Privacy and data protection versus national security in transnational flights: the EU–Canada PNR agreement

Key Points

In challenging times of international terrorism, the exchange, retention, and use of personal data are becoming increasingly crucial, due to their pivotal role in identifying potential threats to national security. Therefore, domestic and international lawmakers need to regulate this matter through legislation and international agreements. The exchange of passenger name record (PNR) data in transnational flights has been regulated both by EU law and international agreements signed with third countries, such as Australia, Canada, and the US. The latest EU–Canada PNR agreement was referred to the Court of Justice of the European Union (CJEU) by the European Parliament before its entry into force, pursuant to the procedure provided for by Article 218(11) TFEU, allowing EU institutions to ask for an opinion of the CJEU. In July 2017, the CJEU in Opinion 1/15 ruled the draft agreement incompatible with Articles 7 (right to privacy), 8 (right to data protection) and 52 (principle of proportionality) of the Charter of Fundamental Rights of the European Union. Consequently, the agreement between the EU and Canada will be renegotiated. This analysis reads Opinion 1/15 in light of the previous case law of the CJEU about privacy and national security and examines its potential implications on both institutional balances and international relations. Focusing on some novelties and noteworthy passages of Opinion 1/15, this Article claims that the vital interest of democracy can be reconciled with the need to overcome security threats, as the CJEU’s stance showed.

Introduction

The significant number of terrorist attacks that occurred in the past years confirmed that the threat posed by international (and specifically jihadist) terrorism since the 9/11 events is very far from being history.
Consequently, Western countries keep reacting by way of particularly restrictive policies and, in many cases, counter-terrorism legislation has undergone a crackdown over recent years. Within this context, the shift from an ex post facto approach (the punishment of criminal actions after their perpetration) to a preventive one (measures aimed at avoiding the occurrence of a terrorist offence) has made securitarian policies the rule in the fight against terrorism.1 Therefore, the role of intelligence has become a crucial one, in order to prevent and combat jihadist terrorism.2 Personal data—especially that related to passengers of transnational flights, collected or received by the country of destination and often retained even after their departure from such country—is regarded as a potential source of information about ongoing terrorist activities and their preparatory acts. This security-oriented approach results in an unavoidable interference with the rights to privacy and data protection.3 It is generally known that the right to privacy and the related right to data protection are typical ‘targets’ of counter-terrorism measures. Let us think, for instance, of surveillance measures that give public authorities wide powers to retain data collected indiscriminately in various circumstances, which is then accessed and analysed by intelligence agencies.4 Such bulk monitoring often derives not only from national lawmakers’ decisions, but also from guidelines of the European Union (EU). Many EU tools, with different binding force, explicitly call on Member States to enact and implement preventive measures consisting of the collection, retention and analysis of a wide range of data. Such information is very often related to individuals without any distinction, irrespectively of a suspicion that they are involved in terrorist networks. 
The mechanisms referred to above—allowing collection, retention, and processing of data of all passengers boarding transnational flights, envisaged both by EU legislation, such as directives, and by international agreements between the EU and third countries—are paramount examples.5 Indeed, focusing on the EU level, not all institutions are firmly committed to a securitarian attitude. While the Council and the Commission frequently make security prevail over fundamental rights and personal freedoms, the European Parliament (‘the EP’ or ‘the Parliament’) has recently triggered the procedure aimed at testing the compatibility of antiterrorism measures with fundamental rights, as the present analysis will show. The EU body in charge of this review is the Court of Justice of the European Union (‘the CJEU’ or ‘the Court’), which, over the past years, has played a key role in striking a balance between the rights to privacy and data protection, on the one side, and security needs in the fight against international terrorism, on the other side. Examples of this settled case law range from the Digital Rights decision6 of 2014, which quashed the Data Retention Directive (the DRD)7 due to fundamental rights concerns, to the Schrems judgment8 of 2015 that invalidated the Safe Harbour scheme, ie the agreement regulating exchange of personal data between the EU and the US. Moreover, principles affirmed in Digital Rights have been reiterated in the most recent judgment on the matter, Tele2 Sverige,9 again dealing with data retention and fundamental rights after a request for preliminary ruling by British and Swedish courts. In Digital Rights, Schrems and Tele2 Sverige, the CJEU, although not imposing an absolute ban on mass surveillance, affirmed the need to carefully weigh fundamental rights against public security. Opinion 1/15 must be included in the trend described above.
However, it presents some specific features due to the reason that it addresses a particular surveillance tool, ie the collection, retention and use of passenger name record (PNR) data in transnational flights. This data is rather different from data considered in other mentioned decisions, as will be specified further in this Article. The Opinion was issued by the CJEU upon request of the EP, pursuant to Article 218(11) of the Treaty on the Functioning of the European Union (TFEU). In January 2015, with Communication 138/24,10 the EP asked the CJEU to rule on the compatibility of the draft agreement between the EU and Canada on the exchange of PNR data with EU law. In July 2017, the Court found such agreement incompatible with fundamental rights enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’).11 This Article is divided as follows. The first section offers a general overview on PNR data and on agreements regulating its exchange between the EU and third countries. The second and third sections focus on the EU–Canada PNR agreement and its challenge before the CJEU respectively, examining the stance of the Advocate General and the Opinion of the Court on both procedural and substantive issues raised by the EP. The fourth section adopts a more analytical approach, dwelling on the reasons why Opinion 1/15 is to be considered as a landmark decision, although many of its statements are in line with the CJEU’s previous case law on privacy and data protection. To this aim, this section underlines some specific features of the Court’s approach that theoretically legitimized mass surveillance, but criticized the ways in which it has been concretely enacted. In this light, attention is drawn on the Court’s ‘quasi-legislative’ role, on the use of the Charter as a parameter setting ‘global’ standards in relation to data protection and on the refined and novel use of procedural issues with a view to ‘material’ objectives. 
This analysis is instrumental to discussing, in the concluding section, the main claim of this Article, which is that rights can be safeguarded without giving up realism, as demonstrated by Opinion 1/15, hopefully paving the way for further circulation of such attitude.

The transnational flow of PNR data between the EU and third countries

PNR data includes information such as names, travel dates, itineraries, seats, baggage, contact details, means of payment and many other facts related to habits and life of travellers. The transfer of this information, collected by airline carriers, to the authorities of third countries, towards which flights are heading,12 has been regulated over the years by several agreements, signed between the EU and non-EU countries to prevent and combat international terrorism. Data can be collected, alternatively, through the ‘pull’ or the ‘push’ method. The former means that the authority vested with the power to collect data has direct access to it; the latter implies a request of data from the competent authority to air carriers. Pursuant to Article 25 of Directive 95/46/EC (‘Directive 95/46’ or ‘DPD’),13 in order to allow the exchange of data (including PNR) between the EU and a third country, such country must ensure an ‘adequate level of protection’, certified by the European Commission (so-called adequacy decision) on the basis of the existence of appropriate guarantees in the third country’s domestic law or in its international commitments.
Specifically, according to the CJEU’s recent case law, ‘the term “adequate level of protection” must be understood as requiring the third country to ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter’.14 Ultimately, what the CJEU demands EU institutions to perform is a comparative assessment between data protection standards offered by a third country and those provided by the EU itself.15 Heading back to PNR, the issue of how to deal with the exchange of this data arose for the first time in 2001, when US legislation16 obliged all airline carriers travelling to the US to transfer passengers’ data to the US Customs and Border Control.17 Therefore, the European Commission had to reach an agreement with US authorities on the transfer of PNR data. This agreement was signed on 28 May 200418 and included a number of controversial aspects. First of all, it provided direct access to data for US officers (so-called pull system), without any active part being taken by airline carriers in data transfer. In addition, a particularly vague statement of purpose (ie the reasons justifying data collection) was combined with quite a broad period of retention (three and a half years) to be extended in case an investigation was in place.19 For these reasons, the EU–US PNR agreement was challenged before the CJEU by the EP, calling for its annulment.20 The Court invalidated the agreement on procedural grounds, namely, a wrong legal basis (see further in this Article for a discussion on the substantive implications derived from the choice of the legal basis).21 As a consequence, EU institutions were urged to enter into a new agreement. 
On 23 July 2007, after a provisional deal approved in the immediate aftermath of the CJEU’s decision,22 working as an interim framework while waiting for the negotiation of a new one, the EU stipulated the second PNR agreement with the US.23 Indeed, this draft raised even more concerns in terms of fundamental rights than the first version had done. Particularly, the variety of data to be collected was widened, encompassing also some sensitive data24 (although a filtering mechanism was provided), and the retention period was extended (up to 7 years). Additionally, there were no ‘robust legal mechanisms’25 enabling individuals to challenge potential misuse of their data. The shift from the ‘pull’ to the ‘push’ system in data sharing marked the only improvement in terms of rights protection: US authorities could not directly access data, but they needed to ask air carriers for its transmission. However, once again, the EP considered guarantees for passengers’ rights to be insufficient. Hence, after refusing to ratify the agreement (a power that it had been vested with by the Treaty of Lisbon), the EP passed a resolution requiring its renegotiation.26 The third and current PNR agreement between the EU and the US has been in force since 1 July 2012.27 It secures quite a high number of important guarantees (eg by delimiting the purpose and duration of data retention), but it still leaves wide discretion to US authorities in determining exceptions to the retention period and to the anonymization of data.28 Rules similar to those passed in the US were enacted in Canada, as well.29 Thus, in 2005 the EU entered into an agreement with Canada.30 Yet, this text presented some flaws in terms of human rights, not very different from those identified in the abovementioned EU–US agreements.
Although the EU–Canada agreement provided for a ‘push’ system and envisaged a difference in terms of retention, depending on whether or not passengers were under investigation, it included some controversial provisions on the (anonymization and) re-personalization of data and complex administrative procedures to file any kind of complaint.31 When it expired, in 2009, negotiations re-started and a new agreement was signed on 25 June 2014.32 Due to alleged violations of the rights to privacy and data protection, the agreement was nevertheless challenged by the EP, triggering the procedure under Article 218(11) TFEU, which entitles it to seek the opinion of the CJEU on the compatibility of an international agreement with the EU Treaties, before approving it and determining its definitive entry into force.33

