ECJ sets tight limits on processing of passenger data

Personal data may only be stored for five years if there are actual indications of terrorism. (Source: Arne Müseler – CC BY-SA 3.0 EN)

According to a ruling by the European Court of Justice, the processing of passenger data by EU states must be limited to what is absolutely necessary for the fight against terror. In addition, Europe’s highest court made it clear in Tuesday’s ruling that the processing of data on flights within the EU violates EU law unless there is a threat of terrorism. Data collected would also have to be deleted after six months at the latest. Data may only be stored longer for people for whom there are indications of danger from terrorism or serious crime.

The European Union’s PNR (Passenger Name Record) Directive requires that passenger data be systematically processed in large numbers when passengers cross an external EU border. Airlines, travel agencies and travel providers have had to pass on extensive personal data on customers to the relevant authorities in a standardized data format since 2018.

This is to prevent and detect terrorist offences and other serious crimes. The 20 or so items of data stored include, for example, name, address, telephone number, payment information, seat location and baggage. So far, the information has been allowed to remain stored for five years.

The Belgian human rights organization Ligue des droits humains (League for Human Rights) filed a complaint against how Belgium implements the EU regulations. Among other things, it sees the right to respect for private life and the protection of personal data violated. In addition, extending the system to flights within the EU and to transport by means other than air would indirectly reintroduce border controls.

German regulations also affected

Under Belgian law, air, rail, bus, ferry and travel companies are obliged to pass on the data of their passengers travelling across national borders to a central office in which police and intelligence services, among others, are represented.

The ruling in the Belgian case must now be made by a national court, following the ECJ ruling. According to the ECJ’s ruling, the Belgian regulations will in all likelihood violate EU law.

The same is likely to apply to the German implementation of the EU directive, as Germany has extended the regulations to include all intra-European flights. In 2020, the Wiesbaden Administrative Court and the Cologne Local Court submitted questions on the PNR Directive to the ECJ. Here, too, the ECJ is to clarify, among other things, whether the directive is compatible with fundamental rights to respect for private and family life and the protection of personal data.

Surveillance permitted in principle

With regard to the Belgian case, the ECJ now states that the directive is in line with the relevant parts of the European Charter of Fundamental Rights. At the same time, the Court emphasizes that the regulations “unquestionably constitute a serious interference” with, for example, the right to respect for private and family life and the protection of personal data.

The powers must be strictly interpreted, according to the ECJ. Then, it said, the transfer, processing and storage of the data in question could be considered limited to what is absolutely necessary in the fight against terrorism and serious crime.

This means that the system introduced by the PNR Directive may only cover the information listed in the Annex to the Directive. Also, the system must be limited to terrorist offences and serious crime with an objective connection to the transportation of passengers. Crimes that are mentioned in the directive but fall under ordinary crime in the respective EU country should not be included.

False positives through automation

In addition, the extension of the system to some or all EU flights must be limited to what is absolutely necessary, he said. The PNR Directive may be applied to all EU flights through a country only if the country faces a real, present or foreseeable terrorist threat, it said.

In this context, the court also noted the “significant number” of false positives in 2018 and 2019 that resulted from the automatic processing of the data. There must be “clear and precise rules” for the subsequent manual review by employees of the PNR central office. They must also be able to verify whether the automated processing is “discriminatory in nature.”

The ECJ sees the five-year retention period as conflicting with fundamental rights. It is “not limited to what is absolutely necessary” if no indications have emerged during the prior check or within six months.

More fundamentally, the ECJ stressed that the directive should not be used to strengthen border controls and the fight against illegal immigration.

“All EU states must now restrict the use of PNR data, as it is too intrusive,” said Estelle Massé of the civil rights organization Access Now. However, the organization was not entirely satisfied with the ruling. “Considering the impact of the EU PNR Directive on fundamental rights – which was confirmed by the Court – the law should have been declared invalid,” Massé added. (dpa / hcz)