– PNR in Europe: Guidance and Caution by the CJEU –
On 21st June, the CJEU rendered its judgment on the PNR scheme in the EU, based on a challenge brought by the Ligue des droits humains against the Belgian implementing PNR and API law. The present post focuses on the PNR provisions. First, the Court clarified the scope of application of the general data protection instruments in relation to PNR data processing: the LED applies to the personal data processing carried out by the Passenger Information Units (PIUs) and by the law enforcement authorities which obtain access to the PNR data. The private carriers collecting the passenger data and other authorities, e.g. immigration authorities, are subject to the GDPR. Second, the CJEU examined a series of questions concerning the fundamental rights compliance of the different data processing provisions in the framework of PNR data. For example, in relation to the usage of AI, in particular machine learning technologies, for the automated analysis of the PNR data, the Court warned that such technologies are ‘capable of modifying without human intervention or review the assessment process and, in particular, the assessment criteria on which the result of the application of that process is based as well as the weighting of those criteria’ and might hamper individual review, because ‘it might be impossible to understand the reason why a given program arrived at a positive match’. Third, the Court recalled that PNR data may be processed only for the purposes listed in the PNR Directive and not for other purposes, e.g. security and intelligence. Fourth, the Court clarified that if data are to be disclosed to the law enforcement authorities after the initial period of six months, then the disclosure must be approved by an independent competent authority which is different from the PIU. 
Fifth, as concerns the data retention period, the Court ruled that the five-year retention of data about persons in relation to whom there is no evidence that they pose any risk, is in breach of Articles 7, 8 and 52 (1) CFREU. Sixth, according to the Court, PNR schemes which apply indiscriminately to all intra-EU flights and which allow the processing of data for border control and immigration purposes are incompatible with EU law. Finally, the Court ruled that domestic courts may not limit ‘the temporal effects of a declaration of illegality which it is bound to make under national law’ as concerns national law which is incompatible with the PNR Directive and primary EU law. We note that the criticism expressed by the CJEU does not amount to an invalidation of PNR-like schemes as such, which does not come as a surprise after the Court’s Opinion in the framework of the EU-Canada PNR scheme. We also note that the reasoning and conclusions concerning the analysed PNR provisions, especially as concerns their compatibility with fundamental rights, provide general guidelines on the use of AI technologies in the law enforcement field.
– CJEU Considers Termination of DPO –
On 22nd June, the CJEU ruled in the case of Leistritz AG v LH. The case concerned a DPO, whose employment with a company was terminated without notice as the company had chosen to outsource the position. The DPO appealed to national courts and claimed that such a termination was not permissible by virtue of paragraphs 38(2) and 6(4) of the BDSG – German data protection law – under which limits to termination possibilities are outlined. ‘In those circumstances, the Bundesarbeitsgericht (Federal Labour Court, Germany) decided to stay the proceedings and to refer the following questions to the Court of Justice…
- ‘(1) Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the [BDSG], which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his or her employer, to be impermissible, irrespective of whether his or her contract is terminated for performing his or her tasks?
- If the first question is answered in the affirmative: (2) Does the second sentence of Article 38(3) of the GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) of the GDPR, but is mandatory only in accordance with the law of the Member State?
- If the first question is answered in the affirmative: (3) Is the second sentence of Article 38(3) of the GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?’
The CJEU considered only the first question, and concluded in this regard: ‘the second sentence of Article 38(3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.’
– AG Delivers Opinion on Law Enforcement and Data Collection –
On June 30th, AG Pitruzzella delivered their Opinion in the case of Ministerstvo na vatreshnite raboti. The case concerned an individual, who had been indicted in relation to a number of crimes. The indicted individual was then asked to provide a series of types of personal data – including ‘recording[s] of…fingerprints, [a] photograph…and a sample to establish…[a] DNA profile’. The individual refused. A request was then made to the national courts to authorize the forced recording of the data in question. The relevant national court – ‘the Spetsializiran nakazatelen sad (specialized criminal court)’ – however, encountered a series of questions concerning the relevant national legislation. Whilst four questions were referred, the AG, following the request of the Court, focused on questions 3 and 4. These read: ‘3) Is it consistent with Article 6(a) of Directive 2016/680 [concerning differentiation between the personal data of different categories of data subjects, in particular differentiation concerning ‘persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence’] taken in conjunction with Article 48 of the [Charter] that a national law, namely Article 68(4) of the ZMVR provides that, if the person under investigation for an intentional offense prosecuted ex officio refuses to voluntarily cooperate in the recording of personal data (…photographs, dactyloscopy [data] and samples to establish a DNA profile), the court is obliged to order a forced collection of these personal data…[although it] does not have the power to assess whether there are serious grounds for considering that the person has committed the offense? 
