
Tension between the call for security and data protection in the EU : A legal comparative analysis of the implementation of the PNR Directive in three different Member States


Academic year: 2021


Tension between the call for security and data protection in the EU: a legal comparative analysis of the implementation of the PNR Directive in three different Member States

Final version, 20 July 2018

Laura Jacobs, master student European Union Law

Supervisor: mw. Prof. Dr. C. Eckes

List of Abbreviations

CFR Charter of Fundamental Rights of the European Union

CJEU Court of Justice of the European Union

EU European Union

TEU Treaty on the European Union

TFEU Treaty on the Functioning of the European Union

PNR Passenger Name Records

GDPR General Data Protection Regulation

PIU Passenger Information Unit

Abstract

The processing of PNR data results in a tension between the call for means to combat terrorism on the one hand, and the protection of personal data on the other hand. In May 2018, the EU PNR Directive had to be transposed into the national laws of the EU Member States. However, not long after the adoption of this Directive the CJEU concluded that the draft PNR Agreement between the EU and Canada was not compatible with articles 7 and 8 CFR. This Opinion has cast doubts on the full compatibility of the EU’s own PNR Directive, since the two instruments share many similarities. Accordingly, Member States were put in a difficult position: on the one hand they face a perhaps incompatible PNR Directive, and on the other hand they are under the obligation to implement this PNR Directive. This thesis provides a legal comparative analysis of the national implementations of articles 11 and 13 of the PNR Directive by the Netherlands, Belgium and the United Kingdom in order to find out how Member States deal with this difficult position and what they can learn from each other’s data protection guarantees. From these two articles, six elements are identified as the focus of the comparison between the Member States: the rights of access, rectification, erasure, restriction, compensation and judicial redress; sensitive data; documentation; appropriate technical and organizational measures; communication to the data subject; and the transfer to third countries. It is argued that the United Kingdom and Belgium can take the Dutch law as a good example, as neither of them fully met the obligation to transpose all six elements into national law, whereas the Netherlands transposed all the elements correctly.
It is also argued that the United Kingdom and the Netherlands should draw inspiration from the Belgian law if they want to minimize the risk of their implementations being incompatible with the CFR, as the Belgian legislation provides extra data protection guarantees in three of the six elements and therefore comes closest to meeting the high standards of data protection envisaged by the CJEU.

Table of Contents

Chapter 1: Introduction

1.1: Scope

1.2: Methodology

1.3: Outline

Chapter 2: The basics of EU data protection and PNR data

2.1: Primary law

2.1.1 TFEU and CFR

2.2: Secondary law

2.2.1 Regulation 2016/679 (GDPR)

2.2.2 Directive 2016/680

2.2.3 Directive 2016/681

2.3 Case law

2.3.1 Digital Rights Ireland case

2.3.2. Schrems case

2.3.3 Opinion 1/15

3.1 Implementation of the Netherlands

3.1.1. The right of access, rectification, erasure, restriction, compensation and judicial redress

3.1.2. Sensitive data

3.1.3. Documentation

3.1.4. Appropriate technical and organizational measures and procedures

3.1.5. Communication to the data subject and national supervisory authority

3.1.6. Transfer to third countries

3.2 Implementation of Belgium

3.2.1. The right of access, rectification, erasure, restriction, compensation and judicial redress

3.2.3. Documentation

3.2.4. Appropriate technical and organizational measures and procedures

3.2.5. Communication to the data subject and national supervisory authority

3.2.6. Transfer to third countries

3.3 Implementation of the United Kingdom

3.3.1. The right of access, rectification, erasure, restriction, compensation and judicial redress

3.3.2. Sensitive data

3.3.3. Documentation

3.3.4. Appropriate technical and organizational measures and procedures

3.3.5. Communication to the data subject and national supervisory authority

3.3.6. Transfer to third countries

Chapter 4: Comparison of the three Member States

4.1. The right of access, rectification, erasure and restriction, compensation and judicial redress

4.2. Sensitive data

4.3. Documentation

4.4. Appropriate technical and organizational measures and procedures

4.5. Communication to the data subject and national supervisory authority

4.6. Transfer to third countries

Chapter 5: Conclusion

Bibliography

List of literature

EU Legislation

National legislation

Reports

Websites


Chapter 1: Introduction

At the end of May 2018, the mailboxes of EU citizens overflowed. People received emails from dozens of different companies – companies they did not even know existed, let alone that they held their personal data – with subject lines such as ‘we care for your privacy’ and ‘changes to our privacy policy’. About a month before this happened, every news medium had reported on the big Facebook scandal, which involved the processing and sharing of data of up to 87 million Facebook users with Cambridge Analytica.1 At the same time, the ‘see your own data’ tool2 – which revealed that Google knows where you have been, what you have searched for, what apps you have used, and all the information you have ever chosen to delete3 – led people to freak out. The combination of these events and the entry into force of the General Data Protection Regulation on 25 May 2018 makes one point clear: privacy and data protection have never been as alive and important as they are today.

At the same time, the EU finds itself in a major security crisis, with multiple terrorist attacks being perpetrated on its territory. The attacks in, for example, Berlin, Nice and Brussels show a horrific trend of jihadist militants randomly killing and wounding many EU citizens.4 In 2016, 142 victims died and 379 people were injured as a result of terrorist attacks.5 Unequivocally, terrorism poses a threat to EU society, the values of Member States’ democratic societies, and the rights and freedoms of its citizens. It has therefore become a top priority for the EU and its Member States.6

Since, prior to most attacks, terrorists travelled from, to, outside, and within countries in the EU, and a high number of citizens used air travel in order to travel to conflict zones like IS,7 there

1 See for instance Olivia Solon, ‘Facebook Says Cambridge Analytica May Have Gained 37m More Users’ Data’ The Guardian (4 April 2018) <http://www.theguardian.com/technology/2018/apr/04/facebook-cambridge-analytica-user-data-latest-more-than-thought> accessed 7 June 2018.

2 NOS, ‘Privacy, Waar Zeggen We Allemaal Ja Tegen?’ (25 May 2018) <https://over.nos.nl/nieuws/996/privacy-waar-zeggen-we-allemaal-ja-tegen> accessed 7 June 2018.

3 Dylan Curran, ‘Are You Ready? This Is All the Data Facebook and Google Have on You | Dylan Curran’ The Guardian (30 March 2018) <http://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy> accessed 7 June 2018.

4 European Union Agency for Law Enforcement Cooperation, ‘European Union Terrorism Situation and Trend Report 2017’ 5.

5 ibid 10.

6 ‘EU Fight against Terrorism - Consilium’ <http://www.consilium.europa.eu/en/policies/fight-against-terrorism/> accessed 7 June 2018.

7 David Lowe, ‘The European Union’s Passenger Name Record Data Directive 2016/681: Is It Fit for Purpose?’

have been calls in the EU to adopt legislation about Passenger Name Record data. This would make it possible to monitor passenger airline travel out of and to EU Member States in order to prevent, investigate, detect and prosecute terrorist offences and serious crime.

