Canada-EU counter-terror data exchange is illegal, says top EU judge

The opinion of the attorney general of the Court of Justice of the EU is not binding on the court

An agreement to send Canadian authorities passenger name record (PNR) data for flights from the European Union cannot be entered into in its current form, a top European Union judge has said.

That's because parts of the draft agreement are incompatible with EU citizens' fundamental privacy rights, according to Paolo Mengozzi, Advocate General of the Court of Justice of the EU, in a legal opinion issued Thursday.

His opinion, on a case brought by the European Parliament, is only advisory, and it still remains for the CJEU to make a final ruling on the matter.

But if the court follows his advice, it could disrupt the European Commission's plans for a new directive on the sharing of PNR data among EU member states and with other countries. 

The agreement, which the EU and Canada began negotiating in 2010, concerns the transfer of PNR data to Canadian authorities for the purpose of combatting terrorism and other serious transnational crime. The passenger name records concerned contain 19 categories of information, covering the passenger's identity, nationality, address, contact details of the person making the reservation, payment information such as the number of the credit card used to reserve the flight, luggage details, and additional services requested concerning health problems, mobility, or dietary requirements. This might allow authorities to infer information about passengers' ethnic origin or religious beliefs.

The European Parliament refused to give its approval to the deal following its signature by the Council of the EU in 2014, preferring first to seek the opinion of the CJEU on its compatibility with EU laws on privacy and the protection of personal data.

In his opinion, Advocate General Mengozzi found five articles of the agreement incompatible with the provisions of the EU Charter of Fundamental Rights on the right to respect for private and family life, and the right to protection of personal data.

Those articles allow Canada to:
- process PNR data for reasons other than the agreement's public security objectives of preventing and detecting terrorist offenses and serious transnational crime;
- process, use and retain sensitive data;
- make unnecessary disclosures of the information;
- keep the data for up to five years for pretty much any reason, whether or not connected to the prevention of terrorism or serious crime, and
- transfer the data to a third country without being able to prevent that transfer to yet other countries.

Mengozzi identified 11 changes to the agreement needed in order to make it compatible with the charter, including:
- clearly defining the data to be transferred, and excluding sensitive data from the definition;
- exhaustively listing the offenses that constitute serious transnational crime, and
- informing EU member states when information about one of their citizens is passed on to other agencies.

His opinion was greeted with a mixture of delight and dismay.

Timothy Kirkhope MEP, Justice and Home Affairs spokesman of the European Conservatives and Reformists group, described the opinion as irresponsible and said: "Given the level of the threat you have to ask what planet some of these lawyers live on. Law enforcement authorities all say we are continually playing catch-up on information flow and analysis, and the CJEU now risks setting back our efforts even further."

But Joe McNamee, Executive Director of lobby group European Digital Rights, agreed with the advocate general's disapproval of the deal. "Once again, the European Court is confirming that the European Commission has failed to understand the law. The European Commission has -- again -- failed in its basic function as the 'guardian of the treaties,'" he said.

If the full court follows Mengozzi's advice, then the data sharing agreement may not enter into force until those amendments are made. The opinions of the court's advocates general are not binding, but the court follows them in the majority of cases.

Join the CSO newsletter!

Error: Please check your email address.

More about EUEuropean CommissionEuropean Parliament

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place