Language of document : ECLI:EU:C:2017:592

OPINION 1/15 OF THE COURT (Grand Chamber)

26 July 2017


Table of contents


I. The request for an Opinion

II. Legal context

A. The Chicago Convention

B. Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice

C. Protocol (No 22) on the position of Denmark

D. Directive 95/46/EC

E. Directive 2004/82/EC

III. The background to the envisaged agreement

IV. The draft Council decision on the conclusion of the envisaged agreement

V. The envisaged agreement

VI. The Parliament’s appraisal set out in its request for an Opinion

A. The appropriate legal basis for the Council decision on the conclusion of the envisaged agreement

B. The compatibility of the envisaged agreement with the provisions of the FEU Treaty and the Charter of Fundamental Rights of the European Union

VII. Summary of the observations submitted to the Court

A. The admissibility of the request for an Opinion

B. The appropriate legal basis for the Council decision on the conclusion of the envisaged agreement

C. The compatibility of the envisaged agreement with the provisions of the FEU Treaty and the Charter

VIII. Position of the Court

A. The admissibility of the request for an Opinion

B. The appropriate legal basis for the Council decision on the conclusion of the envisaged agreement

1. The purpose and content of the envisaged agreement

2. The appropriate legal basis having regard to the FEU Treaty

3. The compatibility of the procedures laid down in Article 16(2) and Article 87(2)(a) TFEU

C. The compatibility of the envisaged agreement with the provisions of the FEU Treaty and the Charter

1. The fundamental rights concerned and the interference with those rights

2. The justification for the interferences resulting from the envisaged agreement

(a) The basis for the processing of PNR data covered by the envisaged agreement

(b) The objective of general interest and respect for the essence of the fundamental rights in question

(c) The appropriateness of the processing of the PNR data covered by the envisaged agreement having regard to the objective of ensuring public security

(d) The necessity of the interferences entailed by the envisaged agreement

(1) The PNR data covered by the envisaged agreement

(i) Whether the envisaged agreement is sufficiently precise as regards the PNR data to be transferred

(ii) Sensitive data

(2) The automated processing of the PNR data

(3) The purposes for which PNR data may be processed

(i) The prevention, detection or prosecution of terrorist offences or serious transnational crime

(ii) Other purposes

(4) The Canadian authorities covered by the envisaged agreement

(5) The air passengers concerned

(6) The retention and use of PNR data

(i) The retention and use of PNR data before the arrival of air passengers, during their stay in Canada and on their departure

(ii) The retention and use of PNR data after the air passengers’ departure from Canada

(7) The disclosure of PNR data

(i) Disclosure of PNR data to government authorities

(ii) Disclosure of PNR data to individuals

3. The individual rights of air passengers

(a) The right to information, the right of access and the right to correction

(b) The right to redress

4. The oversight of PNR data protection safeguards

IX. Answer to the request for an Opinion


(Opinion pursuant to Article 218(11) TFEU — Draft agreement between Canada and the European Union — Transfer of Passenger Name Record data from the European Union to Canada — Appropriate legal bases — Article 16(2), point (d) of the second subparagraph of Article 82(1) and Article 87(2)(a) TFEU — Compatibility with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights of the European Union)

In Opinion procedure 1/15,

REQUEST for an Opinion pursuant to Article 218(11) TFEU, made on 30 January 2015 by the European Parliament,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Tizzano, Vice-President, L. Bay Larsen, T. von Danwitz (Rapporteur), J.L. da Cruz Vilaça, M. Berger, A. Prechal and M. Vilaras, Presidents of Chambers, A. Rosas, E. Levits, D. Šváby, E. Jarašiūnas and C. Lycourgos, Judges,

Advocate General: P. Mengozzi,

Registrar: V. Tourrès, Administrator,

having regard to the written procedure and further to the hearing on 5 April 2016,

after considering the observations submitted on behalf of:

–        the European Parliament, by F. Drexler, A. Caiola and D. Moore, acting as Agents,

–        the Bulgarian Government, by M. Georgieva and E. Petranova, acting as Agents,

–        the Estonian Government, by K. Kraavi-Käerdi, acting as Agent,

–        Ireland, by E. Creedon, G. Hodge and A. Joyce, acting as Agents, and D. Fennelly, Barrister-at-Law, and C. Doyle, Barrister-at-Law,

–        the Spanish Government, by A. Rubio González and M. Sampol Pucurull, acting as Agents,

–        the French Government, by G. de Bergues, D. Colas and F.‑X. Bréchot, acting as Agents,

–        the United Kingdom Government, by C. Brodie and D. Robertson, acting as Agents, and D. Beard QC and S. Ford, Barrister,

–        the Council of the European Union, by M.-M. Joséphidès, S. Boelaert and E. Sitbon, acting as Agents,

–        the European Commission, by P. Van Nuffel, D. Nardi, D. Maidani and P. Costa de Oliveira, acting as Agents,

–        the European Data Protection Supervisor (EDPS), by A. Buchta, G. Zanfir and R. Robert, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 8 September 2016,

gives the following

Opinion

I.      The request for an Opinion

1        The request for an Opinion submitted to the Court by the European Parliament is worded as follows:

‘Is the [envisaged agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data] compatible with the provisions of the Treaties (Article 16 TFEU) and the Charter of Fundamental Rights of the European Union (Articles 7, 8 and Article 52(1)) as regards the right of individuals to the protection of personal data?

Do [point (d) of the second subparagraph of Article 82(1) and Article 87(2)(a)] TFEU constitute the appropriate legal basis for the act of the Council [of the European Union] concluding the envisaged agreement or must this act be based on Article 16 TFEU?’

2        Amongst other documents, the Parliament has submitted the following documents to the Court as annexes to its request for an Opinion:

–        the draft Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (‘the envisaged agreement’);

–        the draft Council Decision on the conclusion, on behalf of the Union, of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (‘the draft Council decision on the conclusion of the envisaged agreement’), and

–        the letter of 7 July 2014, by which the Council sought the Parliament’s approval of the draft decision.

II.    Legal context

A.      The Chicago Convention

3        The Convention on International Civil Aviation, signed at Chicago on 7 December 1944 (United Nations Treaty Series, Volume 15, No 102, ‘the Chicago Convention’), was ratified by Canada and by all the Member States of the European Union, although the latter is not itself a party to that convention.

4        Article 13 of that convention provides:

‘The laws and regulations of a contracting State as to the admission to or departure from its territory of passengers, crew or cargo of aircraft, such as regulations relating to entry, clearance, immigration, passports, customs, and quarantine shall be complied with by or on behalf of such passengers, crew or cargo upon entrance into or departure from, or while within the territory of that State.’

5        The Chicago Convention established the International Civil Aviation Organisation (ICAO), the aim of which, under Article 44 of that convention, is, inter alia, to develop the principles and techniques of international air navigation.

B.      Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice

6        Article 1 of Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice (OJ 2010 C 83, p. 295, ‘Protocol No 21’), provides:

‘Subject to Article 3, the United Kingdom and Ireland shall not take part in the adoption by the Council of proposed measures pursuant to Title V of Part Three of the Treaty on the Functioning of the European Union. The unanimity of the members of the Council, with the exception of the representatives of the governments of the United Kingdom and Ireland, shall be necessary for decisions of the Council which must be adopted unanimously.

...’

7        Article 3(1) of that protocol is worded as follows:

‘The United Kingdom or Ireland may notify the President of the Council in writing, within three months after a proposal or initiative has been presented to the Council pursuant to Title V of Part Three of the Treaty on the Functioning of the European Union, that it wishes to take part in the adoption and application of any such proposed measure, whereupon that State shall be entitled to do so.’

C.      Protocol (No 22) on the position of Denmark

8        The third to fifth paragraphs of the preamble to Protocol (No 22) on the position of Denmark (OJ 2010 C 83, p. 299, ‘Protocol No 22’) state that the high contracting parties:

‘[are] conscious of the fact that a continuation under the Treaties of the legal regime originating in the Edinburgh decision will significantly limit Denmark’s participation in important areas of cooperation of the Union, and that it would be in the best interest of the Union to ensure the integrity of the acquis in the area of freedom, security and justice,

[wish] therefore to establish a legal framework that will provide an option for Denmark to participate in the adoption of measures proposed on the basis of Title V of Part Three of the Treaty on the Functioning of the European Union and [welcome] the intention of Denmark to avail itself of this option when possible in accordance with its constitutional requirements,

[note] that Denmark will not prevent the other Member States from further developing their cooperation with respect to measures not binding on Denmark.’

9        Article 1 of that protocol provides:

‘Denmark shall not take part in the adoption by the Council of proposed measures pursuant to Title V of Part Three of the Treaty on the Functioning of the European Union. The unanimity of the members of the Council, with the exception of the representative of the government of Denmark, shall be necessary for the decisions of the Council which must be adopted unanimously.

For the purposes of this Article, a qualified majority shall be defined in accordance with Article 238(3) of the Treaty on the Functioning of the European Union.’

10      Article 2 of that protocol is worded as follows:

‘None of the provisions of Title V of Part Three of the Treaty on the Functioning of the European Union, no measure adopted pursuant to that Title, no provision of any international agreement concluded by the Union pursuant to that Title, and no decision of the Court of Justice of the European Union interpreting any such provision or measure or any measure amended or amendable pursuant to that Title shall be binding upon or applicable in Denmark; and no such provision, measure or decision shall in any way affect the competences, rights and obligations of Denmark; and no such provision, measure or decision shall in any way affect the Community or Union acquis nor form part of Union law as they apply to Denmark. In particular, acts of the Union in the field of police cooperation and judicial cooperation in criminal matters adopted before the entry into force of the Treaty of Lisbon which are amended shall continue to be binding upon and applicable to Denmark unchanged.’

11      Article 2a of that protocol provides:

‘Article 2 of this Protocol shall also apply in respect of those rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty.’

D.      Directive 95/46/EC

12      Article 25 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) is worded as follows:

‘1.      The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2.      The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

...

6.      The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

...’

E.      Directive 2004/82/EC

13      Article 3(1) and (2) of Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ 2004 L 261, p. 24) provides:

‘1.      Member States shall take the necessary steps to establish an obligation for carriers to transmit at the request of the authorities responsible for carrying out checks on persons at external borders, by the end of check-in, information concerning the passengers they will carry to an authorised border crossing point through which these persons will enter the territory of a Member State.

2.      The information referred to above shall comprise:

–        the number and type of travel document used,

–        nationality,

–        full names,

–        the date of birth,

–        the border crossing point of entry into the territory of the Member States,

–        code of transport,

–        departure and arrival time of the transportation,

–        total number of passengers carried on that transport,

–        the initial point of embarkation.’

III. The background to the envisaged agreement

14      On 18 July 2005, the Council adopted Decision 2006/230/EC on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data (OJ 2006 L 82, p. 14), by which it approved that agreement (‘the 2006 Agreement’). As stated in the preamble thereto, that agreement was concluded having regard to ‘the Government of Canada requirement of air carriers carrying persons to Canada to provide Advance Passenger Information and Passenger Name Record (hereinafter API/PNR) data to the competent Canadian authorities, to the extent it is collected and contained in carriers’ automated reservation systems and departure control systems (DCS)’.

15      Under Article 1(1) of the 2006 Agreement, the purpose of that agreement was ‘to ensure that API/PNR data of persons on eligible journeys is provided in full respect of fundamental rights and freedoms, in particular the right to privacy’. Under Article 3(1) of that agreement, ‘the Parties [agreed] that API/PNR data of persons on eligible journeys [would] be processed as outlined in the Commitments made by the competent authority obtaining the API/PNR data’. In accordance with Annex I to that agreement, the competent authority for Canada was the Canada Border Services Agency (CBSA).

16      On the basis of those commitments, the Commission of the European Communities adopted, on 6 September 2005, Decision 2006/253/EC on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency (OJ 2006 L 91, p. 49). Article 1 of that decision stated that, ‘for the purposes of Article 25(2) of Directive [95/46], the [CBSA] is considered to ensure an adequate level of protection for PNR data transferred from the Community concerning flights bound for Canada in accordance with the [commitments by the CBSA in relation to its PNR program] set out in the Annex’ to that decision. Under Article 7 thereof, Decision 2006/253 ‘[was to] expire three years and six months after the date of its notification, unless extended in accordance with the procedure set out in Article 31(2) of Directive [95/46]’. No such extension took place.

17      Since the period of validity of the 2006 Agreement was, in accordance with Article 5(1) and (2) thereof, linked to that of Decision 2006/253, that agreement expired in September 2009.

18      On 5 May 2010, the Parliament adopted a Resolution on the launch of negotiations for Passenger Name Record (PNR) data agreements with the United States, Australia and Canada (OJ 2011 C 81 E, p. 70). At point 7 of that resolution, the Parliament called for ‘a coherent approach on the use of PNR data for law enforcement and security purposes, establishing a single set of principles to serve as a basis for agreements with third countries’ and invited ‘the Commission to present ... a proposal for such a single model and a draft mandate for negotiations with third countries’, and set out, in point 9 of that resolution, the minimum requirements that were to be met as regards the use of Passenger Name Record data in third countries.

19      On 2 December 2010, the Council adopted a decision, together with negotiation directives, authorising the Commission to open negotiations, on behalf of the Union, with Canada with a view to an agreement on the transfer and use of Passenger Name Records (‘PNR data’) to prevent and combat terrorism and other serious transnational crime.

20      The envisaged agreement, the result of the negotiations with Canada, was initialled on 6 May 2013. On 18 July 2013, the Commission adopted a proposal for a Council decision on the conclusion of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (COM(2013) 528 final, ‘the proposal for a Council decision on the conclusion of the envisaged agreement’) and a proposal for a Council decision on the signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (COM(2013) 529 final).

21      The explanatory memorandum to the proposal for a Council decision on the conclusion of the envisaged agreement contained the following passages:

‘Canadian legislation empowers the [CBSA] to ask each air carrier operating passenger flights to and from Canada to provide it with electronic access to Passenger Name Record (PNR) data prior to the passenger arriving or leaving Canada. The requests of the Canadian authorities are based on section 107.1 of the Customs Act, the Passenger Information (Customs) Regulations, paragraph 148(1)(d) of the Immigration and Refugee Protection Act and Regulation 269 of the Immigration and Refugee Protection Regulations.

This legislation aims at obtaining PNR data electronically in advance of a flight’s arrival and therefore significantly enhances the [CBSA’s] ability to conduct efficient and effective advance risk assessment of passengers and to facilitate bona fide travel, thereby enhancing the security of Canada. The European Union, in cooperating with Canada in the fight against terrorism and other serious transnational crime, views the transfer of PNR data to Canada as fostering international police and judicial cooperation. This will be achieved through the sharing of analytical information containing PNR data obtained by Canada with competent police and judicial authorities of Member States, as well as with Europol and Eurojust within their respective mandates.

...

Air carriers are under an obligation to provide the [CBSA] with access to certain PNR data to the extent it is collected and contained in the air carrier’s automated reservation and departure control systems.

The data protection laws of the [European Union] do not allow European and other carriers operating flights from the [European Union] to transmit the PNR data of their passengers to third countries which do not ensure an adequate level of protection of personal data without adducing appropriate safeguards. A solution is required that will provide the legal basis for the transfer of PNR data from the [European Union] to Canada as a recognition of the necessity and importance of the use of PNR data in the fight against terrorism and other serious transnational crime, whilst providing legal certainty for air carriers. In addition, this solution should be applied homogeneously throughout the European Union in order to ensure legal certainty for air carriers and respect of individuals’ rights to the protection of personal data as well as their physical security.

...’

22      On 30 September 2013, the European Data Protection Supervisor (EDPS) delivered his opinion on those proposals for decisions. The full text of that opinion, a summary of which was published in the Official Journal of the European Union (OJ 2014 C 51, p. 12), is available on the EDPS website.

23      On 5 December 2013, the Council adopted the decision on the signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data. On that same day, the Council decided that the Parliament’s approval would be sought on its draft decision on the conclusion of the envisaged agreement.

24      The envisaged agreement was signed on 25 June 2014.

25      By letter of 7 July 2014, the Council sought the Parliament’s approval of the draft Council decision on the conclusion of the envisaged agreement.

