ECLI:EU:C:2022:491

Case C-817/19

Ligue des droits humains

v

Conseil des ministres

(Request for a preliminary ruling from the Cour constitutionnelle (Belgium))

 Judgment of the Court (Grand Chamber), 21 June 2022

(Reference for a preliminary ruling – Processing of personal data – Passenger Name Record (PNR) data – Regulation (EU) 2016/679 – Article 2(2)(d) – Scope – Directive (EU) 2016/681 – Use of PNR data of air passengers of flights operated between the European Union and third countries – Power to include data of air passengers of flights operated within the European Union – Automated processing of those data – Retention period – Fight against terrorist offences and serious crime – Validity – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 21 as well as Article 52(1) – National legislation extending the application of the PNR system to other transport operations within the European Union – Freedom of movement within the European Union – Charter of Fundamental Rights – Article 45)

1.        Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Scope – Processing of personal data envisaged by national legislation intended to transpose Directives 2004/82, 2010/65 and 2016/681 – Included – Limits

(European Parliament and Council Regulation 2016/679, Arts 2(2)(d) and 23; European Parliament and Council Directives 2010/65, 2016/680 and 2016/681; Council Directive 2004/82)

(see paragraphs 67, 68, 73, 74, 80, 83, 84, operative part 1)

2.        Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – PNR data – Scope – Air passengers and flights concerned – Automated processing of those data – Infringement of the rights to respect for private life and the protection of personal data – Absence

(Charter of Fundamental Rights of the European Union, Arts 7, 8, 21 and 52(1); European Parliament and Council Directive 2016/681, Arts 1(2), 2, 3(2), (4), (8) and (9), 6, 12 and Annexes I and II)

(see paragraphs 94-97, 111, 122, 123, 129, 131-140, 152, 157, 162, 169-175, 184, 188, 197, 202, 213, 218-220, 223, 225-228, operative part 2)

3.        Fundamental rights – Respect for private life – Protection of personal data – Limitations – Conditions

(Charter of Fundamental Rights of the European Union, Arts 7, 8, and 52(1))

(see paragraphs 115-118)

4.        Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Processing of PNR data – Purposes – Processing for purposes other than those expressly provided for – Unlawful

(Charter of Fundamental Rights of the European Union, Arts 7, 8 and 52(1); European Parliament and Council Directive 2016/681, Arts 1(2) and 6)

(see paragraphs 233, 235, 237, 288, 289, operative part 3)

5.        Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Disclosure of PNR data beyond six months after their transfer by air carriers – Condition – Approval by the competent national authority – Meaning – Passenger information unit – Precluded

(Charter of Fundamental Rights of the European Union, Arts 7 and 8; European Parliament and Council Directive 2016/681, Arts 4(1) to (3) and 12(3)(b))

(see paragraphs 244, 245, 247, operative part 4)

6.        Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Retention period for PNR data – General retention period of five years, applicable indiscriminately to all air passengers – Unlawful

(Charter of Fundamental Rights of the European Union, Arts 7, 8, 45 and 52(1); European Parliament and Council Directive 2016/681, Art. 12)

(see paragraphs 251, 255-259, 262, operative part 5)

7.        Border controls, asylum and immigration – Obligation of carriers to communicate passenger data – Directive 2004/82 – Scope – Intra-EU flights – Precluded

(European Parliament and Council Directive 2016/681, Art. 2; Council Directive 2004/82, Arts 2(a), (b) and (d), 3(1) and (2), and 6(1))

(see paragraphs 266-269, operative part 6)

8.        Police cooperation – Judicial cooperation in criminal matters – Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime – Directive 2016/681 – Application of the directive to intra-EU flights – Application to all intra-EU flights and transport operations carried out by other means within the European Union in the absence of a genuine and present or foreseeable terrorist threat – Unlawful – Limited application – Whether permissible – Conditions

(Art. 3(2) TEU; Art. 67(2) TFEU; Charter of Fundamental Rights of the European Union, Arts 7, 8, 45 and 52(1); European Parliament and Council Directive 2016/681)

