Despite 10 years of Access Now campaigning against the legislation, this morning, the Court of Justice of the European Union (CJEU) ruled that the EU Passenger Name Record (PNR) Directive is compatible with EU law and human rights. In a case brought by Belgian civil society group, Ligue des droits humains, the Court upheld the validity of the law despite acknowledging that “the PNR Directive entails undeniably serious interferences” with the rights to privacy and data protection, and seeks to introduce a “surveillance regime that is continuous, untargeted and systematic.” However, instead of scrapping the entire law, judges decided to limit its key measures.
“Considering the impact that the EU PNR Directive has on fundamental rights — as confirmed by the Court — the law should have been invalidated,” said Estelle Massé, Europe Legislative Manager at Access Now. “All EU states will now have to limit their use of PNR data due to its intrusiveness. They must apply this ruling swiftly, and end their shameful track record of ignoring decisions from the Court — particularly in the area of data retention.”
The Directive initially required the collection and retention for up to five years of large amounts of personal information for all passengers travelling from, to, and (often) within the EU, risking privacy, data protection, and non-discrimination. Data could also be checked against undefined databases to identify passengers that may pose a threat. EU states will have to change their national laws as the Court decided to:
- Reduce the data retention requirements;
- Clarify the purpose for which PNR data can be used;
- Limit the application of the law in the context of intra-EU flights;
- Limit the way EU states could extend the use of PNR data to other means of transport like trains or buses;
- Limit the types of database against which PNR data are checked; and,
- Prohibit the use of self-learning systems in steps that lead to automated profiling of passengers.
The Court also acknowledged that the automated processing of personal data poses a serious risk of discrimination, but the technical solution that it offered does not solve the core issue with automated profiling. The Court stated that as long as self-learning systems are not used to affect the way the screening rules are defined, the discrimination risk can be mitigated. But this will not be enough.
“Automated profiling risk assessment cannot be done in a manner that respects fundamental rights,” said Caterina Rodelli, EU Policy Analyst at Access Now. “Research has repeatedly shown that automated profiling systems are intrinsically discriminatory, as they are often contaminated with problematic biases that reinforce existing forms of racism and discrimination. In order to ensure fundamental rights are not undermined, the automated-profiling of travellers based on PNR data should be prohibited.’’
Even though the Court has upheld the PNR scheme, it is not the end of the road for the Directive, as more challenges have been filed against this law at the CJEU. The timeline of these cases coming from Germany and Austria are unclear, but Access Now supports their moves to increase scrutiny over these highly-intrusive measures.