The opinion of the Advocate General: casting doubts on the compatibility of the agreement with the Charter

On 8 September 2016, Advocate General Paolo Mengozzi delivered his Opinion to the Court,34 holding that the EU–Canada PNR agreement should be rejected. The Advocate General argued that the agreement is patently contrary to Articles 7 (right to privacy), 8 (right to data protection) and 52 (principle of proportionality) of the Charter.35 As a preliminary point, addressing the existence of any interference with the rights to privacy and data protection, the Advocate General maintained that a serious interference does exist36 because of the intrinsic characteristics of the collected data. As a matter of fact, PNR data is able to reveal much about the passengers’ life and habits, involving the right to privacy under Article 7 and the ‘closely connected but nonetheless distinct’37 right to data protection under Article 8 of the Charter. The second step of Mengozzi’s Opinion focused on the legitimacy of such interference, assessed under the scheme set forth by Article 52 of the Charter.
According to this provision, three aspects shall be taken into account: first, whether the interference is provided by law and respects the essence of the right; second, whether it pursues a legitimate aim and third, whether it complies with the principle of proportionality.38 As to the first criterion, from a formal point of view, the Advocate General considered the interference provided for by law: pursuant to the EU Treaties, once all phases for their approval are concluded, international agreements become an integral part of the EU legal order.39 From a substantive perspective, according to Advocate General Mengozzi, the agreement is clear, accessible, and foreseeable enough to meet the standards in terms of ‘quality of the law’ as required by the European Court of Human Rights case law.40 Last but not least, the essence of the right is not impaired, since the mechanism of gradual depersonalization of data does not allow to draw specific conclusions on the intimacy of the life of concerned persons.41 Given the connection between the intended aim of the agreement, ie combating terrorism and other transnational serious crime, and the ‘general interest’ prescribed by Article 52 of the Charter, the Advocate General examined the proportionality of the means employed by the agreement and stressed the necessity of a strict scrutiny, also in light of the Digital Rights and Schrems judgments.42 From this perspective, the Advocate General observed that, even if the means are suitable to pursue the aim,43 many elements indicate that they are not strictly necessary. According to his Opinion, on the one hand, sensitive data should not be included;44 on the other hand, an exhaustive list of ‘serious offences’ should be drawn. Moreover, the Advocate General criticized the very long retention period, not justified by objective reasons:45 pursuant to the agreement, all data must be retained for a maximum of 5 years from collection, although it must be masked after 30 days. 
However, in specific circumstances—ie when it is necessary to carry out investigations46—it is possible to unmask it. He also disapproved of the indiscriminate application of the measures, irrespective of the existence of any suspicion of involvement in terrorist activities.47 Furthermore, these flaws were combined with the vague definition of the Canadian authority tasked with processing data, the lack of strict rules on access to data and the uncertain reference to judicial remedies. Therefore, concluding his Opinion, Mr Mengozzi, although admitting that there would be ways to make PNR transfer compliant with human rights, stated this was not the case of the EU–Canada agreement.48 As a result, he warned EU institutions against the adoption of the text in its current version.

The CJEU’s stance: between right protection and realism

The Grand Chamber of the CJEU delivered its Opinion on 26 July 2017,49 essentially adhering to the Advocate General’s stance and asking for the renegotiation of the agreement. This Opinion is remarkable both for procedural and substantive aspects. In fact, in its ruling, the Court addressed both sides of the EP’s request. It considered the appropriate legal basis for the Council decision on the conclusion of the agreement and it tested the compatibility of the agreement with Articles 7 and 8, read in light of Article 52 of the Charter. As will be explained in this Article, the reasoning on the legal basis showed the material implications of an apparently procedural issue, whilst the approach to the substance of the agreement is coherent with previous case law, but with some relevant novelties.
The procedural limb of the CJEU’s reasoning: the EU–Canada PNR agreement and its legal basis

As to the first question, the Council decision was based on Articles 82(1)(d) and 87(1)–(2)(a) TFEU concerning measures that facilitate judicial cooperation among Member States in relation to criminal matters and collection of information aimed at police cooperation, respectively. Instead, the EP claimed that the correct legal basis was Article 16 TFEU.50 This provision ensures—at the first paragraph—the protection of personal data and provides—at the second paragraph—that measures aimed at its processing and free movement have to be regulated by the Council and the Parliament ‘acting in accordance with the ordinary legislative procedure’. Accepting the Advocate General’s stance on this point,51 the CJEU found that the agreement should be based on Articles 16 and 87 TFEU jointly,52 rather than on Article 82 TFEU. In particular, the Court remarked that there are no provisions envisaging a facilitation of judicial cooperation and the Canadian authority in charge of the use of PNR data is not a judicial authority, nor equivalent to it. As a result, Article 82 had to be excluded. In order to reach its conclusion about the legal basis, the Court underlined that the agreement has a two-fold aim: on the one side, the transfer of PNR data should ensure public security; on the other side, the protection of such data cannot be disregarded.53 These two components are, according to the CJEU, ‘inextricably linked’.54 The Court highlighted that such objectives are within the scope of both Articles 16 and 87(2)(a) TFEU. On the one hand, the invocation of Article 16(2) was correct, as the adopted measures—enacted through an international agreement, which becomes a source of EU law—were aimed at protecting personal data.
On the other hand, Article 87(2)(a) was invoked properly, as well, because it enables the EP and the Council to establish measures in the field of police cooperation with regard to the ‘collection, storage, processing, analysis and exchange of relevant information’. Here, in the CJEU’s view, the concept of ‘information’ includes ‘personal data’ and the activities regulated by the agreement consist exactly of ‘processing’ and ‘exchange’. At this point of its reasoning, pursuant to Article 25 DPD, the Court also reiterated that the transfer of PNR data towards third countries cannot take place unless an ‘adequate level of protection’ is certified by the Commission.55 This concept was interpreted by the CJEU in the Schrems judgment56 as an ‘essentially equivalent’ level of data protection ensured by the third country to which data is going to be transferred. ‘Essential equivalence’ does not mean that third countries have to guarantee safeguards that are identical to those offered by EU legislation, in terms of data protection (namely, according to the Schrems decision, the provisions of the DPD read in light of the Charter),57 but the standard of protection (ie essential safeguards) must be comparable. Thus, the ‘core’ of EU law on data protection has to be preliminarily identified and, then, its respect has to be regarded as a conditio sine qua non for the processing of data beyond EU jurisdiction. For instance, the EU and a third country may establish supervisory bodies that differ as to their structure, composition, modus operandi, or other features; what matters, though, is that, in practice, they work as independent entities, since Article 8(3) of the Charter so requires.
Additionally, in Schrems, the CJEU declared that no excessive discretion must be granted to the Commission when it takes the so-called adequacy decision and, for this reason, it listed a number of criteria that the Commission itself has to consider.58 Notably, Article 45 of Regulation 679/2016, which is going to replace the DPD from 25 May 2018 onwards, incorporated such criteria.59 Since the rationale behind ‘adequacy’ (and, hence, ‘essential equivalence’) is to avoid any risk of indirect circumvention of EU guarantees related to data protection, if EU institutions did not require adequacy when they act in external relations, the effectiveness of the EU data protection framework would be, de facto, frustrated. In other words, high EU standards would cease to be applied on the international scene. This double standard would result in unjustified inequality between individuals whose data is processed within the EU and others whose information is transferred from the EU to third countries (for commercial reasons or for other purposes). Moreover, by claiming that essential equivalence has to be ascertained in relation to established EU standards, the CJEU granted EU law (and the Charter, especially) indirect extraterritorial implementation.60 This is a remarkable step in building a ‘global’ framework for data processing and, consequently, global standards of protection,61 in which the EU leading role has been increasing sharply over the past years. Such ‘globalisation’ of standards is coherent with a general attitude consisting of providing ‘harmonised’ legal rules on some topical issues (eg data protection, environment, transnational trade) that may have cross-border implications.62