(see paragraphs 277-282, 285, 290, 291, operative part 7)

9.        EU law – Primacy – Directive 2016/681 – Annulment, by the national court, of provisions of national law incompatible with that directive – Possibility of maintaining the effects of the provisions in question – Absence – Admissibility of the evidence obtained under those provisions – Application of national law – Limits – Respect for the principles of equivalence and effectiveness

(Art. 3(2) TEU; Art. 67(2) TFEU; Charter of Fundamental Rights of the European Union, Arts 7, 8, 45 and 52(1); European Parliament and Council Directive 2016/681)

(see paragraphs 293-298, operative part 8)


Résumé

PNR (Passenger Name Record) data are reservation information stored by air carriers in their reservation and departure control systems. The PNR Directive (1) requires those carriers to transfer the data of any passenger on an extra-EU flight operated between a third country and the European Union to the Passenger Information Unit (‘PIU’) of the Member State of destination or departure of the flight concerned, in the fight against terrorist offences and serious crime. The PNR data thus transferred are subject to advance assessment by the PIU (2) and are then retained for the purposes of a possible subsequent assessment by the competent authorities of the Member State concerned or those of another Member State. A Member State may decide to apply that directive also to intra-EU flights. (3)

The Ligue des droits humains brought an action before the Cour constitutionnelle (Constitutional Court, Belgium) seeking annulment of the Law of 25 December 2016, (4) which transposes both the PNR Directive and the API Directive (5) into Belgian law. According to the applicant, that law infringes the right to respect for private life and to the protection of personal data. It criticises, first, the very broad nature of PNR data and, second, the general nature of the collection, transfer and processing of those data. The law also infringes the free movement of persons in that it indirectly restores border controls by extending the PNR system to intra-EU flights and to transport operations carried out by other means within the European Union.

In that context, the Belgian Constitutional Court referred 10 questions to the Court of Justice for a preliminary ruling relating, inter alia, to the validity and interpretation of the PNR Directive as well as to the applicability of the GDPR. (6)

Those questions result in the Court taking another look at the processing of PNR data with regard to the fundamental rights to respect for private life and the protection of personal data (7) enshrined in the Charter of Fundamental Rights of the European Union. (8) By its judgment, delivered by the Grand Chamber, the Court confirms that the PNR Directive is valid in so far as it can be interpreted consistently with the Charter and clarifies the interpretation of some of its provisions. (9)

Findings of the Court

After having specified which of the data processing operations provided for by national legislation, such as that at issue, intended to transpose both the API Directive and the PNR Directive are those to which the GDPR’s general rules apply, (10) the Court verifies the validity of the PNR Directive.

The validity of the PNR Directive

In its judgment, the Court holds that, since the Court’s interpretation of the provisions of the PNR Directive in the light of the fundamental rights guaranteed in Articles 7, 8 and 21 as well as Article 52(1) of the Charter (11) ensures that that directive is consistent with those articles, the examination of the questions referred has revealed nothing capable of affecting the validity of the said directive.

As a preliminary point, it recalls that an EU act must be interpreted, as far as possible, in such a way as not to affect its validity and in conformity with primary law as a whole and, in particular, with the provisions of the Charter, and the Member States must thus ensure that they do not rely on an interpretation thereof that would be in conflict with the fundamental rights protected by the EU legal order or with the other general principles recognised by EU law. As regards the PNR Directive, the Court states that many recitals and provisions of that directive require such a consistent interpretation, stressing the importance that the EU legislature, by referring to the high level of data protection, gives to the full respect for the fundamental rights enshrined in the Charter.

The Court finds that the PNR Directive entails undeniably serious interferences with the rights guaranteed in Articles 7 and 8 of the Charter, in so far, inter alia, as it seeks to introduce a surveillance regime that is continuous, untargeted and systematic, including the automated assessment of the personal data of everyone using air transport services. It points out that the question whether Member States may justify such an interference must be assessed by measuring its seriousness and by verifying that the importance of the objective of general interest pursued is proportionate to that seriousness.

