EU court sets limits for use of passenger flight data

The European Court of Justice (ECJ) set boundaries on how passenger data is collected and when it can be used by law enforcement, the court announced in a ruling on Tuesday.

A rights group who brought the case argued that the bloc's practices go too far, saying they could lead to mass surveillance and discrimination.

What was allowed until now?

The case concerned the EU's Passenger Name Record (PNR) Directive, which was adopted in 2016.

The measure permits justice officials and police to access passenger data on people flying into and out of the bloc. It also permits the collection of passenger data on flights within the EU in some cases.

The directive seeks to aid authorities in combating serious crime and preventing terrorism.

The data collected can include the names and contact information of passengers, as well as flight numbers, number of bags, how they paid for the flight and who they traveled with.

That data is collected and processed by passenger information units set up by each EU member state. The units then cross check the passenger information with law enforcement databases. They can then send the personal data to police, Europol and other bloc authorities "either spontaneously or in response to duly reasoned requests," according to the European Commission.

This data is used to track known criminal suspects, but also to flag potentially suspicious flights — including if a passenger paid in cash or if they aren't bringing lots of luggage on a long-haul flight, German public broadcaster Deutschlandfunk reported.

Currently, the data is "depersonalized" after six months and can be saved up to 5 years — after which, it must be deleted.

How did the court rule?

The ECJ, however, ruled that while the directive is permissible, certain limitations must be set so that the data collection does not violate EU law.

In a statement, the court said "that respect for fundamental rights requires that the powers provided for by the PNR Directive be limited to what is strictly necessary."

Authorities in the EU's 27 member  states may only transfer and process passenger data for a "genuine and present or foreseeable terrorist threat."

The data can only be accessed by authorities when the person's travel is believed to be connected to criminal activity — meaning they must be suspected of fleeing the scene of a crime, or arriving at a destination with an intent to commit a crime.

The court also took issue with the length of time that the data is saved, saying much of the data should not be stored after six months. Law enforcement agencies would be permitted to keep the data for longer only if there is an "objective link" to potential terrorist activity or a serious crime.

The ECJ also banned the use of artificial intelligence (AI) in machine learning systems to harvest and process data on airline passengers.

The judges said the algorithms in the data collection software need to be clear, and that machine learning cannot be used to determine which behaviors or markers could be considered suspicious — as this could lead to "direct or indirect discrimination."

Why is the decision significant?

Tuesday's decision is significant in that it is the first time the EU's top court issued a ruling curbing the use of artificial intelligence — setting a precedent that could be used in future cases where AI is concerned.

While the ECJ did not halt the practice outright, the ruling is also a partial-win for data privacy advocates, who argued that the PNR directive violated data protection rights and the right to privacy.

The ECJ was asked to rule on the case after Belgium's Human Rights League (LDH) and other groups challenged the directive in a Belgian court in 2017.

They argued that the directive allowed authorities to collect too much data on airline passengers. They said the way the data was harvested, as well as its use by law enforcement could lead to discrimination and profiling, as well as amount to mass surveillance.

Tuesday's ruling means that there are further curbs on when authorities in the EU can access passenger data on flights taking place within the bloc.

rs/msh (dpa, Reuters)