Skip to content

EU Court of Justice limits air transport surveillance to ‘strictly necessary’ –

The Court of Justice of the European Union ruled on Tuesday 21 June that the EU Directive on Passenger Name Record (PNR) data must be limited to be compatible with fundamental rights.

The PNR Directive was adopted in 2016, introducing a mechanism by which airlines must hand over to national authorities the data of all passengers entering or leaving the European Union for the purpose of preventing, detecting or investigating terrorist activities and serious crimes.

The directive allows member states to extend the same screening procedures to flights from other EU countries, provided they notify the European Commission. All EU countries except Austria and Ireland have notified the Commission of their intention to do so.

In Belgium, the transposition of the directive into national law was challenged by the Human Rights League, which brought an action for annulment before the Belgian Constitutional Court in July 2017. The NGO accused the legislation of putting in place surveillance generalized which undermines fundamental rights to privacy and data protection.

Furthermore, the civil society organization disputed that the directive also goes against the free movement of persons, one of the fundamental principles of the EU, considering that the collection and processing of data personnel on intra-EU flights effectively restored border controls.

Having doubts on how to interpret the implementation of EU legislation with certain key principles of EU law, the Belgian court referred the case to the Court of Justice of the EU, thus leading to this historic stop.

Limited to “strictly necessary”

In its verdict, the Court of Justice of the EU did not go so far as to repeal the entire legislation, as the Belgian NGO wanted, but it recognized that the directive seriously undermined the rights to the privacy and data protection, as it introduced a continuous, non-targeted and systemic surveillance mechanism.

The judges therefore specified that, as far as possible, Community law must be interpreted in such a way as not to affect the validity of primary law, in this case the Charter of Fundamental Rights of the European Union.

In other words, the Court interpreted the power conferred by the Directive on public authorities in a restrictive manner, ordering that these data processing and retention practices be limited to what is strictly necessary to combat terrorism and great crime.

“While the Court refrained from invalidating the directive outright, it imposed many detailed and demanding conditions and restrictions on the use of PNR data and above all on the use of data for profiling purposes”said Douwe Korff, Emeritus Professor of International Law at London Metropolitan University.

Mr Korff interpreted the ruling as having wider implications for future EU legislation, pointing out that “Rather than expand widespread data trawling, mining and profiling, as the EU wants to do through Europol, these invasive measures should be abandoned. »

In practice, the judgment finds that the information that public authorities can use is limited to that which is not explicitly covered by the directive and that the monitoring of passenger data can only take place if there is an objective link between terrorist activity or serious crime and one of the passengers on the plane.

Similarly, the extension of screening to intra-Community flights must also be limited to an existing or foreseeable terrorist threat, a decision which must be reviewed by a court or an independent national administrative body.

In the absence of an immediate threat, the Member State may only monitor certain routes, modes of travel or airports, provided that this is duly justified.

Human control and data retention

The judgment also orders that the automated systems used to identify suspicious persons be based on objective and non-discriminatory criteria. A human review should then compare the reported persons to the list of wanted or reported persons.

The decision also points out that automated systems cannot use machine learning techniques, because “Given the opacity that characterizes the way AI technologies work, it might be impossible to understand why any given program achieved a positive match. »

“In these months when the European institutions are working on the AI ​​law, the Court has underlined the importance of not using machine learning systems which can modify the methods of verifying potential suspects without human supervision. The Court thus also intends to avert the risk of automated mass surveillance.said Vincenzo Tiani, a partner at law firm Panetta.

In addition, the EU court established that the passenger data collected in this way cannot be used for any other purpose than those provided for by the directive and that the data of passengers who have not shown suspicious signs must be removed after six months.

“All EU member states will now have to limit their use of PNR data due to its intrusiveness. They must implement this judgment quickly and stop ignoring the decisions of the Court, in particular in the field of data retention”said Estelle Massé, head of European legislation at Access Now.

Leave a Reply

Your email address will not be published.