (the PNR Directive), while attempting to ensure the appropriate balance between freedom and security at the national level.
Nonetheless, compared to the AG, the CJEU partly took a more restrictive stance, particularly in relation to two issues: (1) stricter limits as to intra-EU flights and transport operations within the EU; (2) a stricter approach to storage periods.
It is now up to the Belgian Constitutional Court to decide on the compliance of the Belgian law transposing the EU’s PNR legislation. It is likely that the Belgian Court will conclude that the law is invalid; at least, it must apply a narrower interpretation of the Belgian law.
The judgment in Ligue des droits humains is also a harbinger of further decisions on pending references seeking clarification on the compatibility of the PNR Directive with fundamental rights and/or of national implementing laws with the EU’s statutory requirements on the collection and processing of PNR data. Thus, the judgment will likely apply to the German implementation, on which doubts were cast by the Administrative Court of Wiesbaden (Cases C-215/20, JV and C-222/20, OC v Bundesrepublik Deutschland) and by the Local Court of Cologne (Case C-150/20, Deutsche Lufthansa).
The ruling prompted rather restrained reactions from lawyers, NGOs, and academics.
Catherine Forget, who pleaded the case before the CJEU for the Ligue des droits humains, told euobserver that the judgment is a “victory” and “[it] undoubtedly calls into question our [Belgium's] law [on PNR].”
MEP and digital freedom fighter Patrick Breyer commented: “The EU surveillance fanatics have once again disregarded our fundamental rights. (…) The fact that non-transparent black-box machine learning risk evaluation systems have been banned is a particular success against dystopian AI technologies in general, such as ‘video lie detectors’. I am disappointed that a six-month retention of information of all travellers to and from non-EU countries was allowed at all.”
Douwe Korff, emeritus professor of international law at the London Metropolitan University, said in euractiv: “While the Court refrained from invalidating the directive altogether, it has imposed numerous detailed and demanding conditions and restrictions on the use of PNR data and especially on the mining of the data to create profiling.” Korff pointed out that the ruling has broader implications for future EU legislation, stressing that “rather than expanding generalised data trawling and mining and profiling, as the EU wants to do through Europol, these invasive measures should be dropped.”
European Digital Rights (EDRi) fed back: “On several key provisions, the Court grants a disproportionate degree of trust in the Member States to apply the PNR Directive in a restrictive way to meet the requirements of the Charter. For example, the Court counts on Member States to restrict the use of the PNR surveillance system in the fight against terrorism and serious crime, although the Directive does not adequately prevent risks of abuse by investigative authorities and the use of PNR data for ordinary crime.”
Estelle Massé, Europe Legislative Manager at Access Now, said: “Considering the impact that the EU PNR Directive has on fundamental rights — as confirmed by the Court — the law should have been invalidated. All EU states will now have to limit their use of PNR data due to its intrusiveness.”
Similarly, Christian Thönnes, a doctoral researcher at the Department of Public Law of the Max Planck Institute for the Study of Crime, Security and Law in Freiburg, wrote on Verfassungsblog: “[The CJEU] altered [the Directive] beyond recognition. (…) Some of the Court’s guidelines will almost certainly force Member States to adapt their transposition laws, foreseeably embroiling them in protracted legal battles. (…) I am not sure, however, if European security authorities would not have been better served with a clear decision to invalidate.”