Thursday, August 18, 2022 | Back issues
Courthouse News Service Courthouse News Service

Top EU court limits use of air passenger data 

The court curtailed a 2016 EU law that required member states to store the names of passengers, travel dates and even their baggage information for five years.

LUXEMBOURG (CN) — The European Union’s high court on Tuesday restricted how countries can use data collected from airline passengers.

The European Court of Justice upheld the 2016 Passenger Name Record, or PNR, Directive but curtailed its scope, finding the information collected can only be used in the event of “a genuine and present or foreseeable terrorist threat.” 

The Belgian branch of the Human Rights League, Ligue des droits humains, sued in 2017 to stop the regulation, claiming its requirements are too broad and don’t sufficiently protect personal information. Eventually, the Belgian Constitutional Court referred the case to EU’s highest court, asking if the directive conflicts with other regulations protecting personal data. 

The directive requires EU countries to collect the personal data of millions of passengers on flights to and from Europe as well as travelers on flights within the EU, including names, dates of travel, payment methods, baggage information and seat numbers. Countries are required to store the information for five years. 

The Luxembourg-based court took issue with the breadth of the regulation, finding it could seriously infringe on the privacy rights of EU citizens.

The court wrote that the directive "seeks to introduce a surveillance regime that is continuous, untargeted and systematic, including the automated assessment of the personal data of everyone using air transport services."

To limit how pervasive the PNR Directive is, the court concluded the data could only be used in the event of an imminent threat.

“In the absence of a genuine and present or foreseeable terrorist threat to a member state, EU law precludes national legislation providing for the transfer and processing of the PNR data,” the court said in a statement. 

Specifically, the ruling outlawed the use of machine learning to collect information and required that decisions to use the information had to be reviewed by an independent administrative body or a court. The EU court also limited how long countries can keep any data they do collect to a maximum of six months. 

Early this year, Advocate General Giovanni Pitruzzella concluded in a nonbinding opinion for the court that the PNR Directive complies with EU privacy rules if there are sufficient safeguards. 

The Court of Justice has frequently found fault with EU or national regulations requiring the retention of personal data. In 2014, it struck down an EU law requiring telecommunications providers to collect and retain subscribers’ traffic and location data and in 2016 concluded that providers cannot keep customer data indefinitely. Spy agencies were told in 2020 that they can only keep data in the event of national emergencies. 

Other challenges to the PNR Directive from Slovenia and Germany are currently pending before the court. 

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.

Loading
Loading...