The substantive limb of the CJEU’s reasoning: the EU–Canada PNR agreement and its compatibility with the Charter

Moving to the second question, the CJEU tested the compatibility of the provisions set by the agreement with the standards established by the TFEU and the Charter.
Indeed, the CJEU underlined that the agreement had to be assessed in relation to data protection only with regard to Article 8 of the Charter, without separately considering Article 16 TFEU, since the former is more specific than the latter. First of all, the CJEU determined the existence of an interference with the rights concerned, as PNR data includes information that allows the identification of individuals’ personal data, which is then processed within the meaning of Article 8 of the Charter.63 In order to assess whether (or not) such interference is justified, the CJEU started by considering the basis for such limitation, finding it64 to be legitimate and laid down by law, due to the pursuance of an objective of general interest (namely, public security). Moreover, this interference does not affect the essence of the concerned rights for several reasons. First, PNR data is processed for limited purposes; second, security, confidentiality and integrity of data are ensured by the agreement; and third, the agreement guarantees protection against unlawful access and processing.65 The most articulated part of the decision relates to the necessity of such interference. The CJEU found that several applicable standards—eg clarity and precision, purpose limitation—are not met by the current text of the agreement, which, instead, complies with EU law as to some other aspects. First, in line with the Advocate General’s reasoning, the Court argued that the concerned PNR data is not determined enough: it is not clear which type of data is covered by the agreement.66 For example, the use of the word ‘etc.’ was particularly criticized,67 as well as the expression ‘all available contact information’.68 In addition, the CJEU highlighted that the envisaged framework may include sensitive data,69 which is therefore transferred and processed without a solid justification.
Notably, in the Court’s view, prevention of terrorism was not deemed to be such.70 Second, the CJEU addressed automatic processing. According to the agreement,71 such mechanism works as follows: data is collected and automatically processed; automatic analysis implies a cross-check with databases containing information on suspect terrorists; if some profiles match, the analysis is repeated in a non-automated way, in order to concretely assess whether it is necessary to take individual measures against targeted passengers. The Court praised the fact that automatic processing has to be followed by a re-examination through non-automated means.72 However, in accordance with the Advocate General’s Opinion, it specified that databases with which data is cross-checked must be ‘reliable, up to date and limited to databases used by Canada in relation to the fight against terrorism and serious transnational crime’.73 Third, the CJEU found some of the purposes for processing PNR data to be not clear, nor defined enough. Although the definitions of ‘terrorist offence’ and ‘serious transnational crime’ are well specified in the agreement itself,74 the text also allows PNR data to be processed for ‘other purposes’, which are not listed in detail.75 The fourth and fifth points analysed by the Court, ie the competent Canadian authority charged with the processing of data and categories of passengers concerned, respectively, were deemed to comply with EU law, since they are defined with sufficient clarity and precision.76 Sixth, there are no clear and precise rules in relation to the retention of data. 
The CJEU recalled that there must be a connection between the retention of personal data and the aim pursued by the agreement,77 to be established by way of objective criteria, which must result in the existence of substantive and procedural conditions governing the use of data.78 According to the agreement, data can be retained and used before the arrival of passengers, during their stay in Canada, at their departure and even after it.79 The CJEU stated that retention of data after passengers’ departure is particularly tricky. Since such data has already been checked and verified, it would not be necessary to continue to store it, unless there are objective reasons to do so.80 On the contrary, as to data retention and use before passengers’ arrival and during their stay in Canada, the Court acknowledged the existence of a connection between these activities and the pursued objective. Nonetheless, rules about retention and use were found to exceed what is strictly necessary,81 due to the lack of a review (carried out by a judicial or independent administrative body) on the use of data related to passengers staying on Canadian territory. Lastly, the CJEU analysed provisions concerning disclosure. The agreement allows disclosure of data to Canadian government authorities, to those of third countries and, in (unspecified) particular circumstances, to individuals. In all these cases, the concerned measures do not comply with the strict necessity test. More specifically, disclosure of data to Canadian authorities should be made in accordance with rules governing the use of data; nevertheless, such rules are not well-defined.82 Additionally, the Court noted that, in order to avoid that disclosure to third countries’ authorities hides a circumvention of guarantees enshrined in EU law, an agreement between the EU and the third country or a Commission adequacy decision should certify the same level of protection.
The EU–Canada PNR agreement does not require this; as a result, disclosure is not limited to what is strictly necessary.83 As to disclosure to individuals, allowed when ‘legitimated interests of the individual [are] concerned’, the Court found a major flaw in the fact that the agreement does not specify legal requirements and limitations, concerned interests as well as envisaged purposes and applicable guarantees.84 After assessing the necessity and proportionality of the interference, the CJEU examined two other important aspects of the agreement: the guarantees for passengers enshrined in the text and the existence of safeguards related to oversight on concerned measures. As to the first issue, the CJEU condemned the lack of a system of notification; in other words, passengers should be made individually aware about the processing and use of their data.85 As to the second issue, the agreement states that data protection safeguards will be subject to the oversight of an ‘independent public authority’ or of an ‘authority created by administrative means that exercised its functions in an impartial manner and that has proven a record of autonomy’. According to the Court, the use of this alternative wording implies that the oversight, or at least part of it, may hypothetically be carried out by a body that is not completely independent.86 Hence, as stated by the Advocate General, full independence in the oversight process is not guaranteed by the agreement. Against this background, the agreement is going to be re-negotiated according to the CJEU’s guidelines. The procedure restarted in October 2017, when the Commission adopted a recommendation for a Council decision on the reopening of negotiations ‘in a manner which is compliant with the Court’s requirements’.87

Why is Opinion 1/15 a landmark case?

In this Opinion the CJEU has succeeded in reconciling fundamental rights and security needs, working as a catalyst of its previous case law and leading it to further developments. In particular, combining previously settled concepts, the Court managed to reach new findings that make this decision a landmark one. In order to analyse this Opinion, it is worth focusing on some significant aspects. First, the CJEU did allow mass surveillance as a matter of principle. However, the requirements that surveillance measures have to meet are so detailed and specific that it may not be easy to implement them in practice. Actually, the Court’s case law, including the examined Opinion, shows that those standards have not been met yet. Therefore, there is a sort of discrepancy between what is theoretically admissible and what is practically achievable or, at least, has been achieved until this moment. Second, the CJEU performed the task of a legislative body, triggering a sort of ‘revolution’ in the EU institutional balance of powers, as demonstrated by several passages of the Opinion that censor the wording of the agreement88 and give guidelines to redraft it. Last but not least, the Court’s reasoning on the legal basis for the adoption of the agreement is not a merely formal passage of the ruling. The following analysis will focus on these points and develop them to highlight the importance of the Opinion and its remarkably innovative features.

The legal basis: merely a matter of form?

