Published online by Cambridge University Press: 04 July 2018
Full Professor of Comparative Public Law at Bocconi University of Milan.
1 For a recent analysis, Cole, D. et al. (eds.), Surveillance, Privacy and Transatlantic Relations (Hart Publishing 2017)Google Scholar and Tzanou, M., The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Hart Publishing 2017) p. 107 Google Scholar.
2 In reference to both Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ 2006, L 105/54 (Data Retention Directive, held invalid by the Court) and the recent Directive (EU) 2016/681 of the Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ 2016, L 119/132.
3 On the EU’s attitude towards security, Carrera, S. and Mitsilegas, V. (eds.), Effectiveness, Rule of Law and Rights in Countering Terrorism and Crime (CEPS 2017)Google Scholar; for a comparative overview of security measures enacted by Member States after 9/11, Vedaschi, A., À la guerre comme à la guerre? La disciplina della guerra nel diritto costituzionale comparato (Giappichelli 2007) p. 526 Google Scholar.
4 This attitude was opposed by the ECJ in the so-called Kadi saga. See further Gearty, C., ‘In Praise of Awkwardness: Kadi in the CJEU’, 10 EuConst (2014) p. 15 Google Scholar.
5 ECJ 8 April 2014, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others. See Vedaschi, A. and Lubello, V., ‘Data Retention and Its Implications for the Fundamental Right to Privacy: A European Perspective’, 20 Tilburg Law Review (2015) p. 14 CrossRefGoogle Scholar; Linskey, O., ‘The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland ’, 51 Common Market Law Review (2014) p. 1789 Google Scholar.
6 Directive 2006/24/EC, supra n. 2.
7 ECJ 6 October 2015, Case C-362/14, Maximillian Schrems v Data Protection Commissioner. See Azoulai, L. and Van der Sluis, M., ‘Institutionalizing personal data protection in times of global institutional distrust’, 53 Common Market Law Review (2016) p. 1343 Google Scholar and Ojanen, T., ‘Making the Essence of Fundamental Rights Real: The Court of Justice of the European Union Clarifies the Structure of Fundamental Rights under the Charter’, 12 EuConst (2016) p. 318 Google Scholar.
8 ECJ 21 December 2016, Case C-203/15, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others.
9 The equivalent of the Passenger Name Record regime with regard to the transfer of financial data is the Terrorist Finance Tracking Programme. This Agreement between the EU and the US came into force in 2010 and concerns the transfer and processing of data for purposes of identifying, tracking and pursuing terrorists and their networks. See Murphy, C.C., EU Counter-Terrorism Law (Hart Publishing 2015) p. 151 Google Scholar.
10 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995, L 281/31.
11 Schrems, supra n. 7. See Epstein, R.A., ‘The ECJ’s Fatal Imbalance: Its Cavalier Treatment of National Security Issues Poses Serious Risk to Public Safety and Sounds Commercial Practices’, 12 EuConst (2016) p. 330 Google Scholar at p. 334, discussing the Court of Justice’s equation between ‘adequate protection’ and ‘essential equivalence’.
12 US Aviation and Transportation Security Act 2001, Pub L 107-71. It is also worth noting that the US restrictive approach towards privacy depends on the fact that, in such areas, privacy is traditionally considered to be a relative right which can be limited by many competing interests. On the US attitude towards privacy and data protection, Price, M.W., ‘Rethinking Privacy: Fourth Amendment Papers and the “Third-Party” Doctrine’, 8 Journal of National Security Law and Policy (2016) p. 247 Google Scholar.
13 The main federal law enforcement agency, whose tasks include the protection of borders from entry by terrorists and criminals in general.
14 Council Decision 2004/496/CE of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, OJ 2004, L 183/84.
15 On the controversial aspects of this system, see Siemen, B., ‘The EU-US Agreement on Passenger Name Records and EC Law: Data Protection Competences and Human Rights Issues in International Agreement of the Community’, 47 German Yearbook of International Law (2005) p. 629 Google Scholar. More widely on previous Passenger Name Record agreements, Papakostantinou, V. and De Hert, P. , ‘PNR Agreement and Transatlantic Antiterrorism Co-Operation: No Firm Human Rights Framework on Either Side of the Atlantic’, 46 Common Market Law Review (2009) p. 885 Google Scholar.