On 27 April 2016, the Council and the European Parliament therefore adopted the EU PNR Directive. This Directive had to be transposed into national law by all the Member States on 25 May 2018. However, not long after the adoption of this Directive, the CJEU handed down a landmark ruling in its Opinion 1/15, concerning the draft PNR agreement between the EU and Canada and its compatibility with articles 7 and 8 CFR. Concerns about the right to privacy and data protection have always been at the heart of the PNR conflict, since air passenger screening has been alleged to interfere with these rights.8 The CJEU’s Opinion reaches the core of the tension between the call for more means to combat terrorism on the one hand, and appropriate data protection on the other hand. While doing so, the Opinion also cast doubts on the full compatibility of the PNR Directive with the CFR, as the envisaged agreement with Canada and the PNR Directive share some of the same ‘weaknesses’ upheld by the CJEU.9 During the negotiations on the national implementations, political parties from different Member States stressed their concerns about this. The Dutch Christian Democratic party, for example, doubted the validity of the Directive and wondered whether the Netherlands could adjust its implementation so that it would be in line with Opinion 1/15.10 During the negotiations in Belgium the Opinion had not yet been published; the Opinion of A-G Mengozzi, however, had. Mr. Hellings of the Belgian Green Party predicted that after the Opinion, the EU would probably have to revise its Directive, and therefore he, and with him Mr. Crusnière of the Belgian Socialist Party, did not agree with the Belgian Government wanting to implement the Directive so hurriedly.11 Nonetheless, although the PNR Directive might not be in full compliance with the CFR, the obligation on Member States to implement this Directive still stands.

8 Maria Tzanou, The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Bloomsbury Publishing PLC 2017) 162.

9 Elena Carpanelli and Nicole Lazzerini, ‘PNR: Passenger Name Record, Problems Not Resolved? The EU PNR Conundrum After Opinion 1/15 of the CJEU’ (2017) 42 Air and Space Law 377, 401.

10 Tweede Kamer der Staten-Generaal, ‘Wet gebruik van passagiersgegevens voor de bestrijding van terroristische en ernstige misdrijven, Verslag (initiatief)wetsvoorstel (nader), Kamerstukken 34 861 nr. 5’ (22 February 2018) <https://zoek.officielebekendmakingen.nl/kst-34861-5.html> accessed 5 July 2018.

11 Belgische Kamer van volksvertegenwoordigers, Wetsontwerp betreffende de verwerking van

As a result, the implications of Opinion 1/15 on the one hand, and the obligation to implement the PNR Directive on the other, put national governments in a difficult situation.12

Accordingly, the PNR Directive and the specific obligations it imposes on Member States merit closer investigation. This thesis aims to provide a legal comparative analysis of the implementations of the PNR Directive by three different Member States. In doing so, it hopes to provide some answers as to how Member States can best deal with the difficult situation described above.

1.1: Scope

The research question of this thesis is as follows:

‘To what extent can The Netherlands, Belgium and the United Kingdom learn from each other’s data protection guarantees in their implementations of articles 11 and 13 of the PNR Directive?’

As the author of this thesis is a Dutch national, the Dutch implementation of the PNR Directive was the initial starting point for this thesis topic. Belgium is chosen as the second jurisdiction in this comparative analysis, because the Belgian Minister of Safety and Internal Matters claimed that the Belgian law provides for extra data protection guarantees and therefore ‘takes a step further’ than the PNR Directive.13 The choice for the United Kingdom is based on the fact that the United Kingdom has had a quite successful14 PNR system in place for years already – adopted long before the coming into force of the PNR Directive. Accordingly, the respective implementations of these three countries are expected to be the most suitable for comparison.

12 Ministerie van Justitie en Veiligheid, ‘Advies Raad van State wetsvoorstel gebruik passagiersgegevens bij bestrijding terrorisme - Rapport - Rijksoverheid.nl’ (22 December 2017) 1 <https://www.rijksoverheid.nl/documenten/rapporten/2017/12/22/tk-advies-rvs-w03-17-0224-ii> accessed 16 January 2018; Wetsontwerp passagiersgegevens nr. 003 (n 11); ‘Passenger Name Records – from Canada back to the EU’ (Verfassungsblog) <https://verfassungsblog.de/passenger-name-records-from-canada-back-to-the-eu/> accessed 21 January 2018 ‘Yet arguably the most pressing question for European policy-makers and security authorities is whether the implementation of the EU’s own PNR Directive can go ahead as planned’.

13 Wetsontwerp passagiersgegevens nr. 003 (n 11) 9.

14 Commissioner King has complimented the UK Passenger Information Unit with its knowledge and stated that ‘the UK has more than 10 years of experience in the use of PNR data for law enforcement purposes, more than any other country in the EU.’, ‘Commissioner King’s Remarks on Passenger Name Record (PNR) Data at the UK Passenger Information Unit’ (European Commission, 24 May 2018) <https://ec.europa.eu/commission/commissioners/2014-2019/king/announcements/commissioner-kings-remarks-passenger-name-record-pnr-data-uk-passenger-information-unit_en> accessed 2 June 2018.

In order to narrow down the scope of this thesis, the assessment of the different implementations will be limited to two provisions of the PNR Directive. The focus will be on i) the protection of personal data (article 13 of the PNR Directive); and ii) the transfer of data to third countries (article 11 of the PNR Directive). This choice is made because developments in PNR data regulation have mainly led to discussion about data protection and the transfer of data to third countries.15 Furthermore, over the last few years the CJEU has developed in its case law strict criteria for data protection on the one hand16 and for the transfer of data to third countries on the other.17 This underlines the importance of these two aspects and is why articles 11 and 13 are expected to be the most interesting and perhaps controversial for comparison. Furthermore, neither the legislation/rulings of the ECHR and ECtHR concerning data protection nor different PNR Agreements with third countries are covered in this thesis. The focus shall be on Union legislation. Also, this thesis does not aim to provide a full analysis of the possible bottlenecks of the PNR Directive in the light of Opinion 1/15. For the brief discussion of these bottlenecks in Chapter 2, reference shall therefore be made to articles by scholars in which this link is already established.

1.2: Methodology

In order to address the abovementioned, this thesis provides for a twofold investigation:

First, a legal analysis shall be given of the provisions of data protection in general and the PNR Directive in particular. This is done in a purely textual manner by explaining the various concepts and elements of the respective legislation. Also, the academic literature will be analysed in order to shed light on how data protection has developed throughout the EU.

Second, an in-depth legal comparative analysis shall be given of the implementation of the PNR Directive in the national legislation by three Member States: the Netherlands, Belgium and the

15 See for instance Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [2011] OJ C 181/02 (EDPS Opinion on PNR Directive 2011); Opinion of the European Data Protection Supervisor on the Global approach to transfers of Passenger Name Record data to third countries [2010].