As outlined above, in this Opinion the CJEU found that the Council decision on the adoption of the agreement should be based on Articles 16 and 87 TFEU in conjunction. In doing so, the Court openly recognized the double aim of the agreement, seeking to protect, at the same time, personal data and public security.
In clearer words, invoking these two Articles as the appropriate legal bases, the Court, in a still procedural limb of its reasoning, anticipated the essential need for a balance between two competing interests, which would be then implemented in the substantive limb of the decision. In addition, the CJEU’s stance on the legal basis paves the way for further considerations, mainly with regard to Article 16 TFEU. First of all, the invocation of Article 16 as legal basis for a Council decision on the conclusion of an international agreement is a novelty.[89] Article 16 TFEU was introduced by the Treaty of Lisbon and enables the EU to act in order to guarantee data protection.[90] Unlike other provisions governing data protection in EU law—namely, Article 286 of the EC Treaty (ie Article 16 TFEU’s predecessor, introduced by the Treaty of Amsterdam) and Directive 95/46/EC—it applies to all areas of law, including freedom, security and justice.[91] At the same time, it differs from Article 8 of the Charter, which does not directly impose concrete legislative action on EU institutions.[92] The legal basis of EU acts dealing with data retention and its exchange has represented a highly debated issue over the years, also in the case law of the CJEU. In this regard, it is worth mentioning the first case in which the Court ruled on a PNR agreement, determining the invalidation of the 2004 EU–US deal.[93] In that decision, the Court held the Council decision’s legal basis to be inappropriate, arguing that public security was the main aim of the international agreement. By contrast, at that time, the Council decision on the signing of the agreement was based on Article 95 EC (first pillar provision), regulating the functioning of the internal market and ‘approximation of national laws’ to this aim.
In order to take into account this decision, subsequent agreements with the US (signed in 2007) and with Canada (in place from 2006 to 2009) were based on two provisions of the third pillar (police and criminal cooperation), ie former Articles 24 and 38 of the Treaty on the European Union (TEU), whose combination allowed the exchange of information with third countries to enhance police cooperation.[94] Moving the legal basis from the first to the third pillar meant that the EP lost its chance to challenge the agreement[95] (but things changed after the Lisbon Treaty, which eliminated the pillar structure). Further discussion on the legal basis of an EU act restricting the right to data protection was triggered when Ireland challenged the DRD,[96] alleging the inappropriateness of Article 95 EC as its legal basis. In this case, the Court rejected the plea for annulment,[97] arguing that there were sufficient elements to maintain that harmonization of retention rules was required in order to avoid distortion of the internal market, which was, consequently, the primary purpose of the act.[98] Both those proceedings—the ‘PNR case’[99] and the ‘data retention case’[100]—took place before the Lisbon Treaty, which introduced, through Article 16 TFEU, a ‘comprehensive legal framework for data protection’.[101] In other words, by way of Article 16 TFEU, data protection ceased to be read in a mere market dimension and began to be fully perceived as an individual right. Nonetheless, both the PNR agreement with the US and the one with Australia in their current versions, which entered into force in 2012, are not based on Article 16, but on Articles 82(1)(d) and 87(2) TFEU, ie two provisions relating to the area of freedom, security and justice.[102] This choice was made in spite of the EP’s 2010 resolution, calling for the inclusion of Article 16 TFEU as a legal basis in the renegotiation of agreements on data transfer.[103] Moreover, even the 2016 PNR Directive is based on Articles 82(1)(d) and 87(2) TFEU.
Therefore, identifying Article 16 TFEU as an appropriate legal basis for the Council decision on PNR agreements, as the Court did in July 2017, may open a discussion on the appropriateness of the PNR Directive’s legal basis, as well. Notably, Directive 681/2016 was adopted within the framework of a more comprehensive reform of data protection rules at the EU level. This included the adoption of Regulation 679/2016[104] and Directive 680/2016,[105] establishing the general data protection framework after the repeal of Directive 95/46 and the specific regime with regard to data processing for the purpose of prevention, investigation, and prosecution of crimes, respectively. Both Regulation 679/2016 and Directive 680/2016 are based—exclusively—on Article 16 TFEU. Hence, it is not easy to understand why Directive 681/2016 did not follow this trend. Such reluctance might be explained by the fact that the field of data exchange with third countries is regarded as raising more concerns in terms of judicial and police cooperation (ie a security-oriented approach), rather than in terms of genuine protection of individual rights (ie a rights-oriented approach). However, in light of this finding by Opinion 1/15, it is very likely that a national court, through a preliminary reference to the CJEU, will challenge the EU PNR Directive’s validity on the ground that its legal basis should be Article 16 TFEU. Irrespective of whether the issue of the PNR Directive’s legal basis is raised before the CJEU, it is worth noting that the Court contributed greatly to the reinforcement of the right to data protection as an autonomous right in all fields of EU law, by referring to Article 16 TFEU as an appropriate legal basis in this context. This approach is instrumental in bolstering the role of the EU as an entity with its own (lato sensu) constitutional standing, even when it acts on the international scene and not only when it regulates internal matters.
Indeed, at the legislative level, since Regulation 679/2016 and Directive 680/2016 have been based on Article 16 TFEU, some progress is being made in building a ‘comprehensive legal framework’ for EU data protection. A further step in this process would be represented by a systematic use of Article 16 TFEU as a legal basis, even when the EU institutions act in their international capacity. As a result, the legal basis ceased to be a merely formal issue and instead substantively fostered the EU’s role in protecting fundamental rights in an autonomous and effective way.