26      On 25 November 2014, the Parliament adopted the resolution on seeking an opinion from the Court of Justice on the compatibility with the Treaties of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (OJ 2016 C 289, p. 2).

IV.    The draft Council decision on the conclusion of the envisaged agreement

27      The draft Council decision on the conclusion of the envisaged agreement designates point (d) of the second subparagraph of Article 82(1) TFEU and Article 87(2)(a) TFEU, in conjunction with Article 218(6)(a) TFEU, as the legal bases for that decision.

28      Recitals 5 and 6 of that draft decision are worded as follows:

‘(5)      In accordance with Article 3 of Protocol No 21 … [the United Kingdom and Ireland] have notified their wish to take part in the adoption of this Decision.

(6)      In accordance with Articles 1 and 2 of Protocol No 22 … Denmark is not taking part in the adoption of this Decision and is not bound by the Agreement or subject to its application.’

29      Article 1 of that draft decision states:

‘The Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data is hereby approved on behalf of the Union.

The text of the Agreement is attached to this Decision.’

V.      The envisaged agreement

30      The envisaged agreement is worded as follows:

‘Canada

and

The European Union,

(the “Parties”),

Seeking to prevent, combat, repress, and eliminate terrorism and terrorist-related offences, as well as other serious transnational crime, as a means of protecting their respective democratic societies and common values to promote security and the rule of law;

Recognising the importance of preventing, combating, repressing, and eliminating terrorism and terrorist-related offences, as well as other serious transnational crime, while preserving fundamental rights and freedoms, in particular rights to privacy and data protection;

Seeking to enhance and encourage cooperation between the Parties in the spirit of the partnership between Canada and the European Union;

Recognising that information sharing is an essential component of the fight against terrorism and related crimes and other serious transnational crime, and that in this context, the use of Passenger Name Record (PNR) data is a critically important instrument to pursue these goals;

Recognising that, in order to safeguard public security and for law enforcement purposes, rules should be laid down to govern the transfer of PNR data by air carriers to Canada;

Recognising that the Parties share common values with respect to data protection and privacy reflected in their respective law;

Mindful of the European Union’s commitments pursuant to Article 6 of the Treaty on European Union on respect for fundamental rights, the right to privacy with regard to the processing of personal data as stipulated in Article 16 of the Treaty on the Functioning of the European Union, the principles of proportionality and necessity concerning the right to private and family life, the respect for privacy, and the protection of personal data under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, Council of Europe Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data [, signed at Strasbourg on 28 January 1981,] and its additional Protocol 181[, signed at Strasbourg on 8 November 2001];

Having regard to the relevant provisions of the Canadian Charter of Rights and Freedoms and Canadian privacy legislation;

Noting the European Union’s commitment to ensuring that air carriers are not prevented from complying with Canadian law regarding the transfer of European Union-sourced PNR data to Canada pursuant to this Agreement;

Acknowledging the successful 2008 joint review of the 2006 Agreement between the Parties on the transfer of PNR data;

Recognising that this Agreement is not intended to apply to Advance Passenger Information which is collected and transmitted by air carriers to Canada for the purpose of border control;

Recognising also that this Agreement does not prevent Canada from continuing to process information from air carriers in exceptional circumstances where necessary to mitigate any serious and immediate threat to air transportation or national security respecting the strict limitations laid down in Canadian law and in any case without exceeding the limitations provided for in this Agreement;

Noting the interest of the Parties, as well as Member States of the European Union in exchanging information regarding the method of transmission of PNR data as well as the disclosure of PNR data outside Canada as set out in the relevant articles of this Agreement, and further noting the European Union’s interest in having this addressed in the context of the consultation and review mechanism set out in this Agreement;

Noting that the Parties may examine the necessity and feasibility of a similar Agreement for the processing of PNR data in the marine mode;

Noting the commitment of Canada that the Canadian Competent Authority processes PNR data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crime in strict compliance with safeguards on privacy and the protection of personal data, as set out in this Agreement;

Stressing the importance of sharing PNR data and relevant and appropriate analytical information containing PNR data obtained under this Agreement by Canada with competent police and judicial authorities of Member States of the European Union, Europol and Eurojust as a means to foster international police and judicial cooperation;

Affirming that this Agreement does not constitute a precedent for any future arrangements between Canada and the European Union, or between either of the Parties and any other Party, regarding the processing and transfer of PNR data or regarding data protection;

Having regard to the Parties’ mutual commitment to the application and further development of international standards for the processing of PNR data;

have agreed as follows:

General provisions

Article 1

Purpose of the Agreement

In this Agreement, the Parties set out the conditions for the transfer and use of Passenger Name Record (PNR) data to ensure the security and safety of the public and prescribe the means by which the data is protected.

Article 2

Definitions

For the purposes of this Agreement:

(a)      “air carrier” means a commercial transportation company using aircraft as its means of transport for passengers travelling between Canada and the European Union;

(b)      “[PNR data]” means the records created by an air carrier for each journey booked by or on behalf of any passenger, necessary for the processing and control of reservations. Specifically, as used in this Agreement, PNR data consists of the elements set out in the Annex to this Agreement;

(c)      “processing” means any operation or set of operations performed on PNR data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, calling-up, retrieval, consultation, use, transfer, dissemination, disclosure or otherwise making available, alignment or combination, blocking, masking, erasure, or destruction;

(d)      “Canadian Competent Authority” means the Canadian authority responsible for receiving and processing PNR data under this Agreement;

(e)      “sensitive data” means any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information about a person’s health or sex life.

Article 3

Use of PNR data

1.      Canada shall ensure that the Canadian Competent Authority processes PNR data received pursuant to this Agreement strictly for the purpose of preventing, detecting, investigating or prosecuting terrorist offences or serious transnational crime.

2.      For the purposes of this Agreement, “terrorist offence” includes:

(a)      an act or omission that is committed for a political, religious or ideological purpose, objective or cause with the intention of intimidating the public with regard to its security, including its economic security, or with the intention of compelling a person, government or domestic or international organisation to do or refrain from doing any act, and that intentionally:

(i)      causes death or serious bodily harm;

(ii)      endangers an individual’s life;

(iii)      causes a serious risk to the health or safety of the public;

(iv)      causes substantial property damage likely to result in the harm referred to in (i) to (iii); or

(v)      causes serious interference with or serious disruption of an essential service, facility or system, other than as a result of lawful or unlawful advocacy, protest, dissent or stoppage of work, such as a strike, that is not intended to result in the harm referred to in (i) to (iii); or

(b)      activities constituting an offence within the scope and as defined in applicable international conventions and protocols relating to terrorism; or

(c)      knowingly participating in or contributing to or instructing a person, a group, or an organisation to carry out any activity for the purpose of enhancing a terrorist entity’s ability to facilitate or carry out an act or omission described in (a) or (b); or

(d)      committing an indictable offence where the act or omission constituting the offence is committed for the benefit of, at the direction of, or in association with a terrorist entity; or

(e)      collecting property or inviting a person, a group, or an organisation to provide, providing or making available property or financial or other related services for the purpose of carrying out an act or omission described in (a) or (b) or using or possessing property for the purpose of carrying out an act or omission described in (a) or (b); or

(f)      attempting or threatening to commit an act or omission described in (a) or (b), conspiring, facilitating, instructing or counselling in relation to an act or omission described in (a) or (b), or being an accessory after the fact, or harbouring or concealing for the purpose of enabling a terrorist entity to facilitate or carry out an act or omission described in (a) or (b).

(g)      For the purposes of this paragraph, “terrorist entity” means:

(i)      a person, a group, or an organisation that has as one of its purposes or activities facilitating or carrying out an act or omission described in (a) or (b); or

(ii)      a person, a group, or an organisation that knowingly acts on behalf of, at the direction of or in association with such a person, group or organisation in (i).

3.      Serious transnational crime means any offence punishable in Canada by a maximum deprivation of liberty of at least four years or a more serious penalty and as they are defined by the Canadian law, if the crime is transnational in nature.

For the purposes of this Agreement, a crime is considered as transnational in nature if it is committed in:

(a)      more than one country;

(b)      one country but a substantial part of its preparation, planning, direction or control takes place in another country;

(c)      one country but involves an organised criminal group that engages in criminal activities in more than one country;

(d)      one country but has substantial effects in another country; or

(e)      one country and the offender is in or intends to travel to another country.

4.      In exceptional cases, the Canadian Competent Authority may process PNR data where necessary to protect the vital interests of any individual, such as:

(a)      a risk of death or serious injury; or

(b)      a significant public health risk, in particular as required by internationally recognised standards.

5.      Canada may also process PNR data, on a case- by-case basis in order to:

(a)      ensure the oversight or accountability of the public administration; or

(b)      comply with the subpoena or warrant issued, or an order made, by a court.

Article 4

Ensuring PNR data is provided

1.      The European Union shall ensure that air carriers are not prevented from transferring PNR data to the Canadian Competent Authority pursuant to this Agreement.

2.      Canada shall not require an air carrier to provide elements of PNR data which are not already collected or held by the air carrier for reservation purposes.

3.      Canada shall delete upon receipt any data transferred to it by an air carrier, pursuant to this Agreement, if that data element is not listed in the Annex.

4.      The Parties shall ensure that air carriers may transfer PNR data to the Canadian Competent Authority through authorised agents, who act on behalf of and under the responsibility of the air carrier, for the purpose of and under the conditions laid down in this Agreement.

Article 5

Adequacy

Subject to compliance with this Agreement, the Canadian Competent Authority is deemed to provide an adequate level of protection, within the meaning of relevant European Union data protection law, for the processing and use of PNR data. An air carrier that provides PNR data to Canada under this Agreement is deemed to comply with European Union legal requirements for PNR data transfer from the European Union to Canada.

Article 6

Police and judicial cooperation

1.      Canada shall share, as soon as practicable, relevant and appropriate analytical information containing PNR data obtained under this Agreement with Europol, Eurojust, within the scope of their respective mandates, or the police or a judicial authority of a Member State of the European Union. Canada shall ensure that this information is shared in accordance with agreements and arrangements on law enforcement or information sharing between Canada and Europol, Eurojust, or that Member State.

2.      Canada shall share, at the request of Europol, Eurojust, within the scope of their respective mandates, or the police or a judicial authority of a Member State of the European Union, PNR data or analytical information containing PNR data obtained under this Agreement, in specific cases to prevent, detect, investigate, or prosecute within the European Union a terrorist offence or serious transnational crime. Canada shall make this information available in accordance with agreements and arrangements on law enforcement, judicial cooperation, or information sharing, between Canada and Europol, Eurojust or that Member State.

Safeguards applicable to the processing of PNR data

Article 7

Non-discrimination

Canada shall ensure that the safeguards applicable to the processing of PNR data apply to all passengers on an equal basis without unlawful discrimination.

Article 8

Use of sensitive data

1.      If the PNR data collected regarding a passenger includes sensitive data, Canada shall ensure that the Canadian Competent Authority masks sensitive data using automated systems. Canada shall ensure that the Canadian Competent Authority shall not further process such data except in accordance with paragraphs 3, 4 and 5.

2.      Canada shall provide the European Commission with a list of codes and terms identifying sensitive data that Canada is required to mask. Canada shall provide that list within 90 days of the entry into force of this Agreement.

3.      Canada may process sensitive data on a case-by-case basis in exceptional circumstances where such processing is indispensable because an individual’s life is in peril or there is a risk of serious injury.

4.      Canada shall ensure that sensitive data is processed in accordance with paragraph 3 exclusively under strict procedural measures, including the following:

(a)      processing of sensitive data is approved by the Head of the Canadian Competent Authority;

(b)      sensitive data is processed only by a specifically and individually authorised official; and

(c)      once unmasked, sensitive data is not processed using automated systems.

5.      Canada shall delete sensitive data no later than 15 days from the date that Canada receives it unless Canada retains it in accordance with Article 16(5).

6.      If, in accordance with paragraphs 3, 4 and 5, the Canadian Competent Authority processes sensitive data concerning an individual who is a citizen of a Member State of the European Union, Canada shall ensure that the Canadian Competent Authority notifies the authorities of that Member State of the processing at the earliest appropriate opportunity. Canada shall issue that notification in accordance with agreements and arrangements on law enforcement or information sharing between Canada and that Member State.

Article 9

Data security and integrity

1.      Canada shall implement regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss.

2.      Canada shall ensure compliance verification and the protection, security, confidentiality, and integrity of the data. Canada shall:

(a)      apply encryption, authorisation, and documentation procedures to the PNR data;

(b)      limit access to PNR data to authorised officials;

(c)      hold PNR data in a secure physical environment that is protected with access controls; and

(d)      establish a mechanism that ensures that PNR data queries are conducted in a manner consistent with Article 3.

3.      If an individual’s PNR data is accessed or disclosed without authorisation, Canada shall take measures to notify that individual, to mitigate the risk of harm, and to take remedial action.

4.      Canada shall ensure that the Canadian Competent Authority promptly informs the European Commission of any significant incidents of accidental, unlawful or unauthorised access, processing or loss of PNR data.

5.      Canada shall ensure that any breach of data security, in particular leading to accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any unlawful forms of processing will be subject to effective and dissuasive corrective measures which might include sanctions.

Article 10

Oversight

1.      The data protection safeguards for the processing of PNR data under this Agreement will be subject to oversight by an independent public authority, or by an authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy (the “overseeing authority”). Canada shall ensure that the overseeing authority has effective powers to investigate compliance with the rules related to the collection, use, disclosure, retention, or disposal of PNR data. The overseeing authority may conduct compliance reviews and investigations, may report findings and make recommendations to the Canadian Competent Authority. Canada shall ensure that the overseeing authority has the power to refer violations of law related to this Agreement for prosecution or disciplinary action, when appropriate.

2.      Canada shall ensure that the overseeing authority ensures that complaints relating to non-compliance with this Agreement are received, investigated, responded to, and appropriately redressed.

Article 11

Transparency

1.      Canada shall ensure that the Canadian Competent Authority makes the following available on its website:

(a)      a list of the legislation authorising the collection of PNR data;

(b)      the reason for the collection of PNR data;

(c)      the manner of protecting the PNR data;

(d)      the manner and extent to which the PNR data may be disclosed;

(e)      information regarding access, correction, notation and redress; and

(f)      contact information for inquiries.

2.      The Parties shall work with interested parties, such as the air travel industry, to promote transparency, preferably at the time of booking, by providing the following information to passengers:

(a)      the reasons for PNR data collection;

(b)      the use of PNR data;

(c)      the procedure for requesting access to PNR data; and

(d)      the procedure for requesting the correction of PNR data.

Article 12

Access for individuals

1.      Canada shall ensure that any individual may access their PNR data.

2.      Canada shall ensure that the Canadian Competent Authority, within a reasonable time shall:

(a)      provide the individual with a copy of their PNR data if the individual makes a written request for their PNR data;

(b)      reply in writing to any request;

(c)      provide the individual with access to recorded information confirming that the individual’s PNR data has been disclosed, if the individual requests that confirmation;

(d)      set out the legal or factual reasons for any refusal to allow access to the individual’s PNR data;

(e)      inform the individual if the PNR data does not exist;

(f)      inform the individual that they may make a complaint and of the complaint procedure.

3.      Canada may make any disclosure of information subject to reasonable legal requirements and limitations, including any limitations necessary to prevent, detect, investigate, or prosecute criminal offences, or to protect public or national security, with due regard for the legitimate interests of the individual concerned.

Article 13

Correction or Annotation for individuals

1.      Canada shall ensure that any individual may request the correction of their PNR data.

2.      Canada shall ensure that the Canadian Competent Authority considers all written requests for correction and shall, within a reasonable time:

(a)      correct the PNR data and notify the individual that the correction has been made; or

(b)      refuse all or part of the correction, and:

(i)      attach a note to the PNR data reflecting any correction requested that was refused;

(ii)      notify the individual that:

i.      the request for correction is refused, and set out the legal or factual reasons for the refusal;

ii.      the note under subparagraph (i) is attached to the PNR data; and

(c)      inform the individual that they may make a complaint and of the complaint procedure.

