TOOLS ADOPTED BY THE EDPB IN DECEMBER 2022
By Mugurel Olariu, RPD protectie date
The European Data Protection Board – EDPB adopted several documents in the plenary sessions of December 5 and 13/14 respectively, among which we point out the most important of them, as follows:
√ three Decisions from the consistency mechanism that have as their object the relevant objections regarding the draft decision of APD Ireland regarding Meta Platforms Ireland Limited (Meta IE) – Facebook, Instagram and WhatsApp Ireland Limited platforms, pursuant to art. 65 para. (1) letter (a) of the GDPR.
√ Statement 5/2022 on the implications of Decision C-817/19 of the European Court of Justice of the EU regarding the implementation of Directive (EU) 2018/681 on the use of PNR data in the member states*1.
Next, we present the aspects developed by the said statement:
On 21 June 2022, on a referral from the Belgian Constitutional Court, the Court of Justice of the European Union (CJEU) rendered its judgement on the Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (hereinafter PNR Directive).
The Court found that the validity of the PNR Directive was not affected. At the same time, the Court ruled that, in order to ensure compliance with the Charter, the PNR Directive needs to be interpreted as including important limitations to the processing of personal data. This is of particular importance with a view to the serious interferences with the rights guaranteed in Articles 7 and 8 of the Charter.
To limit these interferences to what is strictly necessary, the Court identifies several aspects that national laws transposing the Directive must comply with. Among the most relevant are in particular:
– limitation to the purposes set out in the PNR Directive, which are exhaustive,
– application of the PNR system only to terrorist offences and serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air and thus also exclusion of ordinary crime,
– limitation of the application of the PNR Directive with regard to intra-EU flights and other means of transport,
– no indiscriminate application of the general retention period of five years to all air passengers’ personal data.
With its ruling, the Court set out comprehensively the strict limitations to be respected when transposing and applying the PNR Directive. This interpretation significantly narrows the ways in which Member States may process PNR data.
It is therefore likely, that the current processing of PNR data in many, if not most Member States, does not fully comply with the PNR Directive as interpreted by the CJEU. As a consequence, PNR systems across the EU may continue to interfere disproportionately with the fundamental rights of data subjects every day.
The EDPB therefore calls on Member States to instantly take all necessary steps to ensure that the respective national implementations of the PNR Directive are in line with the Charter, in particular with the fundamental right to protection of personal data. These steps may encompass legislative measures, but should also identify measures to be put into practice promptly, e.g. by their respective Passenger Information Unit, in order to effectively protect the fundamental rights of the data subjects. In this regard, the EDPB notes that supervisory authorities are fully competent to investigate compliance with EU data protection requirements at national level.
To deepen the issues, we note that both the CJEU Decision in case C-817/19 and the Advocate General’s Conclusions have been published on the CJEU website and can be consulted*2.
—————————————————–
*1 https://edpb.europa.eu/ourwork-tools/our-documents/statements/statement-implications-cjeu-judgment-c-81719-use-pnr-member_ro
*2 https://curia.europa.eu/juris/liste.jsf?lgrec=fr&td=%3BALL&language=en&num=C-817/19&jur=C
