EU-Canada Data-Sharing Deal May Go Too Far

     (CN) — An agreement between the European Union and Canada to share airline passenger data doesn’t sit well with an EU court adviser, who said Thursday that the plan goes far beyond what’s necessary to prevent terrorism and transnational crime.
     The EU and Canada began negotiating an agreement to share passenger name record data in 2010 in order to thwart terrorism and other crimes. Included in the agreement is all the typical EU privacy requirements — masking of sensitive data, right of access, rights to correct and erase data, storage time limits and passengers’ rights to judicial redress.
     With the agreement finally signed in 2014, EU lawmakers sent the final draft to the European Court of Justice for a constitutional check — a first for an international agreement.
     But on Thursday, Advocate General Paolo Mengozzi said the agreement as currently drafted runs contrary to the EU constitution on several points — particularly in light of the high court’s recent decisions in high-profile personal data cases like Schrems — which led to the dismantling of the U.S.-EU data-sharing agreement — and Digital Rights Ireland, which gutted the EU’s data-mining directive.
     Aside from transferring way too much personal data to Canada’s control — and giving Canada too much power over how it uses the data — Mengozzi said the agreement allows for more than is necessary to prevent and detect terrorist offenses and serious forms of transnational crime.
     “The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable size and a not insignificant gravity,” Mengozzi wrote. “It systematically affects all passengers flying between Canada and the union, several tens of millions of persons a year. Furthermore, as most of the interested parties have confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers, which includes sensitive data requiring by definition automated processing, and the retention of that data for a period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with preestablished patterns of behavior that is ‘at risk’ or ‘of concern,’ in connection with terrorist activities and/or serious transnational crime, in order to identify persons not hitherto known to the police or not suspected.
     “Those characteristics, apparently inherent in the passenger name record scheme put in place by the agreement envisaged, are capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects,” Mengozzi added.
     The adviser’s opinion is not binding on the court, which has begun its own deliberations in the case.
     Mengozzi is not the first EU official to question the passenger name record scheme. In late 2015, the union’s data czar urged lawmakers to rethink plans to collect personal data from every person who boards an airplane to, from and within Europe — echoing Mengozzi’s concerns that doing so essentially turns all passengers into de facto criminal suspects.

%d bloggers like this: