Yesterday, Advocate General Paolo Mengozzi of the EU’s Court of Justice indicated that in his opinion the EU needs to significantly renegotiate the agreement between Canada and the EU on the transfer and processing of Passenger Name Record data. That agreement is intended to provide a mechanism for the transfer of personal data of airline passengers from the EU to Canada for the purpose of combatting terrorism and other serious transnational crime. The CJEU was asked by the EU’s Parliament whether that agreement is compatible with the EU Treaties and Charter of Fundamental Rights “ … as regards the right of individuals to protection of personal data?”
Mengozzi’s opinion will now be considered by the CJEU, whose judgment will probably issue before the end of the year. Judgments of the ECJ do not automatically follow the opinions of its Advocate General; one recent study suggests that this happens about two-thirds of the time. But what is interesting and very useful about Mengozzi’s opinion is that he analyses the previous decisions of the ECJ in Digital Rights Ireland and Schrems and generates what is effectively a checklist of provisions that should or should not appear in an agreement such as this. Provisions that should appear include: clear definitions of the data to be processed; an exhaustive list of the relevant transnational crimes; clear specification of the authorities processing the data; limitations on the number of persons who can be targeted by the system; retention periods that are objectively justified; the potential for courts to review requests for data processed under the agreement; supervision by an independent authority; and provision for requests for access, rectification and annotation to be made.
Provisions that Mengozzi thinks should not appear include: provisions allowing for the processing of data for purposes other than combatting terrorism and other serious transnational crime; provisions allowing for the processing of sensitive personal data; the conferral of broad powers of disclosure on the Canadian authorities; lengthy (five-year) retention periods without an objective justification, and allowing for the transfer of data to third countries without any restriction upon subsequent transfers to other countries.
This opinion comes at a time when the rules that apply to transfers of personal data outside the EU are rapidly evolving. The EU Commission has just agreed and given effect to a new Privacy Shield with the U.S. government, which allows EU controllers to continue to transfer personal data to appropriate U.S. entities. It is anticipated that the Privacy Shield will be challenged before the CJEU; the only question is when. Other data transfer mechanisms are also under review. The Irish High Court is currently considering whether to ask questions of the EU about Standard Contractual Clauses, which are a different transfer mechanism. And in Davis the ECJ has been asked to consider the application of its judgment in Digital Rights Ireland to the data retention laws of EU Member States.
Canada, of course, is not the U.S., but it must be assumed that the CJEU will apply the same standards to transfers to one country as it applies to the other. Final judgment in this case and that of Davis should provide a clear picture of how the CJEU thinks about the processing of personal data for purposes of combatting terrorism and other serious crime. It would be useful to have such a picture before the law changes again in May 2018, when the General Data Protection Regulation will apply. This will assert a global jurisdiction for the EU’s data protection laws; that change may have a significant impact on agreements such as this and the Privacy Shield.