
Universiteit van Amsterdam

Winter Semester 2016

Master’s Thesis

Is the EU and the US legal PNR Framework compatible with the EU Data Protection Regime?

by

Benedicte Baier

09.01.2017

1st supervisor: Prof. Dr. Christina Eckes

Faculteit der Rechtsgeleerdheid, Europees Recht

2nd supervisor: Dominique Barnhoorn, LLM

A) Introduction

B) EU Data Protection Regime

I. Art. 8 CFREU; Art. 16 TFEU

II. Directive 95/46/EC

III. General Data Protection Regulation

IV. Invalidated Data Retention Directive and Digital Rights Ireland Ruling

V. Council Framework Decision 2008/977/JHA

VI. Directive 2016/680

C) PNR Framework

I. Definition / Background

II. Umbrella Agreement

III. EU-US PNR Agreements

1. First PNR Agreement

2. Second PNR Agreement

3. Third PNR Agreement

IV. EU PNR Directive

D) The PNR Frameworks in the Light of the EU Data Protection Regime

I. The Data Protection Problems with Regard to EU-US PNR

1. Comparative Analysis with Regard to EU Secondary Legislation

a) Purpose and Use of Data

b) Data Retention

c) Transfer to Third Parties and Access to Data

d) Amount of Data Sets / Data Types

e) Data Subjects' Rights

f) Independence of Oversight

g) Judicial Review

h) Adequacy Criterion

2. Compatibility with the CFREU

a) Provided by Law; Art. 52 (1) CFREU

b) Object of General Interest

c) Principle of Proportionality and Necessity

d) Interim Conclusion

II. The Data Protection Problematic with Regard to the EU PNR Directive

1. Provided by Law; Art. 52 (1) CFREU

3. Principles of Proportionality and Necessity

E) Critique

Abstract

Both the EU and the US are in need of an even better counterterrorism regime, as terrorist attacks have increased over the last years. One of the counterterrorism measures used is the collection and processing of Passenger Name Records, transatlantically between the EU and the US and also internally within Europe. However, this measure affects fundamental rights, especially the right to the protection of personal data. Hence, this paper examines the question whether the EU and the US legal PNR Framework is compatible with the EU Data Protection Regime.

It does so by examining the most important EU data protection legislation, taking a look at the PNR Frameworks and finally reviewing the compatibility of, on the one hand, the 2012 PNR Agreement and, on the other hand, the EU PNR Directive with the EU Data Protection Regime.

The 2012 PNR Agreement and the EU PNR Directive clearly serve to combat terrorism and serious crime, but they do violate EU data protection. Not only is data stored for longer than necessary, the various types of data collected are also not necessary to fulfill the aim of combating crime. Furthermore, individuals do not have sufficient possibilities to legally enforce their rights.

Lastly, the different data protection system in the US lacks a protection similar to that offered by the EU, and international agreements such as the Umbrella Agreement cannot establish such a protection. The paper hence arrives at the thesis that neither the EU nor the US PNR Framework is compatible with the EU Data Protection Regime.

List of Abbreviations

CFREU: Charter of Fundamental Rights of the European Union

CJEU: Court of Justice of the European Union

DHS: Department of Homeland Security

Directive 2016/680: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

DPD: Data Protection Directive; Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

DRD: Data Retention Directive; Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC

EU PNR Directive: Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime

FD: Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters

GDPR: General Data Protection Regulation; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

PIU: Passenger Information Unit

PNR: Passenger Name Record

2004 PNR Agreement: Agreement between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 17.05.04

2007 PNR Agreement: Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS)

2012 PNR Agreement: Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, 11.08.12

A) Introduction

Terrorism is not a new problem. However, it has changed over the past years. It mutated from single-spot attacks to far-reaching and more widespread attacks. The first of this kind was 9/11,[1] with the destruction of the Twin Towers in New York. Later on, the attacks in Madrid, London and Paris were identified as examples of this new form of terrorism. All those incidents led to a variety of adopted measures, which share the aim of combating terrorism.[2] Member States of the European Union, as well as global collaborations with the US, produced an increasingly harmonized field of counterterrorism measures.[3] But still, the Union has to deal with an unprecedented need for an even more well-established counterterrorism regime. Recent attacks such as those in Brussels, Paris and Nice have reminded us of the pressing need to adopt stronger measures to combat terrorism.[4]

In the fight against terrorism, and also with regard to the adoption of different measures, data plays an important role. It has become a new means of fighting terrorism. This is not only because people produce more data by using smartphones, applications and the internet in an open manner, but also because data is used to track possible terrorists, to check their financial conditions, to surveil persons and to make it easier to identify them. After its collection, data can be analyzed and, as a result, predictions can be made about security threats and terrorist behavior. This makes data an important tool in counterterrorism policies.

Not only data related to terrorism but all other kinds of mass data are known under the term Big Data. Big Data, a collective term for digital technologies including digital communication and processing, also includes the processing of huge amounts of data.[5] As hinted above, Big Data as a tool for combating terrorism is not only a great opportunity for obtaining information about possible terrorist attacks, but also a huge danger.

[1] Kaponyi E., Upholding Human Rights in the Fight against Terrorism, Society and Economy, April 2007, Vol. 29, Issue 1, p. 2.
[2] Granger M.-P., Irion K., The Court of Justice and the Data Retention Directive in Digital Rights Ireland: Telling Off the EU Legislator and Teaching a Lesson in Privacy and Data Protection, European Law Review, 2014, Issue 6, p. 838.
[3] Den Boer M., Monar J., Keynote Article: 11 September and the Challenge of Global Terrorism to the EU as a Security Actor, JCMS, 2002, Vol. 40, p. 11.
[4] Bigo D., Brouwer E., Carrera S., et al., The EU Counter-Terrorism Policy Responses to the Attacks in Paris: Towards an EU Security and Liberty Agenda, CEPS, Liberty and Security in Europe, March 2015, Vol. 81, p. 1.
[5] European Commission, The EU Data Protection Reform and Big Data, Factsheet, March 2015, p. 2.

This danger relates to the violation of fundamental rights, especially Art. 8 of the Charter of Fundamental Rights of the European Union (CFREU),[6] and moreover to the EU Data Protection Regime.

Never before has the right to the protection of data been at stake so seriously; never before have our daily lives become as transparent, through different measures and social media, as today. Governments possess a huge amount of private information about their citizens.[7]

One of the measures for combating terrorism is the collection and storage of Passenger Name Records (PNR). This PNR data is connected to particular passengers of an aircraft and is retained for a certain period in order to obtain information about possible terrorists.

Even if this measure might be helpful in the fight against terrorism, its coherence with EU data protection is questionable.

In this light, this paper aims to examine whether the EU and the US legal PNR Framework is compatible with the EU Data Protection Regime.

It will start with an overview of the legal EU Data Protection Regime by highlighting the most important legislation. Chapter C will set out the different PNR Frameworks and their development. Subsequently, the PNR Frameworks will be examined in the light of EU data protection standards in Chapter D. Finally, the last Chapter will discuss critical issues with regard to those PNR Frameworks.

