PNR data can include any personal information collected during bookings for flights, including home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
The agreement was negotiated and signed in 2014, and passed to the European Parliament for approval. The Parliament, in turn, referred the matter to the CJEU to determine whether provisions relating to respect for private life and the protection of personal data were compatible with the EU Charter of Fundamental Rights.
The CJEU has found that several of the provisions are incompatible with the fundamental rights recognised by the EU. Although the systematic transfer, retention and use of passenger data is allowed, the rules in the agreement "are not limited to what is strictly necessary".
The agreement would allow PNR data to be transferred to Canadian authorities to be used, retained and possibly transferred to other authorities and non-member countries for the purposes of combatting terrorism and other transnational crime. Data can be stored for five years, with requirements on data security and integrity, masking of sensitive data, rights of access to and correction of data, and administrative and judicial redress.
However, taken as a whole, PNR data could reveal an entire travel itinerary, travel habits and relationships between individuals as well as health and other sensitive information, the CJEU said. The five-year retention period is also a particularly long period for information on the private lives of passengers to be available. These rules entail an interference with the fundamental right to respect for private life and an interference with the fundamental right to the protection of personal data, it said.
While rules could be justified by the "pursuit of an objective of general interest", in this case to ensure public security in the context of the fight against terrorist offences and serious transnational crime, the CJEU found that several provisions are not limited to what is strictly necessary and do not lay down clear and precise rules.
The parties to the agreement have accepted that sensitive data may be transferred to Canada. Sensitive data covers any information that reveals ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership’ or concerning ‘a person’s health or sex life’. This requires "a precise and particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime. In this instance, however, there is no such justification," the Court said.
The agreement does not go beyond what is necessary in transferring data, using it or storing it while passengers are in Canada, the CJEU said, but storage after passengers leave the country is not limited to what is strictly necessary.
The agreement should be more clear and precise about the data to be transferred, create specific, reliable and non-discriminatory models and criteria for processing data, and make sure that the databases used will be limited to those used by Canada in fighting terrorism and serious transnational crime.
It must also ensure that PNR data can only be disclosed to the government authorities of a non-EU country if there is an equivalent agreement between the EU and that country or a relevant decision by the European Commission.
Air passengers should also receive individual notification when their data is used or transferred, during or after their stay in Canada.
The rules should be overseen by an independent supervisory authority, the CJEU said.
The CJEU decision confirms an opinion published by advocate general Paolo Mengozzi last year.
The advocate general said that he reached his conclusions on the basis of the CJEU's rulings in a case involving Digital Rights Ireland, where the CJEU ruled the EU Data Retention Directive invalid, and one involving Max Schrems, where it invalidated the EU-US Safe Harbor scheme that allowed commercial transfers of personal data to certain US organisations.
The European Parliament gave final approval to EU legislation on Passenger Name Records (PNR) in April, and the PNR Directive is now in force; EU countries must implement it nationally by 25 May 2018.
The law will oblige EU countries to pass laws requiring airlines to hand passengers' data to national authorities for all flights from third countries to the EU and vice versa. Although the Directive only applies to 'extra-EU flights', EU countries can extend it to flights between one another. They must notify the European Commission that they are doing so, and notifications will be published. EU countries can also choose to collect and process PNR data from travel agencies and tour operators.