The European Court of Justice (ECJ) has set limits on how passenger data is collected and when it can be used by law enforcement, the court said in a ruling on Tuesday.
A rights group that brought the case argued the bloc’s practices go too far, saying they could lead to mass surveillance and discrimination.
What was allowed until now?
The case concerned the EU Passenger Name Record (PNR) Directive, which was passed in 2016.
The measure allows justice officials and police to access passenger data on people entering and exiting the block. It also allows the collection of data on passengers of flights within the EU in certain cases.
The directive aims to help authorities fight serious crime and prevent terrorism.
The data collected may include names and contact details of passengers, as well as flight numbers, number of bags, how they paid for the flight and with whom they traveled.
These data are collected and processed by passenger information units set up by each EU Member State. Units then verify passenger information with law enforcement databases. They can then send the personal data to the police, Europol and other authorities in the bloc “either spontaneously or in response to duly reasoned requests”, according to the European Commission.
This data is used to track known criminal suspects, but also to flag potentially suspicious thefts, including whether a passenger paid cash or isn’t bringing a lot of luggage on a long-haul flight, the report reported. German public broadcaster Deutschlandfunk.
Currently, data is “de-identified” after six months and may be retained for up to 5 years, after which it must be deleted.
How did the court decide?
The ECJ ruled, however, that if the directive is allowed, certain limits must be set so that the data collection does not violate EU law.
In a statement, the Court said “that respect for fundamental rights requires that the powers provided for by the PNR Directive be limited to what is strictly necessary”.
Authorities in the 27 EU member states can only transfer and process passenger data for a “real and present or foreseeable terrorist threat”.
The data can only be accessed by authorities when the person’s journey is suspected of being linked to criminal activity, which means they must be suspected of fleeing the scene of a crime or arriving at their destination with intent to commit a crime.
The court also disputed the retention period of the data, saying that much of the data should not be retained after six months. Law enforcement would only be allowed to retain the data for longer if there is an “objective connection” to potential terrorist activity or a serious crime.
The ECJ also banned the use of artificial intelligence (AI) in machine learning systems to harvest and process airline passenger data.
The judges said the data collection software’s algorithms must be clear and that machine learning cannot be used to determine which behaviors or markers could be considered suspicious, as this could lead to “direct or indirect discrimination”. .
Why is the decision important?
Tuesday’s ruling is significant as it is the first time the EU’s highest court has issued a ruling limiting the use of artificial intelligence, setting a precedent that could be used in future cases involving the AI.
Although the CJEU did not put an end to this practice, the decision is also a partial victory for data privacy advocates, who have argued that the PNR Directive violates data protection rights and the right to private life.
The CJEU was asked to rule on the case after the Belgian League for Human Rights (LDH) and other groups challenged the directive in a Belgian court in 2017.
They argued that the directive allowed authorities to collect too much passenger data from airlines. They said the way the data was collected, as well as its use by law enforcement, could lead to discrimination and profiling, as well as mass surveillance.
Tuesday’s decision means there are new restrictions on when EU authorities can access passenger data on flights taking place within the bloc.
rs/msh (dpa, Reuters)