B) EU Data Protection Regime

The right to the protection of personal data is one of the fundamental rights of the CFREU. However, there are further provisions which concern European data protection. When examining conflicts between the particular PNR Frameworks and EU data protection standards, it is important to analyze the entire legal regime of European data protection with the PNR Framework in mind.

[6] Charter of Fundamental Rights of the European Union, 2000/C 364/01, 18.12.2000.
[7] Chesterman S., Privacy and Surveillance in the Age of Terror, Survival, 2010, Vol. 52, Issue 5, p. 34.

I. Art. 8 CFREU; Art. 16 TFEU

As a starting point, Art. 16 (1) TFEU lays down that „everyone has the right to the protection of personal data […]“. This provision establishes an individual right to data protection, and its second paragraph provides a legal basis for laying down rules on the processing of personal data and rules relating to the free movement of such data.[8]

As a consequence, Art. 16 (1) designates data protection as a regulatory objective and the second paragraph introduces a comprehensive legal basis.[9]

Furthermore, the same right is anchored in Art. 8 (1) CFREU, which states that „everyone has the right to the protection of personal data concerning him or her“. Both articles offer the same protection; the wording with regard to data protection and the scope of the provisions are identical, and hence they are the heart of data protection in the Union.

However, the difference between the two is that Art. 8 CFREU guarantees only the right to data protection, whereas Art. 16 TFEU also serves as a legal basis, Art. 16 (2) TFEU.

Nevertheless, one needs to bear in mind that the protection of data can be restricted.

For example, Art. 8 (2) CFREU provides that a legitimate basis laid down by law or the consent of the individual is required in order to process data. Generally, this applies to all forms of data processing, including the collection, storage and accessing of data.[10] However, it seems that this is only true for Art. 8 CFREU, as Art. 16 TFEU lacks similar provisions.

Consequently, there is a goal to protect data, but this guarantee is not an absolute one.

Lastly, the right to the protection of personal data also entails a right of access, a right to have inaccurate data rectified, and the requirement that an independent data protection authority ensure compliance with data protection rules, Art. 8 (2), (3) CFREU.

In addition to the data protection provided for by the Treaties and the CFREU, the Union established its own Data Protection Regime by adopting several directives and regulations.

[8] Art. 16 (2) TFEU.
[9] Spiecker genannt Döhmann I., The European Approach towards Data Protection in a Globalized World of Data Transfer, in Dörr D. and Weaver R. (eds.), Perspectives on Privacy: Increasing Regulation in the US, Canada, Australia and European Countries, 2014, p. 55.
[10] Carrera S., González Fuster, Guild E., Mitsilegas V., Access to Electronic Data by Third-Country Law Enforcement

II. Directive 95/46/EC

Following an increased awareness of the importance of data protection itself, the first data protection directive, Directive 95/46/EC (DPD), was adopted in 1995[11] and enshrines and safeguards both the free movement of data and the protection of data.[12]

Most importantly, Art. 25 (1) of the directive generally prohibits the transfer of data to third countries, but permits it whenever there is an adequate level of protection.

Noteworthy, there were discussions about whether the US Safe Harbor Decision, Decision 2000/520/EC, offers an adequate level of protection.[13] This Decision allowed the transfer of personal information from EU Member States to US undertakings which had subscribed to that decision, and included principles concerning the protection of personal data.[14]

Finally, the case Schrems v Data Protection Commissioner gave an answer to these questions.[15] In this case, an Austrian citizen and Facebook user claimed that there was no sufficient protection against surveillance because Facebook Ireland transferred the Facebook data provided by him to Facebook US. He claimed that the US does not offer an adequate level of protection, especially in the light of the Snowden revelations, even if the Safe Harbor Scheme applies.[16]

This brought up a preliminary reference to the Court of Justice of the European Union (CJEU) on whether the Commission's decision prevents a national authority from examining whether a third country offers an adequate level of protection.[17] The CJEU stated that such a decision is not able to reduce the powers of national authorities and argued further that those authorities are bound by the fundamental rights of the CFREU. Consequently, the CJEU examined whether the Safe Harbor Decision was valid or not, concluded that the US did not offer a protection equivalent to the one that the Union offers, and declared the decision invalid.[18] One of the main reasons for the invalidity ruling was that the US authorities still had the possibility to interfere with EU data protection rights, mainly because US national security and law enforcement requirements overrode the standard of protection laid down in the Safe Harbor Decision.[19]

[11] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[12] Tzanou M., The War Against Terror and Transatlantic Information Sharing: Spillovers of Privacy or Spillovers of Security?, Utrecht Journal of International and European Law, 2015, 31 (80), p. 87; González Fuster G. and Gellert R., The fundamental right of data protection in the European Union: in search of an uncharted right, International Review of Law, Computers & Technology, March 2012, Vol. 26, No. 1, p. 74.
[13] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce; European Commission, Communication to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 final, Brussels, 27.11.2013, p. 17-19.
[14] European Commission, Communication to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 final, Brussels, 27.11.2013, p. 4.
[15] CJEU, C-362/14, Schrems v Data Protection Commissioner, 6 October 2015, ECLI:EU:C:2015:650.
[16] CJEU, C-362/14, op. cit., paras. 26-28.
[17] Ibid., para. 37.

III. General Data Protection Regulation

Attention also needs to be drawn to the fact that the DPD discussed above was adopted before the surge of the internet and smart devices, hence before technology and globalization changed the way data is processed. Consequently, a General Data Protection Regulation (GDPR) was proposed under the so-called Data Protection Reform Package in order to overcome the shortcomings of the DPD and to create a comprehensive set of data protection rules for Europe. This regulation repeals Directive 95/46/EC.[20]

The GDPR has been adopted on the basis of the above mentioned Art. 16 (2) TFEU, which is the general legal basis for data protection. This generality is also displayed in the GDPR, as it comprises general data protection rules and safeguards and does not address a specific sector.[21]

Whereas its Art. 3 concerns the territorial scope and extends applicability even to processing outside the Union, which widens the data protection regime, the regulation does not apply to processing by competent authorities for the purposes of criminal law enforcement.[22]

[18] Ibid., para. 107.
[19] Ibid., paras. 86 and 98.
[20] N.N., Balance between security and fundamental rights protection, http://rivista.eurojus.it/balance-between-security-and-fundamental-rights-protection-an-analysis-of-the-directive-2016680-for-data-protection-in-the-police-and-justice-sectors-and-the-directive-2016681-on-the-use-of-passen/ , accessed: 20.09.16; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[21] See Chapter B, I., p. 3.
[22] Regulation 2016/679, op. cit., Art. 2 (2)(d).

Hence, the GDPR is not directly applicable to PNR processing but nevertheless applies whenever the more specific Directive 2016/680 explicitly requires it.[23] As a consequence, the GDPR will not be examined in detail, but it should be noted that it can still have relevance in that context.