PNR system: the Court’s material guidelines

In the Opinion under comment, the CJEU laid down some significant guidelines, which other EU institutions will have to follow when they redraft the agreement. Once again and more specifically than in other decisions, the Court clarified the circumstances and conditions under which the transfer, retention and use of PNR data can be deemed compliant with guarantees enshrined in EU law. In its previous judgments, the CJEU had implicitly admitted that mass surveillance was not to be rejected in toto. However, only in the latest decision did it list a set of rules to make surveillance tools proportionate to the goal of ensuring public security and thus legitimate. Such a thorough and accurate assessment deserves a further point-by-point analysis. First, in Opinion 1/15, the CJEU underlined that categories of PNR data covered by the agreement must be clearly and precisely indicated and this has not been done in all of the cases listed by the Annex to the envisaged agreement. From this standpoint, the Court even criticized the wording of some of its headings, engaging in a careful and detailed analysis.[106] In this passage, strict scrutiny is applied.
In other words, in the (successful) attempt to secure the highest level of protection to individuals, the Court did not stop at mere appearances, determining that the agreement’s wording is unacceptably vague, even if the list of PNR data provided by the Annex to the agreement contains a delimitative clause,[107] hence being a closed one.[108] In this way, the CJEU went beyond previous decisions in which it had abstractly affirmed the need for an exhaustive list.[109] Not being satisfied with the mere existence of such a catalogue, the Grand Chamber scrutinized its merits, thus demonstrating the substantive nature of its review. Moreover, the strong claim to exclude sensitive data from the scope of the agreement is particularly important in terms of human rights protection, but less striking as to its innovative features, since it seems to be mirrored in recent pieces of EU legislation. In this respect, the recent Directive 681/2016,[110] dealing with PNR at EU level, prohibits the processing and use of sensitive data. In fact, the Court held that sensitive data could hypothetically be transferred to Canada if a ‘precise and solid justification’[111] exists; however, and importantly, it considered that the general need to protect public security against terrorism is not such. This caveat is a sign of the predominantly rights-protective stance of the CJEU, even when the terrorist threat leads it to embrace a realistic approach and admit mass surveillance.[112] In other words, although the Court is leaning towards the acceptance of a certain amount of intrusiveness into everyone’s life, also when the concerned person is not suspected of any link with terrorism or other serious crime, it fixed strict limits beyond which it is (almost) not possible to stray.
For example, a firm stance against discriminatory profiling lies behind the prohibition on the use of sensitive data.[113] Prohibition of profiling seems, at first glance, the only absolute ban imposed by the Court due to its discriminatory implications.[114] As a matter of fact, by relying on individuals’ sensitive data, such as religion or race, public authorities could be allowed to toughen measures against specific groups of people (eg Muslims), who might hence be treated as terrorist suspects par excellence. This would obviously result in discrimination against such groups, targeted by counterterrorism measures in a different manner from others. By contrast, the apparently non-discriminatory approach emerging from the decision may seem partially incoherent with mass surveillance, de facto, target-oriented to selected groups. Nonetheless, a deeper insight into the issue displays that limited hypotheses in which profiling might be allowed, at least as a last resort tool, can be discerned. Specifically, this happens when public security becomes such a pressing need—and this should be assessed case-by-case—that it amounts to ‘a good reason’ justifying even the use of sensitive data.[115] As a result, profiling in such very restricted cases would be permitted. Ultimately, although the ban on profiling is considered by the Court as a particularly rigid and solid barrier, also in light of the general prohibition of any discrimination that permeates all fields of EU law, some scope for overcoming it may be detected. Besides, a potential risk of discriminatory profiling is embodied in the PNR Directive,[116] as well.
Turning to the second passage of Opinion 1/15’s assessment of proportionality, data should not be processed only by automated means, but a non-automated re-examination should follow.[117] The CJEU did not find the envisaged agreement to be flawed on this point, as it recognized that its Article 15 provides for non-automated analysis in cases in which it is necessary to take ‘decisions adversely affecting a passenger to a significant extent’. At any rate, the CJEU made a crucial statement in relation to the automated phase of processing, which implies a cross-checking of collected information with databases containing data of suspected terrorists. The Grand Chamber remarked that such activity should be carried out through safe and ‘reliable’ databases, limited to those used by Canada for counter-terrorism purposes. In this case, the statement of the Court is the result of a commendable attitude towards individual rights; nevertheless, the CJEU failed to issue concrete guidelines about the meaning of the adjective ‘reliable’. Concerns expressed by the Court against (merely) automatic analysis derive from its firm rejection of automated profiling, the latter being the effect of the former. As a matter of fact, if the whole mechanism worked in an automated way, terrorist suspects would be mechanically selected on the grounds of certain features that, when matched, would result in sensitive data. The Court’s third point was that the PNR mechanisms have to be grounded on ‘good reasons’, namely strong justifying purposes. Consequently, the expression ‘other purposes’ does not meet the required standard.[118] In so doing, the Court stressed its rejection of vague wording. A fourth factor that the Court addressed and criticized was the crucial aspect of the retention and use of collected data.
The Grand Chamber declared that data of passengers who have already left the Canadian territory should be stored only when there is ‘objective evidence’[119] of a potential risk in relation to acts of terrorism and serious crime. This is a major point of the Opinion for two main reasons: its potential implications on the 2016 PNR Directive and its relationship with the CJEU’s previous case law. With regard to the PNR Directive, such timing differentiation (among passengers before their arrival, during their stay, on their departure and after their departure) is not provided therein. This lack of distinction could cause legal challenges to such legislation. Therefore, while for some other aspects the PNR Directive is drafted in compliance with the Court’s guidelines (eg prohibition of using sensitive data[120] and need for human intervention in the processing of data),[121] this might be a tricky issue. In effect, if the agreement has to be renegotiated according to that differentiation, whilst the Directive remained in its current form, it would be easy to envisage a discrimination depending on whether data is collected in the EU territory or in non-EU jurisdictions (specifically, in Canada). Moreover, the addressed differentiation could impose the need to find a way to correlate the intelligence analysis of PNR data with mechanisms aimed at border control.[122] With regard to the relationship between the current CJEU’s stance and its previous case law on retention, it is worth remarking several points. Undoubtedly, the CJEU’s reasoning is influenced by previous judgments on data retention, namely Digital Rights (mainly) and Tele2 (that mostly reiterated principles set in Digital Rights). Nonetheless, in Opinion 1/15 the CJEU appeared to go beyond Digital Rights, since it dealt with much more specific topics and addressed retention in greater detail.
In Digital Rights, the CJEU quashed the provision of the DRD leaving Member States a leeway of choice between 6 and 24 months, while in this case a much longer period (maximum 5 years) is deemed appropriate. In spite of such (apparent) contradiction, there is no (real) inconsistency: what the CJEU criticized in Digital Rights was not the length of the period per se, but rather the fact that specific criteria to choose between the minimum (6 months) and the maximum (2 years) length were not set. On the contrary, in Opinion 1/15, the retention period fixed by the agreement (ie maximum 5 years, the same as the PNR Directive[123]) was taken into consideration per se. To a certain extent, what casts some doubts on the CJEU’s reasoning is the Court’s general criterion to assess the legitimacy of retention periods. One of the interpretative pathways that the Court may have followed (even if not explicitly) is the need to evaluate proportionality and necessity of each provision within the legal text under review (namely the DRD and the EU–Canada PNR agreement), both individually and with regard to their combined effect. From this perspective, what seems an inconsistency in the CJEU’s case law can be read—instead—as an effort towards a more careful balancing of the interests at stake. The focus on the retention period can be especially enlightening in this regard. A (quite long) maximum retention period of 5 years, as provided by the EU–Canada PNR agreement, may prima facie seem inconsistent with the Digital Rights principles. Nevertheless, it should be taken into account that the scope of such agreement is considerably narrower than that of the DRD, both in terms of the type and amount of concerned data and of the number of people potentially affected by data collection and retention. This distinction determines, in general, a different kind of surveillance. Furthermore, at least two more elements differentiate the DRD from the EU–Canada PNR agreement.
Firstly, while the maximum period of retention is set at 5 years by the agreement, in case no use is made of collected data, identifying information should be masked after only 30 days and PNR data should be completely anonymized after 2 years. Secondly, the PNR agreement is considerably more precise than the DRD as regards the purposes for data retention. As to the mechanism of anonymization of data described above, it is worth noting the different approaches taken by the Advocate General and by the Court respectively. The former focused on it as a key tool for the safeguard of individual rights, in spite of the quite long retention period. The latter—by contrast—did not address such argument explicitly and this may convey the wrong idea that a 5-year term is justifiable per se. This lack of clarity, by the Court, may in fact cause further uncertainty, which is undesirable in such a delicate field. The fifth flaw of the agreement, according to the CJEU, was data disclosure. If Canadian authorities have to disclose collected data to a third country’s authority, an adequacy decision of the Commission or an international agreement in place between such country and the EU should be adopted, in order to avoid indirect circumvention of EU law standards. In relation to this, the CJEU strongly relied on Schrems, in which it definitively interpreted the meaning of ‘adequate level of protection’. The sixth critique of the Court concentrated on notification. According to the CJEU, data subjects should be individually notified when their PNR data is transferred and used by the competent Canadian authority or when data is disclosed. This is another key point. Together with the Court’s stance on oversight—which will be analysed immediately after—notification is part of the assessment on passengers’ individual rights.
These two issues are addressed without applying the strict proportionality test, which is employed when an evaluation on the justification of an interference (ie a limitation of a right) is required. On the contrary, in this passage, the Court was called upon to carry out a more general review on the appropriateness of a set of guarantees (in which no limitations of rights are involved). Referring to previous case law of the CJEU on data protection as a fundamental right, individual notification had not been expressly examined in detail in Digital Rights, but only in Tele2.[124] This could be explained by the fact that Tele2 was issued by the Court at the end of 2016, when the abovementioned EU reform on personal data, giving high importance to the rights to access, erasure and redress, had already been approved.[125] In both Opinion 1/15 and Tele2, the CJEU claimed that subjects, whose data is transferred and used by competent national authorities in charge of accessing it, have to be individually notified. Notification is instrumental to ensure the right of access to data, so that individuals can ascertain that data is processed in a correct and lawful manner (a guarantee that, according to the Court’s case law,[126] is embodied in the right to privacy). Notification is hence aimed at giving the data subject the chance, if necessary, to obtain rectification or erasure, and to exercise the right to an effective remedy, implying judicial redress (Article 47 of the Charter). Consequently, notification is essential for the respect of a set of very important guarantees enshrined in EU law.
Additionally, the CJEU linked the time in which notification can be issued to that in which such communication ‘is no longer able to jeopardise the investigations being carried out’.[127] Thus, the Court applied a well-established principle of criminal law, seeking to ensure transparency (and, at the same time, the right to a defence, derived from the presumption of innocence), avoiding, simultaneously, any interference with investigations. Lastly, independent oversight should be provided.[128] This may cast doubts on the mechanisms set forth by the Privacy Shield, ie the framework regulating the exchange of data between the EU and the US after the previous one, the Safe Harbour agreement, was invalidated by the Schrems judgment. Indeed, the Privacy Shield took into account the Schrems principles, guaranteeing an effective comparative evaluation of standards, in compliance with the ‘essential equivalence’ requirement set by the CJEU.[129] In this light, the Privacy Shield allows a more careful and continuous check on the adequacy of US guarantees. A much more detailed set of liability rules, stricter transparency clauses and a greater number of formal steps to be taken for self-certification are just some examples.[130] Yet, alongside these positive aspects, many concerns on this new framework have recently been raised by both a resolution of the Committee on Civil Liberties, Justice and Home Affairs of the Parliament[131] and the first Joint Review on the implementation of such regime,[132] carried out by EU and US authorities in conjunction. Among other things, the insufficient independence of the body charged with oversight was pointed out by both documents.
In sum, not only will this Opinion probably have significant repercussions on the PNR Directive and the Privacy Shield, but it will also impact on other PNR agreements, both existing (ie with the US and Australia)[133] and future ones (relevantly, while this proceeding was pending, the Parliament asked for negotiations with Mexico to be suspended).[134]

The CJEU and counter-terrorism: a revolution in the EU institutional balance?

