This document is an excerpt from the EUR-Lex website
Document 62019CJ0817
Judgment of the Court (Grand Chamber) of 21 June 2022.
Ligue des droits humains ASBL v Conseil des ministres.
Reference for a preliminary ruling – Processing of personal data – Passenger Name Record (PNR) data – Regulation (EU) 2016/679 – Article 2(2)(d) – Scope – Directive (EU) 2016/681 – Use of PNR data of air passengers of flights operated between the European Union and third countries – Power to include data of air passengers of flights operated within the European Union – Automated processing of those data – Retention period – Fight against terrorist offences and serious crime – Validity – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 21 as well as Article 52(1) – National legislation extending the application of the PNR system to other transport operations within the European Union – Freedom of movement within the European Union – Charter of Fundamental Rights – Article 45.
Case C-817/19.
Judgment of the Court (Grand Chamber) of 21 June 2022.
Ligue des droits humains ASBL v Conseil des ministres.
Reference for a preliminary ruling – Processing of personal data – Passenger Name Record (PNR) data – Regulation (EU) 2016/679 – Article 2(2)(d) – Scope – Directive (EU) 2016/681 – Use of PNR data of air passengers of flights operated between the European Union and third countries – Power to include data of air passengers of flights operated within the European Union – Automated processing of those data – Retention period – Fight against terrorist offences and serious crime – Validity – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 21 as well as Article 52(1) – National legislation extending the application of the PNR system to other transport operations within the European Union – Freedom of movement within the European Union – Charter of Fundamental Rights – Article 45.
Case C-817/19.
Court reports – general – 'Information on unpublished decisions' section
ECLI identifier: ECLI:EU:C:2022:491
Case C‑817/19
Ligue des droits humains
v
Conseil des ministres
(Request for a preliminary ruling from the Cour constitutionnelle (Belgium))
Judgment of the Court (Grand Chamber), 21 June 2022
(Reference for a preliminary ruling – Processing of personal data – Passenger Name Record (PNR) data – Regulation (EU) 2016/679 – Article 2(2)(d) – Scope – Directive (EU) 2016/681 – Use of PNR data of air passengers of flights operated between the European Union and third countries – Power to include data of air passengers of flights operated within the European Union – Automated processing of those data – Retention period – Fight against terrorist offences and serious crime – Validity – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 21 as well as Article 52(1) – National legislation extending the application of the PNR system to other transport operations within the European Union – Freedom of movement within the European Union – Charter of Fundamental Rights – Article 45)
Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Scope – Processing of personal data envisaged by national legislation intended to transpose Directives 2004/82, 2010/65 and 2016/681 – Included – Limits
(European Parliament and Council Regulation 2016/679, Arts 2(2)(d) and 23; European Parliament and Council Directives 2010/65, 2016/680 and 2016/681; Council Directive 2004/82)
(see paragraphs 67, 68, 73, 74, 80, 83, 84, operative part 1)
Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – PNR data – Scope – Air passengers and flights concerned – Automated processing of those data – Infringement of the rights to respect for private life and the protection of personal data – Absence
(Charter of Fundamental Rights of the European Union, Arts 7, 8, 21 and 52(1); European Parliament and Council Directive 2016/681, Arts 1(2), 2, 3(2), (4), (8) and (9), 6, 12 and Annexes I and II)
(see paragraphs 94-97, 111, 122, 123, 129, 131-140, 152, 157, 162, 169-175, 184, 188, 197, 202, 213, 218-220, 223, 225-228, operative part 2)
Fundamental rights – Respect for private life – Protection of personal data – Limitations – Conditions
(Charter of Fundamental Rights of the European Union, Arts 7, 8, and 52(1))
(see paragraphs 115-118)
Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Processing of PNR data – Purposes – Processing for purposes other than those expressly provided for – Unlawful
(Charter of Fundamental Rights of the European Union, Arts 7, 8 and 52(1); European Parliament and Council Directive 2016/681, Arts 1(2) and 6)
(see paragraphs 233, 235, 237, 288, 289, operative part 3)
Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Disclosure of PNR data beyond six months after their transfer by air carriers – Condition – Approval by the competent national authority – Meaning – Passenger information unit – Precluded
