Last 21 June, following the criteria previously defined at Digital Rights Ireland (Joined Cases C‑293/12 and C‑594/12, of 8 April 2014), as enhanced by other decisions (Tele2 Sverige, Joined Cases C-203/15 and C-698/15, of 21 December 2016, and La Quadrature du Net and Others, Joined Cases C-511/18, C-512/18 and C-520/18, of 6 October 2020, namely), as well as those stated about the Draft agreement between Canada and the European Union on the Transfer of Passenger Name Record data from the European Union to Canada (Opinion 1/2015, of 26 July 2017), the Court of Justice of the European Union, with its decision in the Ligue des droits humains preliminary ruling procedure (Case C‑817/19), put Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime in a straitjacket.

In short, the rules on the massive retention of traveller’s personal data foreseen by the PNR Directive were found not to comply sufficiently with the rights and the principle of proportionality, as enshrined by the Charter of Fundamental Rights of the European Union.

Therefore and going much further than the Opinion delivered by Advocate General Giovanni Pitruzzella, but also falling short of annulling the PNR Directive, the CJEU placed under review all transposition laws. From now on, enforcement authorities will have to take into strict consideration the adequacy of national rules with the standards stated at the Judgement, if possible through a consistent interpretation, if not overturning them. The detailed red-lines were summarized by the Press and Information Unit of the Court, here, being already the subject of the first position and academic papers.

Besides and beyond travel related issues, this Judgement might have rather relevant implications as the Court dealt with the use of Artificial Intelligence and Big Data for law enforcement purposes, including predictive analytics. Thus and for instance, the Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amending Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation, intended to overcome the rules that founded the order to delete all data about individuals with no established link to a criminal activity from the European Data Protection Supervisor, last 3rd January.

Even more important, this ruling will be at the core of the debates and negotiations currently taking place at the Council of Ministers and at the European Parliament concerning the Proposal for a Regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts (COM(2021) 206 final), presented by the Commission the 21 April 2021.

 

Manuel David Masseno, Professor of Law and DPO

Polytechnic of Beja, Portugal