IV. Invalidated Data Retention Directive and Digital Rights Ireland Ruling

Even if all data protection measures provide for certain possibilities to restrict that protection and to allow the collection and retention of data, this may not exceed certain limits. In this light, the Data Retention Directive (DRD)[24] is important. The DRD was an extensive derogation from all previous data protection measures. The data gained by storage was subsequently made available for law enforcement with the purpose of fighting serious crime.[25]

Ultimately, the DRD was declared invalid in the Digital Rights Ireland ruling.[26] The Court held that especially the rights guaranteed by Art. 7 and Art. 8 CFREU were at stake and that the directive's interference was not limited to what is strictly necessary, because the directive lacked any objective criteria limiting the number of persons having access. In addition, access was not made dependent on a prior review by a court or an independent administrative body.[27] The main reason for this ruling was therefore the violation of the principles of proportionality and necessity and hence the interference with fundamental rights, which was classified as „wide-ranging“ and „particularly serious“.[28]

Noteworthily, the CJEU stipulated in that regard that the sheer existence of a general interest objective, i.e. combating terrorism and crime, does not in itself justify retention according to the DRD.[29]

This should be kept in mind, as such issues can affect the PNR Framework as well.

[23] Ibid., Art. 2 (2)(d).
[24] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
[25] Carrera S., González Fuster, Guild E., Mitsilegas V., op. cit., p. 35; Granger M.-P., Irion K., op. cit., p. 838.
[26] CJEU, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger v Minister for Communications, Marine and Natural Resources, 8 April 2014, ECLI:EU:C:2014:238.
[27] CJEU, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, op. cit., paras. 56-59, 60-62.
[28] CJEU, Joined Cases C-293/12 and C-594/12, op. cit., paras. 37, 65, 69.
[29] Ibid., para. 51.

V. Council Framework Decision 2008/977/JHA

The DPD was supplemented by a Framework Decision in 2008 (FD),[30] which was established to protect personal data in the police and justice areas, specifically with regard to cooperation in criminal matters.[31] However, the scope of this FD was restricted to exchanges of data between authorities of the Member States.[32] The relevance of the FD in the context of PNR is that some provisions still refer to this decision.

VI. Directive 2016/680

As part of the Reform Package, a directive has been adopted as well.

To enhance data protection and to remedy the shortcomings mentioned, Directive 2016/680[33] has been adopted. It replaces the aforementioned FD and is meant to protect citizens' fundamental right to data protection vis-à-vis criminal law enforcement authorities, which have the possibility to process data for the purpose of „prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties“.[34]

In contrast to the GDPR, Directive 2016/680 is only applicable to the police and criminal justice areas and focuses on cooperation in criminal matters and on law enforcement. More specifically, it is a framework under which personal data can be exchanged between police and judicial authorities.

Directive 2016/680 relates to the processing of data in relation to, among others, the investigation or prosecution of criminal offenses or the execution of criminal penalties and is as such more specifically targeted at a certain area.

[30] Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
[31] Ibid., Art. 1 (2) (a), (b), (c).
[32] Ibid., e contrario Art. 1 (2) (5).
[33] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
[34] Ibid., Art. 1 (1).

Despite the fact that this directive has been established for a more specific sector, the legal basis for Directive 2016/680 is the same as the one for the GDPR, namely Art. 16 (2) TFEU.[35]

One of the aims of that directive is the establishment of special safeguards for the rights of victims, witnesses and suspects of crime.[36] Besides, it establishes a new and easier way of cross-border cooperation to fight crime and terrorism, which is also the aim of the PNR Framework.[37]

C) PNR Framework

As assessed above, the EU offers a high level of data protection through various legal means. To be able to examine the PNR Framework's compatibility with the EU data protection regime later on, the PNR Framework itself has to be discussed first.

I. Definition / Background

Firstly, PNR means Passenger Name Record. It is a record in the database of a computer reservation system containing the itinerary for a passenger, including files that are issued by airlines for each journey and which are stored in the airlines' control database.[38] It is a computerized record of the passenger's travel details which comprises all information necessary to enable reservations to be processed and managed by airlines. However, it can also contain information on individuals who are not traveling by air.[39]

[35] Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and the free movement of such data, COM(2012) 10 final, Brussels, 25.01.12, p. 4.
[36] European Commission, http://ec.europa.eu/justice/data-protection/reform/index_en.htm, accessed: 02.10.16.
[37] Directive (EU) 2016/680, op. cit., Recital (4).
[38] Argomaniz J., When the EU is the ‚Norm-taker‘: The Passenger Name Records Agreement and the EU's Internalization of US Border Security Norms, Journal of European Integration, January 2009, Vol. 31, No. 1, p. 134.
[39] Tzanou M., The War Against Terror and Transatlantic Information Sharing: Spillovers of Privacy or Spillovers of Security?, op. cit.

Prior to 9/11, PNR was used in its original sense, hence as a tool to make travel reservations.[40] It then changed into a counterterrorism tool with the ability to track terrorists. From 2001 on, the US induced the transfer of passenger name record data from airlines flying from or to the US or crossing the country through domestic legislation, the US Aviation and Transportation Security Act.[41]

The problem, however, was that this Act contravened Art. 25 of the above mentioned DPD, which allowed data transfer only if the other country provided an adequate level of protection. By consequence, negotiations about EU-US PNR Agreements commenced.

II. Umbrella Agreement

As discussed above, PNR data is transferred between the EU and the US, which is why transatlantic data protection is concerned. To safeguard the citizens' right to data protection, a new agreement concerning transatlantic data protection was established, too.

The so-called Umbrella Agreement[42] is an agreement between the EU and the US concerning the protection of personal data, especially in the situation of transfer and processing of data with the aim of „preventing, investigating, detecting or prosecuting criminal offenses, including terrorism“, as laid down in Art. 1 of the agreement.

The agreement is said to be a huge step for both the US and the EU with regard to their relations to each other, as it mirrors the aim of a closer cooperation in the context of, on the one hand, security, and, on the other hand, citizens' rights.[43] Especially after the Snowden revelations, its aim was to rebuild trust in data exchanges between the EU and the US.[44]

The intention was to create an adequate level of protection and, importantly for the EU, to establish that US law enforcement authorities should not have direct access, or the possibility to order a direct transfer, of personal data stored by private companies in the EU, except in situations which are clearly defined, exceptional and judicially reviewable.[45]

[40] Papakonstantinou V. and De Hert P., The PNR Agreement and Transatlantic Anti-Terrorism Co-Operation: No Firm Human Rights Framework on either Side of the Atlantic, Common Market Law Review, 2009, Vol. 46, p. 898.
[41] Argomaniz J., When the EU is the ‚Norm-taker‘, op. cit., p. 123.
[42] Agreement between the United States of America and the European Union on the Protection of Personal Information relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses of 02 June 2016.
[43] European Commission, Statement/16/2040, Joint EU-U.S. press statement following the EU-U.S. Justice and Home Affairs Ministerial meeting, Amsterdam, 2 June 2016, p. 1.
[44] Carrera S., González Fuster, Guild E., Mitsilegas V., op. cit., p. 38.

