The aim of this work is to describe the framework of data protection principles within EU law. It will be described how the right to privacy and data protection have been evolving since their birth and how they became fundamental rights that need to be balanced with other crucial interests of the Union, namely, national or public security, with special regard to Passenger
Name Records (PNR).
A passenger name record consists in a set of data elements which concern each airline passenger's travel itinerary, such as the number and method of reservation , home address, email address, timestamped IP address, mobile and phone numbers, emergency contacts, travel details, payment methods, Frequent Flyer Numbers, and even other billing information as meals
or services required by the passengers.
In the first chapter it will be pointed out: at first, how the right to privacy was firstly debated within the domestic law of the United States; secondly, which international organizations laid down principles dedicated to the right to respect for private and
family life; eventually, how the European Union created a comprehensive set of data protection laws safeguarding data subjects' rights.
In this regard, there will be analysed also the most relevant principles of the former Directive 95/46/EC1 and the process that brought into the adoption of the General Data Protection Regulation.
Within the first chapter there will be also examined the most remarkable judgements given by the European Court of Justice, which established several benchmarks for the right to data protection, such as "Lindqvist" Case, "Google Spain", and "Schrems" Regulation 2016/679 will be the main object of the first chapter, as far as it represents nowadays a set of rules that put data
subjects' rights at the core of the discipline set out for data protection.
The final purpose of the first chapter is to explain the most relevant concepts and definitions of data protection. Understanding such principles is necessary to analyse appropriately the second and third chapter.
The third chapter will deal with the international agreements regarding "Passenger Name Record" that have been adopted by the EU with third countries. There will be even observed the main characteristics of "Passenger Name Records" pointing out
how they were perceived, at first, as commercial records and when they became useful for purposes of preventing terrorist offences and other serious crimes.
Table of Contents
1. The evolution of the European discipline concerning data protection: from Directive 95/46 to the new GDPR
1.1 A brief history of privacy and data protection
1.1.1 The role played by the European Union in data protection
1.2 Relevant Provisions of Directive 95/46/EC
1.3 The principles regarding data protection established in the case-laws of the European Court of Justice
1.3.1 “Bodil Lindqvist” Case: processing personal data by automatic means through internet pages
1.3.2 Google Spain SL & Google Inc v. l’Agencia Española de Protección de Datos & Costeja González
1.3.3 Schrems v. Data Protection Commissioner
1.4 The enactment of Regulation 679/2016: general structure and principles
1.4.1 Material and territorial scope of application
1.4.2 Key Definitions of the GDPR
1.4.3 General principles established for processing and the data quality principles
1.4.4 The rights of the data subject: Chapter III of the GDPR
1.4.5 Privacy by design and by default
1.4.7 Subjects ensuring compliance: The Data Protection Officer (DPO) and the European Data Protection Board (EDPB)
1.4.8 Supervisory Authorities (DPA)
1.4.9 Transfers of personal data to third countries or international organizations
2. The PNR Agreements adopted by the EU with third countries
2.1 What is a ‘Passenger Name Record’?
2.2 The EU-US PNR-Agreements
2.2.1 The 2004 Agreement, in the aftermath of 9/11
2.2.2 The Court’s Judgement in the joined cases C-317/04 & C-318/04 and the Opinion of the Advocate General Philippe Léger
2.2.3 Introduction to the 2007 Agreement and its risks for passengers’ right to privacy
2.2.4 The 2012 PNR Agreement between the US and the EU
2.3 The EU – Australia PNR Agreements
2.3.1 The 2008 EU – Australia PNR Agreement
2.3.2 The 2011 PNR Agreement between Australia and the European Union
2.4 The 2005 Agreement between the EU and Canada regarding processing of API/PNR Data
2.5 The Opinion 1/15 of the European Court of Justice
2.5.1 The ECJ’s analysis of the Draft Agreement with Canada and the Opinion of Advocate General Paolo Mengozzi
2.5.2 The ECJ’s reasonings
2.5.3 Will the Opinion 1/15 have “systematic” effects?
3. The process of adoption of PNR Directive 2016/681
3.1 The 2007 Proposal to establish a common framework on PNR in the EU
3.2 The 2011 Proposal for a Directive, in the aftermath of the Treaty of Lisbon
3. The principles established by the European Court of Justice for data retention
3.3 “Digital Rights Ireland” case: the invalidation of the Data Retention Directive
3.3.1 The Judgement of the Court and the principles set out for Data Retention
3.4 “Tele 2 Sverige and Watson” Case: a European digital rule of law?
3.4.1 The facts of the proceeding
3.4.2 The Judgement of the European Court of Justice
3.5 The adoption of Directive 2016/681
3.5.1 The provisions of the new EU PNR Directive
3.5.2 Scrutinizing Directive 2016/681
Research Objectives and Core Themes
This work aims to delineate the framework of data protection principles within EU law, examining how the rights to privacy and data protection have evolved into fundamental rights that must be balanced against vital interests like public and national security, particularly regarding Passenger Name Records (PNR).