The Court concludes that the transfer, processing and retention of PNR data provided for by that directive may be considered to be limited to what is strictly necessary for the purposes of combating terrorist offences and serious crime, provided that the powers provided for by that directive are interpreted restrictively. In that regard, the judgment delivered today states, inter alia, that:

–        The system established by the PNR Directive must cover only clearly identifiable and circumscribed information under the headings set out in Annex I to that directive, which relates to the flight operated and the passenger concerned, which means, for some of the headings set out in that annex, that only the information expressly referred to is covered. (12)

–        Application of the system established by the PNR Directive must be limited to terrorist offences and only to serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air. As regards such serious crime, the application of that system cannot be extended to offences which, although meeting the criterion laid down by that directive relating to the threshold of severity and being referred to in, inter alia, Annex II to that directive, amount to ordinary crime having regard to the particular features of the domestic criminal justice system.

–        Any extension of the application of the PNR Directive to selected or all intra-EU flights, which a Member State may decide by exercising the power provided for in that directive, must be limited to what is strictly necessary. For that purpose, it must be open to effective review either by a court or by an independent administrative body whose decision is binding. In that regard, the Court states:

–        Only in a situation where that Member State finds that there are sufficiently solid grounds for considering that it is confronted with a terrorist threat which is shown to be genuine and present or foreseeable, the application of that directive to all intra-EU flights from or to the said Member State, for a period of time that is limited to what is strictly necessary but may be extended, does not exceed what is strictly necessary. (13)

–        In the absence of such a terrorist threat, the application of that directive cannot cover all intra-EU flights, but must be limited to intra-EU flights relating, inter alia, to certain routes or travel patterns or to certain airports in respect of which there are, according to the assessment of the Member State concerned, indications that are such as to justify that application. The strictly necessary nature of that application to intra-EU flights thus selected must be reviewed regularly, in accordance with changes in the circumstances that justified their selection.

–        For the purposes of the advance assessment of PNR data, the objective of which is to identify persons who require further examination before their arrival or departure and is carried out, as a first step, by means of automated processing, the PIU may, on the one hand, compare those data only against the databases on persons or objects sought or under alert. (14) Those databases must be non-discriminatory and exploited, by the competent authorities, in relation to the fight against terrorist offences and serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air. As regards, on the other hand, the advance assessment against pre-determined criteria, the PIU cannot use artificial intelligence technology in self-learning systems (‘machine learning’), capable of modifying, without human intervention and review, the assessment process and, in particular, the assessment criteria on which the result of the application of that process is based, as well as the weighting of those criteria. Those criteria must be determined in such a way that their application targets, specifically, individuals who might be reasonably suspected of involvement in terrorist offences or serious crime and takes into consideration both ‘incriminating’ as well as ‘exonerating’ circumstances, while not giving rise to direct or indirect discrimination. (15)

–        In view of the margin of error inherent in such automated processing of PNR data and the fairly substantial number of ‘false positives’, resulting from the application thereof in 2018 and 2019, the appropriateness of the system established by the PNR Directive for the purpose of attaining the objectives pursued essentially depends on the proper functioning of the verification of positive results obtained under those processing operations, which the PIU carries out, as a second step, by non-automated means. In that regard, the Member States must lay down clear and precise rules capable of providing guidance and support for the analysis carried out by the PIU agents in charge of that individual review for the purposes of ensuring full respect for the fundamental rights enshrined in Articles 7, 8 and 21 of the Charter and, in particular, guarantee a uniform administrative practice within the PIU that observes the principle of non-discrimination. In particular, they must ensure that the PIU establishes objective review criteria enabling its agents to verify, on the one hand, whether and to what extent a positive match (‘hit’) concerns effectively an individual who may be involved in terrorist offences or serious crime, as well as, on the other hand, the non-discriminatory nature of automated processing operations. In that context, the Court also points out that the competent authorities must ensure that the person concerned is able to understand how those pre-determined assessment criteria and programs applying those criteria work, so that it is possible for that person to decide with full knowledge of the relevant facts, whether or not to exercise his or her right to a judicial redress. 
Similarly, in the context of such an action, the court responsible for reviewing the legality of the decision adopted by the competent authorities as well as, except in the case of threats to State security, the persons concerned themselves must have an opportunity to examine both all the grounds and the evidence on the basis of which the decision was taken, including the pre-determined assessment criteria and the operation of the programs applying those criteria.