Special categories of personal information and the restrictions with regard to them are listed in Art. 13 and mirror the sensitive data of the PNR Agreements, but the restrictions seem to be less clear and specific than the ones provided by the PNR Agreements.

Overall, the agreement covers all data exchanges by providing safeguards and guarantees with regard to those transfers. Besides, it will make it easier for law enforcement authorities to cooperate with each other.

However, it is not a legal basis for the transfer of data as such; it serves as a supplement to existing data protection safeguards and complements existing agreements with the EU.[46]

Its importance in the context of EU-US data transfers is that, in principle, all secondary legislation with regard to data protection and data transfer with the US has to be in line with the requirements set up by the Umbrella Agreement. Consequently, the Umbrella Agreement sets the level of protection, which also has effects on EU law. It can therefore be seen as a means of interpretation, as, in essence, frameworks for criminal matters should be interpreted in the light of the Umbrella Agreement.

The reason for this is that the Umbrella Agreement is an international agreement that binds the Union and its institutions, Art. 216 (2) TFEU. Furthermore, from its entry into force, it becomes an integral part of Union law and acquires the rank of EU law in the Member States.[47]

This fact should be kept in mind with regard to the following examination of the 2012 PNR Agreement and the EU Data Protection Regime.

[45] Ibid., p. 38; European Commission, Communication to the European Parliament and to the Council: Rebuilding Trust in EU-US Data Flows, COM(2013) 846 final, Brussels, 27.11.2013, p. 10.
[46] Council of the EU, Press Release 709/16, Umbrella Agreement: EU ready to conclude deal with the US, 02.12.16, p. 1.
[47] Cf. Van Rossem J. W., The Autonomy of EU Law: More is Less?, in Wessel R. A. and Blockmans S. (eds.), Between Autonomy and Dependence, The Hague, 2013, p. 20; Martines F., Direct Effect of International Agreements of the European Union, The European Journal of International Law, 2014, Vol. 25, No. 1, p. 133.

III. EU-US PNR Agreements

As seen above, legislation with regard to PNR was adopted from 2001 on.

1. First PNR Agreement

Generally speaking, the adoption of the first PNR Agreement occurred out of an airlines’ dilemma. 48

After the above mentioned terroristic attacks, the US requested passenger data. However, if EU airlines had transmitted this PNR data, they would have violated the EU Data Protection Regime because the US did not provide an adequate data protection at that time. In contrast to this, by not transmitting the requested data, the airlines were endangered to lose the American market. 49

After having signed the agreement, many concerns arose, especially about the ability of US firms to guarantee adequate data protection. 50

Consequently, the task was to solve the issues regarding the adequacy criterion, under which data transfer is only permitted where an adequate level of protection is provided.[51]

Lastly, the first PNR Agreement was based on Art. 95 EC (today Art. 114 TFEU).[52]

However, after an action brought by the European Parliament, the CJEU annulled the agreement as it had been concluded ultra vires.[53] The consequence of this judgment was a new PNR Agreement, which would need to be adopted within the Third Pillar.[54]

[48] Agreement between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 17.05.04.

[49] Papakonstantinou V. and De Hert P., The PNR Agreement and Transatlantic Anti-Terrorism Co-Operation, op. cit., p. 900.

[50] Argomaniz J., When the EU is the ‚Norm-Taker’, op. cit., p. 124.

[51] See Chapter B II. 1, p. 3.

[52] Papakonstantinou V. and De Hert P., The PNR Agreement and Transatlantic Anti-Terrorism Co-Operation, op. cit., p. 902.

[53] CJEU, Joined Cases C-317/04, C-318/04, Parliament v Council, 30 May 2006, ECLI:EU:C:2006:346, paras. 65, 68, 69.

[54] Papakonstantinou V. and De Hert P., The PNR Agreement and Transatlantic Anti-Terrorism Co-Operation, op. cit., p.

Importantly, this agreement used the so called „pull method“, meaning that the requesting US authority has direct access to the airlines’ data pools, from which it can extract all needed information and copy it into its own database.[55]

2. Second PNR Agreement

After the annulment of the first PNR Agreement, a second one was concluded in 2007.[56] One visible change was that this agreement limited the types of PNR data to 19 different fields of information.[57]

Also important to mention is that the transfer of PNR data was expanded to public security authorities, widening the scope of transfer. Hence, processing could be done by police, customs and other security authorities.

However, in contrast to the first agreement, the second one established the collection of data through the „push method“. Here, the airlines automatically transmit the relevant data into the requesting authorities’ database.[58]

Unlike under the first agreement, the retention period was raised to seven years in the analytical database and extended, in dormant, non-operational status, for another eight years. After those 15 years in total, the data should have been deleted. The possibility of putting the data back into the active database was only given in specific cases or investigations.[59]

[55] Hornung G. and Boehm F., Comparative Study on the 2011 draft between the United States of America and the European Union on the use and transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security, Passau/Luxembourg, 14 March 2012, p. 8.

[56] Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement).

[57] 2007 PNR Agreement, op. cit., US letter to EU, 04.08.07, III. Types of information collected.

[58] Hornung G. and Boehm F., Comparative Study, op. cit., p. 8.

[59] 2007 PNR Agreement, op. cit., US letter to EU, 04.08.07, VII. Data Retention.

3. Third PNR Agreement

Due to insufficient data protection safeguards and other critical issues with regard to the second PNR Agreement, a third PNR Agreement was adopted. The third and current agreement entered into force in 2012 and, like its predecessors, aims at combating crime and terrorism more effectively.[60]

As in the previous agreement, the number of PNR data types remained 19.

With regard to the retention period, a change took place: storage is now limited to five years before the data is transferred to the non-active database, where it is kept for up to 10 years. After this period, the preserved data has to be anonymized by deleting it.[61]

Nevertheless, this rule can be restricted under specific circumstances, which can lead to a longer period of retention, Art. 8 (5).

Moreover, in order to safeguard a high level of data protection, the criteria and conditions concerning the access to the active database are „restricted to a limited number of specially authorized officials“, Art. 8 (1).

To cope with the special nature of sensitive data, special guidelines are set out in Art. 6 of the agreement. Besides, its section three limits access to, use and processing of such data to „exceptional circumstances“ and connects those to a possible imperilment of the individual’s life.

Nonetheless, sensitive data can still be stored longer to guarantee the option of a „specific investigation, prosecution or enforcement action“.[62]

As has been shown above, the first and the second agreement use different methods for gathering information. The agreement at hand generally uses the push method, but it also allows the use of the pull method in certain situations.[63]

Lastly, to ensure that individuals are able to bring legal actions effectively, Art. 13 gives guidance regarding redress for individuals irrespective of nationality or country of origin.

[60] Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, 11.08.12; Tzanou M., op. cit., p. 88.

[61] 2012 PNR Agreement, op. cit., Art. 8 (1), (3), (4).

