Douwe Korff, comparative and international lawyer specialising in human rights and data protection
In Case-817/19, Belgium’s Constitutional Court has asked the EU Court of Justice whether the PNR Directive (2016/681) is compatible with the Charter of Fundamental Rights. An Advocate-General’s opinion in this case is expected in the New Year.
In my opinion, the appropriate tests to be applied to mass surveillance measures such as are carried out under the PNR Directive (and were carried out under the Data Retention Directive, and are still carried out under the national data retention laws of the EU Member States that continue to apply in spite of the CJEU case-law) are:
Have the entities that apply the mass surveillance measure – i.e., in the case of the PNR Directive (and the DRD), the European Commission and the EU Member States — produced reliable, verifiable evidence:
- that those measures have actually, demonstrably contributed significantly to the stated purpose of the measures, i.e., in relation to the PNR Directive, to the fight against PNR-relevant crimes (and in relation the DRD, to the fight against “serious crime as defined by national law”); and
- that those measures have demonstrably not seriously negatively affected the interests and fundamental rights of the persons to whom they were applied?
If the mass surveillance measures do not demonstrably pass both these tests, they are fundamentally incompatible with European human rights and fundamental rights law and the Charter of Fundamental Rights; this means the measures must be justified, by the entities that apply them, on the basis of hard, verifiable, peer-reviewable data.
The conclusion reached by the European Commission and Dutch Minister of Justice: that overall, the PNR Directive, respectively the Dutch PNR law, had been “effective” because the EU Member States said so (Commission) or because PNR data were quite widely used and the competent authorities said so (Dutch Minister) is fundamentally flawed, given that this conclusion was reached in the absence of any real supporting data. Rather, my analyses show that:
- Full PNR data are disproportionate to the purpose of basic identity checks;
- The necessity of the PNR checks against Interpol’s Stolen and Lost Travel Document database is questionable;
- The matches against unspecified national databases and “repositories” are not based on foreseeable legal rules and are therefore not based on “law”;
- The necessity and proportionality of matches against various simple, supposedly “suspicious” elements (tickets bought from a “suspicious” travel agent; “suspicious” travel route; etc.) is highly questionable; and
- The matches against more complex “pre-determined criteria” and profiles are inherently and irredeemably flawed and lead to tens, perhaps hundreds of thousands of innocent travellers wrongly being labelled to be a person who “may be” involved in terrorism or serious crime, and are therefore unsuited (D: ungeeignet) to the purpose of fighting terrorism and serious crime.
The hope must be that the Court will stand up for the rights of individuals, enforce the Charter of Fundamental Rights, and declare the PNR Directive (like the Data Retention Directive) to be fundamentally in breach of the Charter.
For my full 149-page opinion, and an executive summary of it, see here.
Reblogged from the Data Protection and Digital Competition blog
Photo credit: Konstantin von Wedelstaedt, via wikicommons