16 See for instance Joined cases C-293/12 and C-594/12 Digital Rights Ireland [2014] Digital reports (DRI Case); Case 131/12, Google Spain SL v AEPD [2014] Digital reports (Google Spain); Joined cases 203/15 and C-698/15, Tele2 Sverige [2016] Digital reports (Tele 2 Sverige); Case C-210/16 Wirtschaftsakademie Schleswig-Holstein [2018] Digital reports (Facebook fanpages).

17 See for instance C-362/14, Schrems v Data Protection Commissioner [2015] Digital reports (Schrems); Opinion

United Kingdom. In order to do this, the different provisions and the explanatory memorandums of all three countries will be closely examined.

1.3: Outline

In the second chapter, an outline shall be given of the basics of EU data protection and PNR data. In hierarchical order, primary law, secondary law and case law will be discussed. Subsequently, Chapter 3 shall identify the specific elements of the Directive that form the focus of the comparative analysis of the three Member States. The substantive analysis of the implementation of the Netherlands, Belgium and the United Kingdom will follow. In Chapter 4, the three implementations will be compared. Based on the findings in the above chapters, Chapter 5 will give an answer to the research question and present some recommendations.


Chapter 2: The basics of EU data protection and PNR data

Paul de Hert and Serge Gutwirth commented that ‘it is impossible to summarise data protection in two or three lines’ and that ‘Data protection is a catch-all term for a series of ideas with regard to the processing of personal data’.18

2.1: Primary law

2.1.1 TFEU and CFR

The right to data protection is codified in different articles. To start with, Article 16(1) TFEU states that ‘everyone has the right to the protection of personal data concerning them’. The second paragraph of Article 16 TFEU gives, on the one hand, power to the EU legislator to set rules on data protection and, on the other hand, power to independent authorities to ensure control over these rules. Nonetheless, Article 16 TFEU has to be read in connection with Articles 7 and 8 CFR.19 Article 8 is titled ‘Protection of Personal Data’ and establishes that everyone has the right to the protection of personal data concerning him or her and that such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Furthermore, everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Article 7 CFR states that everyone has the right to respect for his or her private and family life, home and communications (hereafter: the right to privacy).

In December 2000, the CFR was born. According to the preamble, the CFR designates the rights it recognizes as fundamental rights.20 In 2009, the Lisbon Treaty gave legally binding force to the CFR, which meant that the fundamental rights to the protection of personal data and to the respect for private and family life were officially consolidated in EU law.21 Therefore, and also because of the introduction of article 16 TFEU, the Lisbon Treaty introduced important changes to the legal framework for data protection in the EU.22 Although the right to privacy was already

18 De Hert P., Gutwirth S. (2009) ‘Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action.’ In: S Gutwirth and others (eds), Reinventing Data Protection? (Springer 2009) (as cited in Tzanou [n 8] 12).

19 Hielke Hijmans, ‘The European Union as a Constitutional Guardian of Internet Privacy and Data Protection’ 543, 15.

20 Preamble of the Charter of Fundamental Rights of the European Union 2012 (C 326/02).

21 Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014) 2.

long recognized by the Court as a general principle of EU law and is now codified in article 7 of the CFR, the right to data protection was for the first time officially established in the CFR.23

Both the right to privacy and the right to the protection of the processing of personal data concern ‘any information relating to an identified or identifiable individual’.24 Since the Treaty of Lisbon entered into force, the Court no longer makes a clear distinction between the right to privacy and the right to data protection.25

The addition of the right to data protection to the CFR as a right distinct and separate from the right to privacy is related to the right to informational self-determination, as recognized by the German Constitutional Court. This Court decided that the possibility to control whether data is disclosed or used flows from an individual’s right to self-determination.26

2.2: Secondary law

On 27 April 2016, the EU adopted three separate pieces of data protection related secondary legislation: Regulation (EU) 2016/679 (GDPR), Directive (EU) 2016/680 and Directive (EU) 2016/681.27 The last one will be discussed extensively, because this is the PNR Directive. However, the other two will also be briefly examined. Directive 2016/680 is of relevance because the PNR Directive has declared some of its provisions applicable to the PNR Directive as well. The GDPR is not strictly relevant for this thesis, because the GDPR and the PNR Directive do not overlap: for the processing of PNR data by the PIUs, the specific rules of the PNR Directive and of Directive 2016/680 are applicable and not the rules of the GDPR. Nevertheless, the GDPR is an important expression of EU data protection legislation in general and is therefore worth discussing briefly. Also, since the PNR Directive does not contain rules for the airline companies, the airline companies are obliged to apply the GDPR when they process PNR data before and when they send it to the PIUs.28

23 ibid 89; Hijmans (n 19) 66.

24 Joined cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-11063 para 52.

25 Hijmans (n 19) 55.

26 Lynskey (n 22) 94.

27 ‘EUR-Lex - L:2016:119:TOC - EN - EUR-Lex’ <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC> accessed 12 July 2018.

28 Tweede Kamer der Staten-Generaal, ‘Wet gebruik van passagiersgegevens voor de bestrijding van terroristische en ernstige misdrijven, Nota n.a.v. het (nader/tweede nader/enz.) verslag, Kamerstukken 34 861 nr. 6’ (11 April 2018) 16 <https://zoek.officielebekendmakingen.nl/dossier/34861/kst-34861-6?resultIndex=18&sorttype=1&sortorder=4> accessed 13 July 2018.

2.2.1 Regulation 2016/679 (GDPR)

Over the years, the data processing environment has changed widely and has therefore brought numerous new challenges. All different kinds of technologies, such as internet and mobile telephony, are used by third parties to gather data of their users.29 Hence it is no surprise that Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) – adopted 22 years ago in a totally different time of digital technology – needed an update.30 In 2016 this Directive was replaced with a new and broader data protection regulation: the GDPR.31 The GDPR ensures uniformity amongst Member States and precludes differences in the scope of data protection in the EU.32 With its very wide scope of application, many data protection duties and impending fines, the GDPR will highly affect numerous companies.33 Data protection obligations under the GDPR are binding upon all entities that process personal data for their activities, in both the public and the private sector.34 When companies do not comply with the GDPR, they can expect very high fines of up to 4% of their annual worldwide group turnover.35 Apart from the territorial scope and penalties, the most important changes made by the GDPR concern the rights of data subjects. For example, the scope of information that has to be provided to the data subject is broader, stricter requirements (such as clear language) relating to requesting the consent of the data subject have been added, the GDPR now contains the ‘right to be forgotten’ (the right to demand that data put on the internet will be erased), and data subjects have the right to receive their data from the controller in a structured format.36

29 Mariusz Krzysztofek, Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 (Wolters Kluwer 2017) 10.

30 ibid 11.

31 Paul Voigt and Axel von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide (Springer 2017) 2; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119, 4.5.2016 (General Data Protection Regulation) (GDPR).

32 Krzysztofek (n 29) 3; Christina Tikkinen-Piri, Anna Rohunen and Jouni Markkula, ‘EU General Data Protection Regulation: Changes and Implications for Personal Data Collecting Companies’ (2018) 34 Computer Law & Security Review 134, 134, 135.