[62] Ibid., Art. 6 (4).

[63] Ibid., Art. 15 (1), (5); Hornung G. and Boehm F., Comparative Study, op. cit., p. 8; Taylor M., Flying from the EU to the US: necessary extraterritorial legal diffusion in the US - EU Passenger Name Record agreement, Spanish Yearbook of International Law, 2015, p. 232.

By sharp contrast, Art. 21 of the agreement then states that this agreement is not intended to confer any right under US law.

This contradictory situation will be assessed further below.

IV. EU PNR Directive

With a purpose similar to that of the aforementioned EU - US PNR Agreements, the European Commission proposed an EU PNR Directive, which is meant to harmonize rules on the collection and processing of PNR data against terrorist offences and serious crime. With this directive, an obligation to provide EU countries with passenger data shall be established.[64]

The need for a European PNR system increased especially after several terrorist attacks took place in the EU. The EU felt in need of a processing tool of its own in order to combat terrorism and serious crime more effectively within the boundaries of the Union.

As a result, the EU PNR Directive was adopted with these underlying aims.[65] The EU PNR Directive, as a specific instrument of data processing for law enforcement purposes and cooperation in criminal matters, is based on Art. 82 (1) (d) TFEU and Art. 87 (2) (a) TFEU, which are the legal bases in the Area of Freedom, Security and Justice.

It is important to note that this directive generally applies to extra-EU flights, i.e. flights from a third country to or through Europe. Under special circumstances and after notification of the Commission, it may also be applied to intra-EU flights.[66]

In contrast to the 2012 PNR Agreement, which focuses on the US, the focus of the EU PNR Directive is devoted to the EU territory and all flights coming into connection with it.

The scope of this EU PNR Directive is limited to data collected for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime, Art. 1 (2).

[64] European Commission Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime; COM (2011) 32 final, 2.2.11, p. 4.

[65] Directive 2016/681 of the European Parliament and of the Council on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime; 27.04.16.

[66] Directive 2016/681, op. cit., Art. 2 (1).

To clarify the legal situation concerning the individuals’ right to data protection, Art. 6 (1), (2) lists the purposes for processing data and creates a connection to Annex I, which lists 19 PNR information elements.

An additional obligation is the usage of the above mentioned push method with regard to data transfer, Art. 8 (1).

As this is a crucial point, retention in the database is set to a period of five years by Art. 12. However, a depersonalization „shall“ take place after six months.

D) The PNR Frameworks in the Light of the EU Data Protection Regime

As has already been hinted above, the various PNR Agreements are derogations from the EU Data Protection Regime, which casts doubt on the compatibility of the agreements with EU data protection. This Chapter assesses the problems arising especially from the 2012 PNR Agreement.

I. The Data Protection Problems with Regard to EU - US PNR

Firstly, the data protection concerns particularly arising out of the 2012 PNR Agreement are to be examined.

1. Comparative Analyses with regard to EU secondary legislation

The Directive 2016/680 is secondary Union law, Art. 288 TFEU. By contrast, the 2012 PNR Agreement is an international agreement between the US and the EU.

As mentioned in connection with the Umbrella Agreement, one has to respect the legal hierarchy of EU law when examining the legal validity of such agreements.[67]

[67] See Chapter C, II., p. 10.

Hence, the question is whether the 2012 PNR Agreement can be examined in the light of Directive 2016/680.

The treaties, so-called „primary law“, constitute the highest level in the legal hierarchy. The next level is the so-called „secondary law“, which comprises the legal acts as mentioned by Art. 288 TFEU.

However, international agreements are a special part of EU legislation and are hierarchically located between primary and secondary EU law and, consequently, they can affect the validity of EU secondary law, as secondary law should be interpreted as far as possible in the light of international agreements.[68]

One could argue that primary and secondary law are often closely related to each other. Consequently, Directive 2016/680 could be seen as a specific expression of Art. 8 CFREU, hence of primary law, which could render it the benchmark of the European Data Protection Regime.

In Kücükdeveci,[69] the CJEU had to deal with a similar issue. It held that directives can give specific expression to general principles of primary law, which makes those directives the basis for validity examinations.[70]

However, the situation in the mentioned case differs from the situation at hand. An international agreement has to be examined here, which completely changes the situation compared to Kücükdeveci.

Secondary law is hierarchically located below international agreements, which is why the validity of such agreements cannot be determined by using directives or regulations. Consequently, international agreements generally prevail over opposing EU secondary law and hence, their compatibility can only be examined in the light of EU primary law, which can also be seen in Art. 218 (11) TFEU.

Nonetheless, as Directive 2016/680 belongs to the EU Data Protection Regime and specifically regulates processing in connection with PNR, the paper first analyzes the 2012 PNR Agreement in the light of that directive in a comparative way.

[68] CJEU, Case C-61/94, Commission v Germany, 10 September 1996, ECLI:EU:C:1996:313, para. 52; Case C-286/02, Bellio F.lli Srl, ECLI:EU:C:2004:212, para. 33.

[69] CJEU, C-555/07, Seda Kücükdeveci v Swedex GmbH & Co. KG, 19 January 2010, ECLI:EU:C:2010:21.

[70] Ibid., paras. 21, 27.

a) Purpose and Use of Data

The newly adopted Directive 2016/680 rules that its purpose shall be „specified, explicit and legitimate“ and that the relation between data and purpose shall be „adequate, relevant and not excessive“.[71]

The 2012 PNR Agreement is intended to ensure security and to protect the public.[72] Its Art. 4 is divided into four sections, providing definitions and further purposes for which PNR data can be used. However, despite being very detailed, the wording „including conduct that“ and „in particular“ suggests that this list is not exhaustive and that those definitions serve only as examples.[73]

This opens the possibility of using PNR data also with regard to other crimes, as there is no limit, which is why the conclusion of an extended purpose can be drawn.

Also contravening the requirement of specification seems to be that the provision includes crimes punishable by three years’ imprisonment or more. The problem is, however, that the treatment of crimes can deviate from country to country, which again creates legal uncertainty with regard to the crimes actually encompassed by Art. 4 of the 2012 PNR Agreement.[74]

Additionally, the scope is broadened through section 2 by permitting the use of data either on a case-by-case basis or by court order, which is not conditional upon any other requirement.[75] In this context, the clarity of the term „case-by-case basis“ is questionable. It is neither specific nor explicit.

This results in legal uncertainty, as the agreement makes it possible to use PNR data otherwise than initially intended by the 2012 PNR Agreement.

Moreover, such a broad and vague purpose could lead to an incompatibility with the directive, as it contravenes the required specificity and explicitness of the purpose as mentioned above.

[71] Directive 2016/680, op. cit., Art. 4 (1) (b), (c).

[72] 2012 PNR Agreement, op. cit., Art. 1.

[73] Ibid., Art. 4 (1) (a) (i); Art. 4 (1) (b); Hornung G. and Boehm F., Comparative Study, op. cit., p. 9.

