Why sharing passenger data doesn’t fly for the EU’s top court

Soon after the September 11 terrorist attacks, the US government pioneered the use of airline passenger name records (PNR) as a tool to secure international air travel. Today, airlines flying to and from the United States must share with the US Department of Homeland Security (DHS) passengers’ names and telephone and credit-card numbers, among other information, shortly after their booking. Then DHS screens them for terrorist or criminal threats before flights depart. 

Over the past two decades, many other governments, including the European Union (EU), have followed suit through their own border-security agencies, demanding PNR on many flight routes. Over the last ten years, Washington and Brussels have had a well-functioning agreement under which DHS receives EU-origin PNR for use in screening transatlantic flights. 

But collecting so much personal data has never sat well with the Court of Justice of the European Union (CJEU), which has periodically stymied the EU’s embrace of PNR analysis through judgments challenging its compatibility with the rights to privacy and data protection enshrined in the EU’s Charter of Fundamental Rights. In its latest decision, handed down in a Belgian case on June 21, it ruled that the EU-wide PNR directive (under which Belgium had legislated its national PNR law) did not violate the charter—though it also found key features of the country’s domestic interpretation to be inconsistent with it.

As a result of the ruling, member states may no longer allow their border authorities to share PNR data with intelligence and security services for monitoring purposes. Nor can they retain all passengers’ PNR data for five years (as Belgium’s law had authorized). Instead, data must be deleted after six months, with longer retention justified only if the government has already linked an individual to terrorism or another serious crime. The CJEU also barred governments from collecting PNR on all intra-EU flights, insisting that they select only those routes and airports facing a terrorist or other serious threat.

While governments outside Europe also wrestle with properly balancing security and privacy for air transport, only in the EU has it become a continual judicial contest—with potentially wide-ranging consequences for the safety of international air passengers. The restrictions reflect a basic disagreement between proponents of PNR systems and the EU’s highest court: While law enforcement believes collecting personal data on such a broad basis helps detect terrorist and other criminal conspiracies that may only reveal themselves over time, the CJEU sees it as deeply intrusive into the privacy of innocent citizens.

That’s why it has set sharp boundaries, generally limiting its use to situations of already-suspected criminality. The same dynamic has played out in the commercial context, where the CJEU has struck down the EU-US Privacy Shield Framework and triggered ongoing negotiations to restore a reliable legal foundation for data transfers essential to the transatlantic economy.

Agree to disagree… for now?

Although the June 21 judgment—issued in a case brought by Belgian human-rights group Ligue des Droits Humains—affects only PNR systems within Europe, it also clouds the future of the EU’s international agreements with the United States and other countries. Last year, the European Commission publicly conceded that the 2012 EU-US PNR agreement is “not fully in line” with CJEU jurisprudence. For example, DHS’s current ability to retain all EU-origin PNR for five years or longer—and to share it with other parts of the US government—stand in glaring contrast to the court’s edicts. This ruling only reinforces that conclusion, while offering the Commission little negotiating room with its international partner.

In other words, the court appears to be calling the shots when it comes to PNR in Europe—and there’s little executive authorities can do about it.

The US government has resisted the prospect of renegotiating the 2012 agreement, and so far the European Commission has not pressed the point. (Washington is currently receiving European-origin PNR under terms that wouldn’t pass muster with the EU court.) Instead, the Commission has concentrated on its ongoing renegotiation of a PNR agreement with Canada and on an internal rethink of its entire approach to international transfers of PNR data. But the resolution of the Ligue des Droits Humains case has advanced the day of reckoning for both Washington and Brussels by showing that the CJEU is unlikely to revisit its earlier rulings cracking down on PNR. A difficult negotiation on a truncated transatlantic PNR agreement is inevitably approaching.

Ironically, both the European Commission and EU member states have become as convinced as the United States of the importance of international PNR-sharing for aviation security purposes. The Commission’s Directorate General for Home Affairs publicly supports PNR-sharing (as do individual member states). And as European governments grudgingly comply with the latest CJEU judgment, they may develop even more sympathy for third countries like the United States that also are subject to the court’s robust data-protection case law.

But solidarity may not count for much in the inevitable negotiations: In this chapter of the transatlantic data-privacy debate, there is no denying the dominance of the EU’s judiciary over its other institutions and the central role played by fundamental rights considerations.

Kenneth Propp is a nonresident senior fellow in the Atlantic Council’s Europe Center and teaches European Union law at Georgetown University Law Center.

Further reading

Image: Passengers carry their luggage inside Brussels Zaventem Airport on June 23, 2022. Photo by Nicolas Economou/NurPhoto/REUTERS