33 Voigt and Bussche (n 31) 2.

34 Krzysztofek (n 29) 27.

35 Jesper Zerlang, ‘GDPR: A Milestone in Convergence for Cyber-Security and Compliance’ (2017) 2017 Network Security 8.

2.2.2 Directive 2016/680

In 2016 the EU legislator also adopted Directive 2016/680 for the criminal and justice sector. The new Directive for data protection in the police and justice sectors provides a harmonized legal framework to facilitate the free flow of personal data between competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties within the Union and the transfer of such personal data to third countries whilst ensuring personal data protection to a high extent.37 The GDPR regulates data protection in general, and this Directive regulates data protection in the police and justice sectors. It replaces Framework Decision 2008/977/JHA. One of the main differences between the GDPR and this Directive lies in the rights of information and access to personal data: if the rights provided for in the GDPR were exercised to the same full extent within the scope of criminal law, criminal investigations would no longer be possible.38 Therefore, special provisions concerning criminal law are necessary.

2.2.3 Directive 2016/681

A ‘Passenger Name Record’ is a computerized ‘record of each passenger’s travel requirements which contain all information necessary to enable reservations to be processed and controlled by the booking and participating airlines’.39 PNR data includes inter alia the name(s) of air passengers, information about payment or billing, e-mail addresses, telephone numbers, passport information, information concerning luggage, dates of intended travel and travel itinerary, frequent flyer information, groups of persons checked-in under the same reservation number, meal preferences, special health requirements, travel habits and relationships existing between air passengers.40

37 Costanza Di Francesco Maesa, ‘Balance between Security and Fundamental Rights Protection: An Analysis of the Directive 2016/680 for data protection in the police and justice sectors and the Directive 2016/681 on the use of passenger name record (PNR)’ (Eurojus.it, 2016) 2.

38 Di Francesco Maesa (n 37) 4.

39 Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection [2004] C(2004) 1914 para 4.

40 Mario Mendez, ‘Opinion 1/15: The Court of Justice Meets PNR Data (Again!)’ (European Papers

2.2.3.1 An historical insight in PNR data in the EU

The Commission introduced its first proposal for a Council Framework decision on the use of PNR data in 2007.41 The proposal incorporated only two vague articles regarding the protection of personal data: Member States had to set up PIUs to be responsible for the PNR data, and the collecting of data containing personal information such as religious beliefs and ethnic origin was not allowed.42 Furthermore, the PNR data would be retained for a period of 13 years in total.43 The proposal received much criticism from different parties, such as the EDPS and the Parliament.44 The EDPS, for example, cast doubts on the legal certainty of the proposal, since the risk assessment was to be performed without any uniform standards concerning the identification of suspects; the criteria against which passengers would be scanned were poorly defined.45 Furthermore, the EDPS doubted the necessity of an EU PNR system since there was no precise information in the proposal on the concrete results of such systems.46 Also, the proportionality test was not fulfilled.47 Accordingly, the Framework Decision was not adopted. The Commission came with a new proposal in February 2011: the EU PNR Directive.48 This time the Commission provided an extensive explanatory memorandum in which it explained the need for harmonization and stated that the proposal was in accordance with fundamental rights of the Charter.49 Although the Commission’s analysis was more elaborate than the one in the Framework Decision, the EDPS still did not find it convincing and stated that the content again did not meet the requirements of necessity and proportionality.50 In 2013, the LIBE Committee voted against the proposal.51

41 Tzanou (n 8) 155.

42 Lowe (n 7) 864.

43 Commission, ‘Proposal for a Council framework decision on the use of Passenger Name Record (PNR) for law enforcement purposes’ COM (2007) 654 final, art 9.

44 Tzanou (n 8) 156.

45 Opinion of the European Data Protection Supervisor on the draft Proposal for Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes 2008/C 110/01 para 23.

46 ibid 28.

47 ibid 30, 37.

48 Tzanou (n 8) 158; Commission, ‘Proposal for a Directive of the European Parliament and the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime’ COM (2011) 0032 Final.

49 COM (2011) 0032 Final (n 49) 8,9.

50 EDPS Opinion on PNR Directive 2011 (n 15) paras 10, 11.

51 Martine Marx, ‘The EP Committee Rejects the Proposal for an European Passenger Name Record System (PNR)’ (European Area of Freedom Security & Justice, 1 May 2013) <https://free-group.eu/2013/05/01/the-ep-committee-rejects-the-proposal-for-an-european-passanger-name-record-system-pnr/> accessed 27 May 2018 (as cited in Tzanou [n 8] 159).

After the Snowden revelations and numerous terrorist attacks in 2015,52 a new draft text for the EU PNR system was proposed by MEP Timothy Kirkhope. These attacks were arguably a reason for EU officials to take quick steps in establishing an EU PNR system, because in February 2016, Directive 2016/681 was approved by the EU institutions.53

2.2.3.2 Content of the 2016 PNR Directive

According to the fifth preamble, the objectives of the Directive are to ensure security, to protect the life and safety of persons and to create a legal framework for the protection of PNR data with regard to their processing by competent authorities.54 This is because effective use of PNR data is necessary to prevent, detect, investigate and prosecute terrorist offences and serious crime. Concerning data protection, the text of the preamble makes several claims to ensure full respect for fundamental rights.55

The definition of terrorist offences entails the same offences as provided for in Framework Decision 2002/475/JHA56. A list of ‘serious crimes’ can be found in Annex II of the Directive.57

The Directive is based on Articles 82(1)(d) and 87(2)(a) TFEU and regulates, as said before, the transfer of PNR data by air carriers of extra58- and optionally intra-EU flights59, as well as the processing, collection, use and retention of such data by the Member States and the exchange between the Member States60. Every Member State needs to establish a special authority that is responsible for the collection and exchange (to other Member States61 or to Europol62, or to third countries in certain circumstances on a case-by-case basis63) of the data, called the PIU.64 Each PIU must appoint a data protection officer who is responsible for implementing relevant safeguards.65 The Directive emphasizes that the assessment of passengers must be carried out in a non-discriminatory manner and that pre-determined criteria must be proportionate and specific. Also, these criteria may not be based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.66 Furthermore, the Directive obligates the Member States to ensure that air carriers use the ‘push method’ for transmitting PNR data.67 The ‘push method’ entails that air carriers transfer the required PNR data to the authority requesting them, with the result that air carriers retain control of what data is provided. This push method is considered to offer a higher level of data protection than its alternative, the ‘pull method’, which means competent authorities can access the air carrier’s reservation system themselves.68

52 W Gregory Voss, ‘After Google Spain and Charlie Hebdo: The Continuing Evolution of European Union Data Privacy Law in a Time of Change’ (Social Science Research Network 2016) SSRN Scholarly Paper ID 2711996 289 <https://papers.ssrn.com/abstract=2711996> accessed 21 January 2018.

