CJEU limits processing air passengers’ personal data
The beginning of the summer holidays was marked by the Court of Justice of the EU (CJEU) ruling concerning air travel, passengers' personal data, and prevention of terrorism. The CJEU primarily addressed the validity of the Passenger Name Record (PNR) Directive and the compliance of the processing of air passengers' personal data with EU law. In its judgment, the CJEU concluded that EU law precludes national legislation requiring a systematic processing of passengers' personal data without the existence of a genuine and foreseeable terrorist threat.
The PNR Directive allows for the systematic collection of personal data of air passengers entering and leaving the EU to prevent, detect, investigate, and prosecute terrorist offences and serious crimes. Personal data include, for instance, the name, contact details, date of issue of the air ticket, seat number, luggage information, and even information about the passenger's frequent flyer programme.
Member states may also apply the directive to flights within the EU. In the case in question, Belgian legislation required air carriers to collect their passengers' personal data for intra-EU flights. However, according to the League of Human Rights organisation, such an extension of the scope of the directive may infringe the right to respect privacy and protect personal data. It may also indirectly reinstate border controls, disrupting the free movement of people within the EU.
The CJEU admitted that the PNR Directive entails serious interferences with the rights guaranteed by the EU Charter of Fundamental Rights, as it seeks to introduce continuous, non-targeted, and systematic surveillance, including the automated assessment of the personal data of all persons using air transport services. According to the CJEU, interference with these rights by a member state must meet strict conditions.
Thus, a member state can extend the application of the PNR Directive to all intra-EU flights in principle only in a situation where:
- it faces a terrorist threat which appears to be genuine and present or foreseeable on the basis of sufficiently solid grounds;
- the processing of such passengers' personal data is proportionate to the potential threat;
- the application of the directive does not go beyond the scope and time of what is strictly necessary to combat terrorism.
In the absence of such a threat, the transfer of passengers' personal data must be limited to certain routes, travel patterns, or certain airports where there are indications of a potential threat. The processing of passengers' personal data will also be subject to further restrictions. For example, the data can neither be processed for the purpose of detecting ordinary crime nor, with some exceptions, used after six months from being transferred by the air carrier to the competent authority. The CJEU also commented on the use of artificial intelligence (machine learning systems) in the preliminary assessment of PNR data and for identification of persons who should be further screened prior to arrival or departure. The competent authorities cannot use these technologies, in particular because of the margin of error.
To conclude: when processing air passengers’ personal data, air carriers and competent authorities of the member state must comply not just with applicable aviation legislation (e.g., the Civil Aviation Act), but also with EU legislation and case law on personal data protection. Otherwise, they may face severe fines for breaches of personal data protection rules.