- The historical evolution of privacy and data protection within the EU and its judicial interpretation by the European Court of Justice.
- The transition from Directive 95/46/EC to the General Data Protection Regulation (GDPR) and the establishment of new data subject rights.
- The dialectic between EU institutions regarding the regulation of international PNR data transfers to third countries.
- A detailed analysis of the international agreements governing PNR data and the judicial scrutiny of these agreements, especially regarding their impact on fundamental rights.
- The adoption process and critical scrutiny of Directive 2016/681 in light of EU data protection benchmarks.
Excerpt from the Book
1.3.1 “Bodil Lindqvist” Case: processing personal data by automatic means through internet pages
“Lindqvist” case regards a criminal proceeding against Bodil Lindqvist. She was a Swedish church worker who published on the homepage of her personal website personal information concerning the parish workers. These data included their names, telephone numbers and hobbies. There were even some descriptions of her colleagues in a playful and not offensive way. Her aim was to give some useful information to those who wanted to receive the saint Confirmation. Considering that Mrs. Lindqvist did not obtain their consent, a criminal proceeding started in Sweden. Obviously, the data protection Directive applied even if the data processed were trivial or inoffensive.
The Swedish Court argued that Bodil Lindqvist had processed personal data without notifying the Swedish data protection regulator, that she did not obtain an explicit consent to process sensitive data (which are the particular categories of data revealing ethnic origin, sex life, etc) and she even transferred personal data to a third country without authorisation.
The European Court of Justice was then referred for a preliminary ruling and it stated that the act of loading personal information in an Internet page onto a server, making it available to all other internet users involves automatic operations and certainly it falls within the scope of the definition of ‘processing’ given by Directive 95/46/EC.
Summary of Chapters
1. The evolution of the European discipline concerning data protection: from Directive 95/46 to the new GDPR: This chapter traces the development of data protection in the EU, highlighting the shift from a focus on the internal market to the recognition of fundamental rights, and details the structural changes introduced by the GDPR.
2. The PNR Agreements adopted by the EU with third countries: This chapter examines the controversial history of PNR agreements with the US, Australia, and Canada, focusing on the tensions between national security demands and the protection of individual privacy rights.
3. The process of adoption of PNR Directive 2016/681: This chapter analyzes the legislative journey and the legal framework of the PNR Directive, scrutinizing whether it aligns with the standards established by the ECJ regarding data retention and fundamental rights.
Keywords
Data protection, Privacy, GDPR, Passenger Name Records (PNR), EU law, European Court of Justice (ECJ), Data retention, National security, Directive 2016/681, Fundamental rights, Privacy by design, Data subject rights, International agreements, Supervisory Authorities, Data transfers
Frequently Asked Questions
What is the primary objective of this dissertation?
The study aims to describe the legal framework of data protection in the EU and how these principles are balanced against national and public security, specifically concerning the processing and transfer of Passenger Name Records (PNR).
What are the main thematic areas covered?
The work covers the evolution of EU data protection legislation, the role of the European Court of Justice in setting benchmarks, the legal history of PNR agreements with third countries, and the adoption of the PNR Directive 2016/681.
What is the central research focus regarding PNR data?
The research focuses on the "dialectic" between EU institutions regarding whether international PNR transfers are essential for crime prevention or whether they infringe upon the fundamental rights to privacy and data protection.
Which scientific method is applied in this analysis?
The work employs a legal-analytical approach, focusing on the interpretation of directives, regulations, and landmark case-law from the European Court of Justice to assess the compliance of PNR policies with fundamental rights.
What is the significance of the "Opinion 1/15" mentioned in the text?
Opinion 1/15 by the ECJ is treated as a core development, establishing the first-time guidelines for negotiations between the EU and third countries regarding PNR agreements, balancing public security and fundamental privacy rights.
Which concepts are essential for understanding the transition to the GDPR?
Key concepts include "privacy by design and by default," the "accountability principle," and the expansion of data subject rights, which are critical for analyzing the preventive and restorative measures established by the new regulation.
How does the author evaluate the "Push" versus "Pull" systems for PNR data access?
The author discusses these systems in the context of security versus privacy, noting that the "Push" system provides more control and oversight to the data-exporting party compared to the direct access characteristic of the "Pull" system.
What is the author's conclusion on the new PNR Directive 2016/681?
The author concludes that while the PNR Directive is a step forward in establishing a framework compared to previous agreements, it still lacks sufficient objective criteria and might face future criticism from the ECJ regarding its proportionality.
- Quote paper
- Antonio Boscarino (Author), 2018, Passenger Name Records in the Framework of EU Principles of Data Protection, Munich, GRIN Verlag, https://www.grin.com/document/495959
