As the European legal architecture on internal security is being built around large-scale databases, AI tools and other new technologies, the relationship between the public and private sectors has become increasingly complex. In this blog, we examine one aspect of the Court of Justice of the European Union (CJEU)’s recent judgment in Ligue des droits humains, namely the data protection rules applicable to cooperation between the public and private entities in personal data sharing.
As the private sector (e.g. banks, telecommunications companies) has, in many cases, outstripped the public sector in personal data collection and use, when the public sector seeks more information on people for criminal justice or internal security purposes, it increasingly requires the private sector to share personal data with it (e.g. in the field of anti-money laundering). Similarly, as data processing tools in the private sector have been developed and perfected for commercial purposes which enhance knowledge about individuals, the public sector has sought to capitalise on these increasing capacities, by requiring private sector entities to share results of personal data analyses.
The legality of both personal data and analysis sharing between the private and public sectors depends on compliance with EU data protection rules. Two legal regimes apply in parallel: First, the General Data Protection Regulation (GDPR), which places the individual’s right to data autonomy at the centre. Second, the Law Enforcement Directive (LED), which provides for personal data use in the field of prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The LED provides for exceptions to the strict rules on data autonomy which otherwise apply as a result of the GDPR.
In this blog post, we set out the challenges to both the public and private sectors regarding data transfers in the context of the cross-border movement of persons, in particular by air. We examine the issue of private transport sectors’ access to and collection of personal data, to which public authorities have less direct access, and the crystallisation of duties on the private transport sector to share this data with the public sector based on the Passenger Name Record (PNR) Directive. We explore the interpretation of the PNR Directive by the CJEU, which establishes clear lines on where each of the data protection standards lay. We conclude that the CJEU has protected the private sector from demands for data sharing by the public sector, which go beyond that permitted by the GDPR (unless the public sector can justify the demand on LED grounds). The judgment thus enhances the ‘personal data autonomy’ of individuals and requires public authorities to justify to a high standard any obligations it seeks to place on the private sector to share personal data related, directly or indirectly, to travel by air.
It Has Always Been a Bumpy Road: The Evolution of EU Law before the Ligue des droits humains Ruling
Large quantities of personal data are collected by the private sector in the normal pursuit of their business activities, and in that context, much of it is stored for varying periods for contractual purposes. Nowhere is this more evident than in the case of telecommunications companies and internet platforms, where subscribers provide their personal data most consciously for service provision and billing purposes, and the companies retain this data for provision and invoicing purposes. Less consciously, on the part of the consumer, and more controversially, internet platforms and other social media companies collect personal data about their customers from their use of the company’s tools and sell this onwards to make the activity profitable.
The interest of state authorities to access these (invaluable) sources of personal data for security-related purposes has developed as rapidly as the databases themselves. In 2014, the CJEU found that an EU Directive, which required telecoms providers to stock and make available on request to national law enforcement authorities personal data of their customers, was incompatible with the Charter of Fundamental Rights of the EU (Digital Rights Ireland). This judgement began a reappraisal of the relationship between private sector actors and EU law enforcement authorities, as regards the processing and transferring of personal data, the right to privacy and data protection considerations.
In 2017, the CJEU was once again faced with a case where the private sector, in the form of airlines and their agents, were required by state authorities to provide personal data about their customers for law enforcement purposes (fighting terrorism and other forms of serious crime). The issue challenged was the EU-Canada Passenger Name Record (PNR) Agreement of 2006, which required airlines (or their agents, as the collection and storing of PNR data is normally carried out by companies contracted by airlines for this purpose) to make available all PNR data on passengers travelling to Canada for the purpose of preventing and combating terrorism and related crimes and other serious crimes that are transnational in nature, including organised crime. In its Opinion 1/17, the CJEU did not find that the bulk transfer of data was contrary to the Charter rights to privacy and data protection. However, it did find that in so far as the agreement did not preclude the transfer of sensitive data from the EU to Canada and the use and retention of that data, it was incompatible with those Charter rights.
The CJEU’s Stance in Ligue des droits humains on Private/Public Collaboration in Data Transfers
In 2022, the CJEU was again faced with a challenge to the legality of the transfer of PNR data from airlines and their agents to state authorities (for the same law enforcement purposes as above), this time contained in the 2016 PNR Directive. Central to this judgment (Ligue des droits humains) was the data protection standards applicable to such transfers of personal data from the private sector to state authorities. The judgement is of great importance generally to the internal security-related legal architecture of the EU, many aspects of which are considered in other contributions to this blog series. Here we only examine the issue of personal data sharing between the private and public sectors.