53 Lowe (n 7) 573.

54 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [2016] OJ L119/132 (PNR Directive).

55 ibid see for instance preamble (22) and (36).

56 ibid Preamble (12); Council Framework Decision 2002/475/JHA on combatting terrorism, [2002] OJ L164/3.

57 PNR Directive (n 54) art 3(9).

58 ibid art 1(1)(a).

59 ibid art 2.

60 ibid art 1(1)(b).

61 ibid art 9.

62 ibid art 10.

63 ibid art 11.

64 ibid art 4.

Each Member State has to provide the Commission with a list of competent authorities that are entitled to request, receive or process the PNR data from the PIU.69

PNR data is to be retained in a database for a period of five years.70 However, after six months – apart from some exceptions71 – the PNR data will be depersonalized through masking out data elements that could identify the passenger to whom the PNR data relates, such as name, address, and payment information.72

The protection of personal data is established in article 13. First, concerning the right of access, rectification, restriction, and judicial redress, and the confidentiality and security of data processing, the Directive refers to the Articles of Framework Decision 2008/977 JHA (however, now Directive 2016/680 since it replaced the Framework Decision), which will apply.73 Second, if PIUs receive PNR data that reveals very personal facts as also established in article 6(4), this data must be deleted immediately.74 Third, Member States must ensure that the PIUs keep proper documentation of all processing systems and procedures under their responsibility.75 The records of consultation and disclosure have to show the purpose, date and time of the operations and the identity of the person who consulted or disclosed and received the PNR data.76 Fourth, Member States need to ensure that PIUs implement appropriate technical and organisational measures and procedures to ensure a high level of security appropriate to the risk of data processing.77 Fifth, if a personal data breach is likely to result in a high risk for the protection of the personal data or affect the privacy adversely, this breach must be communicated to the data subject and the national supervisory authority.78

65 ibid art 5(1).

66 ibid art 6(4).

67 ibid art 8(2).

68 ibid preamble (16).

69 ibid art 7(1), art 7(3).

70 ibid art 12(1).

71 ibid art 12(3).

72 ibid art 12(2).

73 ibid art 13(1), art 13(2), art 13(3).

74 ibid art 13(4).

75 ibid art 13(5).

76 ibid art 13(6).

Member States also need to provide that a national supervisory authority is responsible for advising and monitoring the provisions of the Directive. This national supervisory authority will also be the contact person for any questions or complaints of data subjects.79

Furthermore, all transfers of PNR data by air carriers to the PIUs shall be made by electronic means that provide sufficient guarantees of technical security measures and organisational measures about the processing to be carried out.80

Finally, the last articles of the Directive provide, amongst others, for the Commission adopting implementing measures81, penalties,82 transposition83, and review.84

2.3 Case law

Over the past years, the CJEU has often promoted the right to privacy in the context of digital surveillance for the purpose of national security and has ruled in several landmark judgements on whether or not the processing and collection of personal data is in compliance with articles 7 and 8 CFR. In this section two landmark cases and one opinion of the CJEU will be discussed to provide insight into how the CJEU deals with breaches of articles 7 and 8 CFR. These three ground-breaking rulings of the CJEU are of particular relevance for PNR data and the research question of this thesis: the DRI case is chosen because it raises the question whether the indiscriminate bulk data collection in PNR systems can pass the necessity and proportionality conditions as stressed in the case85, and the Schrems case will be discussed because it explains what rules apply to the transfer of PNR data to third countries. Finally, Opinion 1/15, already mentioned in Chapter 1, and its link with the PNR Directive will be examined. As will be seen, the CJEU relied extensively on its previous DRI and Schrems cases in this Opinion.

77 ibid art 13(7).

78 ibid art 13(8).

79 ibid art 15.

80 ibid art 16(1).

81 ibid art 16(2), art 16(3).

82 ibid art 14.

83 ibid art 18.

84 ibid art 19.

85 Irena Nesterova, ‘Crisis of Privacy and Sacrifice of Personal Data in the Name of National Security: The CJEU Rulings Strengthening EU Data Protection Standards’ (Social Science Research Network 2017) SSRN Scholarly Paper ID 2911999 12, 13 <https://papers.ssrn.com/abstract=2911999> accessed 21 January 2018.

2.3.1 Digital Rights Ireland case

In the Digital Rights Ireland case, a preliminary ruling was requested by the Irish High Court in order to challenge the validity of Directive 2006/24/EC about data retention. When assessing the question put before it, the Court first established whether the situation at hand fell within the scope of the fundamental rights of Articles 7 and 8 CFR: the retention ‘directly and specifically affects private life’ as protected by Article 7, and the data retention ‘constitutes the processing of personal data within the meaning of Article 8 and therefore necessarily has to satisfy the data protection requirements’.86 Second, it concluded that the obligation of retaining traffic and location data and making it possible for authorities to access these constituted a particularly serious breach of Articles 7 and 8 CFR.87 Third, it examined whether these breaches could be justified under Article 52(1) CFR. For both rights, the essence of the right was not adversely affected88, and retention of data for the purpose of allowing competent national authorities to access these data in order to fight against serious crime and international terrorism constituted an objective of general interest.89 Next, the CJEU tested the proportionality and concluded that the interference went beyond what is strictly necessary90 for several reasons: the Directive was too generalized since it covered all persons and all means of electronic communication and traffic data without any limitation91; the Directive did not lay down objective criteria by which access of the competent authorities to the data and their use for the purposes of the prevention of criminal prosecutions was limited, nor any criterion by which the number of persons authorized to access and use the data was limited92; the Directive did not set a timeframe for the retention of the data; the Directive did not ensure a high level of protection and security applied by the providers93 and lastly, since the Directive did not require the data to be retained in the European Union, Article 8(3) was not satisfied because it could not be held that the control by an independent authority of compliance with the requirements of protection and security was fully ensured.94

86 DRI Case (n 16) para 29.

87 ibid para 34-37.

88 ibid para 39, 40.

89 ibid para 41, 42.

90 ibid para 45.

91 ibid para 57.

92 ibid para 60-62.

93 ibid para 67.

2.3.2. Schrems case

In October 2015, the Court handed down its Schrems judgement, in which it largely relied on the previously mentioned DRI case.95 Mr. Schrems, an Austrian Facebook user, wanted to challenge the Safe Harbour96 agreement in response to the revelations of Edward Snowden, from which it appeared that the US National Security Agency obtained many data via American companies such as Facebook.97 When the case came before the CJEU, it considered the validity of the Safe Harbour Decision. First, the CJEU repeated its own rules from the DRI case: EU legislation involving an interference with articles 7 and 8 CFR must lay down clear and precise rules about the scope and application of the measure, must impose minimum safeguards and can only be applied in so far as it is strictly necessary.98 The Court then argued that the necessity criterion was not fulfilled because all the personal data of all the persons whose data had been transferred from the EU to the US was stored on a generalised basis, without differentiation or limitation, and without an objective criterion by which to determine the limits of the access. The Court eventually concluded that the Commission did not prove that the US ensures an adequate level of protection by reason of its domestic law or its international commitments and that the safe harbour principles were therefore – without any examination of the content thereof – invalid in the light of the CFR.99

2.3.3 Opinion 1/15

In July 2017 the Court gave its Opinion 1/15 about the compatibility of the draft EU-Canada PNR Agreement with the Treaty and the CFR.

