In a ruling that should have a significant impact on Canada’s privacy policies, the European Court of Justice (Opinion 1-15, July 26, 2017) has held that the agreement between Canada and the EU on the transfer of Passenger Name Record (PNR) data cannot be concluded as it is currently written because it violates fundamental privacy rights recognized by the EU.
The Court noted that the PNR data could reveal a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health. And since the data will be analyzed through an automated process, the Court also noted the analysis could provide additional personal information about the passengers.
In ruling that the transfer of the PNR data (and its potential subsequent retransfer) constituted an interference with the fundamental right to the protection of personal data, the court also looked at whether this fundamental violation could be justified.
First they noted that there was an objective of general interest (to ensure public security in the context of the fight against terrorist offences and serious transnational crime) and that a transfer of data measure was appropriate for the achievement of that objective.
But the court went on to find that since there was a risk of processing sensitive personal data contrary to the principle of non-discrimination, the transfer to Canada would require a more precise justification than was shown. The Court also noted that the continued storage of the data was not limited to what is strictly necessary.
The six measures which must be addressed in a revised version are:
- determine in a more clear and precise manner certain of the PNR data to be transferred;
- provide that the models and criteria used for the automated processing of PNR data will be specific, reliable and non-discriminatory;
- provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;
- provide that PNR data may be disclosed by the Canadian authorities to the government authorities of a non-EU country only if there is an agreement between the European Union and that country equivalent to the envisaged agreement or a decision of the European Commission in that field;
- provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data to other authorities or to individuals;
- guarantee that the oversight of the rules relating to the protection of air passengers with regard to the processing of their PNR data is carried out by an independent supervisory authority.
The court’s ruling serves as a reminder that the European Union takes its privacy commitments very seriously. In Europe, privacy is afforded a higher status in the legal hierarchy than it is given in Canada, and much more so than in the United States. While Canada’s PIPEDA standards have been deemed in the past to be in compliance with the EU’s adequacy requirements, there is no guarantee this status of compliance will continue under the new GDPR regime.
Also, in this decision, the Court is showing sensitivity to the impacts and effects of technology on privacy issues, especially with regard to the processing of sensitive personal information. Canada should draw an inference that our PIPEDA principles would benefit from a thorough review to determine if they are keeping up with technological changes (I have addressed this issue in an earlier submission to the Office of the Privacy Commissioner and am expanding this discussion in a forthcoming paper on the Internet of Things). I don’t think the correspondence between the Court’s order and basic privacy principles was an accident or a coincidence.
And perhaps of the greatest historical significance, the court noted its decision represents the first time it’s been called on to rule on the compatibility of a draft international agreement with the EU Charter of Fundamental Rights. The significance of this point should not be overlooked as Canada continues to engage in international agreements. NAFTA may not directly affect Canada’s trade relationship with the EU and its members. But Canada must avoid negotiating away any privacy protections which could lock the government into an untenable situation with respect to compliance with the EU’s increasingly robust privacy requirements. My sense is that the NAFTA negotiating demand from the United States (restricting limitations on trans-border data flows or other measures requiring local data processing) impedes the flexibility in privacy protections that Canada needs to maintain.
At the very least the Canadian government needs to issue a clear statement that Canadian privacy protections are NOT going to be subject to NAFTA negotiations, and this would preferably be accomplished by releasing a clear set of its negotiating objectives.
Today’s decision from the European Court only underlines these concerns and should send a clear message to the Canadian government that it needs to take privacy protections more seriously.