(Charter of Fundamental Rights of the European Union, Arts 7 and 8; European Parliament and Council Directive 2016/681, Arts 4(1) to (3) and 12(3)(b))
(see paragraphs 244, 245, 247, operative part 4)
Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Retention period for PNR data – General retention period of five years, applicable indiscriminately to all air passengers – Unlawful
(Charter of Fundamental Rights of the European Union, Arts 7, 8, 45 and 52(1); European Parliament and Council Directive 2016/681, Art. 12)
(see paragraphs 251, 255-259, 262, operative part 5)
Border controls, asylum and immigration – Obligation of carriers to communicate passenger data – Directive 2004/82 – Scope – Intra-EU flights – Precluded
(European Parliament and Council Directive 2016/681, Art. 2; Council Directive 2004/82, Arts 2(a), (b) and (d), 3(1) and (2), and 6 (1))
(see paragraphs 266-269, operative part 6)
Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Application of the directive to intra-EU flights – Application to all intra-EU flights and transport operations carried out by other means within the European Union in the absence of a genuine and present or foreseeable terrorist threat – Unlawful – Limited application – Whether permissible – Conditions
(Art. 3(2) TEU; Art. 67(2) TFEU; Charter of Fundamental Rights of the European Union, Arts 7, 8, 45 and 52(1); European Parliament and Council Directive 2016/681)
(see paragraphs 277-282, 285, 290, 291, operative part 7)
EU law – Primacy – Directive 2016/681 – Annulment, by the national court, of provisions of national law incompatible with that directive – Possibility of maintaining the effects of the provisions in question – Absence – Admissibility of the evidence obtained under those provisions – Application of national law – Limits – Respect for the principles of equivalence and effectiveness
(Art. 3(2) TEU; Art. 67(2) TFEU; Charter of Fundamental Rights of the European Union, Arts 7, 8, 45 and 52(1); European Parliament and Council Directive 2016/681)
(see paragraphs 293-298, operative part 8)
Résumé
PNR (Passenger Name Record) data are reservation information stored by air carriers in their reservation and departure control systems. The PNR Directive ( 1 ) requires those carriers to transfer the data of any passenger on an extra-EU flight operated between a third country and the European Union to the Passenger Information Unit (‘PIU’) of the Member State of destination or departure of the flight concerned, in the fight against terrorist offences and serious crime. The PNR data thus transferred are subject to advance assessment by the PIU ( 2 ) and are then retained for the purposes of a possible subsequent assessment by the competent authorities of the Member State concerned or those of another Member State. A Member State may decide to apply that directive also to intra-EU flights. ( 3 )
The Ligue des droits humains brought an action before the Cour constitutionnelle (Constitutional Court, Belgium) seeking annulment of the Law of 25 December 2016, ( 4 ) which transposes both the PNR Directive and the API Directive ( 5 ) into Belgian law. According to the applicant, that law infringes the right to respect for private life and to the protection of personal data. It criticises, first, the very broad nature of PNR data and, second, the general nature of the collection, transfer and processing of those data. The law also infringes the free movement of persons in that it indirectly restores border controls by extending the PNR system to intra-EU flights and to transport operations carried out by other means within the European Union.
In that context, the Belgian Constitutional Court referred 10 questions to the Court of Justice for a preliminary ruling relating, inter alia, to the validity and interpretation of the PNR Directive as well as to the applicability of the GDPR. ( 6 )
Those questions result in the Court taking another look at the processing of PNR data with regard to the fundamental rights to respect for private life and the protection of personal data ( 7 ) enshrined in the Charter of Fundamental Rights of the European Union. ( 8 ) By its judgment, delivered by the Grand Chamber, the Court confirms that the PNR Directive is valid in so far as it can be interpreted consistently with the Charter and clarifies the interpretation of some of its provisions. ( 9 )
Findings of the Court
After having specified which of the data processing operations provided for by national legislation, such as that at issue, intended to transpose both the API Directive and the PNR Directive are those to which the GDPR’s general rules apply, ( 10 ) the Court verifies the validity of the PNR Directive.