Article 14

Administrative and judicial redress

1.      Canada shall ensure that an independent public authority, or an authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy, will receive, investigate and respond to complaints lodged by an individual concerning their request for access, correction or annotation of their PNR data. Canada shall ensure that the relevant authority will notify the complainant of the means of seeking the judicial redress set out in paragraph 2.

2.      Canada shall ensure that any individual who is of the view that their rights have been infringed by a decision or action in relation to their PNR data may seek effective judicial redress in accordance with Canadian law by way of judicial review, or such other remedy which may include compensation.

Article 15

Decisions based on automated processing

Canada shall not take any decisions significantly adversely affecting a passenger solely on the basis of automated processing of PNR data.

Article 16

Retention of PNR data

1.      Canada shall not retain PNR data for more than five years from the date that it receives the PNR data.

2.      Canada shall restrict access to a limited number of officials specifically authorised by Canada.

3.      Canada shall depersonalise the PNR data through masking the names of all passengers 30 days after Canada receives it.

Two years after Canada receives the PNR data, Canada shall further depersonalise it through masking the following:

(a)      other names on PNR, including number of travellers on PNR;

(b)      all available contact information (including originator information);

(c)      general remarks including other supplementary information (OSI), special service information (SSI) and special service request (SSR) information, to the extent that it contains any information capable of identifying a natural person; and

(d)      any advance passenger information (API) data collected for reservation purposes to the extent that it contains any information capable of identifying a natural person.

4.      Canada may unmask PNR data only if on the basis of available information, it is necessary to carry out investigations under the scope of Article 3, as follows:

(a)      from 30 days to two years after initial receipt only by a limited number of specifically authorised officials; and

(b)      from two years to five years after initial receipt, only with prior permission by the Head of the Canadian Competent Authority, or a senior official specifically mandated by the Head.

5.      Notwithstanding paragraph 1:

(a)      Canada may retain PNR data, required for any specific action, review, investigation, enforcement action, judicial proceeding, prosecution, or enforcement of penalties, until concluded;

(b)      Canada shall retain the PNR data referred to in (a) for an additional two-year period only to ensure the accountability of or oversee public administration so that it may be disclosed to the passenger should the passenger request it.

6.      Canada shall destroy the PNR data at the end of the PNR data retention period.

Article 17

Logging and Documenting of PNR Data Processing

Canada shall log and document all processing of PNR data. Canada shall only use a log or document to:

(a)      self-monitor and to verify the lawfulness of data processing;

(b)      ensure proper data integrity;

(c)      ensure the security of data processing; and

(d)      ensure oversight and accountability of the public administration.

Article 18

Disclosure within Canada

1.      Canada shall ensure that the Canadian Competent Authority does not disclose PNR data to other government authorities in Canada unless the following conditions are met:

(a)      the PNR data is disclosed to government authorities whose functions are directly related to the scope of Article 3;

(b)      the PNR data is disclosed only on a case-by-case basis;

(c)      under the particular circumstances the disclosure is necessary for the purposes stated in Article 3;

(d)      only the minimum amount of PNR data necessary is disclosed;

(e)      the receiving government authority affords protection equivalent to the safeguards described in this Agreement; and

(f)      the receiving government authority does not disclose the PNR data to another entity unless the disclosure is authorised by the Canadian Competent Authority respecting the conditions laid down in this paragraph.

2.      When transferring analytical information containing PNR data obtained under this Agreement, the safeguards applying to PNR data in this Article shall be respected.

Article 19

Disclosure outside Canada

1.      Canada shall ensure that the Canadian Competent Authority does not disclose PNR data to government authorities in countries other than the Member States of the European Union unless the following conditions are met:

(a)      the PNR data is disclosed to government authorities whose functions are directly related to the scope of Article 3;

(b)      the PNR data is disclosed only on a case-by-case basis;

(c)      the PNR data is disclosed only if necessary for the purposes stated in Article 3;

(d)      only the minimum PNR data necessary is disclosed;

(e)      the Canadian Competent Authority is satisfied that:

(i)      the foreign authority receiving the PNR data applies standards to protect the PNR data that are equivalent to those set out in this Agreement, in accordance with agreements and arrangements that incorporate those standards; or

(ii)      the foreign authority applies the standards to protect the PNR data that it has agreed with the European Union.

2.      If, in accordance with paragraph 1, the Canadian Competent Authority discloses PNR data of an individual who is a citizen of a Member State of the European Union, Canada shall ensure that the Canadian Competent Authority notifies the authorities of that Member State of the disclosure at the earliest appropriate opportunity. Canada shall issue this notification in accordance with agreements and arrangements on law enforcement or information sharing between Canada and that Member State.

3.      When transferring analytical information containing PNR data obtained under this Agreement, the safeguards applying to PNR data in this Article shall be respected.

Article 20

Method of transfer

The Parties shall ensure that air carriers transfer PNR data to the Canadian Competent Authority exclusively on the basis of the push method and in accordance with the following procedures to be observed by air carriers:

(a)      transfer PNR data by electronic means in compliance with the technical requirements of the Canadian Competent Authority or, in case of technical failure, by any other appropriate means ensuring an appropriate level of data security;

(b)      transfer PNR data using a mutually accepted messaging format;

(c)      transfer PNR data in a secure manner using common protocols required by the Canadian Competent Authority.

Article 21

Frequency of transfer

1.      Canada shall ensure that the Canadian Competent Authority requires an air carrier to transfer the PNR data:

(a)      on a scheduled basis with the earliest point being up to 72 hours before scheduled departure; and

(b)      a maximum of five times, for a particular flight.

2.      Canada shall ensure that the Canadian Competent Authority informs air carriers of the specified times for the transfers.

3.      In specific cases where there is an indication that additional access is necessary to respond to a specific threat related to the scope as described in Article 3, the Canadian Competent Authority may require an air carrier to provide PNR data prior to, between or after the scheduled transfers. In exercising this discretion, Canada shall act judiciously and proportionately and use the method of transfer described in Article 20.

Implementing and final provisions

Article 22

PNR data received prior to the entry into force of this Agreement

Canada shall apply the terms of this Agreement to all PNR data which it holds at the time this Agreement enters into force.

Article 23

Reciprocity

1.      If the European Union adopts a PNR data processing regime for the European Union, the Parties shall consult to determine whether this Agreement should be amended to ensure full reciprocity.

2.      The respective authorities of Canada and the European Union shall cooperate to pursue the coherence of their PNR data processing regimes in a manner that further enhances the security of citizens of Canada, the European Union and elsewhere.

Article 24

Non-derogation

This Agreement shall not be construed to derogate from any obligation between Canada and Member States of the European Union or third countries to make or respond to an assistance request under a mutual assistance instrument.

...

Article 26

Consultation, review and amendments

...

2.      The Parties shall jointly review the implementation of this Agreement one year after its entry into force, at regular intervals thereafter, and additionally if requested by either Party and jointly decided.

...

Article 28

Duration

1.      Subject to paragraph 2, this Agreement remains in force for a period of seven years from the date of entry into force.

2.      At the end of every seven-year period, this Agreement automatically renews for an additional seven years, unless one Party advises the other that it does not intend to renew this Agreement. The Party must notify the other Party in writing through diplomatic channels, at least six months before the expiry of the seven-year period.

3.      Canada shall continue to apply the terms of this Agreement to all PNR data obtained before the termination of this Agreement.

...

Annex

[PNR] data elements referred to in Article 2(b)

1.      PNR locator code

2.      Date of reservation / issue of ticket

3.      Date(s) of intended travel

4.      Name(s)

5.      Available frequent flier and benefit information (free tickets, upgrades, etc.)

6.      Other names on PNR, including number of travellers on PNR

7.      All available contact information (including originator information)

8.      All available payment / billing information (not including other transaction details linked to a credit card or account and not connected to the travel transaction)

9.      Travel itinerary for specific PNR

10.      Travel agency / travel agent

11.      Code share information

12.      Split / divided information

13.      Travel status of passenger (including confirmations and check-in status)

14.      Ticketing information, including ticket number, one way tickets and Automated Ticket Fare Quote

15.      All baggage information

16.      Seat information, including seat number

17.      General remarks including Other Supplementary Information (OSI), Special Service Information (SSI) and Special Service Request (SSR) information

18.      Any Advance Passenger Information (API) data collected for reservation purposes

19.      All historical changes to the PNR data listed in numbers (1) to (18). ’

VI.    The Parliament’s appraisal set out in its request for an Opinion

A.      The appropriate legal basis for the Council decision on the conclusion of the envisaged agreement

31      According to the Parliament, although the envisaged agreement pursues two aims, in accordance with Article 1 thereof, namely to ensure the security and safety of the public and to prescribe the means by which PNR data will be protected, its principal aim is, however, the protection of personal data. EU law on the protection of data of that nature precludes the transfer of PNR data to non-member countries which do not ensure an adequate level of protection of personal data. Accordingly, the envisaged agreement seeks to create a form of ‘adequacy decision’, as provided for in Article 25(6) of Directive 95/46, in order provide a legal basis for the lawful transfer of PNR data from the European Union to Canada. That approach is identical to that previously adopted in the 2006 Agreement and Decision 2006/253, the latter having been taken on the basis of Article 25(6) of Directive 95/46.

32      Consequently, the choice of point (d) of the second subparagraph of Article 82(1) and Article 87(2)(a) TFEU as legal bases for the Council decision on the conclusion of the envisaged agreement is incorrect. That decision ought instead to have been based on Article 16 TFEU, since that article applies to all areas of EU law, including those referred to in Title V of Part Three of the FEU Treaty, relating to the area of freedom, security and justice, as is confirmed by the Declaration on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon (OJ 2010 C 83, p. 345).

33      According to the Parliament, the content of the envisaged agreement confirms its assessment that the main component of that agreement relates to the protection of personal data. Most of the provisions of the envisaged agreement, in particular, the key articles thereof, namely Article 4(1) and Article 5, which constitute the legal basis for the lawful transfer of PNR data from the European Union to Canada, concern the protection of personal data. Furthermore, that agreement does not provide for the transfer of PNR data by the European authorities to the Canadian authorities, but rather for the transfer of such data by private entities, namely the airline companies, to the Canadian authorities. Accordingly, it is difficult to conclude that those provisions come under judicial and police cooperation as such. Moreover, Article 6 of the envisaged agreement, entitled ‘Police and judicial cooperation’, is merely incidental compared with Articles 4 and 5 thereof, since it cannot be applied without those latter articles themselves being applied beforehand. Canada would not be able to communicate the information in question without having previously received the PNR data from the air carriers, which, for their part, may transfer the PNR data to Canada only on the basis of an ‘adequacy decision’. Furthermore, Article 6 does not regulate the exchange of information between the authorities concerned and merely refers to other international agreements in this area.

34      Should the Court nevertheless consider that the envisaged agreement pursues aims each inseparable from the others, the Council decision on the conclusion of that agreement could then be based on all three of Article 16, point (d) of the second subparagraph of Article 82(1) and Article 87(2)(a) TFEU. As regards the possible applicability of Protocol No 21 and Protocol No 22, the Parliament refers to the case-law of the Court resulting from the judgment of 27 February 2014, United Kingdom v Council (C‑656/11, EU:C:2014:97, paragraph 49), that the legality of the choice of the legal basis for a European Union measure is not affected by the consequence that that choice may have as regards whether one of the protocols annexed to the Treaties applies.

B.      The compatibility of the envisaged agreement with the provisions of the FEU Treaty and the Charter of Fundamental Rights of the European Union

35      The Parliament submits that, having regard to the serious doubts expressed by the EDPS, in particular, in his opinion of 30 September 2013, and to the case-law resulting from the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238), there is legal uncertainty as to whether the envisaged agreement is compatible with Article 16 TFEU and with Article 7, Article 8 and Article 52(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’).

36      According to the Parliament, the transfer of PNR data from the European Union to Canada for the purposes of the Canadian authorities possibly accessing that data, as provided for in the envisaged agreement, falls within the scope of Articles 7 and 8 of the Charter. That data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose PNR data is processed, such as their permanent or temporary places of residence, their movements and their activities. That agreement therefore entails wide-ranging and particularly serious interferences with the fundamental rights guaranteed in Articles 7 and 8 of the Charter.

37      Referring to the requirements set out in Article 52(1) and Article 8(2) of the Charter, the Parliament submits that the question therefore arises whether the envisaged agreement is a ‘law’ within the meaning of those provisions, and whether it may serve as the basis for limitations on the exercise of the rights guaranteed in Articles 7 and 8 of the Charter. Although the term ‘law’ dovetails with the notion of a ‘legislative act’ provided for in the FEU Treaty, an international agreement does not constitute such a legislative act, and the question therefore arises whether it might not be more appropriate to adopt an internal measure based on Article 16 TFEU, rather than to conclude an international agreement under Article 218 TFEU, such as the envisaged agreement.

38      As regards the principle of proportionality, the Parliament refers to the case-law of the Court resulting from the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 47 and 48), and submits that, in this instance, the EU legislature’s discretion is reduced and the judicial review of compliance with the conditions stemming from that principle must be strict since, in particular, interferences with fundamental rights are at issue.

39      Furthermore, it follows from the case-law of the European Court of Human Rights resulting from the judgment of that court of 1 July 2008, Liberty and Others v. the United Kingdom (CE:ECHR:2008:0701JUD005824300, §§ 62 and 63), and from the case-law of the Court of Justice resulting from the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 54 and the case-law cited), that the envisaged agreement ought to lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards, such that the persons whose personal data has been processed have sufficient guarantees to protect effectively that data against the risk of abuse and against any unlawful access and use of that data.

40      In the first place, the Parliament questions, in a general manner, whether the establishment of a ‘PNR system’ is necessary, within the meaning of the second sentence of Article 52(1) of the Charter. It submits that, to date, the Council and the Commission have not shown, on the basis of objective factors, that the conclusion of the envisaged agreement is in fact necessary.

41      In the second place, the Parliament submits that the envisaged agreement affects all air passengers in a comprehensive manner, without those passengers being in a situation liable to give rise to criminal prosecutions and without a link being required between their PNR data and a threat to public security. Not only is there a general absence of limits but the criteria and conditions laid down in that agreement are vague and do not serve to limit the processing of PNR data by the Canadian authorities to what is strictly necessary. The Parliament also notes that the agreement does not make access to that data by the Canadian authorities dependent on a prior review being carried out by a court, or by an independent administrative body, in order to ensure that the access to and use of such data is limited to that which is strictly necessary for the purposes of attaining the objective pursued, and that it takes place following a reasoned request addressed to that court or body, submitted in the framework of procedures of prevention, detection or criminal prosecutions.

42      In the third place, as regards the period during which the PNR data is to be retained, set at five years by Article 16 of the envisaged agreement, that period applies without any distinction to all air passengers. Furthermore, the Council has not provided any justification, based on objective criteria, as regards the choice of such a period. Even supposing that the three and a half-year period laid down in the 2006 Agreement were admissible, the question arises as to why it was necessary to extend that period to five years.

43      In the fourth place and lastly, the Parliament submits that the envisaged agreement does not guarantee that the measures which the Canadian authorities are to take will be adequate and will meet the essential requirements of Article 8 of the Charter and Article 16 TFEU.

VII. Summary of the observations submitted to the Court

44      Written observations relating to the present request for an Opinion were submitted by the Bulgarian and Estonian Governments, Ireland, the Spanish, French and United Kingdom Governments, and by the Council and the Commission.

45      Furthermore, the Court put a number of questions to the Member States and to the institutions, to be answered in writing, under Article 196(3) of the Rules of Procedure of the Court, and also invited the EDPS to respond thereto, pursuant to the second paragraph of Article 24 of the Statute of the Court of Justice of the European Union. The EDPS sent his observations to the Court.

A.      The admissibility of the request for an Opinion

46      The French Government and the Council question the admissibility of the second question of the present request for an Opinion. First, they submit that the Parliament has not, by asking that question, called in question the power of the European Union to conclude the envisaged agreement or the allocation of powers between the European Union and the Member States in that regard. Second, even if incorrect, recourse to Articles 82 and 87 TFEU does not affect the procedure to be followed for the adoption of the Council decision on the conclusion of the envisaged agreement, since both the application of Article 16 TFEU and the application of Articles 82 and 87 TFEU require the ordinary legislative procedure to be followed. Consequently, Article 218(6)(a)(v) TFEU would be applicable in either case and, therefore, the Parliament’s approval would be required.