16 According to former Art. 230 of the Treaty on the European Community (current Art. 236 TFEU).
17 ECJ 30 May 2006, Joined Cases C-317/04 and C-318/04, European Parliament v Council of the European Union and Commission of the European Community. For an analysis of this decision, see Gilmore, G. and Rijpma, J., ‘Joined Cases C-317/04 and C-318/04, European Parliament v Council and Commission, Judgment of the Grand Chamber of 30 May 2006  ECR-I04721’, 44 Common Market Law Review (2007) p. 1081 Google Scholar.
18 Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS). This Agreement had been preceded by an interim version, in which many rights-related concerns could be found. See the Agreement between the European Union and the United States on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security  OJ 2007, L 204/16,
19 Letter from Peter Hustinx, European Data Protection Supervisor, to Wolfgang Schäuble, Minister for the Interior (27 June 2007), <www.statewatch.org/news/2007/jun/eu-us-pnr-hustinx-letter.pdf>, visited 19 March 2018.
20 European Parliament Legislative Resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada P7 TA(2010)0144.
21 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ 2012, L 215/5.
22 For an overview of the contents and critical aspects of this agreement, see A. Vedaschi and G. Marino Noberasco, ‘From DRD to PNR: Looking for a New Balance Between Privacy and Security’, in Cole, supra n. 1, p. 67.
23 Anti-Terrorism Act, SC 2001, C 41.
24 Council Decision 2006/230/EC of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data, OJ 2006, L 82/14.
25 For an overview of this regime, see P. Hobbing, ‘Tracing Terrorists: The EU-Canada Agreement in PNR Matters’, Special Report, Center for European Policy Studies, 17 November 2008, available at <aei.pitt.edu/11745/1/1704.pdf>, visited 19 March 2018.
26 Council of the European Union, Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data, 2013/0250 (NLE).
27 European Parliament Resolution of 25 November 2014 on seeking an opinion from the ECJ on the compatibility with the Treaties of the Agreement between Canada and the EU on the transfer and processing of Passenger Name Record data P8_TA (2014) 0058.
28 Case 1/15, Opinion of AG Mengozzi, 8 September 2016.
29 On the procedural side, the AG remarked that Art. 16(2) TFEU can be invoked as an appropriate legal basis for such an agreement, together with Art. 87(2)(a) TFEU, read in conjunction with Art. 218(6)(a)(v).
30 Opinion of AG Mengozzi, para. 180.
31 Ibid., para. 170.
32 On which, see Peers, S. and Prechal, S. , ‘ Article 52. Scope and Interpretation of Rights and Principles’, in S. Peers et al. (eds.), The EU Charter of Fundamental Rights. A Commentary (Hart Publishing 2014) p. 1455 CrossRefGoogle Scholar.
33 Opinion of AG Mengozzi, para. 192.
34 Ibid., para. 193.
35 Ibid., para. 186.
36 Ibid., paras. 199-204.
37 Ibid., paras. 205-206.
38 Ibid., para. 279.
39 On the use of anonymisation, see Cocq, C.C., ‘Encryption and Anonymisation Online: Challenges for Law Enforcement Authorities Within the EU’, in T. Bräutigam and S. Miettinen (eds.), Data Protection, Privacy and European Regulation in the Digital Age (Unigrafia 2016) p. 178 Google Scholar.
40 Ibid., para. 222.
41 Ibid., para. 285. Specifically, the masking and progressive depersonalisation of data would guarantee respect for the concerned rights.
42 ECJ 26 July 2017, Opinion 1/15. For a short comment, Graziani, C., ‘PNR EU-Canada, la Corte di Giustizia blocca l’accordo: tra difesa dei diritti umani e implicazioni istituzionali’, DPCE online (2017) p. 959 Google Scholar.
43 COM(2017) 605 final.
44 ECJ 26 July 2017, Opinion 1/15, para. 97.
45 Ibid., para. 98.
46 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995, L 281/31.
47 Maximilian Schrems v Data Protection Commissioner, supra n. 7, para. 73.
48 Opinion 1/15, para. 126.
49 I.e. the agreement itself, and not the consent. According to Art. 8 of Charter, a limitation can be based, alternatively, on explicit consent of data subjects or on another legitimate basis laid down by law.