–        The subsequent disclosure and assessment of PNR data, that is to say, after the arrival or departure of the person concerned, may be made only on the basis of new circumstances and objective material which either are capable of giving rise to a reasonable suspicion that that person is involved in serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air, or from which it can be inferred that those data could, in a given case, contribute effectively to the fight against terrorist offences having such a link. The disclosure of PNR data for the purposes of such a subsequent assessment must, as a general rule, except in the event of duly justified urgency, be subject to a prior review carried out either by a court or by an independent administrative authority, upon reasoned request by the competent authorities and irrespective of whether that request was introduced before or after the expiry of the six-month time limit after the transfer of those data to the PIU. (16)

Interpretation of the PNR Directive

After establishing the validity of the PNR Directive, the Court provides further clarification as to the interpretation of that directive. First, it points out that the directive lists exhaustively the objectives pursued by the processing of PNR data. Therefore, that directive precludes national legislation which authorises PNR data to be processed for purposes other than the fight against terrorist offences and serious crime. Thus, national legislation that includes, among the purposes for which PNR data are to be processed, monitoring activities within the remit of the intelligence and security services is liable to disregard the exhaustive nature of that list. Likewise, the system established by the PNR Directive cannot be provided for the purposes of improving border controls and combating illegal immigration. (17) It also follows that PNR data may not be retained in a single database that may be consulted both for the purposes of the PNR Directive as well as for other purposes.

Second, the Court explains the concept of an independent national authority, competent to verify whether the conditions for the disclosure of PNR data, for the purposes of their subsequent assessment, are met and to approve such disclosure. In particular, the authority put in place as the PIU cannot be classified as such since it is not a third party in relation to the authority which requests access to the data. Since the members of its staff may be agents seconded from the authorities entitled to request such access, the PIU appears necessarily linked to those authorities. Accordingly, the PNR Directive precludes national legislation pursuant to which the authority put in place as the PIU is also designated as a competent national authority with power to approve the disclosure of PNR data upon expiry of the period of six months after the transfer of those data to the PIU.

Third, as regards the retention period of PNR data, the Court holds that Article 12 of the PNR Directive, read in the light of Articles 7 and 8 as well as Article 52(1) of the Charter, precludes national legislation which provides for a general retention period of five years for PNR data, applicable indiscriminately to all air passengers.

According to the Court, after expiry of the initial retention period of six months, the retention of PNR data does not appear to be limited to what is strictly necessary as regards air passengers for whom neither the advance assessment nor any verification carried out during the initial retention period of six months, nor any other circumstance, have revealed the existence of objective material – such as the fact that the PNR data of the passengers concerned have given rise to a verified positive match in the context of the advance assessment – capable of establishing a risk that relates to terrorist offences or serious crime having an objective link, even if only an indirect one, with those passengers’ air travel. By contrast, it takes the view that, during the initial period of six months, the retention of the PNR data of all air passengers subject to the system established by that directive does not appear, as a matter of principle, to go beyond what is strictly necessary.