B.      The appropriate legal basis for the Council decision on the conclusion of the envisaged agreement

47      The Bulgarian and Estonian Governments, Ireland, the French and United Kingdom Governments, the Council and the Commission submit that the principal objective of the envisaged agreement is to ensure the security and safety of the public, as is clear, inter alia, from the first to third and fifth paragraphs of the preamble thereto, and from Articles 1 and 3 thereof. Were the protection of personal data also to be regarded as constituting an objective of that agreement, it would be incidental to the principal objective.

48      The Council and the Commission add that, although the transfer of PNR data to non-member countries must comply with the Charter, the stipulations in the envisaged agreement concerning the protection of such data nevertheless constitute merely the means by which that agreement pursues the objective of combating terrorism and serious transnational crime. Consequently, the fact that the agreement lays down, by means of a significant number of stipulations, the detailed rules and conditions for the transfer of PNR data in compliance with fundamental rights and may create a form of ‘adequacy decision’ does not affect the fact that the principal objective of the agreement remains the security and safety of the public. They submit that Article 16 TFEU would constitute the appropriate legal basis for an act only where the principal objective of that act is the protection of personal data. Conversely, acts having as their purpose the implementation of sectoral policies requiring certain processing of personal data should be based on the legal basis corresponding to the policy concerned and should comply with both Article 8 of the Charter and the European Union measures adopted on the basis of Article 16 TFEU.

49      As regards the possible combination of Article 16, point (d) of the second subparagraph of Article 82(1) and Article 87(2)(a) TFEU as substantive legal bases for the Council decision on the conclusion of the envisaged agreement, the French Government submits, in the alternative, that such a combination is conceivable where those legal bases are mutually compatible in that they all require the ordinary legislative procedure. It is true that, in principle, in the light of the fact that, in accordance with Protocol No 21 and Protocol No 22, Ireland and the United Kingdom and the Kingdom of Denmark do not take part in the adoption of acts pursuant to Title V of Part Three of the FEU Treaty, an act may not be based both on provisions falling within the scope of that title and on provisions which do not fall within the scope of that title. However, in the event of the adoption, on the basis of Article 16 TFEU, of rules relating to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or 5 of Title V of Part Three of the FEU Treaty, Ireland and the United Kingdom and the Kingdom of Denmark would not take part in the adoption of such rules since those Member States would not be bound by them in accordance with Article 6a of Protocol No 21 and Article 2a of Protocol No 22.

50      By contrast, according to the Council, the combination of Article 16 TFEU, on the one hand, and Articles 82 and 87 TFEU, on the other, would not be legally permissible, having regard to the specific rules governing the voting arrangements within the Council under Protocol No 21 and Protocol No 22 with regard to the participation of Ireland and the United Kingdom, and the Kingdom of Denmark, respectively.

C.      The compatibility of the envisaged agreement with the provisions of the FEU Treaty and the Charter

51      The Member States which submitted observations to the Court, the Council and the Commission all maintain, in essence, that the envisaged agreement is compatible with the provisions of the FEU Treaty and the Charter.

52      As regards the existence of an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, the Estonian and French Governments agree with the Parliament that the envisaged agreement entails such an interference since, under Article 4(1), it requires the European Union to not prevent the transfer of PNR data to the Canadian Competent Authority and, under Article 3, it provides for the processing of that data by that authority. Nonetheless, the French Government submits that such an interference should not be considered to be particularly serious, since it is less far-reaching than that which resulted from Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 24), which came before the Court in the case which gave rise to the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238). Furthermore, PNR data does not allow very precise conclusions to be drawn concerning the private life of air passengers.

53      The Member States which submitted observations, the Council and the Commission all maintain that the envisaged agreement pursues an objective of general interest, namely combating terrorism and serious transnational crime.

54      As regards the requirements stemming from the principle of proportionality, the Council and the Commission agree with the Parliament and observe, inter alia, referring to the case-law of the Court resulting from the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 54), and to Article 6(1)(c) of Directive 95/46, that the envisaged agreement must lay down clear and precise rules governing the scope and application of the interference in question and sufficient guarantees to protect effectively personal data against the risk of abuse and against any unlawful access to and use of that data.

55      As regards, in particular, whether the transfer of PNR data to Canada is necessary, the Commission accepts, as does the Council, that there are no precise statistics which make it possible to ascertain the contribution which that data makes to the prevention and detection of crime and terrorism, and to the investigation and prosecution of offences of those types. However, information from third countries and from Member States which already use that data for law enforcement purposes confirms that the use of PNR data is essential. In particular, the explanatory memorandum to the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (COM(2011) 32 final), of 2 February 2011, states that the experience of certain countries shows that the use of PNR data has led to critical progress in the fight against drug trafficking, human trafficking and terrorism, and a better understanding of the composition and operations of terrorist and other criminal networks.

56      Furthermore, the Canadian authorities have provided information showing that PNR data has made a decisive contribution to the ability to identify potential suspects involved in terrorist acts or serious crime. Thus, whereas 28 million air passengers flew between the European Union and Canada between April 2014 and March 2015, that data made it possible to arrest 178, and to carry out drugs seizures in 71 cases and seizures of child pornography material in two cases. That data also made it possible to initiate or further pursue investigations in relation to terrorism in 169 cases. Lastly, the Communication from the Commission, of 21 September 2010, on the global approach to transfers of Passenger Name Record (PNR) data to third countries (COM(2010) 492 final, ‘Communication COM(2010) 492’), states that the European Union ‘has an obligation to itself and to third countries to cooperate with them in the fight against [terrorist threats and serious transnational crime]’.

57      The Estonian Government, Ireland, the Spanish, French and United Kingdom Governments, the Council and the Commission submit, in essence, that the envisaged agreement complies with the requirements stemming from the principle of proportionality and that the present case may be distinguished from the case which gave rise to the judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238). The mechanism provided for by that agreement is more akin to the systematic border checks conducted at external borders and to the security checks carried out in airports than to data retention such as that covered by Directive 2006/24. Furthermore, the agreement, the nature and effects of which are considerably more limited than those of that directive, contains, unlike that directive, strict rules concerning the conditions of and limits on access to and use of the data, as well as rules relating to the security of that data. Lastly, that agreement makes provision for oversight of compliance with those rules by an independent authority, for the persons concerned to be informed about the transfer and processing of their data, for a right of access to and correction of the data, as well as for administrative and judicial redress in order to ensure that the rights of those persons are safeguarded.

58      As regards the Parliament’s argument that the envisaged agreement does not make the transfer of PNR data conditional on the existence of a threat to public security, the Estonian, French and United Kingdom Governments and the Commission submit, in essence, that the use of such data is intended to identify persons hitherto unknown to the competent services who present a potential risk to security, while persons already known to present such a risk can be identified on the basis of advance passenger information data. If solely the transfer of PNR data concerning persons already reported as presenting a risk to security were authorised, the objective of prevention could consequently not be attained.

59      As regards the limits concerning the use of PNR data, the Council and the Commission submit that the reference to Canadian law in Article 3(3) of the envisaged agreement does not support the conclusion that that agreement is too vague. Those institutions observe in that regard that, in an international agreement, it is difficult to include concepts provided for only in EU law. As regards Article 3(5)(b) of that agreement, the Council and the Commission submit that that provision reflects the obligation which the Canadian Constitution imposes on all Canadian public authorities to comply with binding decisions issued by a judicial authority. Furthermore, that provision presupposes that access to the PNR data would be examined by the judicial authority in the light of the criteria of necessity and proportionality and that the reasons for such access would be set out in the judicial decision. Lastly, the Canadian authorities have never applied that provision in practice since the coming into force of the 2006 Agreement.

60      As regards the limits concerning the authorities and individuals having access to PNR data, the Council and the Commission submit that the failure to identify the Canadian Competent Authority in the envisaged agreement is a procedural issue which has no impact on the observance, in that agreement, of the principle of proportionality. In any event, in June 2014, Canada informed the European Union that the Canadian Competent Authority, within the meaning of Article 2(d) of that agreement, is the CBSA. Since, in accordance with Article 16(2) of the envisaged agreement, Canada is required to restrict access to PNR data to a ‘limited number of officials specifically authorised by Canada’, it follows that only members of staff of the CBSA are authorised to receive and process that data. Further additional safeguards are set out in Article 9(2)(a) and (b), and Article 9(4) and (5) of that agreement.

61      As regards the fact that the envisaged agreement does not make access to PNR data conditional on a prior review being carried out by a judicial or independent administrative authority, Ireland submits that such a review is not indispensable having regard to the safeguards already provided for under Articles 11 to 14, 16, 18 and 20 of that agreement. The Estonian and United Kingdom Governments submit that it is not possible to determine in advance the criteria corresponding to the PNR data that is to be processed and, therefore, it is not possible systematically to require prior authorisation to be obtained. Such authorisation could thus only be general and would not therefore add value.

62      As regards the disclosure of PNR data to other authorities, the Commission observes that Articles 1, 3, 18 and 19 of the envisaged agreement define strictly the purposes for which that data may be processed and the conditions under which it may be disclosed. In any event, that institution notes, any disclosure of PNR data must, in accordance with Article 17 of that agreement, be logged and documented, and is subject to a posteriorireview by the independent authority.

63      As regards the period during which PNR data is to be retained, the Estonian and French Governments, Ireland and the United Kingdom Government submit that this does not go beyond that which is strictly necessary within the overall context of the envisaged agreement. Given the complex and challenging nature of investigations into terrorism and serious transnational crime, a certain period of time may elapse between the journey undertaken by a passenger concerned and the time when law enforcement authorities need to access PNR data for the purposes of detecting, investigating or prosecuting such crimes. Criminal proceedings may, in some circumstances, be concluded more than five years after the transfer of PNR data. Furthermore, account should be taken of the provisions of Article 16 of that agreement which imposes strict rules on the masking and unmasking of PNR data with the aim of further protecting personal data, and of Article 8(5) of the agreement, which makes special provision for sensitive data.

64      The Council and the Commission add that the period during which PNR data is to be retained must be determined, in accordance with Article 6 of Directive 95/46, in the light of the necessity for that data for achieving the objectives pursued by its collection, so that the proportionality of a given retention period cannot be assessed in the abstract. Those institutions note that the five-year retention period laid down in the envisaged agreement was considered, by the parties to that agreement, to be strictly necessary for achieving the objectives pursued by it. They add that, conversely, a period of three and a half years, such as that laid down in the 2006 Agreement, would, according to Canada, be liable to prevent PNR data from being used effectively in order to detect situations presenting a high risk of terrorism or organised crime, in the light of the fact that the investigations take time. Furthermore, under Article 16(3), the envisaged agreement provides for an initial depersonalisation of PNR data 30 days after receipt thereof and for further depersonalisation after two years.

65      As regards the control, by an independent authority, of compliance with the rules on the protection of personal data required by Article 8(3) of the Charter and Article 16(2) TFEU, the Council and the Commission submit that the failure to identify the Canadian Competent Authority in the envisaged agreement does not call in question the adequacy of the measures that Canada is required to adopt. Those institutions add that the identity of the competent authorities referred to in Articles 10 and 14 of that agreement were communicated to the Commission.

66      As regards compliance with the case-law of the Court resulting, in particular, from the judgment of 9 March 2010, Commission v Germany (C‑518/07, EU:C:2010:125, paragraph 30), according to which a supervisory authority must enjoy independence allowing it to perform its duties without being subject to external influence, the Commission observes that the Privacy Commissioner of Canada is an independent authority at both an institutional level and an operational level. The Commission adds that, in the light of the fact that Canadian legislation does not provide for a right of access for foreign nationals not residing in Canada, provision had to be made, in Articles 10 and 14 of the envisaged agreement, for the establishment of ‘an authority created by administrative means’ in order to ensure that all persons potentially concerned may exercise their rights, including the right of access.

VIII. Position of the Court

67      As a preliminary point, it should be recalled that it is settled case-law of the Court that the provisions of an international agreement entered into by the European Union under Articles 217 and 218 TFEU form an integral part of the EU legal system as from the coming into force of that agreement (see, to that effect, judgments of 30 April 1974, Haegeman, 181/73, EU:C:1974:41, paragraph 5, and of 11 March 2015, Oberto and O’Leary, C‑464/13 and C‑465/13, EU:C:2015:163, paragraph 29; Opinion 2/13 (Accession of the European Union to the ECHR) of 18 December 2014, EU:C:2014:2454, paragraph 180). The provisions of such an agreement must therefore be entirely compatible with the Treaties and with the constitutional principles stemming therefrom.

A.      The admissibility of the request for an Opinion

68      Under Article 218(11) TFEU, a Member State, the Parliament, the Council or the Commission may obtain the opinion of the Court as to whether an agreement the conclusion of which is envisaged is compatible with the Treaties.

69      In accordance with the settled case-law of the Court, that provision has the aim of forestalling complications which would result from legal disputes concerning the compatibility with the Treaties of international agreements that are binding upon the European Union. A possible decision of the Court of Justice, after the conclusion of an international agreement that is binding upon the European Union, to the effect that such an agreement is, by reason either of its content or of the procedure adopted for its conclusion, incompatible with the provisions of the Treaties would inevitably provoke serious difficulties, not only in the internal EU context, but also in that of international relations, and might give rise to adverse consequences for all interested parties, including third countries (Opinion 2/13 (Accession of the European Union to the ECHR) of 18 December 2014, EU:C:2014:2454, paragraphs 145 and 146 and the case-law cited).

70      It must be possible, therefore, for all questions that are liable to give rise to doubts as to the substantive or formal validity of the agreement with regard to the Treaties to be examined in the context of the procedure provided for in Article 218(11) TFEU. A judgment on the compatibility of an agreement with the Treaties may in that regard depend, inter alia, not only on provisions concerning the powers, procedure or organisation of the institutions of the European Union, but also on provisions of substantive law (see, to that effect, concerning Article 300(6) EC, Opinion 1/08 (Agreements modifying the Schedules of Specific Commitments under the GATS) of 30 November 2009, EU:C:2009:739, paragraph 108 and the case-law cited). The same is true of a question relating to the compatibility of an international agreement with the first subparagraph of Article 6(1) TEU and, consequently, with the guarantees enshrined in the Charter, since the Charter has the same legal status as the Treaties.

71      As regards the question of the appropriate legal basis for the Council decision on the conclusion of the envisaged agreement, it should be recalled that the choice of the appropriate legal basis has constitutional significance, since, having only conferred powers, the European Union must link the acts which it adopts to provisions of the FEU Treaty which actually empower it to adopt such acts (see, to that effect, judgment of 1 October 2009, Commission v Council, C‑370/07, EU:C:2009:590, paragraph 47).

72      Consequently, proceeding on an incorrect legal basis is liable to invalidate the act concluding the agreement itself, and so vitiate the European Union’s consent to be bound by the agreement it has signed.

73      The argument of the French Government and of the Council that, in this instance, the potentially incorrect choice of legal basis does not affect the power of the European Union to conclude the envisaged agreement, the allocation of powers between the European Union and the Member States in this regard, or indeed the procedure for adoption to be followed, does not render the second question raised in the present request for an Opinion inadmissible.

74      Indeed, having regard to the function of the procedure provided for in Article 218(11) TFEU, recalled in paragraph 69 of this Opinion, which is to forestall, by a prior referral to the Court, possible complications at European Union level and at international level which would result from the invalidation of an act concluding an international agreement, the mere risk of such invalidation suffices for the referral to the Court to be allowed. Furthermore, the question of what practical effects, in a given case, the incorrect choice of legal basis or legal bases would have on the validity of an act concluding an international agreement, such as the Council decision on the conclusion of the envisaged agreement, is inextricably linked to the examination of the substance of the question of the appropriate legal basis and, therefore, cannot be assessed in the context of the admissibility of a request for an Opinion.

