Douwe
Korff, comparative and international lawyer specialising in human rights
and data protection
In Case-817/19,
Belgium’s Constitutional Court has asked the EU Court of Justice whether the PNR Directive
(2016/681) is compatible with the Charter of Fundamental Rights. An
Advocate-General’s opinion in this case is expected in the New Year.
In my opinion, the appropriate
tests to be applied to mass surveillance measures such as are carried out under
the PNR Directive (and were carried out under the Data
Retention Directive, and are still carried out under the national data
retention laws of the EU Member States that continue to apply in spite of the
CJEU case-law) are:
Have the entities that apply the mass surveillance measure – i.e., in
the case of the PNR Directive (and the DRD), the European Commission and the EU
Member States — produced reliable, verifiable evidence:
-
that
those measures have actually, demonstrably contributed
significantly to the stated purpose of the measures, i.e., in relation
to the PNR Directive, to the fight against PNR-relevant crimes (and in relation
the DRD, to the fight against “serious crime as defined by national law”); and
-
that
those measures have demonstrably not seriously negatively affected the
interests and fundamental rights of the persons to whom they were applied?
If the mass surveillance measures
do not demonstrably pass both these tests, they are fundamentally
incompatible with European human rights and fundamental rights law and the
Charter of Fundamental Rights; this means the measures must be justified, by
the entities that apply them, on the basis of hard, verifiable,
peer-reviewable data.
The conclusion reached by the
European Commission and Dutch Minister of Justice: that overall, the PNR
Directive, respectively the Dutch PNR law, had been “effective” because the EU
Member States said so (Commission) or because PNR data were quite widely used
and the competent authorities said so (Dutch Minister) is fundamentally
flawed, given that this conclusion was reached in the absence of any real
supporting data. Rather, my analyses show that:
-
Full PNR data are disproportionate to
the purpose of basic identity checks;
-
The necessity of the PNR checks against
Interpol’s Stolen and Lost Travel Document database is questionable;
-
The matches against unspecified national
databases and “repositories” are not based on foreseeable legal rules and are
therefore not based on “law”;
-
The necessity and proportionality of matches
against various simple, supposedly “suspicious” elements (tickets bought from a
“suspicious” travel agent; “suspicious” travel route; etc.) is highly
questionable; and
-
The matches against more complex “pre-determined
criteria” and profiles are inherently and irredeemably flawed and
lead to tens, perhaps hundreds of thousands of innocent travellers wrongly
being labelled to be a person who “may be” involved in terrorism or serious
crime, and are therefore unsuited (D: ungeeignet) to the purpose
of fighting terrorism and serious crime.
The hope must be that the Court will stand up for the rights of
individuals, enforce the Charter of Fundamental Rights, and declare the PNR
Directive (like the Data Retention Directive) to be fundamentally in breach of
the Charter.
For my full 149-page opinion, and
an executive summary of it, see here.
Reblogged
from the Data Protection and Digital Competition blog
Photo credit: Konstantin
von Wedelstaedt, via wikicommons
No comments:
Post a Comment