Fourth, the Court provides guidance on the possible application of the PNR Directive, for the purposes of combating terrorist offences and serious crime, to other modes of transport carrying passengers within the European Union. The directive, read in the light of Article 3(2) TEU, Article 67(2) TFEU and Article 45 of the Charter, precludes a system for the transfer and processing of the PNR data of all transport operations carried out by other means within the European Union in the absence of a genuine and present or foreseeable terrorist threat with which the Member State concerned is confronted. In such a situation, as in the case of intra-EU flights, the application of the system established by the PNR Directive must be limited to PNR data of transport operations relating, inter alia, to certain routes or travel patterns, or to certain stations or certain seaports for which there are indications that are such as to justify that application. It is for the Member State concerned to select the transport operations for which there are such indications and to review regularly that application in accordance with changes in the circumstances that justified their selection.


1      Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ 2016 L 119, p. 132) (‘the PNR Directive’).


2      The purpose of that advance assessment is to identify persons who require further examination by the competent authorities, in view of the fact that such persons may be involved in a terrorist offence or serious crime. It is to be carried out systematically and by automated means, by comparing PNR data against ‘relevant’ databases or by processing them against pre-determined criteria under Article 6(2)(a) and (3) of the PNR Directive.


3      Making use of the possibility provided for in Article 2 of the PNR Directive.


4      Loi du 25 décembre 2016 relative au traitement des données des passagers (Law of 25 December 2016 on the processing of passenger data (Moniteur belge of 25 January 2017, p. 12905)).


5      Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ 2004 L 261, p. 24) (‘the API Directive’). That directive regulates the transfer of advance passenger information data by air carriers to the competent national authorities (such as the number and type of travel document used as well as nationality) for the purpose of improving border controls and combating illegal immigration.


6      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).


7      ‘The fundamental rights guaranteed in Articles 7 and 8 of the Charter’. The Court has already examined the compatibility with those rights of the system for the collection and processing of PNR data envisaged by the draft agreement between Canada and the European Union on the transfer and processing of passenger name record data (Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592)).


8      ‘The Charter’.


9      In particular, Article 2 (‘Application of [the] Directive to intra-EU flights’), Article 6 (‘Processing of PNR data’) and Article 12 (‘Period of data retention and depersonalisation’) of the PNR Directive.


10      The Court clarifies that the GDPR is applicable to the processing of personal data provided for by such legislation, as regards, on the one hand, data processing operations carried out by private operators and, on the other hand, data processing operations carried out by public authorities covered, solely or in addition, by the API Directive. By contrast, the GDPR does not apply to the operations envisaged by such legislation which are covered only by the PNR Directive, and are carried out by the PIU or by the competent authorities in order to combat terrorist offences and serious crime.


11      In accordance with that provision, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms. In addition, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.


12      Thus, in particular, ‘forms of payment information’ (heading 6 of the annex) must be limited to the payment methods and billing of the air ticket, to the exclusion of any other information not directly relating to the flight, and the ‘general remarks’ (heading 12) can relate only to the information expressly listed in that heading, relating to passengers who are minors.


13      The existence of that threat is, in itself, capable of establishing a connection between, on the one hand, the transfer and processing of the data concerned and, on the other, the fight against terrorism. Therefore, making provision for the application of the PNR Directive to all intra-EU flights from or to the said Member State, for a limited period of time, does not go beyond what is strictly necessary, and the decision providing for that application must be open to effective review either by a court or by an independent administrative body.


14      Namely databases concerning persons or objects sought or under alert within the meaning of Article 6(3)(a) of the PNR Directive. By contrast, analyses using various databases could take the form of ‘data mining’ and could lead to a disproportionate use of those data, providing the means of establishing a detailed profile of the individuals concerned solely because they intend to travel by air.


15      Pre-determined criteria must be targeted, proportionate and specific, and be regularly reviewed (Article 6(4) of the PNR Directive). The advance assessment against pre-determined criteria must be carried out in a non-discriminatory manner. According to the fourth sentence of Article 6(4) of the PNR Directive, the criteria are in no circumstances to be based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.


16      Under Article 12(1) and (3) of the PNR Directive, such control is expressly provided for only in respect of requests for disclosure of PNR data made after the six-month time limit after the transfer of those data to the PIU.


17      That is to say, the objective of the API Directive.