Obviously, the Court came to the conclusion that the transfer and processing of PNR data interfere with the fundamental rights of articles 7 and 8 CFR. Therefore, article 52 CFR had to be examined.100

94 ibid para 68.

95 Nesterova (n 85) 6.

96 The Safe Harbour agreement was an agreement between the EU and the US government that promised to protect EU citizens’ data if it was transferred to the US by American companies.

97 OL van Daalen, ‘Het Schrems/Facebook-Arrest En de Gevolgen Voor Internationale Doorgifte’ (2016) 22 Nederlands tijdschrift voor Europees Recht 75, 76.

98 Schrems (n 17) paras 91, 92.

99 ibid para 97, 98.

When assessing article 52, the Court first made clear that the interferences are capable of being justified by an objective of general interest – fighting terrorism and serious transnational crime – and are not liable adversely to affect the essence of the fundamental rights.101 Also, the processing of PNR data was appropriate having regard to the objective of ensuring public security.102

The first time the agreement fell short was when the Court came to the necessity hurdle, because not every provision in the Agreement laid down clear and precise rules concerning the scope and application of the measures provided for.103 The agreement was not sufficiently precise as regards the transfer of the PNR data, because three of the headings – heading 5, 7 and 17 – were not sufficiently precise. For example, heading 5 uses the word ‘etc’, and therefore did not specify the scope of the data that can be transferred.104

The second deficiency concerned the processing of PNR data by automated means; since the analyses are carried out on unverified personal data and are based on pre-established models and criteria, they will present some significant margin of error. Therefore, a positive result obtained by an automated method had to be re-examined by non-automated means.105

Thirdly, the wording of the cases in which Canada can process PNR data under Article 3(5)(a) and (b) of the envisaged agreement was too vague and general.106

The fourth deficiency regarded the retention and use of PNR data after the air passenger’s departure from Canada. The Court concluded that continued storage of the PNR data of all passengers after their departure from Canada is not limited to what is strictly necessary where it concerns passengers for whom no risk has been identified on their arrival in Canada and up to their departure from that country.107

101 ibid paras 148-151.

102 ibid para 152.

103 Mendez (n 40) 809.

104 Opinion 1/15 (n 17) paras 156-163.

105 ibid paras 169-173.

106 ibid para 181.

107 ibid paras 204-211.

Fifthly, the disclosure of the data to government authorities and individuals was not acceptable. The Court recalled that transferring personal data from the EU to a non-member country may only take place if that country ensures a level of protection of fundamental rights and freedoms that is equivalent to that guaranteed within the EU.108

The sixth deficiency concerned the fact that passengers are not notified when their PNR data has been used and retained or even disclosed to other government authorities or individuals.109

Although the Court also emphasized some strong points of the envisaged agreement, it concluded that the envisaged agreement is incompatible with articles 7, 8 and 52(1) of the CFR. Among commentators, the Court is on the one hand praised for upholding privacy and data protection standards so seriously despite the threat of terrorism and serious crime,110 while on the other hand it is criticised because it might not have gone far enough with this Opinion.111 Others, however, argue that the Court stepped into the EU legislator’s shoes and therefore acted too much as a policy maker instead of a judge.112

2.3.3.4. The PNR Directive in the light of Opinion 1/15

The fact that the Opinion will necessarily have some implications for other already existing legislative acts is beyond doubt.113 It is therefore to be considered what ramifications this Opinion has for the EU’s own PNR regime.114 When assessing the PNR Directive in the light of Opinion 1/15, one can easily find some shortcomings: first, the PNR data headings do not comply with the standard of clarity and precision as identified by the Court. For example, heading 5 on ‘address and contact information’ raises the question whether the contact information is only that relating to passengers or also to third persons.115 Also heading 12 on ‘general remarks’ poses problems, because the heading contains the word ‘including’, which highlights that it is not exhaustive.116 Second, the retention regime of data transmitted to the PIUs could be a problem, because Opinion 1/15 indicates that PNR data relating to air passengers landing in the EU should not be stored for a longer period of time than their stay in the EU. Additionally, retention of PNR data of passengers flying outside the EU should be limited to cases in which the automated treatment gave a positive match. A connection between the retention of the data and the stay of passengers is completely absent in the EU PNR Directive.117 Third, the list of serious crime is probably not sufficiently clear and precise. Fourth, the criteria on which transfer to third countries is possible might not provide enough safeguards and fifth, the right of passengers to be informed when their PNR data is transferred is probably not sufficient in the PNR Directive.118

108 ibid paras 112-115.

109 ibid paras 221-225.

110 Mendez (n 40) 812.

111 ibid 813.

112 Carpanelli and Lazzerini (n 9) 288.

113 Opinion 1/15 of the Court (grand Chamber) [2017] Digital reports, Opinion of AG Mengozzi (Opinion 1/15 AG Mengozzi) para 4.

114 Mendez (n 40) 817.

115 Carpanelli and Lazzerini (n 9) 393.

116 ibid 394.

117 ibid.


Chapter 3: the national implementations of the PNR Directive

At the time of writing119, fourteen Member States have transposed the PNR Directive into their national law.120 In this Chapter, the implementations of the Netherlands, Belgium and the United Kingdom will be analysed.

As explained in Chapter 1, the analysis will focus on articles 11 and 13 of the PNR Directive: the protection of personal data and the transfer of data to third countries. Some paragraphs of articles will be taken together as one element because they provide a similar rule.121 Furthermore, the assessment of article 13(4) will also look at the implementation of article 6(4) of the PNR Directive, because both provide rules about sensitive data. Table 1 below provides an overview of the most important elements of the two articles. These separate elements will be focused on when examining the implementations of the Netherlands, Belgium and the United Kingdom.

119 17 July 2018

120 ‘EUR-Lex - 32016L0681 - EN - EUR-Lex’ <https://eur-lex.europa.eu/legal-content/EN/NIM/?uri=CELEX:32016L0681> accessed 4 June 2018.

121 Member States have done the same in their national implementations. See for instance article 17 of the Dutch

3.1 Implementation of the Netherlands

The Dutch minister of Safety & Justice submitted a legislative proposal in order to implement the PNR Directive to the Dutch House of Representatives on the 8th of January 2018, in this thesis referred to as ‘Wet Passagiersgegevens’.122 Even though the implementation deadline has already passed123, the ‘Wet Passagiersgegevens’ has still not entered into force, since it has not yet passed both the Chambers of Representatives of the Netherlands.124 For the assessment of the legislative proposal, the most recent text of the proposal will be used, which is the one of 11 April 2018 called ‘24861, bijgewerkt t/m nr. 7 (NvW d.d. 11 april 2018)’.

