On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that that the Passenger Name Record (“PNR”) Directive’s provisions providing for the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”). However, the CJEU also decided that the PNR Directive limits the way in which Member State laws transpose some of its provisions, particularly in relation to the collection of passenger information for intra-EU flights. Its decision will require Belgium to amend its law transposing the PNR Directive, mainly in relation to the PNR data competent authorities may receive and how they can process this data. It is likely to indirectly impact air carriers and tour operators operating in Belgium, as it will reduce the amount of data they need to share with competent authorities under such a revised legal framework.
The CJEU decision also considers, as well, Member State laws transposing (1) the Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (API Directive) and (2) Directive 2010/65/EU on reporting formalities for ships arriving in and/or departing from ports of the Member States.
The case was lodged on October 31, 2019, by the non-profit organization Ligue des Droits Humainsbefore the Belgian courts in relation to the Belgian law transposing the PNR and API Directives. The Belgian Constitutional Court referred certain questions to the CJEU.
The CJEU decided the following:
- that the General Data Protection Regulation (“GDPR”) applies to (1) private entities processing personal data according to these directives and (2) public authorities processing personal data according to Directive 2004/82/EC and Directive 2010/65/EU, while other processing operations conducted by competent national authorities and national passenger information units (“PIUs”) may be subject to Directive 216/680, the GDPR’s “twin” that regulates the processing of data by public authorities strictly for law enforcement purposes;
- that although the PNR Directive entails an “undeniably serious interference” with the fundamental rights of the Charter calling for (1) respect for private and family life and (2) protection of personal data, the PNR Directive is compatible with the Charter if EU Member States interpret its provisions in light of the Charter;
- that Member States may not adopt laws that:
- authorize the processing of PNR data (collected in accordance with the Directive) for purposes other than those expressly mentioned in the Directive, including the processing of PNR data by its intelligence and security services for monitoring purposes;
- allow PIUs to approve the disclosure of PNR data to law enforcement authorities upon the expiry of the six month data retention period set out by the Directive; such approval can only be given by another authority or court, which has the independence and impartiality required to carry out the prior review of the law enforcement authorities’ request to access the PNR data;
- requiring PIUs to retain PNR data of all air passengers for five years;
- require air carriers and tour operators to transfer to the PIUs PNR data of all flights and transport operations between EU Members States;
- that Member States may:
- only require air carriers and tour operators to transfer to competent authorities PNR data of flights and/or transport operations relating, among others, to certain selected routes or travel patterns or to certain airports, stations or seaports for which there are indications that such processing is necessary and proportionate for the purpose of combating terrorist offences and serious crime; and
- not require the transfer of PNR data to competent authorities for the purposes of improving external border controls and combating illegal immigration; this is one of the processing purposes of Council Directive 2004/82/EC, which has a different scope of application;
- that Directive 2004/82/EC only applies to flights between an EU Member State and a non-EU Member State and not to flights between EU Member States; and
- that if a national court decides that a Member State law transposing the PNR Directive is incompatible with this Directive, the court cannot allow that Member State law to remain in effect for a certain period of time for the purpose of ensuring legal certainty. This means that if the Belgian court decides that the Belgian law transposing the Directive is incompatible with the PNR Directive (as it likely will in accordance with this CJEU judgement), the Belgian law ceases to apply immediately. It is unclear whether the Belgian court will decide the illegality of the entire Belgian law or only some of its provisions.
* * *
There are currently 48 data protection cases pending before the CJEU. The Covington team will keep monitoring and reporting on any data protection related judgment issued by the CJEU.