The EU Court asks for more privacy for airline passengers
The decision of the Court On 21 June the European Court of Justice ruled on the Belgian request, denying the directive's opposition to the Charter of Fundamental Rights of the European Union, but placing some important obstacles. The Court recalled that any European standard must be read in the light of the Charter. Therefore, even what is permitted by the Pnr directive cannot be brought to consequences such as to jeopardize fundamental rights, including the protection of personal data.
In the specific case, the violation of personal data and passenger privacy can be justified by the directive only if properly balanced by the need to protect another public interest such as that of security, but it must not lead to mass surveillance indiscriminate. In this sense, the threat to security must therefore be serious and proportionate to the compression of these rights and must concern only crimes of terrorism or of the same level, and not any crime, with which there is a connection that justifies the treatment and conservation of those data.
The Court is therefore firm in establishing that, even if possible, states will be able to request passenger data for intra-EU flights only if there is a concrete, future or imminent possibility of a terrorist attack and only for the time deemed strictly necessary. This time frame will then have to be assessed by a third and independent subject such as a court or an administrative authority. In the absence of a threat, however, the monitoring of internal flights can only be done on certain routes and airports considered at risk and even in this case this choice will have to be periodically reassessed.
No artificial intelligence without human control For as regards the use of these data, they can only be compared with a database of suspects and only in the search for a possible terrorist who is suspected to have traveled by plane. In this research, artificial intelligence and machine learning systems cannot be used without human supervision and which do not take into account all the elements, both those against and against the suspect. States will have to provide law enforcement with clear guidelines on how to use these software and verify that there are no errors in the evaluation or that the results are not the result of discrimination, as already reported by the New York Times more than once in cases of use of facial recognition by law enforcement. Passengers stopped for the use of these technologies must be clearly explained why they were stopped, so that they can decide whether or not to exercise their rights.
The use and transmission of these data after the passenger's departure or arrival will only be permitted in the presence of new clues and evidence that may lead to a reasonable suspicion that the passenger is connected to terrorist activities. Except in cases of urgency, this possibility must in any case be subject to a reasoned request to the competent authority.
Delete the data after six months The Court has ruled on a point that has been much discussed for years, conservation of that data for 5 years. For the Court, in fact, this time frame is not justified if applied indiscriminately to all passengers. The maximum retention time must therefore be six months for those passengers for whom no connection with possible terrorist activities has been found. Lastly, the Court ruled that the data obtained within the scope of the PNR Directive cannot be used to improve border control or to combat illegal immigration.
This Court judgment still demonstrates a once how the choice between privacy and security is distorted as, with due care and safeguards, both can be guaranteed.