The Raad van State handed down its advice on the Wet Passagiersgegevens on 13 October 2017.125 In the advice, first, reference is made to the binding advice of the CJEU in Opinion 1/15. The Raad van State argued that the PNR Directive and the Dutch legislative proposal contain provisions similar to those of the EU-Canada PNR Agreement.126 It therefore stated that the implications of Opinion 1/15 on the one hand, and the obligation of transposing Directive 2016/681 into national law on the other, put the Dutch government in a difficult situation. It therefore strongly advised the government to explain how the implementation of the PNR Directive relates to the obligation of respecting the fundamental rights of the CFR. Furthermore, the Authority for Personal Data gave its advice on the Wet Passagiersgegevens.127 Amongst other things, it also asked the Dutch government how it took into account the possibility that Opinion 1/15 will ultimately have the result that the Wet Passagiersgegevens cannot be maintained.128 Also, all the biggest political parties of the Netherlands (VVD129, CDA130, GroenLinks131, D66132, ChristenUnie133) have extensively voiced their concerns about the potential incompatibility of the PNR Directive due to Opinion 1/15 and asked the Dutch government questions about how the Dutch implementation respects the fundamental rights of the CFR and whether the implementation can be changed in order to adjust it to Opinion 1/15. Despite the concerns of both the advisory boards and the political parties about the compatibility of the PNR Directive with the CFR, the Dutch government has clearly declared that it does not find it necessary to address the concerns resulting from Opinion 1/15, because this Opinion did not change anything about the obligation of the government to transpose the PNR Directive into national law. Although the Government realizes that in the future – perhaps via a preliminary reference procedure – the CJEU might take a position on the PNR Directive, this is not yet the situation.134 135 Furthermore, it states that, in implementing the PNR Directive, it cannot depart from the content of the Directive because otherwise the purpose of the Directive will not be realized and the cooperation with other Member States will be jeopardized, because deficiencies and differences in the legal frameworks of different Member States will arise.136

122 Regels ter implementatie van richtlijn (EU) 2016/681 van het Europees Parlement en de Raad van 27 april 2016 over het gebruik van persoonsgegevens van passagiers (PNR-gegevens) voor het voorkomen, opsporen, onderzoeken en vervolgen van terroristische misdrijven en ernstige criminaliteit (PbEU 2016, L 119) (Wet gebruik van passagiersgegevens voor de bestrijding van terroristische en ernstige misdrijven) (Wet Passagiersgegevens)[2018].

123 At the time of writing it is 17 July 2018.

124 Ministerie van Justitie en Veiligheid, ‘Wet gebruik van passagiersgegevens voor de bestrijding van terroristische en ernstige misdrijven’ (10 July 2017) <https://wetgevingskalender.overheid.nl/Regeling/WGK007488> accessed 8 May 2018.

125 Ministerie van Justitie en Veiligheid (n 12).

126 ibid 1.

127 Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, ‘Wet bescherming persoonsgegevens’ art 51(2). Before 25 May 2018, this authority had to be asked to give advice on legislative proposals that concern the processing of personal data. <http://wetten.overheid.nl/BWBR0011468/2018-05-01> accessed 6 June 2018.

128 Tweede Kamer der Staten-Generaal, ‘Wet Gebruik van Passagiersgegevens Voor de Bestrijding van Terroristische En Ernstige Misdrijven, Memorie van Toelichting, Kamerstukken 34 861 Nr. 3’ 34 <https://zoek.officielebekendmakingen.nl/dossier/34861/kst-34861-3?resultIndex=23&sorttype=1&sortorder=4> accessed 19 July 2018.

129 Staten-Generaal, ‘Wet gebruik van passagiersgegevens voor de bestrijding van terroristische en ernstige misdrijven, Nota n.a.v. het (nader/tweede nader/enz.) verslag, Kamerstukken 34 861 nr. 6’ (n 28) question 20, 21.

3.1.1. The right of access, rectification, erasure, restriction, compensation and judicial redress

Article 17 makes several articles of the Dutch ‘law of police records’ applicable to the PNR implementation. In order to implement article 13(1) of the PNR Directive, the Wet Passagiersgegevens refers to articles 25-31 of the law of police records137, in which the right of access138, rectification, erasure and restriction139 and compensations and judicial redress140 of the data subject are established.

131 ibid question 27.

132 ibid question 24, 25, 26.

133 ibid question 28, 29.

134 Memorie van Toelichting Kamerstukken 34 861 [2018] Memorie van Toelichting of Wet Passagiersgegevens 34, 38.

135 Staten-Generaal, ‘Kamerstukken 34 861 Nr. 3’ (n 128) 34, 38.

136 Staten-Generaal, ‘Wet gebruik van passagiersgegevens voor de bestrijding van terroristische en ernstige misdrijven, Nota n.a.v. het (nader/tweede nader/enz.) verslag, Kamerstukken 34 861 nr. 6’ (n 28) 21.

137 ‘Wet politiegegevens’ <http://wetten.overheid.nl/BWBR0022463/2018-05-01> accessed 3 June 2018.

138 ibid art 25.

139 ibid art 28.

140 ibid art. 29.

3.1.2. Sensitive data

According to article 7, the criteria that are used for the assessment of passengers prior to their arrival must be determined by the PIU and in accordance with the competent authorities and must be regularly reviewed.141 Furthermore, the criteria must be targeted, proportionate and specific.142 Additionally, they may not be based on religion, race or ethnic origin, political conviction, health, sexual life or sexual orientation or trade union membership.143 The last paragraph of this article adds that further general administrative orders can determine how the criteria will be drawn up and changed and which guarantees have to apply. Also, concerning the processing of data, the PIU has to delete any data concerning religion, race or ethnic origin, political conviction, health, sexual life or sexual orientation or trade union membership immediately upon receipt.144

3.1.3. Documentation

Articles 22 and 23 almost literally implement article 13(5) and 13(6) of the PNR Directive. A written register will be kept with the names and contact details of the PIU employees, the names and contact details of the competent authorities, the authorizations for data access that are awarded and all the requests for PNR data that are received.145 Furthermore, automatic logging of the collection, consultation, disclosure and erasure of PNR data will take place and this logging must contain at least information about the aim, the date, the time and the identity of the person who processed or received the data.146 The record will be kept for a period of 5 years and can only be used for specific aims: for controlling the lawfulness of the processing, for self-monitoring, for ensuring integrity and data security, and for criminal proceedings.147 The latter slightly differs from the PNR Directive, because the PNR Directive uses the word ‘auditing’ and the Wet Passagiersgegevens uses ‘criminal proceedings’.

3.1.4. Appropriate technical and organizational measures and procedures

The high level of security appropriate to the risk represented by the processing and the nature of PNR data is established in Article 17, with reference to the Dutch law on police records. According to article 4(3) of this law, sufficient and appropriate technical and organizational measures to ensure the safety of the data will be established. For example, this article guarantees that measures against unauthorized access or unauthorized processing have to be established.148

141 Wet Passagiersgegevens (n 122) art 7(1).

142 ibid art 7(2).