From a more general point of view, it is worth remarking that this is the first time that the CJEU had to rule on the compatibility of an international agreement with guarantees enshrined in the Charter. In doing so, the Court marked a particularly important step for two main reasons. On the one hand, its Opinion reinforced the ‘constitutional’ value of the Charter,[135] which works as the only parameter to decide whether challenged acts (among which international agreements) violate EU law. On the other hand, this resulted in the affirmation of the full capability of international agreements themselves to integrate EU law,[136] with relevant consequences in terms of constitutional structure of the EU. This approach reflects the supremacy of EU constitutional values, even over what has been negotiated at the international level. Furthermore, both the Parliament and the CJEU made an effective use of the mechanism—explicitly envisaged by the EU Treaties—allowing an international treaty allegedly violating EU law to be challenged. The former, although it preferred not to decide on such a politically strategic issue, especially in time of terrorism, at least chose to ask the Court’s Opinion, giving it the chance to rule on the matter. The Parliament might hence be considered as the only legislative body of the EU that is not totally yielding to a securitarian approach, unlike the Council and the Commission.
Therefore, not all EU institutions taking part in (lato sensu) legislation-making are letting security prevail over rights; the attitude of the Parliament shows at least the existence of an internal cleavage on the matter. Additionally, by way of its request, the Parliament implicitly but strongly invited the CJEU to finally rule on the merits of a PNR agreement. As mentioned, when it repealed the first agreement with the US,[137] the Court decided on the basis of procedural grounds only; in such circumstance, the Parliament had not relied on the Charter to raise its human rights concerns, since it had a merely interpretative value before the Lisbon Treaty. For its part, the CJEU quickly took the opportunity to do what it had not done before, ie explicitly extending principles elaborated in a long series of mainstream decisions to EU external relations. This conveys the idea that the guarantees of the rights to privacy and to data protection must be affirmed on a global scale, in spite of challenging times. Notably, not only did the CJEU affirm this through a further elaboration of values emerging from Articles 7 and 8 of the Charter, but it even found a way to give a substantive dimension to apparently ‘formalistic’ arguments, such as the one on the legal basis. The CJEU also did something else that is worth remarking: in carefully analysing the text of the agreement, even censuring its wording, it engaged in a task that can be described as ‘borderline’ with that of a legislative drafting committee. Again, this attitude of the CJEU is not totally new nor unexpected. Already in its previous decisions, such as Digital Rights, the Court had carefully scrutinized how provisions were written.[138] Yet, on this occasion, the Court suggested to other EU institutions the correct way to redraft the agreement, not only by way of principled declarations, but also through concrete examples of words and phrases to be substituted.
Moreover, in Opinion 1/15, the CJEU’s guidelines are not aimed at redrafting an internal act—such as a directive—but an international treaty. This particularly high rate of ‘intrusiveness’ by the CJEU can be related to the gist of this decision, which can be synthesized as follows. Conceiving a legal framework in which surveillance has no role would be utopian, given the strength of the current terrorist threat; nonetheless, mass surveillance must be subject to particularly strict rules. Against this background, if the policy-maker proves unable to remain within these limits and guarantee that individual rights will not be totally sacrificed in the name of security, the Court will be increasingly called to play a pivotal role. This approach means going beyond its institutional attributions and bearing quasi-legislative (and political) responsibility, a task in which, this time, the CJEU engaged more vigorously and firmly than ever. This proactive approach is praiseworthy, but further results could be more easily reached if each actor on the scene adopted a bit of the CJEU’s courageous approach seeking to concretely reconcile rights and security. In other words, a scenario in which other EU institutions, as well as Member States, cooperate in order to reach a fair balance between rights and security, rather than discharging on courts alone the responsibility to ‘draw the line’—as the EP itself did with the CJEU—would be far preferable. Such a desirable framework would also decrease the risk of distorting each body’s institutional role.[139]

Conclusion

The Court’s Opinion on the EU–Canada PNR agreement is a landmark decision within the EU case law due to a number of reasons, which emerged in this Article.
Being the first decision to assess the compatibility of an international agreement with the Charter, it goes far beyond the—careful and thorough—analysis of very technical issues, being characterized by many further features, which all converge towards the attempt to shape the tricky balance between rights and security in an increasingly detailed and rational manner.[140] Its essence lies in two (apparently opposite, but indeed compatible) claims. On the one hand, the CJEU has ultimately accepted that a generalized and indiscriminate control on travellers is a useful and legitimate tool in the fight against terrorism. On the other hand, it showed awareness of serious risks that bulk surveillance implies for individual rights, in particular when clear and precise criteria on the concrete implementation of such measures are lacking. As a result, the EU–Canada PNR agreement faced a very strict scrutiny. It is now necessary to take stock of the analysis (developed in this Article) with a view to drawing some conclusive remarks. First of all, with regard to the challenging balance between rights and security, the Court—in a fashion that other EU and national institutions should also replicate—took a firm stance towards the protection of individual rights, but avoided, at the same time, the pitfalls of a utopian approach. In other words, it remained steady on the realistic assumption that, if the Western world wants to protect itself from terrorism, some intrusion in individual rights must necessarily be endorsed. Consequently, the CJEU accepted mass surveillance. However, it set out several strict conditions to make such a form of bulk control legitimate. In so doing, the Court’s decision increases the awareness that rights can be safeguarded also without giving up realism and plays a pivotal role within the lively theoretical debate on rights and security.
Notably, the CJEU even managed to do so by using apparently mere procedural issues in a way that is instrumental to its stance on substantive issues. Emblematically, the reasoning on the legal basis both anticipates balancing efforts of the Court (in addressing the material question raised by the EP, ie the compatibility of the agreement with fundamental rights) and strongly calls for the concrete establishment of a comprehensive legal framework for data protection. Thus, such a ‘substantive use’ of a procedural issue is noteworthy. Secondly, although Opinion 1/15 resulted in the validation, reinforcement, refinement and specification of what the CJEU had already stated, in at least three previous decisions, in relation to the collection, retention and use of personal data, the Court addressed the PNR issue adopting a quasi-legislative approach. This attitude deserves to be underlined for both practical and more general reasons. As to practical consequences, the Opinion will impact on agreements in force between the EU and third countries on the exchange of PNR data as well as on those under negotiation. EU institutions are likely to renegotiate agreements already in place, in order to comply with the CJEU’s standards. Likewise, the Court’s dicta will act as negotiation guidelines in relation to forthcoming agreements (eg with Mexico). Thirdly, and from a more general perspective, the CJEU’s quasi-legislative attitude raises interesting remarks with regard to the role of the Court within the EU framework. Here, it is worth highlighting that, acting almost like a drafting committee, the CJEU took a quasi-political responsibility. This is the same political responsibility that the Parliament did not dare to take when it triggered the procedure under Article 218(11) TFEU and shifted the task to the Court, instead of directly blocking the adoption of the agreement, as this choice would be unpopular in times of international terrorism.
Last but not least, the expanded role of the Charter emerged clearly in Opinion 1/15. In fact, not only did the CJEU use it as the only parameter—in line with its previous case law and enhancing the EU's (lato sensu) constitutional standing—but it even contributed to giving the Charter (and rights enshrined therein) a ‘global’ dimension. As a matter of fact, Canada—or any other third country—will have to respect the Charter, if it wishes to preserve (economic) relationships with the EU. Therefore, the Charter is gaining extra-jurisdictional enforceability, following a process that may be defined as ‘globalisation of standards’, in which the EU is affirming its leadership. Therefore, for all these reasons, Opinion 1/15 is a landmark decision, even if for several aspects it is along the same general lines of previous decisions, which have been confirmed and reinforced. Ultimately, Opinion 1/15 conveys the idea that rights can be protected without giving up a realistic approach. In doing so, the CJEU increasingly shows its fully right-oriented nature, in spite of being born as a judge of ‘economic freedoms’ only. Should other institutions—both at the EU and national level—embrace a similar attitude, this would undoubtedly be helpful to develop an effective and workable counter-terrorism strategy, combining the vital interest of democracy with the need to tackle security threats.