75      It follows from the foregoing that the present request for an Opinion is admissible in its entirety.

B.      The appropriate legal basis for the Council decision on the conclusion of the envisaged agreement

76      In accordance with settled case-law of the Court, the choice of the legal basis for a European Union act, including one adopted in order to conclude an international agreement, must rest on objective factors amenable to judicial review, which include the aim and the content of that measure (judgments of 6 May 2014, Commission v Parliament and Council, C‑43/12, EU:C:2014:298, paragraph 29, and of 14 June 2016, Parliament v Council, C‑263/14, EU:C:2016:435, paragraph 43 and the case-law cited).

77      If an examination of a European Union act reveals that it pursues a twofold purpose or that it comprises two components and if one of these is identifiable as the main one, whereas the other is merely incidental, the act must be based on a single legal basis, namely that required by the main or predominant purpose or component. Exceptionally, if it is established, however, that the act simultaneously pursues a number of objectives, or has several components, which are inextricably linked without one being incidental to the other, such that various provisions of the Treaties are applicable, such a measure will have to be founded on the various corresponding legal bases (judgment of 14 June 2016, Parliament v Council, C‑263/14, EU:C:2016:435, paragraph 44 and the case-law cited).

78      Nonetheless, recourse to a dual legal basis is not possible where the procedures laid down for each legal basis are incompatible with each other (judgment of 6 November 2008, Parliament v Council, C‑155/07, EU:C:2008:605, paragraph 37 and the case-law cited).

79      It is in the light of those considerations that it is necessary to determine the appropriate legal basis for the Council decision on the conclusion of the envisaged agreement.

1.      The purpose and content of the envisaged agreement

80      The contracting parties intend, as stated in the third paragraph of the preamble to the envisaged agreement, to enhance and encourage their cooperation by that agreement. To that end, Article 1 of the agreement, entitled ‘Purpose of Agreement’, states that ‘the Parties set out the conditions for the transfer and use of [PNR data] to ensure the security and safety of the public and prescribe the means by which the data is protected’.

81      As regards the objective of protecting the security and safety of the public set out in Article 1, the first paragraph of the preamble to the envisaged agreement states, inter alia, that the parties are seeking to prevent, combat, repress, and eliminate terrorism and terrorist-related offences, as well as other serious transnational crime. From that perspective, the preamble highlights, in the second and fourth paragraphs, the importance of the fight against terrorism and terrorist-related offences, as well as other serious transnational crime, and of the use of PNR data and of information sharing for the purposes of that fight. On the basis of those considerations, the fifth paragraph of the preamble states that rules should be laid down to govern the transfer of PNR data by air carriers to Canada in order to safeguard public security and for law enforcement purposes. Lastly, the sixteenth paragraph of the preamble highlights the importance of sharing PNR data and relevant and appropriate analytical information containing PNR data obtained by Canada with competent police and judicial authorities of Member States of the European Union, Europol and Eurojust as a means to foster international police and judicial cooperation.

82      Consequently, the envisaged agreement should be regarded as pursuing the objective of ensuring public security by means of the transfer of PNR data to Canada and use of that data within the framework of the fight against terrorist offences and serious transnational crime, including by means of sharing that data with the competent authorities of Member States of the European Union, Europol and Eurojust.

83      As regards the second objective set out in Article 1 of the envisaged agreement, namely that of prescribing the means by which PNR data is to be protected, it should be observed, first, that the second, sixth and seventh paragraphs of the preamble to that agreement highlight the need to respect fundamental rights, in particular, the right to respect for private life and the right to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter, respectively, in a manner that is consistent with the commitments of the European Union under Article 6 TEU, while recalling that the contracting parties share common values with respect to data protection and privacy.

84      Second, it follows from the provisions of Article 5 of the envisaged agreement that the rules with which the Canadian Competent Authority must comply when processing PNR data are deemed to ensure an adequate level of protection, required under EU law, as regards the protection of personal data and, therefore, that agreement also pursues the objective of ensuring such a level of data protection.

85      It is in the light of those considerations that Article 1 of the envisaged agreement sets out expressly the two objectives pursued by that agreement.

86      As regards the content of the envisaged agreement, it should be observed that the first part of the agreement, entitled ‘General provisions’ (Articles 1 to 6), contains Article 5 which states that, subject to compliance with the agreement, the Canadian Competent Authority is deemed to provide an adequate level of protection, within the meaning of relevant European Union data protection law, for the processing and use of PNR data, and that an air carrier that provides such data to Canada under the agreement is deemed to comply with European Union legal requirements for the transfer of that data from the European Union to Canada. The first part of the envisaged agreement also contains Article 4, paragraph 1 of which provides that the European Union is to ensure that air carriers are not prevented from transferring PNR data to the Canadian Competent Authority, that authority being the authority responsible for receiving and processing that data under Article 2(d) of that agreement. In addition, Article 3 of the envisaged agreement, which sets out the purposes justifying the processing of PNR data by the Canadian Competent Authority, states, in paragraph 1, that such processing is authorised strictly for the purpose of preventing, detecting, investigating or prosecuting terrorist offences or serious transnational crime, although Article 3(4) and (5) provides for very limited exceptions to that rule. Lastly, under Article 6 of that agreement, PNR data and relevant and appropriate analytical information containing such data are to be shared or made available to the competent judicial or police authorities of the Member States, Europol and Eurojust, in accordance with agreements and arrangements on law enforcement or information sharing.

87      In the second part, entitled ‘Safeguards applicable to the processing of PNR data’ (Articles 7 to 21), the envisaged agreement sets out the rules and principles that govern and delimit the use of PNR data in Canada by the Canadian Competent Authority and its disclosure to other government authorities of that non-member country and to government authorities of third countries. Thus, the envisaged agreement contains a non-discrimination clause in Article 7 and, in Article 8, a specific rule on sensitive data together with limiting conditions on the use of such data. The second part also lays down rules, set out in Articles 9 and 10 of that agreement, respectively, relating to security and integrity of PNR data and to oversight of compliance with the safeguards set out in the agreement. Articles 11 to 14 of the agreement lay down a rule regarding transparency and set out the rights of persons whose PNR data is concerned, such as the right of access to data, the right to request correction thereof and the right to redress.

88      In addition, the second part of the envisaged agreement requires, in Article 15, that Canada should not take decisions adversely affecting a passenger to a significant extent solely on the basis of the automated processing of PNR data and, in Article 16, lays down rules relating to, inter alia, the period during which that data may be retained and to the masking and unmasking of such data. Furthermore, the second part lays down, in Articles 18 and 19, rules concerning the disclosure of PNR data by the Canadian Competent Authority and, in Articles 20 and 21, rules governing the method and frequency of transfer of such data.

89      It is clear from the particulars of the content of the envisaged agreement that that agreement relates, in particular, to the establishment of a system consisting of a body of rules intended to protect personal data and with which Canada has undertaken to comply, as stated in the 15th paragraph of the preamble to that agreement, when processing PNR data.

90      Having regard both to its aims and its content, the envisaged agreement therefore has two components, one relating to the necessity of ensuring public security and the other to the protection of PNR data.

91      As regards which of those two components is the preponderant one, it should be observed that, admittedly, the transfer of PNR data by air carriers to Canada and the use of that data by the Canadian Competent Authority are justified, in themselves, only by the objective of ensuring public security in that non-member country and in the European Union.

92      However, the content of the envisaged agreement largely consists of detailed rules to ensure that the transfer of PNR data to Canada, with a view to its use for the purposes of the protection of public security and safety, takes place under conditions consistent with the protection of personal data.

93      In this connection, it must be pointed out that the transfer of personal data, such as PNR data, from the European Union to a non-member country is lawful only if there are rules in that country which ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union (see, to that effect, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraphs 68 and 74).

94      It follows that the two components of the envisaged agreement are inextricably linked. They must, therefore, both be considered to be fundamental in nature.

2.      The appropriate legal basis having regard to the FEU Treaty

95      Having regard to the foregoing considerations, the decision on the conclusion of the envisaged agreement relates, in the first place, directly to the objective pursued by Article 16(2) TFEU.

96      That provision constitutes, without prejudice to Article 39 TEU, an appropriate legal basis where the protection of personal data is one of the essential aims or components of the rules adopted by the EU legislature, including those falling within the scope of the adoption of measures covered by the provisions of the FEU Treaty relating to judicial cooperation in criminal matters and police cooperation, as is confirmed by Article 6a of Protocol No 21 and Article 2a of Protocol No 22, and the Declaration referred to in paragraph 32 of this Opinion.

97      It follows that the Council decision on the conclusion of the envisaged agreement must be based on Article 16 TFEU.

98      In the second place, that decision must also be based on Article 87(2)(a) TFEU. That provision states that, for the purposes of Article 87(1) TFEU, according to which the Union is to ‘establish police cooperation involving all the Member States’ competent authorities’, the Parliament and the Council may establish measures concerning ‘the collection, storage, processing, analysis and exchange of relevant information’.

99      In this connection, it should be observed, first, that relevant information, within the meaning of Article 87(2)(a) TFEU, in relation to the prevention, detection and investigation of criminal offences, may include personal data and, second, that the terms ‘processing’ and ‘exchange’ of such data cover both its transfer to the Member States’ competent authorities in this area and its use by those authorities. In those circumstances, measures concerning the transfer of personal data to competent authorities in relation to the prevention, detection and investigation of criminal offences and the processing of that data by those same authorities fall within the scope of the police cooperation referred to in Article 87(2)(a) TFEU and may be based on that provision.

100    In this instance, the envisaged agreement establishes, inter alia, rules governing both the transfer of PNR data to the Canadian Competent Authority and the use of that data by that authority. That authority is, in accordance with Article 2(d), read in conjunction with Article 3(1) of that agreement, competent to process PNR data for the purpose of preventing, detecting, investigating or prosecuting terrorist offences or serious transnational crime. Furthermore, Article 6 of that agreement provides that Canada is to share, as soon as is practicable, relevant and appropriate analytical information containing PNR data with Europol and Eurojust and the judicial and police authorities of a Member State. Article 6 also provides that, at the request of those agencies and authorities, Canada is to share PNR data or analytical information containing such data, in specific cases, for the purpose of preventing, detecting, investigating or prosecuting within the European Union a terrorist offence or serious transnational crime. As the Advocate General has observed in points 105 and 106 of his Opinion, the agreement therefore concerns the processing and exchange of relevant information within the meaning of Article 87(2)(a) TFEU and also relates, as is clear, inter alia, from paragraph 80 of this Opinion, to the objective set out in Article 87(1) TFEU.

101    In those circumstances, the fact that PNR data is initially collected by air carriers for commercial purposes and not by a competent authority in relation to the prevention, detection and investigation of criminal offences does not, contrary to what the Parliament claims, preclude Article 87(2)(a) TFEU from also constituting an appropriate legal basis for the Council decision on the conclusion of the envisaged agreement.

102    By contrast, that decision cannot be based on point (d) of the second subparagraph of Article 82(1) TFEU, which provides for the possibility for the Parliament and the Council to adopt measures to ‘facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions’.

103    As the Advocate General has observed in point 108 of his Opinion, none of the provisions of the envisaged agreement refer to facilitating such cooperation. As for the Canadian Competent Authority, that authority does not constitute a judicial authority, nor does it constitute an equivalent authority.

104    In those circumstances, having regard to the case-law cited in paragraph 77 of this Opinion, the Council decision on the conclusion of the envisaged agreement should be based on both Article 16(2) and Article 87(2)(a) TFEU, unless such a combination of legal bases is not possible in accordance with the case-law referred to in paragraph 78 of this Opinion.

3.      The compatibility of the procedures laid down in Article 16(2) and Article 87(2)(a) TFEU

105    As a preliminary point, it should be recalled that, in the context of the procedure for concluding an international agreement in accordance with Article 218 TFEU, it is the substantive legal bases of the decision concluding that agreement which determine the type of procedure applicable under Article 218(6) TFEU (judgment of 24 June 2014, Parliament v Council, C‑658/11, EU:C:2014:2025, paragraph 58).

106    The two substantive legal bases applicable in this instance, namely Article 16(2) and Article 87(2)(a) TFEU, provide for the use of the ordinary legislative procedure, which entails qualified majority voting in the Council and the Parliament’s full participation. Consequently, the use of both of those provisions does not entail, in principle, different adoption procedures.

107    However, the Council submits, in essence, that, on account of the provisions set out in Protocol No 21 and Protocol No 22, the voting rules within the Council differ according to whether a decision concluding an international agreement is based on Article 16(2) or on Article 87(2)(a) TFEU.

108    In this connection, it should be observed that it is true that the Court has held that Protocol No 21 and Protocol No 22 are not capable of having any effect whatsoever on the question of the correct legal basis for the adoption of the decision concerned (see, to that effect, judgment of 22 October 2013, Commission v Council, C‑137/12, EU:C:2013:675, paragraph 73).

109    Nevertheless, since a difference in the voting rules within the Council may result in the incompatibility of the legal bases in question (see, to that effect, judgments of 10 January 2006, Commission v Parliament and Council, C‑178/03, EU:C:2006:4, paragraph 58, and of 19 July 2012, Parliament v Council, C‑130/10, EU:C:2012:472, paragraphs 47 and 48), it is appropriate to verify the effect of those protocols on the voting rules within the Council in the event that recourse were to be had to both Article 16(2) and Article 87(2)(a) TFEU for founding the Council decision on the conclusion of the envisaged agreement.

110    So far as Protocol No 21 is concerned, it is apparent from recital 5 of the draft Council decision on the conclusion of the envisaged agreement that Ireland and the United Kingdom notified their wish to take part in the adoption of that decision. Consequently, as the Advocate General has observed in point 128 of his Opinion, the provisions of that protocol will not affect the voting rules within the Council in the event of recourse to both Article 16(2) and Article 87(2)(a) TFEU for founding that decision.

111    As regards Protocol No 22, as is apparent from the third to the fifth paragraphs of the preamble thereto and as the Advocate General has observed in point 132 of his Opinion, that protocol seeks to establish a legal framework which allows Member States to pursue the development of their cooperation in the area of freedom, security and justice through the adoption, without the Kingdom of Denmark taking part, of measures which do not bind that Member State, whilst affording that Member State the option of participating in the adoption of measures in that area and of being bound by them under the conditions set out in Article 8 of that protocol.

112    To that end, the first paragraph of Article 1 of Protocol No 22 states that the Kingdom of Denmark is not to take part in the adoption by the Council of proposed measures pursuant to Title V of Part Three of the FEU Treaty. Furthermore, Article 2 of that protocol provides that the Kingdom of Denmark is not bound by such measures. In accordance with Article 2a of that protocol, Article 2 thereof is ‘also [to] apply in respect of those rules laid down on the basis of Article 16 [TFEU] which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of that Treaty’, namely those which fall within the scope of police cooperation and judicial cooperation in criminal matters.

113    In this instance, since the decision on the conclusion of the envisaged agreement must be based on both Article 16 and Article 87 TFEU and falls, therefore, within the scope of Chapter 5 of Title V of Part Three of the FEU Treaty in so far as it must be founded on Article 87 TFEU, the Kingdom of Denmark will not be bound, in accordance with Articles 2 and 2a of Protocol No 22, by the provisions of that decision, nor, consequently, by the envisaged agreement. Furthermore, the Kingdom of Denmark will not take part in the adoption of that decision, in accordance with Article 1 of that protocol.

114    Contrary to what the Council appears to be suggesting, that conclusion is not affected by the fact that Article 2a of Protocol No 22 merely refers to Article 2 of that protocol without, however, expressly excluding participation by the Kingdom of Denmark in the adoption of rules which are founded on Article 16 TFEU and which are referred to therein.

115    In this connection, it is clear from a systematic reading of that protocol that Article 2 thereof may not be read and applied independently of Article 1 of that protocol. The rule laid down in Article 2 that the Kingdom of Denmark is not bound by the measures, provisions and decisions referred to therein is intrinsically linked to the rule laid down in Article 1 that that Member State is not to take part in the adoption of measures pursuant to Title V of Part Three of the FEU Treaty, and therefore neither of those rules can be understood without the other. In those circumstances, the reference in Article 2a to Article 2 of Protocol No 22 must necessarily be interpreted as also covering Article 1 thereof.

116    Furthermore, as the Advocate General has observed in point 132 of his Opinion, it would be contrary to the objective of Protocol No 22, recalled in paragraph 111 of this Opinion, to allow the Kingdom of Denmark to take part in the adoption of an EU act having as its legal basis both Article 16 TFEU and one of the provisions of the FEU Treaty relating to police and judicial cooperation in criminal matters, without being bound by that act.

