Here’s one flight delay that European Union citizens might appreciate: The European Parliament has grounded an agreement that would have sent more passenger data winging its way to Canadian law enforcers. And like other flight delays, it could have huge repercussions—in this case for similar data exchange deals with the U.S. and Australia.
Members of the European Parliament voted 383 to 271 to refer the Canadian flight data deal to the Court of Justice of the European Union (CJEU) for an opinion on whether it is in line with data protection rules enshrined in EU treaties and the EU’s Charter of Fundamental Rights.
Canada and the EU are in the process of renegotiating a 2006 deal to exchange so-called passenger name record (PNR) data for the purposes of fighting terrorism and serious crime. This includes information provided by passengers when they book or check in for flights, and data collected by airlines for commercial purposes. It consists of about 60 elements, including itineraries, ticket references, contact details, travel dates, means of payment used, seat numbers and baggage information.
The EU Council of Ministers signed the revised deal with Canada in June, but it still needs the European Parliament’s approval before it can enter into force.
Parliament is concerned that building such a database to retain and share passengers’ personal data could be illegal in the light of a ruling by the CJEU in May. That judgment invalidated EU laws requiring communications providers to retain metadata—in much the same way as flight data would be retained under the PNR agreement—because the laws interfered with fundamental privacy rights.
Privacy groups welcomed the Parliament’s decision Tuesday, and said that the CJEU ruling could have a big impact on similar deals.
The vote might also have consequences for the EU’s existing PNR sharing deals with the U.S. and Australia, said Alexander Sander, managing director of German digital rights group Digitale Gesellschaft, welcoming the decision.
“If the court rules this is not in line with EU fundamental rights they would first of all have to stop the already existing agreements with the U.S. and Australia,” he said.
It doesn’t stop there though. The court ruling could also affect the EU-U.S. Terrorist Finance Tracking Program (TFTP) Agreement under which some data from the SWIFT international bank messaging system is transmitted to U.S. authorities, again to fight terrorism. “That deal is really similar to the PNR agreement, and I’m really sure that we have to rethink it as well,” if the CJEU’s opinion on the deal is in line with the April data retention ruling, Sander said.
Joe McNamee, executive director of European digital rights group EDRi was also delighted by the Parliament’s decision.
“We oppose all data storage and exchange schemes whose necessity and proportionality have not been demonstrated—as is the case for all of the PNR agreements imposed so far,” he said, adding that he hoped that the referral will mean that the “because... terrorism” argument won’t be accepted in the future.
Sophie in ‘t Veld, the liberal MEP who called for the referral of the EU-Canada PNR deal, also welcomed the outcome of the vote. A ruling from the CJEU could provide legal certainty for EU citizens and air carriers—not just with regard to the EU-Canada agreement but also as a bench mark for future agreements with other countries which involve the mass collection of European citizens’ personal data, she said.
“Russia, Mexico and Korea and other countries with lower data protection rules are collecting passenger flight information and might want to negotiate their own agreements soon. It should be clear that any agreements, present or future, must be compatible with the European treaties and fundamental rights and must not be used as a means to lower European data protection standards via the back door,” she said.