The agreement allows the transfer of PNR data to the Canadian authorities to combat terrorism and other transnational crime. It was signed in 2014, but it cannot take effect until the European Parliament consents, and the Parliament had asked the CJEU, Europe's highest court, to rule on whether the deal was valid under EU laws protecting individuals' privacy and data. A previous 2006 EU-Canada PNR agreement is still in effect.
PNR data can include any personal information collected during bookings for flights, including home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
The current text of the agreement gives too much scope for the storage and use of the data beyond that of preventing terrorism and other transnational crime, the advocate general said.
It allows Canada to use and keep sensitive data provided when a passenger requests specific services, like assistance, possibly revealing health or mobility problems, or special dietary requirements, which may reveal information about the health, ethnic origin and religious beliefs of a that passenger and their travelling companions. Such data cannot be processed under the PNR Directive.
It also allows Canada to store the information for up to five years, without any terrorism or transnational crime-related reason, and to pass the data on to another foreign body without sufficient controls on where it is then sent, the advocate general said.
Opinions of advocates general are not binding on the court, but are followed in the majority of cases.
The advocate general said that he reached his conclusions on the basis of the CJEU's rulings in a case involving Digital Rights Ireland, where the CJEU ruled the EU Data Retention Directive invalid, and one involving Max Schrems, where it invalidated the EU-US Safe Harbor scheme that allowed commercial transfers of personal data to certain US organisations.
Data protection expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com said: "This is the first time the CJEU has been asked to consider the compatibility of a draft international agreement with the EU Charter of Fundamental Rights. In the advocate general's view, when concluding international agreements under which EU individuals' personal data are transferred to foreign authorities the EU must ensure that the terms of those international agreements provide 'essentially equivalent' protection for privacy and personal data as is guaranteed under EU law. If the CJEU agrees with the advocate general, this will be an important constraint on EU institutions when negotiating international treaties, as well as when passing laws within the EU."
Mengozzi said in his opinion: "It is necessary that, at a time when modern technology allows public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely sophisticated methods of monitoring the private life of individuals and analysing their personal data, the Court should ensure that the proposed measures, even when they take the form of envisaged international agreements, reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data."
The European Parliament gave final approval to EU legislation on Passenger Name Records (PNR) in April, and the PNR Directive is now in force; EU countries must implement it nationally by 25 May 2018.
The law will oblige EU countries to pass laws requiring airlines to hand passengers' data to national authorities for all flights from third countries to the EU and vice versa. Although the Directive only applies to 'extra-EU flights', EU countries can extend it to flights between one another. They must notify the European Commission that they are doing so, and notifications will be published. EU countries can also choose to collect and process PNR data from travel agencies and tour operators.