[74] 2012 PNR Agreement, op. cit., Art. 4 (1) (b).

[75] Ibid., Art. 4 (2); Hornung G. and Boehm F., Comparative Study, op. cit., p. 10.

Furthermore, the wording of Section 3 allows for the use of PNR data for the purpose of border control. The formulation is not specific enough and allows wide-ranging control, which is not in line with the original purpose.[76]

Besides, no clarification is given with regard to the term „identification“, which could therefore also include computerized labelling of individuals on a risk scale.[77]

Finally, „Paragraphs 1, 2, and 3 shall be without prejudice [to] where other violations of law […] are detected“.[78] However, there is no clarification about which violations are actually meant, and this therefore opens the way for further interpretation. Consequently, the scope of application of this article is broadened once again.

The lack of purpose limitations in the current PNR Agreement is accompanied by the absence of a link between the purpose and the counterterrorism goal and allows use for other purposes, which is not in line with the original intention and is therefore contrary to what is required by Directive 2016/680.

Lines of possible incompatibility can also be drawn from the above mentioned recent CJEU judgement. In the Digital Rights Ireland Judgement, the CJEU held that, in the EU, the scope and application of measures must be defined clearly and precisely.[79] The above mentioned articles are not in line with these requirements, as they are open to further interpretation, which could lead to abuse on the one hand and to a variation of usages on the other hand.

Another critique in this judgement was that the DRD did not set out any limits concerning access to data and therefore allowed usage in a broader frame, even if the data had been collected on grounds other than the original purpose.[80] If one considers this critique in the light of the current PNR Agreement, it is striking that this agreement is not restricted to the initial purpose of combating terrorism and serious crime and could therefore be considered far too broad.

[76] 2012 PNR Agreement, op. cit., Art. 4 (3); Boehm F. and Cole M., Data Retention after the Judgement of the Court of Justice of the European Union, 30 June 2014, p. 60.

[77] Korff D. and Georges M., Passenger Name Records, data mining & data protection: the need for strong safeguards, T-PD(2015)11, Strasbourg, 15 June 2015, p. 69.

[78] 2012 PNR Agreement, op. cit., Art. 4 (4).

[79] CJEU, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, op. cit., para. 54.

[80] CJEU, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, op. cit., para. 54.

Consequently, the 2012 PNR Agreement is not in line with Directive 2016/680 and therefore derogates from the EU Data Protection Regime.

b) Data Retention

Directive 2016/680 generally requires appropriate time limits for the retention periods and applies the necessity principle to cases in which identification of data subjects is feasible.[81]

The Digital Rights Ireland ruling showed that the DRD violated the principles of proportionality and necessity and that it constituted a wide-ranging interference with fundamental rights, as it lacked clear limits. This could also influence the current PNR Agreement.[82]

In the current agreement, a retention period of a maximum of 15 years is set up, composed of years in the active and dormant databases.[83]

Those 15 years alone can already be regarded as doubtful in relation to the necessity principle, but this is even more critical in the light of the following.

In the dormant database, a re-personalization for the purpose of law enforcement is possible, but only in connection with „an identifiable case, threat or risk“.[84] A time limit of 5 years for this re-personalization is established for serious crimes other than terrorist crimes.[85] This indicates that, by exclusively limiting the period with regard to those crimes, an unlimited period of re-personalization can take place for all other purposes listed by Art. 4 of the 2012 PNR Agreement.

Additionally, whenever such a re-personalization happens, the data constitutes „personal data“ in the meaning of Art. 3 (1) Directive 2016/680 again for a period of 15 years. This has the effect of creating an unlimited retention period, which contradicts the directive’s original intention.

After the dormant period, the data is going to be „fully anonymized“. However, this does not prevent the authority from retaining data in an active database, even if this is limited to specific cases.[86] The benefit here is that identification is impossible. Nevertheless, it does not influence the retention period.

[81] Directive 2016/680, op. cit., Art. 5, Art. 4 (1) (e).

[82] CJEU, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, op. cit., paras. 65, 69, 73.

[83] See Chapter C III. 3, p. 13.

[84] 2012 PNR Agreement, op. cit., Art. 8 (3), Art. 8 (4).

[85] Ibid., Art. 8 (3) in connection with Art. 4 (1) (b).

The main problem is the infinite retention period, as it, on the one hand, does not respect the interests of unsuspected passengers and, on the other hand, leads to a lack of clarity. This is not in line with the Digital Rights Ireland Ruling, especially because terms such as „anonymization“, „masking out“ and „re-personalization“ remain undefined.

As hinted above, the principle of proportionality plays an important role when examining the retention period, which was also highlighted by the CJEU in the Digital Rights Ireland Ruling. The 2012 PNR Agreement makes no distinction between unsuspicious and suspicious passengers and applies the 15-year limit to both of them. According to the CJEU, this not only contradicts the principle of proportionality but moreover leads to a risk of stigmatization.[87] The same can be said with regard to Directive 2016/680, which imposes the obligation to distinguish between the data of different data subjects.[88]

Consequently, the fact that there is a possibly unlimited period of retention and that there is no distinction between different groups of individuals means that the 2012 PNR Agreement contravenes EU secondary legislation.

c) Transfer to Third Parties and Access to Data

The PNR Agreements generally allow for the collection and storing of personal data and give national authorities access to this data. The transfer combines domestic data sharing and onward transfer. With regard to sharing, two methods can be distinguished.[89] Today, the 2012 PNR Agreement mainly uses the push method, except in special circumstances in which air carriers are required to provide access otherwise.[90] This can be understood to mean that those provisions allow the use of the pull method in certain situations. Even if the use of the pull method is exceptional, it is still problematic in the light of general access criteria. The CJEU stated that such access has to be made conditional upon a decision by a court or an independent administrative body.[91] However, access control by such an authority is missing in those situations, and this contradicts Art. 41 (1) of Directive 2016/680.

[86] 2012 PNR Agreement, op. cit., Art. 8 (5).

[87] Joined Cases C-293/12 and C-594/12, op. cit., paras. 57 - 59.

[88] Directive 2016/680, op. cit., Art. 6.

[89] See Chapter C III. 1, 2, p. 11-12.

[90] 2012 PNR Agreement, op. cit., Art. 15 (5).

While the 2007 Agreement includes a clause which allows sharing only if data protection comparable to that applied to PNR by the DHS is established,[92] the current agreement provides for such a clause as well and, moreover, an information duty was established. Nevertheless, a specified purpose for the transmission is not included. Art. 17 of the 2012 Agreement stipulates that transfer is only permitted „under terms consistent with this Agreement“, but it lacks clear guidance or reference. This facilitates other transfers, which is not in line with the jurisprudence of the CJEU, which requires clear limits.

