ECJ: Processing of passenger data only possible to a limited extent
Address, telephone number, luggage details – data like this is often processed when flying. This should help in the fight against terrorism. But are some EU countries going too far?
Luxembourg. According to a ruling by the European Court of Justice, the processing of passenger data by EU countries must be limited to what is absolutely necessary for the fight against terrorism.
In addition, the European Supreme Court made it clear in the judgment of June 21 that the processing of data on flights within the EU violates EU law, provided there is no threat of terrorism (Case C-817/19).
The so-called PNR directive (Passenger Name Record) of the European Union provides for the systematic processing of large numbers of passenger data when crossing an external EU border. This is intended to prevent and detect terrorist offenses and other serious crimes. The stored data includes, for example, address, luggage details, telephone number and the names of fellow travelers.
Human rights organization sees data protection violated
The Belgian human rights organization Ligue des droits humains (League for Human Rights) complained about how Belgium implements the EU rules. Among other things, she sees the right to respect for private life and the protection of personal data as being violated. In addition, the extension of the system to flights within the EU and to transport by means of transport other than air would indirectly reintroduce border controls.
According to Belgian law, airline, train, bus, ferry and travel companies are obliged to pass on the data of their passengers who are traveling across national borders to a central office in which, among other things, the police and secret services are represented. The judgment in the Belgian case must now be made by a national court. According to the judgment of the ECJ, however, the Belgian rules are likely to violate EU law.
PNR policy also for intra-European flights?
The same should apply to the German implementation of the EU directive, since Germany has extended the rules to all intra-European flights. The Administrative Court of Wiesbaden and the District Court of Cologne submitted questions to the ECJ in 2020 on the PNR Directive. Here, too, the ECJ should clarify, among other things, whether the directive is compatible with fundamental rights to respect for private and family life and the protection of personal data.
With regard to the Belgian case, the ECJ now first of all states that the directive is in line with the relevant parts of the European Charter of Fundamental Rights. At the same time, the Court emphasizes that the rules unquestionably constitute a serious interference with, for example, the right to respect for private and family life and the protection of personal data.
According to the ECJ, the powers under the directive must be interpreted narrowly. Then the transmission, processing and storage of the data in question could be considered limited to what is absolutely necessary in the fight against terrorism and serious crime.
Application only in the event of a terrorist threat
This means that the system put in place by the PNR Directive may only cover the information specified in the Annex to the Directive. Also, the system must be limited to terrorist offenses and serious crime with an objective link to the carriage of passengers. Criminal offenses that are mentioned in the directive but fall under common crime in the respective EU country should not be included.
In addition, the extension of the system to some or all EU flights must be limited to what is absolutely necessary. The PNR Directive should only be applied to all EU flights when a country is confronted with a terrorist threat. Basically, the ECJ emphasizes that the directive should not be used to improve border controls and strengthen the fight against illegal immigration. (dpa)