The validity of the PNR Directive
In its judgment, the Court holds that, since the Court’s interpretation of the provisions of the PNR Directive in the light of the fundamental rights guaranteed in Articles 7, 8 and 21 as well as Article 52(1) of the Charter ( 11 ) ensures that that directive is consistent with those articles, the examination of the questions referred has revealed nothing capable of affecting the validity of the said directive.
As a preliminary point, it recalls that an EU act must be interpreted, as far as possible, in such a way as not to affect its validity and in conformity with primary law as a whole and, in particular, with the provisions of the Charter, and the Member States must thus ensure that they do not rely on an interpretation thereof that would be in conflict with the fundamental rights protected by the EU legal order or with the other general principles recognised by EU law. As regards the PNR Directive, the Court states that many recitals and provisions of that directive require such a consistent interpretation, stressing the importance that the EU legislature, by referring to the high level of data protection, gives to the full respect for the fundamental rights enshrined in the Charter.
The Court finds that the PNR Directive entails undeniably serious interferences with the rights guaranteed in Articles 7 and 8 of the Charter, in so far, inter alia, as it seeks to introduce a surveillance regime that is continuous, untargeted and systematic, including the automated assessment of the personal data of everyone using air transport services. It points out that the question whether Member States may justify such an interference must be assessed by measuring its seriousness and by verifying that the importance of the objective of general interest pursued is proportionate to that seriousness.
The Court concludes that the transfer, processing and retention of PNR data provided for by that directive may be considered to be limited to what is strictly necessary for the purposes of combating terrorist offences and serious crime, provided that the powers provided for by that directive are interpreted restrictively. In that regard, the judgment delivered today states, inter alia, that:
– |
The system established by the PNR Directive must cover only clearly identifiable and circumscribed information under the headings set out in Annex I to that directive, which relates to the flight operated and the passenger concerned, which means, for some of the headings set out in that annex, that only the information expressly referred to is covered. ( 12 ) |
– |
Application of the system established by the PNR Directive must be limited to terrorist offences and only to serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air. As regards such serious crime, the application of that system cannot be extended to offences which, although meeting the criterion laid down by that directive relating to the threshold of severity and being referred to in, inter alia, Annex II to that directive, amount to ordinary crime having regard to the particular features of the domestic criminal justice system. |
– |
Any extension of the application of the PNR Directive to selected or all intra-EU flights, which a Member State may decide by exercising the power provided for in that directive, must be limited to what is strictly necessary. For that purpose, it must be open to effective review either by a court or by an independent administrative body whose decision is binding. In that regard, the Court states:
|
– |
For the purposes of the advance assessment of PNR data, the objective of which is to identify persons who require further examination before their arrival or departure and is carried out, as a first step, by means of automated processing, the PIU may, on the one hand, compare those data only against the databases on persons or objects sought or under alert. ( 14 ) Those databases must be non-discriminatory and exploited, by the competent authorities, in relation to the fight against terrorist offences and serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air. As regards, on the other hand, the advance assessment against pre-determined criteria, the PIU cannot use artificial intelligence technology in self-learning systems (‘machine learning’), capable of modifying, without human intervention and review, the assessment process and, in particular, the assessment criteria on which the result of the application of that process is based, as well as the weighting of those criteria. Those criteria must be determined in such a way that their application targets, specifically, individuals who might be reasonably suspected of involvement in terrorist offences or serious crime and takes into consideration both ‘incriminating’ as well as ‘exonerating’ circumstances, while not giving rise to direct or indirect discrimination. ( 15 ) |
– |