The PNR Directive requires personal PNR data sharing by private actors with state competent authorities (law enforcement), exclusively for the purposes of the fight against terrorism and other forms of serious crime (Article 1(2)). The question referred to Luxembourg was on the correct legal basis in EU data protection law for such transfers. For the purposes of the competent law enforcement authorities, in so far as the use of the data is limited to action in respect of terrorism and serious crime, the EU’s Law Enforcement Directive is applicable. This Directive requires that personal data is processed lawfully, collected for specific, explicit and legitimate purposes and is not excessive in relation to the purpose for which it is processed (Article 4). However, in view of the subject matter of the Directive (i.e., data processing for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties), competent authorities in law enforcement have wider powers to collect and use personal data than private sector actors do, and there are fewer rights for the data subjects.
The data protection rules applicable to the private sector and state authorities not carrying out law enforcement activities as defined in the LED are set out in the GDPR, which allows for much more limited grounds for data collection, storage, use and transfer, coupled with higher safeguards for the data subjects. The exceptions which Member States can make to the applicable rules are strictly set out in Article 23, accompanied by areas carved out of its material scope (Article 2(2)). The question arose as to which EU legal regime was applicable to PNR data collected by the private sector and transferred in bulk to state competent law enforcement authorities. A related question was whether or not the PNR Directive can be regarded as a purely lex specialis instrument on data transfers and data protection, setting out self-standing standards independently from the above-mentioned horizontal pieces of EU data protection acquis.
The CJEU found that private sector actors (here: air carriers and their agents) – as entities not exercising public authority and not being entrusted with public powers – are obliged to fully comply with the GDPR. They cannot carry out data collection or processing operations, which can only be justified on the grounds of law enforcement exceptions in the LED. Secondly, data transfers from private sector actors to the competent state authorities (the Passenger Information Units – PIUs) can only take place in accordance with the GDPR. In all circumstances, the exception in Article 23(1)(f) GDPR (transfer for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security) must be interpreted consistently with the rights to privacy (Article 7) and protection of personal data (Article 8) in the Charter. Finally, the PIUs – and other competent law enforcement agencies within the meaning of the PNR Directive – must process the transferred personal data in accordance with GDPR rules unless there is a criminal justice (terrorism or serious crime) objective – in that case, the LED rules apply. The objective for which the PIUs process personal data will depend on the requests from competent authorities. Logically, this also means that if the law enforcement authority is an intelligence service under domestic law and the objective of data processing is fighting terrorism, the LED will apply – at least this flows from the CJEU’s Ligue des droits humains ruling. Reading Articles 2(2) and 3(7) LED in conjunction also supports this interpretation. Importantly, private sector actors cannot be asked to carry out processing actions which can only be authorised under the LED. Their duties all exclusively fall within the remit – and the higher data protection standards – of the GDPR. This is where we stand now regarding privacy protection obligations under multiple EU instruments.
Lessons for the Reform of Advance Passenger Information
With the above, the CJEU clarified, walking in the footsteps of the La Quadrature de Net jurisprudence, that when private entities and law enforcement authorities collaborate in mass data transfers and processing of personal data, a peculiar mix of standards and safeguards stemming from different strands of EU data protection legislation regulate such scenarios. Clear lines of data protection duties determine various steps of such collaboration. The PNR Directive may be seen as only partially constituting lex specialis, which blends the GDPR and the LED with some “own” PNR-specific standards regulating data processing and protection by both private and public actors.
Arguably, the lessons learnt for the data protection boundaries of private/public collaboration do not stop here. When zooming out and taking a broader look at the ramifications of the CJEU ruling, its implications on the future collection and processing of Advance Passenger Information (API) under EU law come to mind first, as the CJEU was explicitly asked to give authentic guidance on the applicable data protection regimes in this context, too. As regards processing API data, the CJEU closed the door on the applicability of the LED. In view of the core purposes of collecting API data, which are reinforcing border controls and curbing irregular migration, all API-related data processing operations must be governed by the GDPR. The LED only applies when API data is used and processed for law enforcement purposes as defined in national law (Article 6(1) of the API Directive).
Another related intriguing question is to what extent the European Commission’ new proposals reforming the use of API data across the Union tally with the CJEU’s findings applicable to the processing of API data. But this assessment is a story for another day. Until then and while pondering more generally on how to strike the fair balance between state security interests and the protection of fundamental rights of millions of data subjects, the wise caution by Advocate General Pitruzzella in the CJEU case at hand may echo in our ears: “[here] we have a contemporary twist on a classic theme of constitutionalism since, as The Federalist categorically asserted, men are not angels, which is why legal mechanisms are needed to constrain and monitor public authorities.”