143 ibid art 7(3).

144 ibid art 19.

145 ibid art 22(1), art 22(2).

146 ibid art 23(1), art 23(3).

147 ibid art 23(3).

3.1.5. Communication to the data subject and national supervisory authority

The one responsible for the processing of PNR data must immediately inform the data subject and the Authority for Personal Data when the safety measures are breached, unless it is not likely that the breach will be a risk for the rights and freedoms of persons.149

3.1.6. Transfer to third countries

Criteria for the exchange of PNR data to third countries are established in Article 13. Exchange to third countries can only take place if it is necessary for the purposes of the proposal150; if the third country agrees to send the data on to another third country only if this is strictly necessary and if authorization for that transfer is given151; if the request is duly motivated152; if the authority of the third country that will receive the data is responsible for police tasks and can guarantee a sufficient level of data protection153; and if the criteria about the processing of data by third countries, which will be drawn up in a separate general administrative act, are fulfilled.154 PNR data can only be transferred without prior consent if it is of essential importance to respond to a specific and actual threat relating to terrorist offences or serious crime and if it was not possible to receive prior consent in time.155 Also, if the latter happens, the authority that is responsible for giving consent must be informed, and the transfer must be recorded and verified afterwards.156 Finally, the data protection officer must be informed about any transfer that took place to a third country.157 Basically, this article is a literal implementation of article 11 of the PNR Directive.

148 ‘Wet politiegegevens’ (n 137) art 3(2).

149 Wet Passagiersgegevens (n 122) art 21.

150 ibid art 13(1)(a).

151 ibid art 13(1)(b).

152 ibid art 13(1)(c), art 10(3).

153 ibid art 13(1)(d) which refers to the Dutch ‘Wet politiegegevens’; ‘Wet politiegegevens’ (n 137).

154 Wet Passagiersgegevens (n 122) art 13(1)(e).

155 ibid art 13(2).

156 ibid art 13(3).

157 ibid art 13(4).

3.2 Implementation of Belgium

On the 4th of October 2016, the Belgian government introduced its ‘Wetsontwerp betreffende de verwerking van passagiersgegevens’.158 On the 22nd of December 2016 the Belgian House of Representatives voted in favour of the law; the law was therefore published on the 25th of January 2017. In between the time of the first proposal and the finally adopted law, the text has been subject to several amendments, the opinion of the ‘Raad van State’159 and the opinion of the ‘Committee for the protection of private life’ (hereafter: Privacy Committee)160. The ultimate version is used for the assessment of this thesis.161 At the time of writing162, it is not yet determined when the law will go into force.163

The Privacy Committee was a bit critical in its first advice about the legislative proposal.164 In this advice, it paid attention to the meaning of Article 8 ECHR and referred to case law of the Belgian Supreme Court, the ECtHR and the CJEU. The Privacy Committee asked the Belgian Government to specify which databases exactly will be used.165 Concerning the scope of the legislative proposal, the Privacy Committee referred to the DRI case in order to emphasize the importance of the necessity principle.166 Finally, it determined that the Government should provide more insight into how the retention period of five years was decided.167 In its second advice it did not really provide an in-depth analysis again and probably found that the proposal had improved, because it gave a positive advice for the definitive act.168

158 Belgische Kamer van volksvertegenwoordigers, Wetsontwerp betreffende de verwerking van

passagiersgegevens [2016] Doc 54 2069/001; ‘De Belgische Kamer van Volksvertegenwoordigers’

<http://www.dekamer.be/kvvcr/showpage.cfm?section=flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm ?dossierID=2069&legislat=54&inst=K> accessed 28 May 2018.

159 The Belgium Raad van State is both an advisory and judicial board. The board is authorized to suspend and

annul administrative regulations, to advise the government about legislation and also has the role of the Supreme Court. ‘Bevoegdheden - Over de Instelling - Raad van State’

<http://www.raadvanstate.be/?page=about_competent&lang=nl> accessed 30 May 2018.

160 Before the 25th of May 2018, this Committee was authorised to ensure that personal data was processed in compliance with the legislative act on the protection of private life. Since the GDPR entered into force, this Committee has been replaced by the ‘Gegevensbeschermingsautoriteit’. ‘Privacy (Verwerking van Persoonsgegevens) En Openbaarheid van Bestuur | Vlaanderen Intern’ <https://overheid.vlaanderen.be/privacy-verwerking-van-persoonsgegevens-en-openbaarheid-van-bestuur> accessed 30 May 2018; ‘Privacycommission.be’ (Data Protection Authority) <https://www.privacycommission.be> accessed 30 May 2018.

161 Belgische Kamer van volksvertegenwoordigers, Wetsontwerp betreffende de verwerking van passagiersgegevens [2016] Doc 54 2069/012 12.

162 17 July 2018.

163 ‘LOI - WET’ <http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&table_name=wet&cn=2016122543> accessed 28 May 2018. See: ‘Inwerkingtreding: onbepaald’.

164 Commissie voor de Bescherming van de Persoonlijke Levenssfeer, Advies nr. 55/2015 2015.

165 ibid 19.

166 ibid 22.

167 ibid 32.


The Raad van State only gave a very precise and textual advice about how the provisions in the Wetsontwerp should be formulated and will therefore not be discussed. Furthermore, as already assessed in Chapter 1, during the negotiations of the implementation, members of the Belgian Green and Socialist Parties did touch upon the probable incompatibility of the PNR Directive with fundamental rights.169

The Belgian government did not mention this probable incompatibility of the PNR Directive explicitly but emphasized that the Belgian proposal considers more data protection guarantees than the actual PNR Directive.

3.2.1. The right of access, rectification, erasure, restriction, compensation and judicial redress

Article 15, third paragraph, refers to articles of the Belgian law for the protection of private life, in which these rights are established.170

3.2.2. Sensitive data

Article 10 states that the PNR data may not concern a person’s race/ethnic origin, religion or philosophical belief, political opinions, trade union membership, health, sexual life or sexual orientation. Furthermore, article 25, paragraphs 2 and 3, establishes that for the assessment of passengers prior to their scheduled arrival, the criteria can be based neither on these elements nor on the identification of an individual. Also, these criteria need to be targeted, proportionate and specific. However, it seems that the Belgian Wetsontwerp did not implement one specific part of article 6(4) of the PNR Directive, since it does not establish that the criteria must be regularly reviewed by the PIU.171

3.2.3. Documentation

According to article 23, the PIU will make sure that records are kept of all procedures for which the PIU is authorized.172 All the names and contact details of the PIU and its employees will be documented.

169 Wetsontwerp passagiersgegevens nr. 003 (n 11) 17, 20.

170 Wetsontwerp passagiersgegevens nr. 012 (n 161) art 13(5).

171 ibid art 25.