The Author would like to express her special gratitude to Chiara Graziani for research assistance.

Footnotes

1 Didier Bigo and Anastassia Tsoukala (eds), Terror, Insecurity and Liberty (Routledge, New York, US 2008); Kim L Scheppele, ‘Global Security Law and the Challenge to Constitutionalism After 9/11’ (2011) PL 352; Aniceto Masferrer, ‘The Fragility of Fundamental Rights in the Origins of Modern Constitutionalism: Its Negative Impact in Protecting Human Rights in the “War on Terror” Era’ in Aniceto Masferrer and Clive Walker (eds), Counter-Terrorism, Human Rights and the Rule of Law.
Crossing Legal Boundaries in Defence of the State (Edward Elgar, Cheltenham-Northampton, UK-US 2012) 37; Viktor V Ramraj and others (eds), Global Anti-Terrorism Law and Policy (CUP, Cambridge, UK 2012); Genevieve Lennon and Clive Walker (eds), Routledge Handbook of Law and Terrorism (Routledge, New York, US 2015). 2 David Barnard-Wills, ‘Security, Privacy and Surveillance in European Policy Documents’ (2013) 3 IDPL 170, showing, with a comparative approach, high reliance of anti-terrorism policies on intelligence information sharing. 3 For an analysis on differences and correlations between these two rights, Christopher Docksey, ‘Four Fundamental Rights: Finding the Balance’ (2016) 6 IDPL 195, 197, arguing that the right to data protection aims at safeguarding privacy in the information society. See also Orla Lynskey, ‘Deconstructing Data Protection: The “Added Value” of a Right to Data Protection in the European Legal Order’ (2014) 63 ICLQ 569. 4 For a recent analysis, David Cole and others (eds), Surveillance, Privacy and Transatlantic Relations (Hart Publishing, Oxford, UK 2017) and Maria Tzanou, The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Hart Publishing, Oxford, UK 2017) 107. For a comparative perspective, Ira S Rubinstein and others, ‘Systematic Government Access to Personal Data: A Comparative Analysis’ (2014) 4 IDPL 96. 5 The high reliance of securitarian policies on data collected during travels made scholars consider the concept of ‘aviation security’. See Olga Mironenko Enerstvedt, Aviation Security, Privacy, Data Protection and Other Human Rights: Technologies and Legal Principles (Springer, Cham, CH 2017). 6 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12 [2014] ECR I-238.
See Arianna Vedaschi and Valerio Lubello, ‘Data Retention and Its Implications for the Fundamental Right to Privacy: A European Perspective’ (2015) 20 Tilburg LR 14; Orla Lynskey, ‘The Data Retention Directive is Incompatible with the Rights to Privacy and Data Protection and Is Invalid in its Entirety: Digital Rights Ireland’ (2014) 51 CML Rev 1789; Tuomas Ojanen, ‘Privacy Is More Than Just a Seven-Letter Word: The Court of Justice of the European Union Sets Constitutional Limits on Mass Surveillance’ (2014) 10 EuConst 528. 7 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ 2006 L 105/54. See Roger Clarke, ‘Data Retention as Mass Surveillance: The Need for an Evaluative Framework’ (2015) 5 IDPL 121. 8 Maximillian Schrems v Data Protection Commissioner, Case C-362/14 [2015] All ER (D) 34. See Loïc Azoulai and Marjin Van der Sluis, ‘Institutionalizing personal data protection in times of global institutional distrust’ (2016) 53 CML Rev 1343; Tuomas Ojanen, ‘Making the Essence of Fundamental Rights Real: The Court of Justice of the European Union Clarifies the Structure of Fundamental Rights under the Charter’ (2016) 12 EuConst 318; Neal Cohen, ‘The Privacy Follies: A Look Back at the CJEU’s Invalidation of the EU/US Safe Harbor Framework’ (2015) 1 EDPL 240. 9 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, Case C-203/15 ECLI:EU:C:2016:970. See Iain Cameron, ‘Balancing Data Protection and Law Enforcement Needs: Tele2 Sverige and Watson’ (2017) 54 CML Rev 1467. 10 Request for an opinion submitted by the European Parliament pursuant to art 218(11) TFEU, OJ 2015 C 138/24. 11 Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389.
12 The equivalent of the PNR regime with regard to transfer of financial data is the Terrorist Finance Tracking Programme (TFTP). This agreement between the EU and the US came into force in 2010 and concerns transfer and processing of data for purposes of identifying, tracking, and pursuing terrorists and their networks. See Cian C Murphy, EU Counter-Terrorism Law (Hart Publishing, Oxford, UK 2015) 151. 13 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31. 14 Schrems (n 8) para 73. 15 See further in this article. 16 US Aviation and Transportation Security Act 2001, Pub L 107-71. It is also worth noting that the US restrictive approach towards privacy depends on the fact that, in such area, privacy is traditionally considered as a relative right, which can be limited by many competing interests. In general, on the US attitude towards privacy and data protection, Michael W Price, ‘Rethinking Privacy: Fourth Amendment Papers and the “Third-Party” Doctrine’ (2016) 8 JNSLP 247. 17 The main federal law enforcement agency among whose tasks there is the protection of borders from the entrance of terrorists and criminals in general. 18 Council Decision 2004/496/CE of 17 May 2004 on the conclusion of an Agreement between the European Community and the USA on the processing and transfer of PNR data by Air Carriers to the US Department of Homeland Security, Bureau of Customs and Border Protection, OJ 2004 L 183/84. 19 On the critical aspects of this system, see Birte Siemen, ‘The EU-US Agreement on Passenger Name Records and EC Law: Data Protection Competences and Human Rights Issues in International Agreement of the Community’ (2005) 47 German YrBk Int’l L 629. 
More in general on past PNR agreements, Vangelis Papakostantinou and Paul De Hert, ‘PNR Agreement and Transatlantic Antiterrorism Co-Operation: No Firm Human Rights Framework on Either Side of the Atlantic’ (2009) 46 CML Rev 885. 20 According to former art 230 of the Treaty on the European Community (current art 236 TFEU). The EP’s stance was joined by the European Data Protection Supervisor, intervening in the proceeding. 21 European Parliament v Council of the European Union and Commission of the European Community, Joined Cases C-317/04 and C-318/04 [2006] ECR I-4721. For an analysis of this decision, see Gráinne Gilmore and Jorrit Rijpma, ‘Joined Cases C-317/04 and C-318/04, European Parliament v Council and Commission, Judgment of the Grand Chamber of 30 May 2006 [2006] ECR I-4721’ (2007) 44 CML Rev 1081. 22 Agreement between the EU and the US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Department of Homeland Security [2006] OJ 2006 L 298/29. 23 Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the EU, of an Agreement between the EU and the US on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security (DHS). This agreement had been preceded by an interim version, in which even many right-related concerns could be found. See Agreement between the EU and the US on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security, OJ 2007 L 204/16. 24 On the implications of the use of sensitive data, see further in this article. 25 Letter from Peter Hustinx, European Data Protection Supervisor, to Wolfgang Schäuble, Minister for the Interior (27 June 2007) <http://www.statewatch.org/news/2007/jun/eu-us-pnr-hustinx-letter.pdf> accessed 7 March 2018. 26 European Parliament Legislative Resolution of 5 May 2010 on the launch of negotiations for PNR agreements with the USA, Australia, and Canada P7_TA (2010)0143.