50 Opinion 1/15, para. 163.
51 Ibid., para. 157.
52 Ibid., para. 158.
53 Ibid., para. 165.
54 Art. 15 of the Agreement.
55 Opinion 1/15, para. 173.
56 Ibid., para. 172.
57 See Art. 3(2)-(3) of the Agreement.
58 Opinion 1/15, para. 181.
59 Ibid., paras. 185 and 189.
60 Ibid., paras. 190-191.
61 Citing the Schrems and Tele2 decisions.
62 As already stated, the retention period is five years. Notably, the Court deemed this length admissible (para. 209 of the Opinion).
63 Opinion 1/15, paras. 204-207.
64 Ibid., para. 203.
65 Ibid., para. 212.
66 Ibid., para. 214.
67 Ibid., paras. 216-217.
68 Ibid., para. 225.
69 Ibid., para. 231.
70 An emblematic example is the criticism of the term ‘etc.’ in Heading 5. See Opinion 1/15, para. 157.
71 Art. 4(3) of the Agreement, stating that all data that are not listed must be deleted.
72 Opinion 1/15, para. 162.
73 E.g. in Digital Rights, in which it claimed the need for a list of crimes that could justify retention.
74 Directive (EU) 2016/681 of the Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ 2016, L 119/132. The Directive has to be implemented by Member States by May 2018. For an analysis, Lowe, D., ‘The European Union Passenger Name Record Data Directive: Is it Fit for Purpose?’ 16 International Criminal Law Review (2016) p. 78 CrossRefGoogle Scholar.
75 Rosenfeld, M., ‘Judicial Balancing in Times of Stress: Comparing the American, British, and Israeli Approaches to the War on Terror’, 27 Cardozo Law Review (2006) p. 2079 Google Scholar; Vedaschi, A., ‘Has the Balancing of Rights Given Way to a Hierarchy of Values?’, 1 Comparative Law Review (2010)Google Scholar p. 1.
76 Opinion 1/15, para. 165.
77 On profiling and its risks, Banks, R.R. , ‘ Racial Profiling and Antiterrorism Efforts’, 89 Cornell Law Review (2004) p. 1201 Google Scholar; Barak-Erez, D., ‘Terrorism and Profiling: Shifting the Focus from Criteria to Effects’, 29 Cardozo Law Review (2007) p. 1 Google Scholar.
78 Opinion 1/15, paras. 168-174.
79 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ 2016, L 119/1.
80 Opinion 1/15, para. 181.
81 Ibid., para. 204.
82 Directive 2016/681, recital 37.
83 Ibid., Art. 12(5).
84 As noted by R. Bossong, ‘Passenger Name Records – from Canada back to the EU’, Verfassungsblog, 28 July 2017, <verfassungsblog.de/passenger-name-records-from-canada-back-to-the-eu/>, visited 19 March 2018.
85 See supra.
86 Whose masking period is, instead, six months.
87 Opinion 1/15, para. 220.
88 Ibid., para. 228.
89 European Parliament, Resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield.
90 Answer given to the European Parliament by Mr Avramopoulos on behalf of the Commission (4 November 2015). It is worth noting that negotiations may begin with Argentina and Japan as well.
91 On the attitude of the Court of Justice, particularly in privacy-related cases, to behaving as a ‘constitutional’ court, see A. Vedaschi and V. Lubello, supra n 5, at p. 17.
92 As explicitly stated by the Court of Justice, in the commented Opinion, para. 67.
93 Joined Cases C-317/04 and C-318/04.
94 See supra.
95 For a discussion of the ‘creative’ role of the courts, Pfersmann, O., ‘Contre le néo-realisme juridique. Pour un débat sur l’interpretation’, Revue française de droit constitutionnel (2002) p. 789 at p. 790CrossRefGoogle Scholar.
96 For more detail on how the Court approached this complex balance in the commented Opinion, see Vedaschi, A., ‘L’Accordo internazionale sui dati dei passeggeri aviotrasportati (PNR) alla luce delle indicazioni della Corte di giustizia dell’Unione europea’, 62 Giurisprudenza costituzionale (2017) p. 1913 Google Scholar.