European Union countries can longer force airlines to hand over reams of passenger data — at least for flights within the 27-member bloc, according to an EU top court ruling on Tuesday.
The Court of Justice of the EU (CJEU) said requirements for airlines to shuttle passenger data to national authorities interfere with privacy rights. Judges stopped short of striking down the data-collection framework entirely.
The ruling on the Passenger Name Record Directive, or PNR, represents a bittersweet outcome for privacy activists who for years have campaigned against the framework, which was set up in the wake of the 9/11 attacks and subsequent terror incidents in Madrid and London.
“Considering the impact that the EU PNR Directive has on fundamental rights — as confirmed by the court — the law should have been invalidated,” said Estelle Massé, privacy lead for the digital rights NGO Access Now.
The ruling said that EU countries could only mandate data transfers for intra-EU travel if there is a “genuine and present or foreseeable terrorist threat.”
Luxembourg-based judges added that the PNR Directive “entails undeniably serious interferences” with EU privacy and data protection rights, but stopped short of striking down the rulebook entirely.
The judgment from Court of Justice of the European Union comes after campaign group Ligue des droits humains in 2017 filed legal action accusing Belgium’s transposition of the PNR Directive of violating EU privacy rights.
“The court concludes that the transfer, processing and retention of PNR data provided for by that directive may be regarded as being limited to what is strictly necessary for the purposes of combating terrorist offences and serious crime, provided that the powers provided for by that directive are interpreted restrictively,” a press release on the ruling said.
But the judgment did leave the door open for national capitals to interpret the criteria it set down and maintain the obligations on airlines, at least in part.
France, for instance, has previously legitimized other surveillance measures by suggesting its threat of being hit by terrorism is near-constant. It’s not inconceivable that EU states could use similar reasoning to keep their PNR regimes intact. “Never underestimate the creativity of governments to bypass the CJEU requirements,” said Chloé Berthélémy of digital rights outfit EDRi.
The ruling does offer privacy campaigners some red meat elsewhere, however.
Countries can no longer hang on to data for five years, for instance, unless it’s related to a suspect. Otherwise, data must be deleted after six months.
It’s also put a dampener on countries expanding PNR obligations beyond air travel, as many countries are keen to do for passengers using coaches, boats and trains.
By explicitly targeting its general ban on PNR data transfers for “intra-EU flights and transport operations carried out by other means within the European Union” the court seems to have preempted efforts to expand the scope of the framework across the 27-member bloc.
“This [ruling] could torpedo the ambitions of certain governments to expand PNR systems to buses and trains because it is not worth it,” said Berthélémy.
This article is part of POLITICO Pro
The one-stop-shop solution for policy professionals fusing the depth of POLITICO journalism with the power of technology
Exclusive, breaking scoops and insights
Customized policy intelligence platform
A high-level public affairs network