LUXEMBOURG (Reuters) – A deal between the European Union and Canada to share airline passenger data must be revised as parts of it violate privacy and data protection laws beyond what could be justified for fighting terrorism, the EU’s top court said.
The European Court of Justice said that while transfer, retention and use of passenger data was allowed in general, the envisaged rules for handling sensitive personal data “are not limited to what is strictly necessary”.
The EU’s 28 states and Canada negotiated the deal in 2014 but the European Parliament – where the collection of data including names, travel dates, itineraries and contact details has been debated fiercely – asked for the ECJ stance.
“The PNR (passenger name records) agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognized by the EU,” the court said on Wednesday.
The ruling will come as a blow to governments in Europe who have stepped up their arguments in favor of data retention after a spate of militant attacks over the past years.
The EU also has a PNR agreement with the United States and Australia, as well as an internal one, and they could face challenges in light of the ruling.
The European Digital Rights group campaigning for protecting rights and freedoms in the digital environment, welcomed the ruling saying that authorizing massive databases of sensitive personal data carried “unacceptable” risks.
“The proposed EU/Canada PNR agreement was considered to be the least restrictive of all of the EU’s PNR agreements. To respect the ruling, the EU must now immediately suspend its deals with Australia and the United States,” it said.
The ECJ said PNR data can reveal travel and dietary habits of people, their existing relationships, health conditions and financial situation.
The agreement allows Canada to keep this data for up to five years and possibly share it with other non-EU states, which the ECJ said constituted an “interference with the fundamental right to respect private life” and to personal data protection.
Privacy advocates says the schemes are ineffective in battling terrorism while infringing people’s privacy.
The ruling comes after the court’s adviser said last September that the deal with Canada had to be redrafted before it could be signed because it allowed authorities to use the data beyond what is strictly necessary to combat terrorist offences and serious transnational crime.
On Wednesday, the ECJ specified that a reworked agreement should spell out more clearly the types of data that can be transferred and must ensure that automated analysis is non-discriminatory and relates exclusively to fighting terrorism and cross-border crime.
Additional reporting by Michele Sinner; Writing by Gabriela Baczynska; Editing by Alison Williams