A deal between the European Union and Canada to share airline-passenger data must be revised as parts of it violate privacy and data-protection laws beyond what could be justified for fighting terrorism, the EU's top court has said.
The European Court of Justice, in Luxembourg, ruled that although data could be transferred, retained and used in general, the envisaged rules for handling sensitive personal data “are not limited to what is strictly necessary”.
The court said that passenger-name records, or PNR, can reveal people’s travel and dietary habits, relationships, health conditions and financial situation.
The EU's 28 member states and Canada negotiated the deal in 2014, but the European Parliament – where the collection of data, including names, travel dates, itineraries and contact details, has been debated fiercely – asked for the court's position.
“The PNR agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognised by the EU,” the court said on Wednesday.
The EU also has a PNR agreement with the United States and Australia, as well as an internal one, and they could face challenges in light of the ruling.
Militant attacks
The judgment will come as a blow to governments in Europe that have stepped up their arguments in favour of data retention after a spate of militant attacks in recent years.
The EU's security commissioner, Julian King, told a news conference in Brussels he would speak to his Canadian counterparts later in the day about "what we're going to do to take account of the points" raised by the court.
"Exchanges of information such as PNR are critical for the security of our citizens, and the European Commission will do what is necessary to ensure they can continue in accordance with the court's opinion and in full respect of fundamental rights," Mr King said.
The European Digital Rights group, which is campaigning to protect rights and freedoms in the digital environment, welcomed the ruling, saying that authorising enormous databases of sensitive personal data carried unacceptable risks.
“The proposed EU/Canada PNR agreement was considered to be the least restrictive of all of the EU’s PNR agreements. To respect the ruling, the EU must now immediately suspend its deals with Australia and the United States,” it said.
The agreement allows Canada to keep the data for up to five years and possibly share it with other non-EU states, which the court said constituted an “interference with the fundamental right to respect private life” and to personal-data protection.
Battling terrorism
Privacy advocates say the schemes are ineffective in battling terrorism while infringing people’s privacy.
The ruling comes after the court’s adviser said last September that the deal with Canada had to be redrafted before it could be signed, because it allowed authorities to use the data beyond what is strictly necessary to combat terrorist offences and serious transnational crime.
On Wednesday the European Court of Justice specified that a reworked agreement should spell out more clearly the types of data that can be transferred and must ensure that automated analysis is nondiscriminatory and relates exclusively to fighting terrorism and cross-border crime.
Reuters