Ex ante, the July 2022 ruling by the Court of Justice of the EU on Passenger Name Records had a very specific scope — the use of passenger name records by government agencies. Upon closer inspection, however, it has important implications for the governance of algorithms more generally. That is true especially for the proposed AI Act, which is currently working its way through the EU institutions. It highlights, ultimately, how national, or in this case European, legal orders may limit the scope for international regulatory harmonization and cooperation. Continue reading >>
The Ligue des droits humains ruling regarding automated predictive threat detection has implications for the European Travel Information and Authorisation System (ETIAS) Regulation and the EU Commission’s proposal for a Regulation on combating online child sexual abuse material (CSAM). Both legal instruments entail the use of potentially self-learning algorithms, and are spiritual successors to the PNR Directive (the subject of Ligue des droits humains). Continue reading >>
Core state functions, such as law enforcement, are increasingly delegated to private actors. Nowhere is this more apparent than in the development and use of security technologies. This public-private collaboration harbours detrimental consequences for fundamental rights and the rule of law; in particular, for the principle of legality. The policy outcomes which result from this collaboration are not democratically accountable, and allow human rights to be superseded by private, profit-driven interests.
Continue reading >>
In Ligue des droits humains, the Court of Justice of the European Union explicitly addresses the fact that the use of AI and self-learning risk models may deprive data subjects of their right to effective judicial protection as enshrined in the Charter. The importance of this judgment cannot be understated for non-EU citizens and at the European borders more generally.
Continue reading >>
The rule of law cannot be reconciled with the existence of secret laws, unclear laws and laws which cannot be obeyed. However, this may be difficult to realise in practice, where full transparency is at odds with the legislative goals; where a certain degree of flexibility of rules is necessary to address changing circumstances, in which these rules function; and where a disconnect occurs between the visions of the lawmaker and reality created by modern technologies that are utilized to pursue them. The CJEU's ruling in Lige des droits humains on Passenger Name Record Directive underscores the difficulty of foreseeability of algorithmic measures and the rule of law. Continue reading >>
As the European legal architecture on internal security is being built around large-scale databases, AI tools and other new technologies, the relationship between the public and private sectors has become increasingly complex. We examine one aspect of the Court of Justice of the European Union’s recent judgment in Ligue des droits humains, namely the data protection rules applicable to cooperation between the public and private entities in personal data sharing. The judgment enhances the ‘personal data autonomy’ of individuals and requires public authorities to justify to a high standard any obligations it seeks to place on the private sector to share personal data related, directly or indirectly, to travel by air. Continue reading >>
At a time when the European security architecture is evolving, and when national lawmakers must pay greater attention to an evolving set of common standards and safeguards to prevent disproportionate government access to data, it is essential to shed critical light on their implementation in actual practice. As different as the EU PNR Directive and the German legal framework are, they both include provisions that seek to prevent disproportionate government access and to ensure effective and independent review of data collection and subsequent data processing. Continue reading >>
The EU Passenger Name Records Directive is based on the logic of preventive security. Th CJEU ruling, Ligue des droits humains, offers an opportunity for national judges to question more radically the idea of generalised preventive security that seeks to anticipate human behaviour through the creation of risk profiles and statistical correlations (instead of causality). Continue reading >>
Automated processing of personal data, which is what Passenger Name Record data are, can lead to forms of profiling; certain individuals or groups of people are more likely to be excluded based on the transfer of their data than others. In its Passenger Name Record judgment, the CJEU extensively discusses discrimination risks, and it set a number of conditions to prevent them. Unfortunately, not all of its considerations are perfectly clear and some of the solutions the CJEU proposes are not entirely satisfactory. Continue reading >>
On 21 June 2022, the Court of Justice of the European Union released its judgment regarding the compatibility of the EU Directive on Passenger Name Record Data with the rights to privacy and personal data protection. Ligue des droits humains has already qualified as a landmark decision, where the Court had the opportunity, among other aspects, to provide comprehensive guidelines on how large-scale predictive policing should take place. The ruling could be used as an inspiration for the legal assessment of various new security law instruments
which require automated predictive threat detection instruments. Continue reading >>
This debate series is dedicated to Ligue des Droits Humains – a case in which the Court of Justice of the European Union decided on the fate of one of the main drivers of this development: the Directive on on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The PNR Directive, being one of the first major EU-wide examples of predictive policing, is not just interesting in itself. It exemplifies the emergence and gradual consolidation of a new security architecture in Europe.
Continue reading >>