Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

The EU-Canada Agreement on Passenger Name Records (pnr): Turbulence Ahead!

Published by Gbaf News

Posted on August 9, 2017

9 min read

Last updated: January 21, 2026

Add as preferred source on Google

Swiss government confirms majority stake in Swisscom for security policy - Global Banking & Finance Review — Image depicting the Swiss government building, symbolizing the confirmation of Switzerland's majority stake in Swisscom. This decision highlights the importance of state involvement in telecom for security policy.

By Antoine Guilmain, Antoine Aylwin and Karl Delwaide

Since 2014, the European Union and Canada have been moving forward with an Agreement concerning the transfer and use of Passenger Name Record (“PNR”) data. Last week, on July 26, 2017, the European Union Court of Justice stated that the envisaged Agreement could not be concluded because it would be “incompatible” with the respect for private life and the protection of personal data within the meaning of the European Union Charter of Fundamental Rights. This does not mean, however, that the Agreement is condemned to remain ad vitamaeternamon the “black list”. While the Opinion questions several rules under the PNR system, it does not question its raison d’être. In other words, the EU-Canada Agreement is currently on the “gray list”, but could still take off…

The transfer of PNR data is intended to ensure the public’s safety and security. The preamble to the envisaged Agreement declares that the Parties are seeking to “prevent, combat, repress and eliminate terrorism” as well as “other serious transnational crime”, and that the sharing of PNR data is “a critically important instrument to pursue these goals”. The PNR system also includes provisions to protect PNR data that contain “personal information”, for example, the passenger’s name and contact information, reservation information, dates of intended travel and itinerary.

In this context, the purpose of the Agreement clearly states that the European Union and Canada “set out the conditions for the transfer and use of Passenger Name Record data to ensure the security and safety of the public and prescribe the means by which the data is protected” (Article 1). Therein lies the heart of the problem: balancing “public security” and “data protection”. The European Union Court of Justice correctly noted that these two components “are inextricably linked”, and are both to be considered “fundamental in nature”.

Public Security: Green Light. The Court observed that public security is an objective “of general interest of the European Union” that is “capable of justifying even serious interferences” with the respect for private life and the protection of personal data. It even states that “the protection of public security also contributes to the protection of the rights and freedoms of others”. Any invasion of privacy would be limited to air travel between Canada and the European Union, and the Agreement would contain provisions to protect PNR data. In those circumstances, everything seems to indicate that interferences under the Agreement are “capable of being justified by an objective of general interest {…} and are not liable to adversely affect the essence of the fundamental rights enshrined in Articles 7 and 8 of the Charter”. These are the words of the Court. Despite this encouraging observation, the PNR Agreement must still comply with a number of conditions on data protection.

Data Protection: Red Light. The Court noted a series of incompatibilities regarding the protection of PNR data, the most important of which are as follows. First, PNR data is not clearly and precisely defined in the Agreement. The expressions “etc.”, “all available contact information”, “any information”, considered too broad, are used. Furthermore, the transfer of “sensitive” data (concerning racial or ethnic origin, religious beliefs, a person’s health or sex life) requires a “precise and particularly solid justification”, which the Court considered to be missing from the Agreement. Moreover, given that the processing of PNR data is generally automated (using predictive algorithms), these methods must be reliable, specific and non-discriminatory. Recent research suggests that the programming of algorithms may be affected by a discriminatory bias. In addition, the retention of PNR data does not appear necessary when passengers have left Canada and no risk (terrorism or serious transnational crime) was identified before or during their stay. Last, air passengers whose PNR data is used or retained must be notified, and an independent supervisory authority should ensure compliance with the Agreement.

Conclusion: Yellow Light. Ultimately, according to the European Union Court of Justice, while the EU-Canada Agreement is in principle acceptable, its current form must be amended to better regulate and protect PNR data. The Court’s reasons are not that far removed from the principles underlying Canadian privacy laws, in particular with respect to necessity or transparency. On another note, the new General Data Protection Regulation expected to enter into force in May 2018 should again highlight the issues and challenges facing any collaboration between the EU and Canada.

