Court grounds EU counterterrorism plan

Commission went too far in allowing Canada access to private and sensitive information about air passengers, says EU’s highest court.

Brussels has to go back to the drawing board on a key plank of its counterterrorism strategy.

The European Court of Justice on Wednesday dealt a blow to the EU’s policy of sharing information about airline travellers, saying that a long-standing arrangement with Canada ran roughshod over people’s privacy.

The court’s opinion endangers similar agreements with the United States and Australia, and will surely hinder existing plans to collect passenger data from trains and other modes of transport. Stung by the ruling, Commission officials said Brussels would move to address the court’s concerns urgently, calling the program essential to European security.

In its ruling, the ECJ said the Commission went too far when it gave Canada access to detailed information about airline passengers, including what meals a passenger ate, in what company he or she traveled and how he or she bought a ticket — and stored these data for up to five years. The idea is that law enforcement could use the information to map and monitor terrorists’ and criminals’ travels, and halt them before boarding flights.

The EU created several so-called passenger name record systems (PNR) following major terrorist attacks, including 9/11 and those in Paris and Brussels in 2015 and 2016. A PNR data-sharing agreement with Canada dates back to 2006, but when it was revised in 2014, the European Parliament asked the ECJ for its opinion on the update before giving the deal its seal of approval. Some MEPs said the surveillance powers of security forces violated EU citizens’ rights to privacy.

The court agreed, saying the Commission was sloppy about how it drafted the deal. The Commission, the court said, lacked a “precise and particularly solid justification” for the measures, and should limit the kind of data being shared and how long they are stored.

“This confirms what we’ve been saying for 10, 14 years even … Too bad it took that long,” said Sophie in ’t Veld, the liberal Dutch MEP who led Parliament’s charge to forward the agreement to the EU court.

The opinion forces the Commission to redo the EU-Canada deal and reconsider the entire PNR approach to cracking down on terrorist and criminal networks.

Security Commissioner Julian King said in a press briefing on Wednesday that Commission officials are speaking to Canadian counterparts “about ways of addressing the concerns raised by the European Court of Justice on the envisaged EU-Canada PNR agreement.”

Click Here: West Coast Eagles Guernsey

But King said the opinion did not affect EU countries’ obligations to implement the EU’s own, internal PNR system. “From the Commission’s side we will do what is necessary to ensure [data exchanges with the EU] can continue, obviously in accordance with the court’s opinion and with full respect to fundamental rights, in particular the right to data protection,” he added.

“The key thing,” King said, “is to recall that the exchange of information such as PNR are and remain critical for the security of our citizens.”

Privacy advocates and some MEPs dismissed the commissioner’s take Wednesday.

“The flaws attributed to the EU-Canada deal can largely be attributed to all the other PNR deals, which means that they are likely all incompatible with fundamental rights recognized in the EU,” said Estelle Massé, a lawyer and privacy activist at Access Now.

Birgit Sippel, a Socialist German MEP and key figure on privacy files, said “if you compare the text of Canada PNR with our internal EU PNR, I’m even more convinced that the EU PNR does not fit with fundamental rights.”

The European Court of Justice has repeatedly limited the Commission’s ability to collect data without proper protections. It has also spoken out against a series of surveillance measures in Europe that empower law enforcement agencies to access data gathered in bulk. 

Privacy-minded lawmakers have questioned whether the system that gathers vast parcels of data even works. “This doesn’t have anything to do with security: It is all window dressing and political grandstanding between hawks and doves,” in ’t Veld said.

But German EPP MEP Axel Voss said the court’s placement of a higher value on privacy over security is misguided. “On the issue of the fight against terrorism, the protection of the data of all citizens is less important than the protection of the individual,” Voss said.

Airlines welcome clarity

Airlines flying from Europe have been between a rock and hard place on the PNR issue for more than a decade. Some countries demand the data in exchange for giving airlines rights to fly there. Courts say they can’t supply the data unless the EU has a specific bilateral deal to share it. But the EU has deals only with Australia, the U.S. and Canada.

The Commission held back on negotiating new PNR deals because of the EU-Canada case before the high court.

The ECJ opinion could be an opportunity for the European Commission to develop a new approach to the transfer of PNR data to countries with which there is no bilateral agreement, the International Air Transport Association’s (IATA) Chris Goater said. IATA represents airlines from across the world.

About 15 non-EU countries want air carriers to provide PNR data for EU originating flights, and another 10 or so are plan to follow suit in the coming year.

Airlines are regularly threatened with financial or operational sanctions or even suspension of traffic rights if they do not provide the data.

Opinion sets boundaries

The court specified a few limits to sharing and probing PNR data.

“The EU court deems that the PNR agreement allows for the transfer of way too many types of personal data,” said Peter Van Dyck, partner at the law firm Allen & Overy in Brussels. For instance, exchanging data on a passenger’s choice of meals, together with names and birth country, allows to identify someone’s religion — which is considered disproportionate intel under EU law, Van Dyck said.

Most of all, the opinion slammed the Commission for allowing data on any EU citizen to be stored for up to five years without that person being involved in any kind of investigation. “This could result in the building of huge databases with data of European citizens of which there are no indications or suspicions that they have any link to terrorism whatsoever,” Van Dyck said.

Privacy advocates called the opinion a win for privacy. “Reckless data retention and profiling have no place in a democratic, law-based society,” Joe McNamee, executive director at European Digital Rights, said in a statement.