For example, one of the reasons why the DRD was declared invalid was that it did not ensure criteria establishing access limits.[93]

Consequently, the transfer and access rules differ from Directive 2016/680.

d) Amount of Data Sets / Data Types

As seen above, the agreements include different amounts of data sets. The 2004 Agreement listed 34, whereas in 2007 and 2012 this was reduced to 19. However, even if this seems to be an improvement at first sight, a detailed examination reveals a formal rather than a qualitative reduction. The reason is that the PNR Agreement, which technically still contains more than 34 data types, provides a more summarized data set. Consequently, fewer fields than before emerged.

In this regard, the above mentioned Schrems case can be considered. Advocate General Bot acknowledged, with regard to the US Safe Harbour Agreement, that surveillance by the US is mass, i.e. indiscriminate, surveillance, which violates Art. 8 CFREU.[94] This also affects the 2012 PNR Agreement, which could likewise be deemed mass surveillance.

[91] CJEU, Joined Cases C-293/12 and C-594/12, op. cit., para. 62.

[92] 2007 PNR Agreement, op. cit., US letter to EU 2007, II. Sharing of PNR.

[93] CJEU, Joined Cases C-293/12 and C-594/12, op. cit., paras. 60, 61.

[94] Opinion of Advocate General Bot, C-362/14, 23 September 2015, ECLI:EU:C:2015:627, paras. 199, 200.

With regard to sensitive data, collecting this type of data was not permitted under the PNR Agreement in 2004, which changed in the subsequent agreements, though. Generally, such sensitive data should be filtered and masked out from PNR. However, processing is still allowed in situations where „the life of an individual could be imperiled or seriously impaired“, and retention can take place for specific investigations, prosecutions or enforcement purposes.[95]

This contradicts Directive 2016/680, which sets out very clear and precise conditions for the processing of such data.[96] This list seems to be exhaustive, whereas the 2012 PNR Agreement’s wording is open to interpretation.

As a result, at least the type of data being collected is not in line with the directive.

e) Data Subjects Rights

Also included in the Digital Rights Ireland Judgement and well established in Directive 2016/680, data subjects should have rights and safeguards with regard to their retained data.[97]

Even if individuals generally should have means of access, correction, redress and information, which are also provided in the 2012 PNR Agreement, one can still assume that this is not really guaranteed as a right.[98] As mentioned before, Art. 21 of the 2012 PNR Agreement clearly rules that this agreement should not confer any rights under US law.

However, the agreement states that „any individual, regardless of nationality, country of origin, or place of residence is entitled to request his or her PNR“.[99] This seems to be a provision setting up individual rights at first sight, but limitations under US law are possible and, consequently, no real change is apparent.[100] Moreover, this is not comparable to the rights laid down in Art. 14 of Directive 2016/680, as this article not only demands the provision of PNR data but also the forwarding of further information if such a request is made. Consequently, the provisions concerning the right of access in the 2012 PNR Agreement are clearly below the standard provided for by Directive 2016/680.

[95] 2012 PNR Agreement, op. cit., Art. 6 (3), (4).

[96] Directive 2016/680, op. cit., Art. 10.

[97] Ibid., Art. 12 - 14; CJEU, Joined Cases C-293/12 and C-594/12, op. cit., para. 54.

[98] 2012 PNR Agreement, op. cit., Art. 11-13 and Art. 21.

[99] Ibid., Art. 11.

[100] Ibid., Art. 11 (2).

Furthermore, individuals seem to be provided with a right of correction or rectification.[101] What raises doubts with regard to this provision is that, even if such a right is provided in principle, there is no specific measure on how this right can be enforced or on which basis such a right is conferred. For example, Art. 16 of Directive 2016/680 gives a right to rectification and erasure. Specifically, Art. 16 (1) obliges Member States to rectify inaccurate data. In contrast, Art. 12 of the 2012 PNR Agreement does not give any criteria specifying how such a rectification should happen. As a consequence, it remains unclear when and how such a rectification can take place.

The right provided by the 2012 PNR Agreement is therefore not specific enough, which is why Directive 2016/680 offers more protection in this regard as well.

f) Independence of Oversight

In contrast to the earlier two agreements, which did not contain provisions on supervision, the 2012 Agreement makes „Department Privacy Officers“ responsible for „independent review[s]“.[102]

Nevertheless, even if this is an improvement on the former agreements, it is still questionable whether this is sufficient in the light of EU data protection.

Chapter VI of Directive 2016/680 contains rules on independent supervisory authorities and obliges Member States to establish „independent public authorities“.[103] In addition to this, a judgement on the complete independence of supervisory authorities stipulates that those authorities should be objective and impartial and should stay „free from any external influence“.[104] This wording is now also included in the new Directive 2016/680, and a detailed assessment of independence is set out in Art. 42 thereof.

[101] 2012 PNR Agreement, op. cit., Art. 12.

[102] Ibid., Art. 14.

[103] Directive 2016/680, op. cit., Art. 41 (1).

[104] CJEU, C-518/07, Commission v Germany, 9 March 2010, ECLI:EU:C:2010:125, para. 25.

The problem which arises here is that the authorities mentioned in the PNR Agreement, the DHS Office of Inspector General, the Government Accountability Office and the US Congress, with the exception of the latter, are not independent in the way required by Directive 2016/680. Both of them, but especially the DHS, are rather similar to internal data protection officers, which do not fulfill the mentioned requirement.[105]

The above mentioned authorities are not obliged to review cumulatively; it is therefore sufficient that a single authority is in charge. Consequently, independence is not safeguarded, as it is also possible for the non-independent DHS alone to act as the oversight authority.[106]

This also leads to a derogation from Directive 2016/680.

g) Judicial Review

Regarding judicial redress, the 2012 PNR Agreement grants administrative and judicial review under US law to any data subject.[107] However, no rights are conferred.[108] It is therefore questionable whether effective redress policies exist under US law.

The problem is that EU citizens do not fall within the scope of the US Privacy Act and hence, doubts arise whether other US statutes can provide for such a level of protection.[109] The recent agreement thereby mentions similar US Acts and other US provisions and establishes a potential link to the US Privacy Act.[110]

Even if one considers a new redress right under Art. 13 (1) of the 2012 PNR Agreement, doubts arise with regard to its enforceability. It is not only questionable whether the US generally complies with the provisions but also whether it deals with individual requests within an adequate time frame, as there have been cases where a request was only dealt with three years later.[111]

[105] 2012 PNR Agreement, op. cit., Art. 14 (2) (a) (b) (c); Hornung G. and Boehm F., Comparative Study, op. cit., p. 16.

[106] 2012 PNR Agreement, op. cit., Art. 14 (2).

[107] Ibid., Art. 13 (1).

[108] Ibid., Art. 21; see Chapter C III. 3, p. 14.

[109] Taylor M., Flying from the EU to the US, op. cit., p. 233.

[110] 2012 PNR Agreement, op. cit., Art. 13 (3); Boehm F. and Cole M., Data Retention after the Judgement of the Court of Justice of the European Union, op. cit., p. 65.

[111] Cf. Hornung G. and Boehm F., Comparative Study, op. cit., p. 16 - 17; Edward Hasbrouck v. US Customs and Border Protection, United States District Court for the Northern District of California, San Francisco Division, order No.

