January 27th, 2022
In his latest ruling regarding passenger rights, the European Court of Justice (ECJ) limited the disclosure of how passenger data is collected and when it can be used by law enforcement. Plaintiff argued that EU practices go too far and could “lead to mass surveillance and discrimination”.
The case concerned EU’s Passenger Name Record (PNR) Directive from 2016 (Directive (EU) 2016/681) and it allows the collection of passenger data on flights even within the EU in some cases. The dataset collected usually includes names and contact information of passengers, as well as flight numbers, number of bags, how they paid for the flight and who they travelled with.
That data is collected and processed by passenger information units in each EU member state, the units then countercheck the PNR with law enforcement databases. This personal data could be sent to state authorities afterwards. Currently, datasets are depersonalized after six months and can be saved up to five years — afterwards it must be deleted. ECJ, however, ruled that certain limitations must be set. Local authorities may only transfer and process passenger data for a “genuine and present or foreseeable terrorist threat.”
Even more, ECJ also banned the use of artificial intelligence (AI) in machine learning systems to harvest and process data on airline passengers.
Member states will now be forced to ajust their legislation regarding EU’s PNR-Directive (in Germany „Fluggastdatengesetz“). Which in turn will lead to several new challenges for airlines when it comes to harvesting data in the booking process: in order to meet ECJ’s expectations to keep a specific reference to terror or security threats it might be required to determine certain suspicious routes, endangered airports – without the sole use of artificial intelligence. According to ECJ without any threat data harvesting will have to be strictly limited to what is necessary.
European Court of Justice, June 21st 2022, File C-817/19