In view of the margin of error inherent in such automated processing of PNR data and the fairly substantial number of ‘false positives’, resulting from the application thereof in 2018 and 2019, the appropriateness of the system established by the PNR Directive for the purpose of attaining the objectives pursued essentially depends on the proper functioning of the verification of positive results obtained under those processing operations, which the PIU carries out, as a second step, by non-automated means. In that regard, the Member States must lay down clear and precise rules capable of providing guidance and support for the analysis carried out by the PIU agents in charge of that individual review for the purposes of ensuring full respect for the fundamental rights enshrined in Articles 7, 8 and 21 of the Charter and, in particular, guarantee a uniform administrative practice within the PIU that observes the principle of non-discrimination. In particular, they must ensure that the PIU establishes objective review criteria enabling its agents to verify, on the one hand, whether and to what extent a positive match (‘hit’) concerns effectively an individual who may be involved in terrorist offences or serious crime, as well as, on the other hand, the non-discriminatory nature of automated processing operations. In that context, the Court also points out that the competent authorities must ensure that the person concerned is able to understand how those pre-determined assessment criteria and programs applying those criteria work, so that it is possible for that person to decide with full knowledge of the relevant facts, whether or not to exercise his or her right to a judicial redress. Similarly, in the context of such an action, the court responsible for reviewing the legality of the decision adopted by the competent authorities as well as, except in the case of threats to State security, the persons concerned themselves must have an opportunity to examine both all the grounds and the evidence on the basis of which the decision was taken, including the pre-determined assessment criteria and the operation of the programs applying those criteria. |
– |
The subsequent disclosure and assessment of PNR data, that is to say, after the arrival or departure of the person concerned, may be made only on the basis of new circumstances and objective material which either are capable of giving rise to a reasonable suspicion that that person is involved in serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air, or from which it can be inferred that those data could, in a given case, contribute effectively to the fight against terrorist offences having such a link. The disclosure of PNR data for the purposes of such a subsequent assessment must, as a general rule, except in the event of duly justified urgency, be subject to a prior review carried out either by a court or by an independent administrative authority, upon reasoned request by the competent authorities and irrespective of whether that request was introduced before or after the expiry of the six-month time limit after the transfer of those data to the PIU. ( 16 ) |
Interpretation of the PNR Directive
After establishing the validity of the PNR Directive, the Court provides further clarification as to the interpretation of that directive. First, it points out that the directive lists exhaustively the objectives pursued by the processing of PNR data. Therefore, that directive precludes national legislation which authorises PNR data to be processed for purposes other than the fight against terrorist offences and serious crime. Thus, national legislation that includes, among the purposes for which PNR data are to be processed, monitoring activities within the remit of the intelligence and security services is liable to disregard the exhaustive nature of that list. Likewise, the system established by the PNR Directive cannot be provided for the purposes of improving border controls and combating illegal immigration. ( 17 ) It also follows that PNR data may not be retained in a single database that may be consulted both for the purposes of the PNR Directive as well as for other purposes.
Second, the Court explains the concept of an independent national authority, competent to verify whether the conditions for the disclosure of PNR data, for the purposes of their subsequent assessment, are met and to approve such disclosure. In particular, the authority put in place as the PIU cannot be classified as such since it is not a third party in relation to the authority which requests access to the data. Since the members of its staff may be agents seconded from the authorities entitled to request such access, the PIU appears necessarily linked to those authorities. Accordingly, the PNR Directive precludes national legislation pursuant to which the authority put in place as the PIU is also designated as a competent national authority with power to approve the disclosure of PNR data upon expiry of the period of six months after the transfer of those data to the PIU.
Third, as regards the retention period of PNR data, the Court holds that Article 12 of the PNR Directive, read in the light of Articles 7 and 8 as well as Article 52(1) of the Charter, precludes national legislation which provides for a general retention period of five years for PNR data, applicable indiscriminately to all air passengers.
According to the Court, after expiry of the initial retention period of six months, the retention of PNR data does not appear to be limited to what is strictly necessary as regards air passengers for whom neither the advance assessment nor any verification carried out during the initial retention period of six months, nor any other circumstance, have revealed the existence of objective material – such as the fact that the PNR data of the passengers concerned have given rise to a verified positive match in the context of the advance assessment – capable of establishing a risk that relates to terrorist offences or serious crime having an objective link, even if only an indirect one, with those passengers’ air travel. By contrast, it takes the view that, during the initial period of six months, the retention of the PNR data of all air passengers subject to the system established by that directive does not appear, as a matter of principle, to go beyond what is strictly necessary.
