Request for a preliminary ruling from the Verwaltungsgericht Wiesbaden (Germany) lodged on 19 May 2020 — JV v Bundesrepublik Deutschland
(Case C-215/20)
Language of the case: German
Referring court
Verwaltungsgericht Wiesbaden
Parties to the main proceedings
Applicant: JV
Defendant: Bundesrepublik Deutschland
Questions referred
In the light of its objective and the need for clarity and proportionality, is Directive (EU) 2016/681 1 of the European Parliament and of the Council of 27 April 2016 on the [use of passenger name record (PNR) data for the] prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘the PNR Directive’), under which air carriers transfer comprehensive data on every single passenger to the passenger information units (PIUs) established by the Member States, where the data are used without justification for automated comparison against databases and profiles, after which they are retained for a period of five years[,] compatible with the Charter of Fundamental Rights of the European Union, especially Articles 7, 8 and 52 thereof?
In particular:
In the light of the need for sufficient clarity and proportionality and inasmuch as it defines the term ‘serious crime’ within the meaning of the PNR Directive as the offences listed in Annex II that are punishable by a custodial sentence or a detention order for a maximum period of at least three years under the national law of a Member State, is point (9) of Article 3 of the PNR Directive, read in conjunction with Annex II to the PNR Directive, compatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union?
Inasmuch as they require the transfer of the name (first sentence of Article 8(1) of the PNR Directive, read in conjunction with point (4) of Annex I to the Directive), frequent flyer information (first sentence of Article 8(1) of the PNR Directive, read in conjunction with point (8) of Annex I to the Directive) and general remarks in a ‘free text’ box (first sentence of Article 8(1) of the PNR Directive, read in conjunction with point (12) of Annex I to the Directive), are the passenger name record data (‘PNR data’) to be transferred defined with sufficient clarity to justify interference with the rights set out in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union?
Is the fact that data are collected not only on passengers, but also on third parties, such as travel agency/travel agent (point (9) of Annex I to the PNR Directive), guardians of minors (point (12) of Annex I to the PNR Directive) and other travellers (point (17) of Annex I to the PNR Directive), compatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and the purpose of the PNR Directive?
Inasmuch as the PNR data of minor passengers are transferred, processed and retained, is the PNR Directive compatible with Articles 7, 8 and 24 of the Charter of Fundamental Rights of the European Union?
Inasmuch as the PNR data of minor passengers are transferred, processed and retained, is the PNR Directive compatible with Articles 7, 8 and 24 of the Charter of Fundamental Rights of the European Union?
As the legal basis for determining the criteria for data comparison (‘profiles’), is Article 6(4) of the PNR Directive a sufficient legitimate basis laid down by law within the meaning of Article 8(2) and Article 52 of the Charter of Fundamental Rights of the European Union and Article 16(2) TFEU?
As the data transferred are retained by the PIUs of the Member States for a period of five years, does Article 12 of the PNR Directive limit interference with the rights enacted in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union to what is strictly necessary?
Where depersonalisation in accordance with Article 12(2) of the PNR Directive is no more than pseudonymisation that can be reversed at any time, does it reduce the personal data to the minimum required under Articles 8 and 52 of the Charter of Fundamental Rights of the European Union?
Are Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union to be interpreted as meaning that the passengers whose data are de-depersonalised during passenger data processing (Article 12(3) of the PNR Directive) must be notified accordingly and thus afforded the opportunity to seek a judicial review?
Inasmuch as it allows PNR data to be transferred to third countries which do not have an appropriate level of data protection, is Article 11 of the PNR Directive compatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union?
As the ‘free text’ box for ‘general remarks’ (point (12) of Annex I to the PNR Directive) can be used to transfer information such as choice of meal, from which particular categories of personal data can be inferred, does the fourth sentence of Article 6(4) of the PNR Directive afford adequate protection against the processing of those particular categories of personal data within the meaning of Article 9 of Regulation (EU) 2016/679 2 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and Article 10 of Directive (EU) 2016/680 3 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA?
Is the fact that air carriers simply refer passengers on their website to the national transposing legislation (in this case, the Gesetz über die Verarbeitung von Fluggastdaten zur Umsetzung der Richtlinie (EU) 2016/681 (Law on the Processing of Passenger Name Record (PNR) Data for the purpose of transposing Directive (EU) 2016/681) of 6 June 2017 (BGBl (Federal Law Gazette) I, p. 1484) compatible with Article 13 of the General Data Protection Regulation?
____________
1 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ 2016 L 119, p. 132).
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1).
3 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89).