4) Is it consistent with Article 10, Article 4(1)(a) and (c), and Article 8(1) and (2) of Directive 2016/680 that a national law, namely Article 68, paragraphs 1 to 3, of the ZMVR, establishes as a general rule, [collection of] photographs, dactyloscopy [data] and swabs for the purpose of establishing a DNA profile of all persons charged with an intentional offense prosecuted ex officio?’
- In relation to the third question, the AG concluded: ‘Article 6(a) of Directive 2016/680, read in the light of Articles 47 and 48 of the Charter, must be interpreted as not [being in opposition to] national legislation, such as that at issue in the main proceedings, which provides that the control of the competent criminal court…[regarding] a request for authorization of the forced execution of the police recording of personal data…[particularly] biometric and genetic data…which the person under investigation for an intentional offense prosecuted ex officio has refused…is limited to…[consideration of the] decision of the indictment and the refusal of the person concerned, without being able to assess the existence of the sufficiency of the evidence that led to the decision to put the…person under investigation… [This is because] the sufficiency of the evidence…can be usefully raised before the judge…during a later phase of the criminal procedure.’
- In relation to the fourth question, the AG concluded: ‘The nature and amount of personal data processed must be strictly adequate and consistent with the objective and purpose pursued. In that regard, national law must pursue one of the aims pursued by Directive 2016/680. It must also indicate…the concrete objectives pursued likely to contribute to the achievement of this purpose. The reasons for…[this] must also be specified in a concrete manner. National law must, moreover, clearly set out the conditions of the processing in all its dimensions, i.e. from the conditions of collection to the conditions of access to data and their erasure, including the precise and necessarily strictly limited determination of the personal scope of the collection and processing measure…These conditions must be limited to what is strictly necessary. The regime thus defined must prove to be such as to effectively protect individuals against the risks of abuse represented, in particular, by the processing of genetic data. It is for the referring court to ensure that all of these requirements are complied with.’
As always, it remains to be seen whether, and to what degree, the Court will follow the AG’s Opinion. Unfortunately, at the time of writing, the Opinion was not available in a language in which the author is fluent. The author has thus relied on electronic translation. Whilst this is not ideal, the editors found the Opinion interesting and worthy of discussion and thus made the decision to include it in this newsletter. The authors cannot, however, rule out the possibility that errors were made in translation or that these errors were reproduced in this report. Accordingly, the authors urge all readers interested in the decision to consult the primary materials themselves.
– EDPS Concerned about the New Europol Regulation –
On 27th June, when the new Europol Regulation was published in the Official Journal, the EDPS issued a press release criticizing the new provisions anchored in the Regulation. The main concern is that they ‘weaken the fundamental right to data protection and do not ensure an appropriate oversight of […] (Europol).’ The novelties allow the enhanced exchange of personal data between Europol and private companies, the deployment of AI technologies and the processing of Big Data, including the personal data of individuals who are not in any way related to criminal activities. In that respect, Member States may now retroactively authorize Europol to process personal data which they had transferred to Europol prior to the entry into force of the new Europol Regulation. This effectively legalizes the practices which the EDPS concluded were illegal, as a result of which the EDPS had ordered the deletion of the data of persons with no link to criminal activities at the beginning of the year. Finally, the EDPS notes that Europol’s Management Board should put in place adequate safeguards against abuse which could result from the new powers given to Europol and that the EDPS expects to be consulted on these safeguards.
– EDPB Adopts Documents in June Plenary –
On 30th June 2022, the EDPB announced it had adopted the following documents in its June Plenary:
- ‘Guidelines on certification as a tool for transfers’
- ‘EDPB response to EDRi regarding the structural and procedural enforcement of the GDPR and its work to promote and safeguard data protection’
- ‘EDPB response to the European Commission’s targeted consultation on a digital euro’
The documents are available on the EDPB’s website at the link below.
– Council of State Rules in Favour of the CNIL Enforcement Powers in Relation to Amazon –
On 27th June, the French Council of State confirmed the € 35 million fine imposed by the CNIL in 2020 on Amazon Europe Core for the placement of advertisement cookies on users’ devices without proper consent and adequate information. In particular, individuals were not informed about the purposes of the cookies and the opt-out opportunities. The CNIL had established two violations on the basis of the French law implementing the e-Privacy Directive. For its part, the Council of State, following the logic of its judgment in the Google case from January 2022, confirmed that the CNIL is competent to impose sanctions on Amazon outside the one-stop-shop mechanism established by the GDPR. It recalled that the CNIL is competent to impose fines even where the controller is not established in France, but where it processes personal data in pursuit of activities on French territory, in casu the pursuit of marketing and advertisement activities. In addition, the Council of State confirmed CNIL’s decision in substance – i.e. the Council confirmed (1) the establishment of a breach due to the lack of consent and adequate information and (2) the amount of the fine, which was deemed proportionate in view of ‘the seriousness of the breaches, the scope of the processing and the financial capacity of the company’.