Fourth, the Court provides guidance on the possible application of the PNR Directive, for the purposes of combating terrorist offences and serious crime, to other modes of transport carrying passengers within the European Union. The directive, read in the light of Article 3(2) TEU, Article 67(2) TFEU and Article 45 of the Charter, precludes a system for the transfer and processing of the PNR data of all transport operations carried out by other means within the European Union in the absence of a genuine and present or foreseeable terrorist threat with which the Member State concerned is confronted. In such a situation, as in the case of intra-EU flights, the application of the system established by the PNR Directive must be limited to PNR data of transport operations relating, inter alia, to certain routes or travel patterns, or to certain stations or certain seaports for which there are indications that are such as to justify that application. It is for the Member State concerned to select the transport operations for which there are such indications and to review regularly that application in accordance with changes in the circumstances that justified their selection.
( 1 ) Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ 2016 L 119, p. 132) (‘the PNR Directive’).
( 2 ) The purpose of that advance assessment is to identify persons who require further examination by the competent authorities, in view of the fact that such persons may be involved in a terrorist offence or serious crime. It is to be carried out systematically and by automated means, by comparing PNR data against ‘relevant’ databases or by processing them against pre-determined criteria under Article 6(2)(a) and (3) of the PNR Directive.
( 3 ) Making use of the possibility provided for in Article 2 of the PNR Directive.
( 4 ) Loi du 25 décembre 2016 relative au traitement des données des passagers (Law of 25 December 2016 on the processing of passenger data (Moniteur belge of 25 January 2017, p. 12905)).
( 5 ) Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ 2004 L 261, p. 24) (‘the API Directive’). That directive regulates the transfer of advance passenger information data by air carriers to the competent national authorities (such as the number and type of travel document used as well as nationality) for the purpose of improving border controls and combating illegal immigration.
( 6 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
( 7 ) ‘The fundamental rights guaranteed in Articles 7 and 8 of the Charter’. The Court has already examined the compatibility with those rights of the system for the collection and processing of PNR data envisaged by the draft agreement between Canada and the European Union on the transfer and processing of passenger name record data (Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592)).
( 8 ) ‘The Charter’.
( 9 ) In particular, Article 2 (‘Application of [the] Directive to intra-EU flights’), Article 6 (‘Processing of PNR data’) and Article 12 (‘Period of data retention and depersonalisation’) of the PNR Directive.
( 10 ) The Court clarifies that the GDPR is applicable to the processing of personal data provided for by such legislation, as regards, on the one hand, data processing operations carried out by private operators and, on the other hand, data processing operations carried out by public authorities covered, solely or in addition, by the API Directive. By contrast, the GDPR does not apply to the operations envisaged by such legislation which are covered only by the PNR Directive, and are carried out by the PIU or by the competent authorities in order to combat terrorist offences and serious crime.
( 11 ) In accordance with that provision, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms. In addition, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.
( 12 ) Thus, in particular, ‘forms of payment information’ (heading 6 of the annex) must be limited to the payment methods and billing of the air ticket, to the exclusion of any other information not directly relating to the flight, and the ‘general remarks’ (heading 12) can relate only to the information expressly listed in that heading, relating to passengers who are minors.
( 13 ) The existence of that threat is, in itself, capable of establishing a connection between, on the one hand, the transfer and processing of the data concerned and, on the other, the fight against terrorism. Therefore, making provision for the application of the PNR Directive to all intra-EU flights from or to the said Member State, for a limited period of time, does not go beyond what is strictly necessary, and the decision providing for that application must be open to effective review either by a court or by an independent administrative body.
( 14 ) Namely databases concerning persons or objects sought or under alert within the meaning of Article 6(3)(a) of the PNR Directive. By contrast, analyses using various databases could take the form of ‘data mining’ and could lead to a disproportionate use of those data, providing the means of establishing a detailed profile of the individuals concerned solely because they intend to travel by air.
( 15 ) Pre-determined criteria must be targeted, proportionate and specific, and be regularly reviewed (Article 6(4) of the PNR Directive). The advance assessment against pre-determined criteria must be carried out in a non-discriminatory manner. According to the fourth sentence of Article 6(4) of the PNR Directive, the criteria are in no circumstances to be based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.
( 16 ) Under Article 12(1) and (3) of the PNR Directive, such control is expressly provided for only in respect of requests for disclosure of PNR data made after the six-month time limit after the transfer of those data to the PIU.
( 17 ) That is to say, the objective of the API Directive.