When Data Crosses the External Border: Data Sharing with Non-EU Third Countries

The Failed PNR Agreement with Canada and the Court of Justice’s Requirements Regarding the Transfer of Passenger Data

The evolution of data and progressive globalization have imposed a need to strengthen the instruments for cooperation between national data authorities covering the original European framework.^[1] A flight data transfer agreement was signed in 2006 with the US, which involved sharing information on 34 distinct data types of passengers travelling from Europe with a stopover or final destination in a US airport; the agreement allowed the storage of such data for over five years. The details of the agreement attracted criticism, leading to a review in 2012 which resulted in a reduction of shared data types to 19. A passenger data sharing agreement with Australia has also been in place since 2012.

Canada and the EU negotiated a similar agreement in 2010 on the processing and sharing of passenger name registration data (referred to henceforth as the Agreement). After signing the Agreement in 2014, the European Parliament requested an opinion from the Court of Justice of the European Union (CJEU) to determine whether it was in accordance with EU law. The response of the CJEU was laid out in its judgment of 26 July 2017, where it declared that this system of data sharing required an ‘interference in the fundamental right to respect for private life’ and ‘the protection of personal data’. The Court acknowledged that such interference with rights may be justified ‘for the purpose of public interest’, but qualified this with the criticism that the provisions of the Agreement ‘are not limited to what is strictly necessary and do not establish clear and precise rules’. In particular, there were not sufficient guarantees regarding “sensitive” data, that is, those revealing information about ‘racial or ethnic origin, political opinions, religious or philosophical convictions, membership of organizations or individual health or sexuality’.

Furthermore, the judges were of the opinion that, with regard to data storage by the Canadian authorities, such storage was not justified once the individual had left the country.

The judgment stated that the Agreement should also review the ‘clarity and precision’ of the data to be shared, and ensure that the ‘models and criteria’ used are ‘specific, reliable and non-discriminatory’ and that the data used by Canada are limited to the prevention of terrorism and serious international crimes. The Court also requested that Canada should only be able to communicate this information to a third country that is not a member of the EU if the latter country has an established agreement with the EU. It stated that Canada ought also to establish “passenger rights” in case authorities flout these regulations. Given the above, the judges of the CJEU found that ‘the Agreement cannot be concluded in its current form’.

• [1] Artemi Rallo Lombarte (n. 10) 747. 2 Council Decision 2012/472/EU of 26 April 2012 on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland and Security.