The highest court of the European Union will be reviewing the legality of the directive adopted by the EU in 2017 requiring airlines to send Passenger Name Record (PNR) data to the government of each EU member state, and requiring each EU member state to establish a “Passenger Information Unit” to carry out PNR-based surveillance and profiling of air travelers.
National courts first in Belgium and more recently in Germany have referred questions concerning the legality under European Union human rights law of government access to and use of Passenger Name Records (PNRs) to the Court of Justice of the European Union (CJEU).
The legal case challenging the “transposition” of the EU PNR directive into Belgian law was brought by the League des Droits Humains (LDH). We reported last year on the lawsuit in Germany that led to the latest referral to the CJEU. That legal case is part of the NoPNR.eu campaign by the Gesellschaft für Freiheitsrechte (GFF) in Germany and epicenter.works – Plattform Grundrechtspolitik in Austria, funded in part by a grant from the Digital Freedom Fund (DFF) for impact litigation. Cases brought in Austria as part of the same campaign may also lead to referrals to the CJEU. An update about this campaign (in English) was presented at the Chaos Communication Congress (36C3) last month in Leipzig.
We are pleased that European courts are addressing questions about the compatibility of PNR-based dragnet surveillance and profiling of travelers that US courts have to date avoided. But it is unfortunate that, while the CJEU struck down the EU agreement to exchange PNR data with Canada as an infringement of fundamental rights, and will now review the EU PNR directive, the CJEU has not yet been asked to rule on the legality of the EU agreement with the USA on PNR data, which in fact provides the model for internationalization of the PNR-based surveillance, profiling, and control of air travelers which was pioneered and continues to be driven by the US government.