117    Protocol No 22 cannot, therefore, in this instance, result in different voting rules within the Council in the event of recourse to both Article 16(2) and Article 87(2)(a) TFEU.

118    In those circumstances, the answer to the second question of the present request for an Opinion is that the Council decision on the conclusion of the envisaged agreement must be based jointly on Article 16(2) and Article 87(2)(a) TFEU.

C.      The compatibility of the envisaged agreement with the provisions of the FEU Treaty and the Charter

119    In so far as the question relating to the compatibility of the envisaged agreement with the provisions of the FEU Treaty and the Charter refers to Article 16 TFEU and Articles 7 and 8 of the Charter, and in the light of the Parliament’s appraisal set out in its request for an Opinion, the Parliament must be regarded as seeking the Opinion of the Court on the compatibility of the envisaged agreement with, in particular, the right to respect for private life and the right to the protection of personal data.

120    To the extent that the assessments that follow relate to the compatibility of the envisaged agreement with the right to the protection of personal data, enshrined in both Article 16(1) TFEU and Article 8 of the Charter, the Court will refer solely to the second of those provisions. Although both of those provisions state that everyone has the right to the protection of personal data concerning him or her, only Article 8 of the Charter lays down in a more specific manner, in paragraph 2 thereof, the conditions under which such data may be processed.

1.      The fundamental rights concerned and the interference with those rights

121    As set out in the Annex to the envisaged agreement, the PNR data covered by that agreement includes, inter alia, and besides the name(s) of the air passenger(s), information necessary to the reservation, such as the dates of intended travel and the travel itinerary, information relating to tickets, groups of persons checked-in under the same reservation number, passenger contact information, information relating to the means of payment or billing, information concerning baggage and general remarks regarding the passengers.

122    Since the PNR data therefore includes information on identified individuals, namely air passengers flying between the European Union and Canada, the various forms of processing to which, under the envisaged agreement, that data may be subject, namely its transfer from the European Union to Canada, access to that data with a view to its use or indeed its retention, affect the fundamental right to respect for private life, guaranteed in Article 7 of the Charter. Indeed, that right concerns any information relating to an identified or identifiable individual (see, to that effect, judgments of 9 November 2010, Volker und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 52; of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 42; and of 17 October 2013, Schwarz, C‑291/12, EU:C:2013:670, paragraph 26).

123    Furthermore, the processing of the PNR data covered by the envisaged agreement also falls within the scope of Article 8 of the Charter because it constitutes the processing of personal data within the meaning of that article and, accordingly, must necessarily satisfy the data protection requirements laid down in that article (see, to that effect, judgments of 9 November 2010, Volker und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 49; of 5 May 2011, Deutsche Telekom, C‑543/09, EU:C:2011:279, paragraph 52; and of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 29).

124    As the Court has held, the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental right enshrined in Article 7 of the Charter, whatever the subsequent use of the information communicated. The same is true of the retention of personal data and access to that data with a view to its use by public authorities. In this connection, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference (see, to that effect, judgments of 20 May 2003, Österreichischer Rundfunk and Others, C‑465/00, C‑138/01 and C‑139/01, EU:C:2003:294, paragraphs 74 and 75; of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 33 to 35; and of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 87).

125    Consequently, both the transfer of PNR data from the European Union to the Canadian Competent Authority and the framework negotiated by the European Union with Canada of the conditions concerning the retention of that data, its use and its subsequent transfer to other Canadian authorities, Europol, Eurojust, judicial or police authorities of the Member States or indeed to authorities of third countries, which are permitted, inter alia, by Articles 3, 4, 6, 8, 12, 15, 16, 18 and 19 of the envisaged agreement, constitute interferences with the right guaranteed in Article 7 of the Charter.

126    Those operations also constitute an interference with the fundamental right to the protection of personal data guaranteed in Article 8 of the Charter since they constitute the processing of personal data (see, to that effect, judgments of 17 October 2013, Schwarz, C‑291/12, EU:C:2013:670, paragraph 25, and of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 36).

127    In this connection, it must be observed, first, that the envisaged agreement permits the systematic and continuous transfer of PNR data of all air passengers flying between the European Union and Canada.

128    Second, even if some of the PNR data, taken in isolation, does not appear to be liable to reveal important information about the private life of the persons concerned, the fact remains that, taken as a whole, the data may, inter alia, reveal a complete travel itinerary, travel habits, relationships existing between air passengers and the financial situation of air passengers, their dietary habits or state of health, and may even provide sensitive information about those passengers, as defined in Article 2(e) of the envisaged agreement.

129    The inherent characteristics of the regime relating to the transfer and processing of PNR data, provided for in the envisaged agreement, bear out the genuine nature of the interferences authorised by that agreement.

130    That data has thus to be transferred, in accordance with Article 21(1) of the envisaged agreement, before the scheduled departure of the air passenger concerned and is used mainly, as is clear, inter alia, from the observations of the Council, the Commission and the EDPS and from Section 2.1 of Communication COM(2010) 492, as an ‘intelligence tool’.

131    To that end, as is clear from Section 2.2 of that communication, and as the Parliament, the Council, the Commission and the EDPS have confirmed in their answers to the questions posed by the Court, the PNR data transferred is, on the basis of the envisaged agreement, intended to be analysed systematically before the arrival of the aircraft in Canada by automated means, based on pre-established models and criteria. The data may also be verified automatically by cross-checking with other databases. Thus, such processing may provide additional information on the private lives of air passengers.

132    Those analyses may also give rise to additional checks at borders in respect of air passengers identified as being liable to present a risk to public security and, if appropriate, on the basis of those checks, to the adoption of individual decisions having binding effects on them. Furthermore, the analyses are carried out without there being reasons based on individual circumstances that would permit the inference that the persons concerned may present a risk to public security. Lastly, since the period during which the PNR data may be retained may, in accordance with Article 16(1) of the envisaged agreement, last for up to five years, that agreement makes it possible for information on the private lives of air passengers to be available for a particularly long period of time.

2.      The justification for the interferences resulting from the envisaged agreement

133    Article 7 of the Charter guarantees everyone the right to respect for his or her private and family life, home and communications. Furthermore, Article 8(1) of the Charter expressly confers on everyone the right to the protection of personal data concerning him or her.

134    That right to the protection of personal data requires, inter alia, that the high level of protection of fundamental rights and freedoms conferred by EU law continues where personal data is transferred from the European Union to a non-member country. Even though the means intended to ensure such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from EU law are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union (see, by analogy, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraphs 72 to 74).

135    In that context, it should be observed that, under the fourth paragraph of the preamble to the Charter, it is necessary ‘to strengthen the protection of fundamental rights in the light of changes in society, social progress and scientific and technological developments’.

136    However, the rights enshrined in Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society (see, to that effect, judgments of 12 June 2003, Schmidberger, C‑112/00, EU:C:2003:333, paragraph 80; of 9 November 2010, Volker und Markus Schecke and Eifert, C‑92/09 and C‑93/09, EU:C:2010:662, paragraph 48; and of 17 October 2013, Schwarz, C‑291/12, EU:C:2013:670, paragraph 33).

137    In this connection, it should also be observed that, under Article 8(2) of the Charter, personal data must, inter alia, be processed ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’.

138    Furthermore, in accordance with the first sentence of Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms. Under the second sentence of Article 52(1) of the Charter, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

139    It should be added that the requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned (see, to that effect, judgment of 17 December 2015, WebMindLicenses, C‑419/14, EU:C:2015:832, paragraph 81).

140    As regards observance of the principle of proportionality, the protection of the fundamental right to respect for private life at EU level requires, in accordance with settled case-law of the Court, that derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary (judgments of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C‑73/07, EU:C:2008:727, paragraph 56; of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 51 and 52; of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 92; and of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraphs 96 and 103).

141    In order to satisfy that requirement, the legislation in question which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary. The need for such safeguards is all the greater where personal data is subject to automated processing. Those considerations apply particularly where the protection of the particular category of personal data that is sensitive data is at stake (see, to that effect, judgments of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 54 and 55, and of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraphs 109 and 117; see, to that effect, ECtHR, 4 December 2008, S. and Marper v. the United Kingdom, CE:ECHR:2008:1204JUD003056204, § 103).

(a)    The basis for the processing of PNR data covered by the envisaged agreement

142    As regards the question whether the transfer of PNR data to Canada and subsequent processing of that data is based on the ‘consent’ of air passengers or on ‘some other legitimate basis laid down by law’, within the meaning of Article 8(2) of the Charter, it should be pointed out that the processing of PNR data under the envisaged agreement pursues a different objective from that for which that data is collected by air carriers.

143    Consequently, the processing cannot be regarded as being based on the consent of the air passengers to the collection of that data by the air carriers for reservation purposes, and it therefore itself requires either the air passengers’ own consent or some other legitimate basis laid down by law.

144    Since no provision of the envisaged agreement makes the transfer to Canada of PNR data and the subsequent processing thereof conditional on the consent of the air passengers concerned, it is necessary to determine whether that agreement constitutes another legitimate basis laid down by law, within the meaning of Article 8(2) of the Charter.

145    In this connection, it should be pointed out that the Parliament’s argument that the envisaged agreement does not fall within the notion of ‘law’, within the meaning of Article 8(2) of the Charter and, therefore, of Article 52(1) thereof inasmuch as it does not constitute a ‘legislative act’, cannot succeed in any event.

146    First, Article 218(6) TFEU reflects, externally, the division of powers between the institutions that applies internally and establishes a symmetry between the procedure for adopting EU measures internally and the procedure for adopting international agreements in order to guarantee that the Parliament and the Council enjoy the same powers in relation to a given field, in compliance with the institutional balance provided for by the Treaties (judgment of 24 June 2014, Parliament v Council, C‑658/11, EU:C:2014:2025, paragraph 56). Consequently, the conclusion of international agreements covering fields to which, internally, the ordinary legislative procedure, provided for in Article 294 TFEU, applies requires, under Article 218(6)(a)(v) TFEU, the approval of the Parliament, and therefore, as the Advocate General has observed in point 192 of his Opinion, such an agreement may be regarded as being the equivalent, externally, of that which is a legislative act internally. Second, it has not in any way been argued in the present procedure that the envisaged agreement may not meet the requirements as to accessibility and predictability required for the interferences which it entails to be regarded as being laid down by law within the meaning of Article 8(2) and Article 52(1) of the Charter.

147    It follows that the transfer of PNR data to Canada is based on ‘some other basis’ that is ‘laid down by law’, within the meaning of Article 8(2) of the Charter. As regards the question whether that basis is legitimate within the meaning of that provision, that issue is, in this instance, indissociable from the question whether the objective pursued by the envisaged agreement is an objective of general interest, which will be examined in paragraph 148 et seq. of this Opinion.

(b)    The objective of general interest and respect for the essence of the fundamental rights in question

148    As stated in paragraph 82 of this Opinion, the envisaged agreement is intended, inter alia, to ensure public security by means of a transfer of PNR data to Canada and the use of that data within the framework of the fight against terrorist offences and serious transnational crime.

149    That objective constitutes, as is apparent from the case-law of the Court, an objective of general interest of the European Union that is capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter. Moreover, the protection of public security also contributes to the protection of the rights and freedoms of others. In this connection, Article 6 of the Charter states that everyone has the right not only to liberty but also to security of the person (see, to that effect, judgments of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraphs 42 and 44, and of 15 February 2016, N., C‑601/15 PPU, EU:C:2016:84, paragraph 53).

150    As regards the essence of the fundamental right to respect for private life, enshrined in Article 7 of the Charter, even if PNR data may, in some circumstances, reveal very specific information concerning the private life of a person, the nature of that information is limited to certain aspects of that private life, in particular, relating to air travel between Canada and the European Union. As for the essence of the right to the protection of personal data, enshrined in Article 8 of the Charter, the envisaged agreement limits, in Article 3, the purposes for which PNR data may be processed and lays down, in Article 9, rules intended to ensure, inter alia, the security, confidentiality and integrity of that data, and to protect it against unlawful access and processing.

151    In those circumstances, the interferences which the envisaged agreement entails are capable of being justified by an objective of general interest of the European Union and are not liable adversely to affect the essence of the fundamental rights enshrined in Articles 7 and 8 of the Charter.

(c)    The appropriateness of the processing of the PNR data covered by the envisaged agreement having regard to the objective of ensuring public security

152    As regards whether the transfer of PNR data to Canada and subsequent processing of that data in that non-member country is appropriate for the purpose of ensuring public security, it is clear from Section 2.2 of Communication COM(2010) 492 that the assessment of the risks presented by air passengers by means of analysing that data before their arrival ‘largely facilitates and expedites security and border control checks’. Furthermore, the Commission has noted in its written observations that, according to the information provided by the CBSA, the processing of PNR data has, amongst other results, enabled the arrest of 178 persons from among the 28 million travellers who flew between the European Union and Canada in the period from April 2014 to March 2015.

153    In those circumstances, the transfer of PNR data to Canada and subsequent processing of that data may be regarded as being appropriate for the purpose of ensuring that the objective relating to the protection of public security and safety pursued by the envisaged agreement is achieved.

(d)    The necessity of the interferences entailed by the envisaged agreement

154    As regards the necessity of the interferences entailed by the envisaged agreement, it is necessary to check, in accordance with the case-law cited in paragraphs 140 to 141 of this Opinion, whether they are limited to what is strictly necessary and, in that context, whether that agreement lays down clear and precise rules governing the scope and application of the measures provided for.

(1)    The PNR data covered by the envisaged agreement

(i)    Whether the envisaged agreement is sufficiently precise as regards the PNR data to be transferred

155    So far as the data covered by the envisaged agreement is concerned, that agreement should define in a clear and precise manner the PNR data which the air carriers are required to transfer to Canada under the agreement.

156    In this connection, although the 19 PNR data headings set out in the Annex to the envisaged agreement correspond, according to the observations of the Commission, to Appendix 1 to the Guidelines of the International Civil Aviation Organisation (ICAO) on PNR data, it should nonetheless be stated, as the Advocate General has observed in point 217 of his Opinion, that heading 5, which refers to ‘available frequent flyer and benefit information (free tickets, upgrades, etc.)’, and heading 7, which covers ‘all available contact information (including originator information)’, do not define in a sufficiently clear and precise manner the PNR data to be transferred.

157    Thus, as regards heading 5, the use of the term ‘etc.’ does not specify to the requisite standard the scope of the data to be transferred. Furthermore, it is not clear from the terms of that heading whether it covers information concerning merely the status of air passengers in customer loyalty programmes or whether, on the contrary, it covers all information relating to air travel and transactions carried out in the context of such programmes.

158    Similarly, the use of the terms ‘all available contact information’ in heading 7 does not specify sufficiently the scope of the data to be transferred. In particular, it does not specify what type of contact information is covered, nor does it specify whether that contact information also covers, as may be inferred from the Commission’s written answer to the questions posed by the Court, the contact information of third parties who made the flight reservation for the air passenger, third parties through whom an air passenger may be contacted, or indeed third parties who are to be informed in the event of an emergency.

159    As regards heading 8, that heading relates to ‘all available payment / billing information (not including other transaction details linked to a credit card or account and not connected to the travel transaction)’. It is true that that heading may appear to be particularly broad inasmuch as it employs the expression ‘all available information’. Nevertheless, as is clear from the Commission’s answer to the questions posed by the Court, that heading must be regarded as covering information relating solely to the payment methods for, and billing of, the air ticket, to the exclusion of any other information not directly relating to the flight. Construed in that way, heading 8 may therefore be regarded as meeting the requirements as to clarity and precision.

160    As regards heading 17, that heading refers to ‘general remarks including Other Supplementary Information (OSI), Special Service Information (SSI) and Special Service Request (SSR) information’. According to the explanations provided, inter alia, by the Commission, that heading constitutes a ‘free text’ heading, intended to include ‘all supplementary information’, in addition to that listed elsewhere in the Annex to the envisaged agreement. Consequently, such a heading provides no indication as to the nature and scope of the information to be communicated, and it may even encompass information entirely unrelated to the purpose of the transfer of PNR data. Furthermore, since the information referred to in that heading is listed only by way of example, as is shown by the use of the term ‘including’, heading 17 does not set any limitation on the nature and scope of the information that could be set out thereunder. In those circumstances, heading 17 cannot be regarded as being delimited with sufficient clarity and precision.