For the time being, the European Commission has undertaken to “carefully assess the Opinion and its potential impact”, while engaging “with Canada about ways of addressing the concerns raised by the European Court of Justice”. The Canada-EU Agreement can still be cleared for takeoff if it is amended to comply with the provisions of the Charter of Fundamental Rights of the European Union. Failing such amendments, and barring any treaty revisions, the Agreement cannot enter into force and will be condemned to circle the runway until such changes are made…

By Antoine Guilmain, Antoine Aylwin and Karl Delwaide

Since 2014, the European Union and Canada have been moving forward with an Agreement concerning the transfer and use of Passenger Name Record (“PNR”) data. Last week, on July 26, 2017, the European Union Court of Justice stated that the envisaged Agreement could not be concluded because it would be “incompatible” with the respect for private life and the protection of personal data within the meaning of the European Union Charter of Fundamental Rights. This does not mean, however, that the Agreement is condemned to remain ad vitamaeternamon the “black list”. While the Opinion questions several rules under the PNR system, it does not question its raison d’être. In other words, the EU-Canada Agreement is currently on the “gray list”, but could still take off…

The transfer of PNR data is intended to ensure the public’s safety and security. The preamble to the envisaged Agreement declares that the Parties are seeking to “prevent, combat, repress and eliminate terrorism” as well as “other serious transnational crime”, and that the sharing of PNR data is “a critically important instrument to pursue these goals”. The PNR system also includes provisions to protect PNR data that contain “personal information”, for example, the passenger’s name and contact information, reservation information, dates of intended travel and itinerary.

In this context, the purpose of the Agreement clearly states that the European Union and Canada “set out the conditions for the transfer and use of Passenger Name Record data to ensure the security and safety of the public and prescribe the means by which the data is protected” (Article 1). Therein lies the heart of the problem: balancing “public security” and “data protection”. The European Union Court of Justice correctly noted that these two components “are inextricably linked”, and are both to be considered “fundamental in nature”.

Public Security: Green Light. The Court observed that public security is an objective “of general interest of the European Union” that is “capable of justifying even serious interferences” with the respect for private life and the protection of personal data. It even states that “the protection of public security also contributes to the protection of the rights and freedoms of others”. Any invasion of privacy would be limited to air travel between Canada and the European Union, and the Agreement would contain provisions to protect PNR data. In those circumstances, everything seems to indicate that interferences under the Agreement are “capable of being justified by an objective of general interest {…} and are not liable to adversely affect the essence of the fundamental rights enshrined in Articles 7 and 8 of the Charter”. These are the words of the Court. Despite this encouraging observation, the PNR Agreement must still comply with a number of conditions on data protection.

Data Protection: Red Light. The Court noted a series of incompatibilities regarding the protection of PNR data, the most important of which are as follows. First, PNR data is not clearly and precisely defined in the Agreement. The expressions “etc.”, “all available contact information”, “any information”, considered too broad, are used. Furthermore, the transfer of “sensitive” data (concerning racial or ethnic origin, religious beliefs, a person’s health or sex life) requires a “precise and particularly solid justification”, which the Court considered to be missing from the Agreement. Moreover, given that the processing of PNR data is generally automated (using predictive algorithms), these methods must be reliable, specific and non-discriminatory. Recent research suggests that the programming of algorithms may be affected by a discriminatory bias. In addition, the retention of PNR data does not appear necessary when passengers have left Canada and no risk (terrorism or serious transnational crime) was identified before or during their stay. Last, air passengers whose PNR data is used or retained must be notified, and an independent supervisory authority should ensure compliance with the Agreement.

Conclusion: Yellow Light. Ultimately, according to the European Union Court of Justice, while the EU-Canada Agreement is in principle acceptable, its current form must be amended to better regulate and protect PNR data. The Court’s reasons are not that far removed from the principles underlying Canadian privacy laws, in particular with respect to necessity or transparency. On another note, the new General Data Protection Regulation expected to enter into force in May 2018 should again highlight the issues and challenges facing any collaboration between the EU and Canada.

For the time being, the European Commission has undertaken to “carefully assess the Opinion and its potential impact”, while engaging “with Canada about ways of addressing the concerns raised by the European Court of Justice”. The Canada-EU Agreement can still be cleared for takeoff if it is amended to comply with the provisions of the Charter of Fundamental Rights of the European Union. Failing such amendments, and barring any treaty revisions, the Agreement cannot enter into force and will be condemned to circle the runway until such changes are made…