Today, the Court of Justice of the European Union gave its opinion on the proposed agreement between the EU and Canada on the transfer and processing of passenger name record data in Opinion 1–15. The opinion of the CJEU was that the agreement could not proceed without significant amendment. The CJEU was concerned that the proposed agreement conflicted with EU fundamental rights — the fundamental right to data protection, in particular.
This opinion of the CJEU is significant for air travel between the EU and Canada, as the agreement will have to be renegotiated before it can enter into force.
The opinion may also have broader implications for personal data transfers outside the EU. The most significant of these implications may be the most mundane: Opinion 1–15 seems wholly consistent with recent judgments of the CJEU in Schrems and Tele2 Sverige. There is no dramatic departure from previous case law, as occurred in Digital Rights Ireland. This suggests that the CJEU’s opinion on such transfers is settled. So it may be assumed any future judgment of the CJEU on Privacy Shield or any other transfer mechanism will be consistent with Schrems. Some already question whether Privacy Shield does, in fact, conform to Schrems; that questioning may grow louder following Opinion 1–15.
The court’s consistent approach does not mean that there is nothing new in Opinion 1–15. The CJEU is of the opinion that the proposed agreement is “ ... incompatible with … the Charter of Fundamental Rights of the European Union insofar as it does not preclude the transfer of sensitive data from the European Union to Canada and the use and retention of that data.” Sensitive personal data is defined by the existing Directive 95/46 as “ … racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.” The GDPR will add “genetic data” and “biometric data for the purpose of uniquely identifying a natural person” to this list. This list may not be final; in Tele2 Sverige, the CJEU referred to the “sensitivity” of retained telecommunications data, suggesting an additional category of sensitive personal data that does not appear in either Directive 95/46 or the GDPR.
The CJEU found that transfers of sensitive personal data outside the EU require “ … a precise and particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime.” The CJEU found that this was a solid justification that the proposed agreement failed to provide. The question may now arise whether Privacy Shield does so. Privacy Shield provides that for “ … sensitive information … organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected.” The EU Commission is currently undertaking a review of Privacy Shield, which may well identify “solid justifications” for the transfer of sensitive personal data in that agreement. If not, then the EU Commission and the U.S. government may amend that agreement to take account of the issues raised by the CJEU in Opinion 1–15. The CJEU made clear in Schrems that an EU Commission adequacy decision remains valid until either the EU Commission changes its mind, or the CJEU finds it otherwise. Hence, Opinion 1–15 does not mean that Privacy Shield is in any immediate jeopardy.
The CJEU opinion sets out a list of issues that EU and Canadian negotiators must address before the proposed agreement can conform to EU data protection law. These are obviously of significance for the proposed agreement itself. They will also be relevant to any assessment of other transfer mechanisms, such as Privacy Shield or the standard contractual clauses that are currently being challenged before the Irish High Court. The CJEU considers that the proposed agreement should:
- determine in a more clear and precise manner certain of the PNR data to be transferred;
- ensure that the automated processing of PNR data use models are specific, reliable and nondiscriminatory;
- provide that Canada will only be able to use this data in relation to the fight against terrorism and serious transnational crime;
- limit transfers of PNR data to non-EU countries that have agreements with the EU equivalent to the proposed PNR agreement or else benefit from an EU Commission adequacy decision;
- ensure that subjects are notified if their data is used or disclosed whilst they are in Canada or after they have left; and
- guarantee that the oversight of the rules relating to the protection of air passengers with regard to the processing of their PNR data is carried out by an independent supervisory authority.
Opinion 1–15 suggests that EU and Canadian negotiators have some work to do, but it should not be read as a statement of the CJEU’s implacable opposition to the transfer of personal data outside the EU. It is not. The CJEU held that the proposed agreement complied with EU data protection law in many ways, but that the negotiators had further work to do in particular areas.
That said, the CJEU opinion will have significant implications for data transfers to other non-EU countries, such as the U.K. post-Brexit. The requirement that there be a “solid justification” for the transfer of sensitive personal data may create its own challenges. Furthermore, Opinion 1–15 is a good demonstration of how central the CJEU now is to our understanding of data protection law. This central role for the CJEU may prove difficult for the U.K. to accept in a post-Brexit world.
photo credit: DesignRecipe European Union Flags 2 via photopin (license)