161    Lastly, as regards heading 18, that heading relates to ‘any Advance Passenger Information (API) data collected for reservation purposes’. According to the clarifications provided by the Council and the Commission, that information corresponds to the information referred to in Article 3(2) of Directive 2004/82, namely the number and type of travel document used, nationality, full names, the date of birth, the border crossing point of entry into the territory of the Member States, code of transport, departure and arrival time of the transportation, total number of passengers carried on that transport, and the initial point of embarkation. That heading, in so far as it is construed as covering only the information expressly referred to in that provision, may be regarded as meeting the requirements as to clarity and precision.

162    The provisions of Article 4(3) of the envisaged agreement, which require Canada to delete any PNR data transferred to it if it is not listed in the Annex to that agreement, do not serve to offset the lack of precision of headings 5, 7 and 17 of that annex. Since that list does not itself delimit with sufficient clarity and precision the PNR data to be transferred, those provisions are incapable of resolving the uncertainties as to the PNR data to be transferred.

163    In those circumstances, as regards the PNR data to be transferred to Canada, headings 5, 7 and 17 of the Annex to the envisaged agreement do not delimit in a sufficiently clear and precise manner the scope of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter.

(ii) Sensitive data

164    As regards the transfer of sensitive data within the meaning of Article 2(e) of the envisaged agreement, that provision defines such data as any information that reveals ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership’, or concerning ‘a person’s health or sex life’. Although none of the 19 headings set out in Annex to that agreement expressly refers to data of that nature, as, inter alia, the Commission confirmed in its answer to the questions posed by the Court, such information could nevertheless fall within the scope of heading 17. Furthermore, the fact that Articles 8 and 16 of the envisaged agreement lay down specific rules relating to the use and retention of sensitive data necessarily implies that the parties to that agreement have accepted that such data may be transferred to Canada.

165    In this connection, it must be pointed out that any measure based on the premiss that one or more of the characteristics set out in Article 2(e) of the envisaged agreement may be relevant, in itself or in themselves and regardless of the individual conduct of the traveller concerned, having regard to the purpose for which PNR data is to be processed, namely combating terrorism and serious transnational crime, would infringe the rights guaranteed in Articles 7 and 8 of the Charter, read in conjunction with Article 21 thereof. Having regard to the risk of data being processed contrary to Article 21 of the Charter, a transfer of sensitive data to Canada requires a precise and particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime. In this instance, however, there is no such justification.

166    Moreover, it must be pointed out that the EU legislature has prohibited the processing of sensitive data in Article 6(4), Article 7(6) and Article 13(4) of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ 2016 L 119, p. 132).

167    Having regard to the assessments set out in the two preceding paragraphs, it must be held that Articles 7, 8 and 21 and Article 52(1) of the Charter preclude both the transfer of sensitive data to Canada and the framework negotiated by the European Union with that non-member State of the conditions concerning the use and retention of such data by the authorities of that non-member State.

(2)    The automated processing of the PNR data

168    As stated in paragraphs 130 to 132 of this Opinion and as the Advocate General has noted in point 252 of his Opinion, the PNR data transferred to Canada is mainly intended to be subject to analyses by automated means, based on pre-established models and criteria and on cross-checking with various databases.

169    The assessment of the risks to public security presented by air passengers is carried out, as is clear from paragraphs 130 and 131 of this Opinion, by means of automated analyses of the PNR data before the arrival of those air passengers in Canada. Since those analyses are carried out on the basis of unverified personal data and are based on pre-established models and criteria, they necessarily present some margin of error, as, inter alia, the French Government and the Commission conceded at the hearing.

170    As stated in point 30 of the Opinion of the EDPS on the draft Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes (OJ 2008 C 110, p. 1), to which the EDPS referred in his answer to the questions posed by the Court, that margin of error appears to be significant.

171    It is true that, as regards the consequences of the automated processing of PNR data, Article 15 of the envisaged agreement provides that Canada is not to take ‘any decisions significantly adversely affecting a passenger solely on the basis of automated processing of PNR data’. Similarly, Article 3 of that agreement, which defines the purposes for which the Canadian Competent Authority may process that data, and Article 7 of that agreement, which contains a non-discrimination clause, apply to processing of that type.

172    That being so, the extent of the interference which automated analyses of PNR data entail in respect of the rights enshrined in Articles 7 and 8 of the Charter essentially depends on the pre-established models and criteria and on the databases on which that type of data processing is based. Consequently, and having regard to the considerations set out in paragraphs 169 and 170 of this Opinion, the pre-established models and criteria should be specific and reliable, making it possible, as the Advocate General has observed at point 256 of his Opinion, to arrive at results targeting individuals who might be under a ‘reasonable suspicion’ of participation in terrorist offences or serious transnational crime and should be non-discriminatory. Similarly, it should be stated that the databases with which the PNR data is cross-checked must be reliable, up to date and limited to databases used by Canada in relation to the fight against terrorism and serious transnational crime.

173    Furthermore, since the automated analyses of PNR data necessarily involve some margin of error, as stated in paragraph 169 of this Opinion, any positive result obtained following the automated processing of that data must, under Article 15 of the envisaged agreement, be subject to an individual re-examination by non-automated means before an individual measure adversely affecting the air passengers concerned is adopted. Consequently, such a measure may not, under Article 15, be based solely and decisively on the result of automated processing of PNR data.

174    Lastly, in order to ensure that, in practice, the pre-established models and criteria, the use that is made of them and the databases used are not discriminatory and are limited to that which is strictly necessary, the reliability and topicality of those pre-established models and criteria and databases used should, taking account of statistical data and results of international research, be covered by the joint review of the implementation of the envisaged agreement, provided for in Article 26(2) thereof.

(3)    The purposes for which PNR data may be processed

(i)    The prevention, detection or prosecution of terrorist offences or serious transnational crime

175    Article 3(1) of the envisaged agreement provides that PNR data may be processed by the Canadian Competent Authority only for the purpose of preventing, detecting, investigating or prosecuting terrorist offences or serious transnational crime.

176    So far as the term ‘terrorist offences’ is concerned, Article 3(2) of that agreement defines in a clear and precise manner both the activities covered by that term and the persons, groups and organisations liable to be regarded as a ‘terrorist entity’.

177    Similarly, as regards the term ‘serious transnational crime’, the first subparagraph of Article 3(3) of the envisaged agreement defines with clarity and precision the degree of seriousness of the offences concerned, by requiring that they be punishable by a maximum deprivation of liberty of at least four years or a more serious penalty. Furthermore, as regards the nature of those offences, that provision must also be regarded as being sufficiently precise inasmuch as it refers to offences defined by Canadian law. Lastly, the second subparagraph of Article 3(3) of that agreement sets out in a clear and precise manner the different situations in which a crime is considered to be transnational in nature.

178    In those circumstances, Article 3(1) to (3) of the envisaged agreement contains clear and precise rules limited to what is strictly necessary.

(ii) Other purposes

179    Article 3(4) of the envisaged agreement permits the Canadian Competent Authority, in exceptional cases, to process PNR data where necessary to protect the vital interests of any individual, such as a risk of death or serious injury or a significant public health risk, in particular, as required by internationally recognised standards. Furthermore, Article 3(5)(a) and (b) of that agreement authorises Canada to process PNR data ‘on a case-by-case basis’ in order to ‘ensure the oversight or accountability of the public administration’ and to ‘comply with the subpoena or warrant issued, or an order made, by a court’, respectively.

180    Since Article 3(4) of the envisaged agreement restricts the cases in which the Canadian Competent Authority may use PNR data collected under the agreement for purposes unconnected with those inherent in the envisaged agreement relating to combating terrorism and serious transnational crime to the protection of the vital interests of individuals, that provision defines in a clear and precise manner the cases in which such use is permissible. Moreover, in so far as Article 3(4) provides that it is only in exceptional cases that the Canadian Competent Authority is so authorised, it must be held that that provision contains rules that are limited to what is strictly necessary.

181    By contrast, the wording of the cases in which Canada may process PNR data under Article 3(5)(a) and (b) of the envisaged agreement is too vague and general to meet the requirements as to clarity and precision required. The rules set out in that provision are not therefore limited to what is strictly necessary to attain the objective pursued by that agreement.

(4)    The Canadian authorities covered by the envisaged agreement

182    In accordance with Article 2(d) of the envisaged agreement, the Canadian Competent Authority is responsible for receiving and processing PNR data under that agreement. Under Article 5 thereof, that authority is deemed to guarantee an adequate level of protection within the meaning of EU law for the processing and use of such data. Furthermore, as is clear from the 15th paragraph of the preamble to that agreement, Canada commits to that authority complying with the safeguards on privacy and the protection of personal data set out in the agreement.

183    Although the identity of the Canadian Competent Authority is not set out as such in the envisaged agreement, Article 30(2)(a) thereof requires Canada to notify the Commission of the identity of that authority before the entry into force of the agreement. Consequently, the agreement is sufficiently clear and precise as regards the identity of the Canadian Competent Authority.

184    Furthermore, it should, admittedly, be pointed out that Article 18(1) of the agreement does not specify the identities of the ‘other government authorities in Canada’ to which the Canadian Competent Authority is authorised to disclose PNR data, under the conditions laid down in that provision. However, it is clear from Article 18(1)(a), (c) and (e) of the envisaged agreement that PNR data may be disclosed only to those authorities ‘whose functions are directly related to the scope of Article 3’, where the disclosure is ‘necessary for the purposes stated in Article 3’ and subject to those authorities affording ‘protection equivalent to the safeguards described in this Agreement’.

185    In so far as several provisions of the envisaged agreement, namely Article 3(5), Article 6(1) and (2), Article 8(3) to (5), Article 12(3), Article 16 and Article 17 of that agreement, designate ‘Canada’ as the entity responsible for the processing of PNR data referred to in those provisions, the agreement must be understood as designating either the Canadian Competent Authority, or the authorities referred to in Article 18 thereof. Construed in that way, Article 3(5), Article 6(1) and (2), Article 8(3) to (5), Article 12(3), Article 16 and Article 17 of the envisaged agreement may be regarded as meeting the requirements as to clarity and precision.

(5)    The air passengers concerned

186    The envisaged agreement covers the PNR data of all air passengers flying between the European Union and Canada. The transfer of that data to Canada is to take place regardless of whether there is any objective evidence permitting the inference that the passengers are liable to present a risk to public security in Canada.

187    In this connection, it should be pointed out that, as recalled in paragraphs 152 and 169 of this Opinion, the PNR data is intended, inter alia, to be subject to automated processing. As several of the interveners have stated, that processing is intended to identify the risk to public security that persons, who are not, at that stage, known to the competent services, may potentially present, and who may, on account of that risk, be subject to further examination. In that respect, the automated processing of that data, before the arrival of the passengers in Canada, facilitates and expedites security checks, in particular at borders. Furthermore, the exclusion of certain categories of persons, or of certain areas of origin, would be liable to prevent the achievement of the objective of automated processing of PNR data, namely identifying, through verification of that data, persons liable to present a risk to public security from amongst all air passengers, and make it possible for that verification to be circumvented.

188    Moreover, in accordance with Article 13 of the Chicago Convention, to which, in particular, the Council and the Commission have referred in their answers to the questions posed by the Court, all air passengers must, upon entrance into, departure from, or while within the territory of a contracting State, comply with the laws and regulations of that State as to air passengers’ admission to or departure from its territory. All air passengers who wish to enter or depart from Canada are, therefore, on the basis of that article, subject to border control and are required to comply with the conditions on entry and departure laid down by the Canadian law in force. Furthermore, as is clear from paragraphs 152 and 187 of this Opinion, the identification, by means of PNR data, of passengers liable to present a risk to public security forms part of border control. Consequently, since they are subject to that control, air passengers who wish to enter and spend time in Canada are, on account of the very nature of that measure, subject to verification of their PNR data.

189    In those circumstances, the envisaged agreement does not exceed the limits of what is strictly necessary in so far as it permits the transfer of the PNR data of all air passengers to Canada.

(6)    The retention and use of PNR data

190    In order to ensure that the retention of the PNR data transferred, the access to that data by the Canadian authorities referred to in the envisaged agreement and the use of that data by those authorities is limited to what is strictly necessary, the envisaged agreement should, in accordance with the settled case-law of the Court cited in paragraph 141 of this Opinion, lay down clear and precise rules indicating in what circumstances and under which conditions those authorities may retain, have access to and use such data.

191    So far as the retention of personal data is concerned, it must be pointed out that the legislation in question must, inter alia, continue to satisfy objective criteria that establish a connection between the personal data to be retained and the objective pursued (see, to that effect, judgments of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 93, and of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 110).

192    As regards the use, by an authority, of legitimately retained personal data, it should be recalled that the Court has held that EU legislation cannot be limited to requiring that access to such data should be for one of the objectives pursued by that legislation, but must also lay down the substantive and procedural conditions governing that use (see, by analogy, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraphs 117 and 118 and the case-law cited).

193    In this instance, as stated in paragraph 171 of this Opinion, the envisaged agreement defines the purposes for which the Canadian Competent Authority may use PNR data in Article 3, sets out a non-discrimination clause in Article 7, and contains a provision relating to the taking of decisions by Canada based on automated processing of that data in Article 15.

194    Furthermore, Article 16(1) of the envisaged agreement provides that PNR data may be retained by Canada for five years from the date of receipt thereof, and Article 16(3) of that agreement specifies that part of that data must be masked 30 days or two years after that date. Since those provisions do not differentiate between the passengers concerned, they therefore permit the PNR data of all air passengers to be retained.

195    Lastly, under Article 16(4) of that agreement, masked data may be unmasked if it is necessary to carry out investigations falling within the scope of Article 3 thereof; the unmasking to be carried out, as the case may be, by a limited number of specifically authorised officials, or with prior permission by the Head of the Canadian Competent Authority or a senior official specifically mandated by the Head of that authority.

(i)    The retention and use of PNR data before the arrival of air passengers, during their stay in Canada and on their departure

196    The envisaged agreement accordingly permits, throughout the retention period, the use of the PNR data of all air passengers for the purposes referred to in Article 3 thereof.

197    As regards the retention of PNR data and its use up to the air passengers’ departure from Canada, it should be noted that PNR data, inter alia, facilitates security checks and border control checks. Its retention and use for that purpose may not, on account of its very nature, be restricted to a particular circle of air passengers, nor can it be subject to prior authorisation by a court or by an independent administrative body. Consequently, and in accordance with the assessments set out in paragraphs 186 to 188 of this Opinion, it must be held that, for as long as the air passengers are in Canada or are due to leave that non-member country, the necessary connection between that data and the objective pursued by that agreement exists, and the agreement therefore does not exceed the limits of what is strictly necessary merely because it permits the systematic retention and use of the PNR data of all air passengers.

198    Similarly, the systematic use of PNR data for the purpose of verifying the reliability and topicality of the pre-established models and criteria on which the automated processing of that data is based, as indicated in paragraph 174 of this Opinion, or of defining new models and criteria for such processing, is directly related to carrying out the checks referred to in the preceding paragraph of this Opinion, and must, therefore, also be considered to not exceed the limits of what is strictly necessary.

199    Furthermore, it must be pointed out that, during the air passengers’ stay in Canada and irrespective of the results of the automated analysis of the PNR data carried out prior to their arrival in that non-member country, cases may arise in which the Canadian Competent Authority has information, collected during that stay, indicating that use of their data might be necessary in order to combat terrorism and serious transnational crime.

200    As regards the use of PNR data in the situations referred to in the preceding paragraph, however, it should be pointed out that, since the air passengers have been allowed to enter the territory of that non-member country, following verification of their PNR data, the use of that data during their stay in Canada must be based on new circumstances justifying that use. That use therefore requires, in accordance with the case-law cited in paragraphs 141 and 192 of this Opinion, rules laying down the substantive and procedural conditions governing that use in order, inter alia, to protect that data against the risk of abuse. Such rules must be based on objective criteria in order to define the circumstances and conditions under which the Canadian authorities referred to in the envisaged agreement are authorised to use that data.

