Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

THE EU-CANADA AGREEMENT ON PASSENGER NAME RECORDS (PNR): TURBULENCE AHEAD!

By Antoine Guilmain, Antoine Aylwin and Karl Delwaide

Since 2014, the European Union and Canada have been moving forward with an Agreement concerning the transfer and use of Passenger Name Record (“PNR”) data. Last week, on July 26, 2017, the European Union Court of Justice stated that the envisaged Agreement could not be concluded because it would be “incompatible” with the respect for private life and the protection of personal data within the meaning of the European Union Charter of Fundamental Rights. This does not mean, however, that the Agreement is condemned to remain ad vitamaeternamon the “black list”. While the Opinion questions several rules under the PNR system, it does not question its raison d’être. In other words, the EU-Canada Agreement is currently on the “gray list”, but could still take off…

The transfer of PNR data is intended to ensure the public’s safety and security. The preamble to the envisaged Agreement declares that the Parties are seeking to “prevent, combat, repress and eliminate terrorism” as well as “other serious transnational crime”, and that the sharing of PNR data is “a critically important instrument to pursue these goals”. The PNR system also includes provisions to protect PNR data that contain “personal information”, for example, the passenger’s name and contact information, reservation information, dates of intended travel and itinerary.

In this context, the purpose of the Agreement clearly states that the European Union and Canada “set out the conditions for the transfer and use of Passenger Name Record data to ensure the security and safety of the public and prescribe the means by which the data is protected” (Article 1). Therein lies the heart of the problem: balancing “public security” and “data protection”. The European Union Court of Justice correctly noted that these two components “are inextricably linked”, and are both to be considered “fundamental in nature”.

Public Security: Green Light. The Court observed that public security is an objective “of general interest of the European Union” that is “capable of justifying even serious interferences” with the respect for private life and the protection of personal data. It even states that “the protection of public security also contributes to the protection of the rights and freedoms of others”. Any invasion of privacy would be limited to air travel between Canada and the European Union, and the Agreement would contain provisions to protect PNR data. In those circumstances, everything seems to indicate that interferences under the Agreement are “capable of being justified by an objective of general interest {…} and are not liable to adversely affect the essence of the fundamental rights enshrined in Articles 7 and 8 of the Charter”. These are the words of the Court. Despite this encouraging observation, the PNR Agreement must still comply with a number of conditions on data protection.

Data Protection: Red Light. The Court noted a series of incompatibilities regarding the protection of PNR data, the most important of which are as follows. First, PNR data is not clearly and precisely defined in the Agreement. The expressions “etc.”, “all available contact information”, “any information”, considered too broad, are used. Furthermore, the transfer of “sensitive” data (concerning racial or ethnic origin, religious beliefs, a person’s health or sex life) requires a “precise and particularly solid justification”, which the Court considered to be missing from the Agreement. Moreover, given that the processing of PNR data is generally automated (using predictive algorithms), these methods must be reliable, specific and non-discriminatory. Recent research suggests that the programming of algorithms may be affected by a discriminatory bias. In addition, the retention of PNR data does not appear necessary when passengers have left Canada and no risk (terrorism or serious transnational crime) was identified before or during their stay. Last, air passengers whose PNR data is used or retained must be notified, and an independent supervisory authority should ensure compliance with the Agreement.

Conclusion: Yellow Light. Ultimately, according to the European Union Court of Justice, while the EU-Canada Agreement is in principle acceptable, its current form must be amended to better regulate and protect PNR data. The Court’s reasons are not that far removed from the principles underlying Canadian privacy laws, in particular with respect to necessity or transparency. On another note, the new General Data Protection Regulation expected to enter into force in May 2018 should again highlight the issues and challenges facing any collaboration between the EU and Canada.

For the time being, the European Commission has undertaken to “carefully assess the Opinion and its potential impact”, while engaging “with Canada about ways of addressing the concerns raised by the European Court of Justice”. The Canada-EU Agreement can still be cleared for takeoff if it is amended to comply with the provisions of the Charter of Fundamental Rights of the European Union. Failing such amendments, and barring any treaty revisions, the Agreement cannot enter into force and will be condemned to circle the runway until such changes are made…