Yesterday, Advocate General Paolo Mengozzi of the EU’s Court of Justice indicated that in his opinion the EU needs to significantly renegotiate the agreement between Canada and the EU on the transfer and processing of Passenger Name Record data. That agreement is intended to provide a mechanism for the transfer of personal data of airline passengers from the EU to Canada for the purpose of combatting terrorism and other serious transnational crime. The CJEU was asked by the EU’s Parliament whether that agreement is compatible with the EU Treaties and Charter of Fundamental Rights “ … as regards the right of individuals to protection of personal data?”   

Mengozzi’s opinion will now be considered by the CJEU, whose judgment will probably issue before the end of the year. Judgments of the ECJ do not automatically follow the opinions of its Advocate General; one recent study suggests that this happens about two-thirds of the time. But what is interesting and very useful about Mengozzi’s opinion is that he analyses the previous decisions of the ECJ in Digital Rights Ireland and

This opinion comes at a time when the rules that apply to transfers of personal data outside the EU are rapidly evolving. The EU Commission has just agreed and given effect to a new the Privacy Shield will be challenged before the CJEU; the only question is when. Other data transfer mechanisms are also under review. The Irish High Court is currently considering whether to ask questions of the EU about Standard Contractual Clauses, which are a different transfer mechanism.  And in Digital Rights Ireland to the data retention laws of EU Member States. 

Canada, of course, is not the U.S., but it must be assumed that the CJEU will apply the same standards to transfers to one country as it applies to the other. Final judgment in this case and that of Davis should provide a clear picture of how the CJEU thinks about the processing of personal data for purposes of combatting terrorism and other serious crime. It would be useful to have such a picture before the law changes again in May 2018, when the General Data Protection Regulation, or GDPR, will apply.

This will assert a global jurisdiction for the EU’s data protection laws; that change may have a significant impact on agreements such as this and the Privacy Shield.