By sharp contrast, Directive 2016/680 requires that judicial review is possible in order to constitute an adequate level of data protection.[112]

Once again, the fact that there is no real possibility of judicial review is not in line with Directive 2016/680.

h) Adequacy Criterion

Another interesting point is the adequacy criterion. The DHS is considered to „provide […] an adequate level of protection“, which is deemed to be in line with EU data protection law.[113] The question is whether the 2012 PNR Agreement can be considered to provide an adequate level of protection. Directive 2016/680 sets out a detailed list of elements which are important for assessing the adequacy criterion.[114]

Firstly, importance is given, among others, to the rule of law, to human rights and fundamental freedoms and to legislation (defence law, data protection rules, rules with regard to the transfer of data and, finally, data subjects’ rights).[115]

As mentioned before, the 2012 PNR Agreement does not provide sufficient data protection standards, including the establishment of real individual rights, in comparison to Directive 2016/680. Rights to redress as set out in the 2012 Agreement are not enforceable for individuals, at least not for EU citizens, and consequently this derogates from Directive 2016/680.

Secondly, a criterion for adequacy is a functioning and independent supervisory authority.[116] Even if the 2012 PNR Agreement assigns different authorities the oversight task, the independence criterion is not safeguarded. This in turn contradicts the obligation inherent in offering an adequate level of protection.

[112] Directive 2016/680, op. cit., Art. 36 (2) (a).

[113] 2012 PNR Agreement, op. cit., Art. 19.

[114] Directive 2016/680, op. cit., Art. 36 (2).

[115] Ibid., Art. 36 (2) (a).

[116] Ibid., Art. 36 (2) (b).

Thirdly, international commitments, obligations arising from conventions or derived from participation in multilateral systems should be taken into account with regard to data protection issues. 117

In respect thereof it must be noted that such commitments, as seen with regard to the Umbrella Agreement, are also rather weak compared to the obligations set out in Directive 2016/680.

To sum up, the foregoing shows that the level of protection offered in the 2012 PNR Agreement cannot be deemed adequate in the light of Directive 2016/680.

2. Compatibility with the CFREU

The 2012 PNR Agreement has to be in line with the CFREU. Generally, the retention of and the access to data constitutes an interference with Art. 8 CFREU. However, Art. 52 (1) CFREU requires that any deviation from a provision of the CFREU has to be provided by law and has to be in accordance with the principle of proportionality, which is why a justification is needed in the case at hand.

a) Provided by Law; Art. 52 (1) CFREU

The first requirement is that any interference has to be provided by law.

This provision has to be understood in a substantive sense, meaning that it needs to have a basis in domestic law. 118

Moreover, it also refers to the quality of the law, meaning that it has to be accessible and foreseeable, hence sufficiently clear. This requirement is fulfilled as soon as the law is published in the Official Journal of the European Union. 119

As the agreement at hand is adopted law and has been published in this Journal, it fulfills this obligation.

117 Ibid., Art. 36(2)(c).

118 Opinion of Advocate General Mengozzi, 8 September 2016, Opinion 1/15, para. 191.

119 Ibid., para. 193.

(33)

b) Object of General Interest

The second requirement, data retention meeting an objective of general interest, has to be fulfilled as well. 120

Consequently, the purpose of the 2012 PNR Agreement, namely combating terrorism and serious crime, needs to be a general interest in the European Union. Regarding the latter, it was established in the Tsakouridis Case that serious crime constitutes such an interest, and the same applies to the fight against international terrorism. 121

In light of this case law the aim of the 2012 PNR Agreement is of general interest.

c) Principle of Proportionality and Necessity

Finally, the 2012 PNR Agreement needs to be in line with the proportionality principle, meaning that it needs to have a legitimate aim, be suitable and necessary.

aa) First of all, the agreement needs to have a legitimate aim. As the agreement’s aim is to ensure the maintenance of, inter alia, public security, which is in the public interest, it has a legitimate aim.

bb) Secondly, the 2012 PNR Agreement needs to be suitable to achieve this aim, meaning that it somehow has to facilitate the achievement of the aim. As the 2012 PNR Agreement makes it easier to obtain passenger-related data and use it in the fight against terrorism and crime, and thereby enhances public security, the agreement is also suitable.

cc) Thirdly, the agreement also needs to be necessary. This means that it has to be the least harmful means of all similarly effective means available.

(1) Firstly, the purpose and the use of PNR data do not seem to be limited to what is necessary. The non-exhaustive way in which the offenses falling under the scope of this agreement are presented is doubtful. Both the terrorist offenses and related crimes as well as transnational crimes are defined, but the wording used leaves room for interpretation. This contravenes the necessity principle, as it would be equally effective to use a list of offenses in the Annexes to clarify to which crimes the 2012 PNR Agreement is applicable.

120 Art. 52 (1) CFREU.

121 CJEU, Land Baden-Württemberg v Panagiotis Tsakouridis, C-145/09, para. 46, 47; CJEU, Yassin Abdullah Kadi and Al Barakaat International Foundation v Council of the European Union and Commission of the European Communities, Joined Cases C-402/05 P and C-415/05 P, para. 363.

(34)

By not doing so, the agreement also applies to other offenses that are not necessarily vital to pursuing the aim, which is why the principle of necessity is violated.

The same applies to the threshold of a sentence of three years or more stipulated with regard to other crimes. Here, the problem is that a sentence of three years, by its pure duration, corresponds to different offenses in each country, so no clear rule is established as to which crimes are actually meant. Furthermore, the fact that PNR data can be used and processed on a case-by-case basis or by court order is questionable in the light of necessity, too, as this opens the door even further. There are no clear rules as to which cases this actually covers, since neither requirement, the serious threat nor the vital interest, is defined. This leaves a wide discretion, which covers more offenses than are necessary to achieve the purpose. A clear definition would be equally effective.

Lastly, the same is valid for other violations mentioned in Art. 4 (4) of the 2012 PNR Agreement. The term „other violations“ is simply too broad and open for further interpretation.

All those issues show that the 2012 PNR Agreement does not contain clear limitations concerning the scope of the use of PNR data. By consequence, it covers more than would actually be necessary to fulfill its aim properly, which is why the principle of necessity as explained above is violated.

(2) The retention period, a maximum of 15 years, raises doubts as well. Is it really necessary to retain data for such a long time? The Annex of the agreement provides a list of different data types which can be retained. Especially the fact that the agreement does not distinguish between those different types is questionable. Information such as the check-in status or ticket prices does not seem to be relevant for the purpose, and it is therefore not necessary to store such data for 15 years.

(3) Additionally, with regard to the scope, it is striking at first sight that no distinction is made between suspected and unsuspected persons. The collection of PNR data on all travelers can be considered undifferentiated and generalized. The question is whether schemes which would distinguish between different categories of travelers would provide the same effectiveness or not. Theoretically, it is possible to store only the data of a specifically suspect group of passengers. However, this would require a prior assessment of which peoples’ data needs