201    In this connection, where there is objective evidence from which it may be inferred that the PNR data of one or more air passengers might make an effective contribution to combating terrorist offences and serious transnational crime, the use of that data does not exceed the limits of what is strictly necessary (see, by analogy, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 119 and the case-law cited).

202    Furthermore, in order to ensure that, in practice, the conditions set out in the two preceding paragraphs are fully respected, it is essential that the use of retained PNR data, during the air passengers’ stay in Canada, should, as a general rule, except in cases of validly established urgency, be subject to a prior review carried out either by a court, or by an independent administrative body, and that the decision of that court or body be made following a reasoned request by the competent authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime (see, by analogy, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 120 and the case-law cited).

203    In so far as the envisaged agreement does not meet the requirements set out in the two preceding paragraphs, that agreement does not ensure that the use of the PNR data of air passengers during their stay in Canada, by the Canadian authorities referred to in the agreement, will be limited to what is strictly necessary.

(ii) The retention and use of PNR data after the air passengers’ departure from Canada

204    Air passengers who have left Canada have, as a general rule, been subject to checks on entry to and on departure from Canada. Similarly, their PNR data has been verified before their arrival in Canada and, as the case may be, during their stay and on their departure from that non-member country. In those circumstances, those passengers should be regarded as not presenting, in principle, a risk as regards terrorism or serious transnational crime, in so far as neither those checks and verifications, nor any other circumstance, have revealed the existence of objective evidence to that effect. In any event, it is not apparent that all air passengers who have travelled to Canada would present, after their departure from that country, a higher risk than other persons who have not travelled to that country during the previous five years and in respect of whom Canada does not therefore hold PNR data.

205    Consequently, as regards air passengers in respect of whom no such risk has been identified on their arrival in Canada and up to their departure from that non-member country, there would not appear to be, once they have left, a connection — even a merely indirect connection — between their PNR data and the objective pursued by the envisaged agreement which would justify that data being retained. The considerations put forward before the Court, inter alia, by the Council and the Commission regarding the average lifespan of international serious crime networks and the duration and complexity of investigations relating to those networks, do not justify the continued storage of the PNR data of all air passengers after their departure from Canada for the purposes of possibly accessing that data, regardless of whether there is any link with combating terrorism and serious transnational crime (see, by analogy, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 119).

206    The continued storage of the PNR data of all air passengers after their departure from Canada is not therefore limited to what is strictly necessary.

207    However, in so far as, in specific cases, objective evidence is identified from which it may be inferred that certain air passengers may present a risk in terms of the fight against terrorism and serious transnational crime even after their departure from Canada, it seems permissible to store their PNR data beyond their stay in Canada (see, by analogy, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 108).

208    As regards the use of PNR data so stored, such use should, in accordance with the case-law cited in paragraphs 201 and 202 of this Opinion, be based on objective criteria in order to define the circumstances and conditions under which the Canadian authorities referred to in the envisaged agreement may have access to that data in order to use it. Similarly, that use should, except in cases of validly established urgency, be subject to a prior review carried out either by a court, or by an independent administrative body; the decision of that court or body authorising the use being made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.

209    As regards the period during which the PNR data of the air passengers referred to in paragraph 207 of this Opinion may be retained, it should be observed that the general period, provided for in Article 16(1) of the envisaged agreement, has been extended by one and a half years by comparison with the period provided for in the 2006 Agreement. In this connection, it must nevertheless be accepted, in the light, inter alia, of the considerations put forward, in particular, by the Council and the Commission, mentioned in paragraph 205 of this Opinion, that the five-year retention period provided for in Article 16(1) of that agreement does not exceed the limits of what is strictly necessary for the purposes of combating terrorism and serious transnational crime.

210    Lastly, in so far as Article 9(2) of the envisaged agreement, which provides that Canada is to hold PNR data ‘in a secure physical environment that is protected with access controls’, means that that data has to be held in Canada, and in so far as Article 16(6) of that agreement, under which Canada is to destroy the PNR data at the end of the PNR data retention period, must be understood as requiring the irreversible destruction of that data, those provisions may be regarded as meeting the requirements as to clarity and precision (see, by analogy, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 122 and the case-law cited).

211    Having regard to the considerations set out in paragraphs 204 to 206 and 208 of this Opinion, that agreement does not ensure that the retention and use of PNR data by the Canadian authorities after the air passengers’ departure from Canada is limited to what is strictly necessary.

(7)    The disclosure of PNR data

(i)    Disclosure of PNR data to government authorities

212    Articles 18 and 19 of the envisaged agreement allow PNR data to be disclosed by the Canadian Competent Authority to other Canadian government authorities and to government authorities of third countries. In so far as, de facto, such disclosure confers on those authorities access to that data and the possibility of using it, that disclosure must comply with the conditions governing the use of that data, as stated in paragraphs 200 to 202 and 208 of this Opinion.

213    As regards, specifically, the disclosure of PNR data to government authorities of third countries, it should also be added that Article 19(1)(e) of the envisaged agreement confers on the Canadian Competent Authority a discretionary power to assess the level of protection guaranteed in those countries.

214    In this connection, it must be recalled that a transfer of personal data from the European Union to a non-member country may take place only if that country ensures a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union. That same requirement applies in the case of the disclosure of PNR data by Canada to third countries, referred to in Article 19 of the envisaged agreement, in order to prevent the level of protection provided for in that agreement from being circumvented by transfers of personal data to third countries and to ensure the continuity of the level of protection afforded by EU law (see, by analogy, judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraphs 72 and 73). In those circumstances, such disclosure requires the existence of either an agreement between the European Union and the non-member country concerned equivalent to that agreement, or a decision of the Commission, under Article 25(6) of Directive 95/46, finding that the third country ensures an adequate level of protection within the meaning of EU law and covering the authorities to which it is intended PNR data be transferred.

215    In so far as Articles 18 and 19 of the envisaged agreement do not meet the requirements referred to in paragraphs 212 to 214 of this Opinion, that agreement does not ensure that the disclosure of PNR data by the Canadian Competent Authority to other Canadian government authorities or to government authorities of third countries will be limited to what is strictly necessary.

(ii) Disclosure of PNR data to individuals

216    Article 12(3) of the envisaged agreement allows Canada to ‘make any disclosure of information subject to reasonable legal requirements and limitations ... with due regard for the legitimate interests of the individual concerned’. However, that agreement does not delimit the nature of the information that may be disclosed, nor the persons to whom such disclosure may be made, nor even the use that is to be made of that information.

217    Moreover, the envisaged agreement does not define the terms ‘legal requirements and limitations’ or the terms ‘legitimate interests of the individual concerned’, nor does it require that the disclosure of PNR data to an individual be linked to combating terrorism and serious transnational crime or that the disclosure be conditional on the authorisation of a judicial authority or an independent administrative body. In those circumstances, that provision exceeds the limits of what is strictly necessary.

3.      The individual rights of air passengers

218    The second sentence of Article 8(2) of the Charter guarantees that persons whose personal data has been collected have the right to access that data and to have it rectified.

219    Furthermore, as regards Article 7 of the Charter, the Court has held that the fundamental right to respect for private life, enshrined in that article, means that the person concerned may be certain that his personal data are processed in a correct and lawful manner. In order to carry out the necessary checks, that person must have a right of access to the data relating to him which is being processed (see, to that effect, judgment of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 49).

220    In order to ensure that those rights are complied with, air passengers must be notified of the transfer of their PNR data to Canada and of its use as soon as that information is no longer liable to jeopardise the investigations being carried out by the government authorities referred to in the envisaged agreement. That information is, in fact, necessary to enable the air passengers to exercise their rights to request access to PNR data concerning them and, if appropriate, rectification of that data, and, in accordance with the first paragraph of Article 47 of the Charter, to an effective remedy before a tribunal (see, by analogy, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 121 and the case-law cited).

(a)    The right to information, the right of access and the right to correction

221    Although Articles 12 and 13 of the envisaged agreement establish, for the benefit of air passengers, a right of access to their PNR data and a right to request the correction of that data, those provisions do not require that those passengers be notified of the transfer of their PNR data to Canada and of its use.

222    In this connection, that agreement merely lays down, in Article 11, a rule regarding transparency requiring the Canadian Competent Authority to make available on its website certain information of a general nature relating to the transfer of PNR data and its use, and does not establish any obligation to notify air passengers individually.

223    It is true that that rule regarding transparency serves to inform air passengers, to the requisite standard, about the transfer of their PNR data to Canada and the systematic use of that data referred to in paragraphs 197 and 198 of this Opinion, for the purposes of security checks and border control checks. On the other hand, the general information provided to air passengers under Article 11 of the envisaged agreement does not afford them the possibility of knowing whether their data has been used by the Canadian Competent Authority for more than those checks. Consequently, in the situations referred to in paragraphs 199 and 207 of this Opinion, in which there is objective evidence justifying such use and necessitating the prior authorisation of a judicial authority or an independent administrative body, it is necessary to notify air passengers individually. The same is true in the cases in which air passengers’ PNR data is disclosed to other government authorities or to individuals.

224    However, that information must, in accordance with the case-law cited in paragraph 220 of this Opinion, be provided only once it is no longer liable to jeopardise the investigations being carried out by the government authorities referred to in the envisaged agreement.

225    The envisaged agreement should therefore specify that air passengers whose PNR data has been used and retained by the Canadian Competent Authority in the cases referred to in paragraphs 199 and 207 of this Opinion, and those whose data has been disclosed to other government authorities or to individuals, are to be notified, by that authority, of such use and such disclosure under the conditions set out in the preceding paragraph of this Opinion.

(b)    The right to redress

226    As regards air passengers’ right to redress, Article 14(2) of the envisaged agreement provides that Canada is to ensure that any individual who is of the view that their rights have been infringed by a decision or action in relation to their PNR data may seek effective judicial redress, in accordance with Canadian law, or such other remedy which may include compensation.

227    Since that provision refers to ‘any individual who is of the view that their rights have been infringed’, it covers all air passengers, regardless of their nationality, their residence, their domicile or their presence in Canada. Furthermore, it must, as the Council has observed, be understood as meaning that air passengers have a legal remedy before a tribunal, as required by the first paragraph of Article 47 of the Charter. The fact that Article 14(2) of the envisaged agreement provides that the ‘effective judicial redress’ may also take the form of an action for compensation does not, contrary to what the Parliament claims, have the effect of depriving air passengers of such an effective remedy, but rather strengthens, as the Advocate General has observed in point 324 of his Opinion, judicial protection for the persons concerned.

4.      The oversight of PNR data protection safeguards

228    Under Article 8(3) of the Charter, compliance with the requirements stemming from Article 8(1) and (2) thereof is subject to control by an independent authority.

229    In accordance with the settled case-law of the Court, the guarantee of the independence of such a supervisory authority, the establishment of which is also provided for in Article 16(2) TFEU, is intended to ensure the effectiveness and reliability of the monitoring of compliance with the rules concerning protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. The establishment of an independent supervisory authority is therefore an essential component of the protection of individuals with regard to the processing of personal data (judgments of 9 March 2010, Commission v Germany, C‑518/07, EU:C:2010:125, paragraph 25; of 8 April 2014, Commission v Hungary, C‑288/12, EU:C:2014:237, paragraph 48; and of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 41).

230    In this instance, the first sentence of Article 10(1) of the envisaged agreement states that the data protection safeguards for the processing of PNR data will be subject to oversight by an ‘independent public authority’ or by an ‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy’. In so far as that provision provides that the oversight is to be carried out by an independent authority, it corresponds to the requirement set out in Article 8(3) of the Charter. By contrast, its formulation in the alternative seems to permit the oversight to be carried out, partly or wholly, by an authority which does not carry out its tasks with complete independence, but which is subordinate to a further supervisory authority, from which it may receive instructions, and which is therefore not free from any external influence liable to have an effect on its decisions.

231    In those circumstances, and as the Advocate General has observed in point 316 of his Opinion, Article 10 of the envisaged agreement does not guarantee in a sufficiently clear and precise manner that the oversight of compliance with the rules laid down in that agreement relating to the protection of individuals with regard to the processing of PNR data will be carried out by an independent authority, within the meaning of Article 8(3) of the Charter.

IX.    Answer to the request for an Opinion

232    In the light of all the foregoing considerations, it must be held that:

(1)      the Council decision on the conclusion of the envisaged agreement must be based jointly on Article 16(2) and Article 87(2)(a) TFEU;

(2)      the envisaged agreement is incompatible with Articles 7, 8 and 21 and Article 52(1) of the Charter in so far as it does not preclude the transfer of sensitive data from the European Union to Canada and the use and retention of that data;

(3)      the envisaged agreement must, in order to be compatible with Articles 7 and 8 and Article 52(1) of the Charter:

(a)      determine in a clear and precise manner the PNR data to be transferred from the European Union to Canada;

(b)      provide that the models and criteria used in the context of automated processing of PNR data will be specific and reliable and non-discriminatory; provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;

(c)      save in the context of verifications in relation to the pre-established models and criteria on which automated processing of PNR data is based, make the use of that data by the Canadian Competent Authority during the air passengers’ stay in Canada and after their departure from that country, and any disclosure of that data to other authorities, subject to substantive and procedural conditions based on objective criteria; make that use and that disclosure, except in cases of validly established urgency, subject to a prior review carried out either by a court or by an independent administrative body, the decision of that court or body authorising the use being made following a reasoned request by those authorities, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime;

(d)      limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime;

(e)      make the disclosure of PNR data by the Canadian Competent Authority to the government authorities of a third country subject to the condition that there be either an agreement between the European Union and that third country equivalent to the envisaged agreement, or a decision of the Commission, under Article 25(6) of Directive 95/46, covering the authorities to which it is intended that PNR data be disclosed;

(f)      provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data by the Canadian Competent Authority to other authorities or to individuals; and

(g)      guarantee that the oversight of the rules laid down in the envisaged agreement relating to the protection of air passengers with regard to the processing of PNR data concerning them will be carried out by an independent supervisory authority.

Consequently, the Court (Grand Chamber) gives the following Opinion:

1.      The Council Decision on the conclusion, on behalf of the Union, of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data must be based jointly on Article 16(2) TFEU and Article 87(2)(a) TFEU.

2.      The Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data is incompatible with Articles 7, 8 and 21 and Article 52(1) of the Charter of Fundamental Rights of the European Union in so far as it does not preclude the transfer of sensitive data from the European Union to Canada and the use and retention of that data.

3.      The Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data must, in order to be compatible with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights:

(a)      determine in a clear and precise manner the PNR data to be transferred from the European Union to Canada;

(b)      provide that the models and criteria used in the context of automated processing of PNR data will be specific and reliable and non-discriminatory; provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;

(c)      save in the context of verifications in relation to the pre-established models and criteria on which automated processing of Passenger Name Record data is based, make the use of that data by the Canadian Competent Authority during the air passengers’ stay in Canada and after their departure from that country, and any disclosure of that data to other authorities, subject to substantive and procedural conditions based on objective criteria; make that use and that disclosure, except in cases of validly established urgency, subject to a prior review carried out either by a court or by an independent administrative body, the decision of that court or body authorising the use being made following a reasoned request by those authorities, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime;

(d)      limit the retention of Passenger Name Record data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime;

(e)      make the disclosure of Passenger Name Record data by the Canadian Competent Authority to the government authorities of a third country subject to the condition that there be either an agreement between the European Union and that third country equivalent to the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data, or a decision of the European Commission, under Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, covering the authorities to which it is intended that Passenger Name Record data be disclosed;

(f)      provide for a right to individual notification for air passengers in the event of use of Passenger Name Record data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data by the Canadian Competent Authority to other authorities or to individuals; and


(g)      guarantee that the oversight of the rules laid down in the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data relating to the protection of air passengers with regard to the processing of Passenger Name Record data concerning them will be carried out by an independent supervisory authority.


von Danwitz      Da Cruz Vilaça      Berger

Prechal      Vilaras       Rosas

Levits        Šváby        Jarašiūnas

A. Calot Escobar

 

K. Lenaerts

Registrar

 

President