27 Agreement between the United States of America and the European Union on the use and transfer of PNRs to the US Department of Homeland Security, OJ 2012 L 215/13. 28 For an overview of the contents and critical aspects of this agreement, see Arianna Vedaschi and Gabriele Marino Noberasco, ‘From DRD to PNR: Looking for a New Balance Between Privacy and Security’ in David Cole and others (eds), (n 4) 67. cf Quirine Eikjman, ‘Accountability in Europe: Ethical Dilemmas in Terrorism Risk Management’ (2013) 6 J Pol & L 35, 39, arguing that data security guarantees enshrined in the 2012 agreement contribute to accountability of the EU political bodies. 29 Anti-Terrorism Act, SC 2001, C 41. 30 Council Decision 2006/230/EC of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data, OJ 2006 L 82/14. 31 For an overview of this regime, see Peter Hobbing, ‘Tracing Terrorists: The EU-Canada Agreement in PNR Matters’ Special Report, Center for European Policy Studies, 17 November 2008 <https://www.ceps.eu/publications/tracing-terrorists-eu-canada-agreement-pnr-matters> accessed 7 March 2018. 32 Council of the European Union, Agreement between Canada and the European Union on the transfer and processing of PNR, 2013/0250(NLE). 33 European Parliament Resolution of 25 November 2014 on seeking an opinion from the Court of Justice on the compatibility with the Treaties of the Agreement between Canada and the EU on the transfer and processing of PNR data P8_TA (2014) 0058. 34 Case A-1/15, Opinion of AG Mengozzi, 8 September 2016. For an analysis, Fanny Coudert, ‘The Legitimacy of Bulk Transfers of PNR Data to Law Enforcement Authorities under the Strict Scrutiny of AG Mengozzi’ (2016) 2 EDPL 596.
35 Indeed, before this the Advocate General remarked that art 16(2) TFEU can be invoked as an appropriate legal basis for such an agreement, together with art 87(2)(a) TFEU, read in conjunction with art 218(6)(a)(v). 36 Opinion of AG Mengozzi (n 34) para 180. 37 Ibid, para 170. 38 On which see Steve Peers and Sacha Prechal, ‘Article 52. Scope and Interpretation of Rights and Principles’ in Steve Peers and others (eds), The EU Charter of Fundamental Rights. A Commentary (Hart Publishing, Oxford, UK 2014) 1455; Jan Kühling, ‘Fundamental Rights’ in Armin von Bogdandy and Jürgen Bast (eds), Principles of European Constitutional Law (Hart Publishing, Oxford, UK 2009) 479. With specific regard to data protection, Charlotte Bagger Tranberg, ‘Proportionality and Data Protection in the Case Law of the European Court of Justice’ 1 (2011) IDPL 239. 39 Opinion of AG Mengozzi (n 34) para 192. 40 Ibid para 193. 41 Ibid para 186. 42 Ibid paras 199–204. 43 Ibid paras 205–06. 44 See further in this article for some insights on the implications of the use of such data. 45 Ibid para 279. 46 Art 4 of the agreement. 47 Ibid para 222. 48 Ibid para 285. Specifically, the masking and gradual depersonalization of data would guarantee respect for the concerned rights. 49 Opinion 1/15 (European Court of Justice, 26 July 2017) ECLI:EU:C:2016:656. For a short comment, see Arianna Vedaschi, ‘The European Court of Justice on the EU-Canada PNR Agreement’ (2018) 14 EUConst and Chiara Graziani, ‘PNR EU-Canada, la Corte di Giustizia blocca l’accordo: tra difesa dei diritti umani e implicazioni istituzionali’ (2017) DPCE online 959. 50 Opinion 1/15 (n 49) para 97. 51 Ibid para 135. 52 Ibid para 98. 53 The Advocate General, in its opinion to the Court, based its reasoning on the legal basis on similar argument. See Opinion of Advocate General Mengozzi (n 34) and Coudert (n 34) 597. 54 Opinion 1/15 (n 49) para 94. 
55 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31. 56 Maximilian Schrems (n 8). Some scholars, before the CJEU issued Opinion 1/15, argued that Schrems would have a ‘domino effect’ on other European agreements, among which PNR deals: Yann Padova, ‘The Safe Harbour is Invalid: What Tools Remain for Data Transfer and What comes Next?’ (2016) 6 IDPL 139, 160. 57 Interpreted, as some scholars claim, also according to the case law of the European Court of Human Rights (ECtHR) on the right to privacy. Gabe Maldoff and Omer Tene, ‘Essential Equivalence and European Adequacy after Schrems: The Canadian Example’ (2016) 34 Wis Int’l LJ 211, 233–40. For a comparison between the CJEU and the ECtHR case law, with reference to most recent cases, Mark D Cole and Annelies Vandendriessche, ‘From Digital Rights Ireland and Schrems in Luxembourg to Zacharov and Szabó/Vissy in Strasbourg: What the ECtHR Made of the Deep Pass by the CJEU in the Recent Cases on Mass Surveillance’ (2016) 2 EDPL 121. 58 Namely, all circumstances in place in the third country deserve consideration; the Commission must periodically check whether adequacy persists; circumstances after the adoption of the adequacy decision have to be taken into account. See also n 129. 59 Paul Voigt and Axel von dem Bussche, The EU General Data Protection Regulation (GDPR) (Springer, Cham, CH 2017) 116. 60 Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German LJ 881, 893. 61 In other words, as sort of ‘global law’ in relation to privacy. On the development of ‘global law’ standards with regard to the fight against terrorism, Arianna Vedaschi, ‘Dalla global war al global law’ (2017) Quaderni costituzionali 424.
62 See specifically on the theoretical foundations of global law Neil Walker, Intimations of Global Law (CUP, Cambridge, UK 2015). 63 Opinion 1/15 (n 49) para 126. 64 Ie the agreement itself, and not consent. According to art 8 of the Charter, a limitation can be based, alternatively, on consent of the data subject or on another legitimate basis laid down by law. 65 Opinion 1/15 (n 49) paras 147–51. In order to support the appropriateness of the means at stake to ensure such objective of general interest, the Court referred to several documents and studies laid down by the EU and Canadian institutions. 66 Ibid para 163. 67 Ibid para 157. 68 Ibid para 158. 69 It is defined by art 2(e) of the agreement as data revealing ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership’ or relating to ‘a person’s health or sex life’. This list is very similar to that laid down by the recent PNR Directive. 70 Ibid para 165. 71 Art 15 of the agreement. 72 Opinion 1/15 (n 49) para 173. 73 Ibid para 172. 74 Therefore, this definition was not left to be determined by national law, as for example, in the DRD, where discretion afforded to Member States in this regard constituted one of the grounds for the declaration of invalidity. 75 Ibid para 181. 76 Ibid paras 185 and 189. 77 Ibid, paras 190–91. 78 Citing to Schrems (n 8) and Tele2 (n 9) decisions. 79 As already stated, the retention period is of 5 years (maximum). Notably, the Court deemed the length admissible (para 209 of the Opinion). 80 Opinion 1/15 (n 49) paras 204–07. 81 Ibid para 203. 82 Ibid para 212. 83 Ibid para 214. 84 Ibid paras 216–17. 85 Ibid para 225. 86 Ibid para 231. 87 COM(2017) 605 final. 88 On the activism of the CJEU, Gareth Davies, ‘Legislative Control of the European Court of Justice’ (2014) 51 CML Rev 1579, discussing the capacity of EU institutions to overcome the CJEU’s ruling with ‘excessive’ legislative effect. 
See also Mark Dawson, Bruno De Witte and Elise Muir (eds), Judicial Activism of the European Court of Justice (Edward Elgar, Cheltenham-Northampton, UK-US 2014). 89 This is likely to affect the PNR agreement with the US and Australia, since they are both based on arts 82(1)(a) and 87(2) TFEU. See further in this section. 90 For an overview on art 16 TFEU and obligations arising from it, Hielke Hijmans, The European Union as Guardian of Internet Privacy: The Story of Art. 16 TFEU (Springer, Cham, CH 2016). 91 As noted by the EP. See Opinion 1/15, para 32, citing to the Declaration on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, OJ 2010 C 83, 45. See further on the issue Hielke Hijmans and Alfonso Scirocco, ‘Shortcomings in EU Data Protection in the Third and the Second Pillars. Can the Lisbon Treaty be Expected to Help?’ (2009) 46 CML Rev 1485. 92 However, the relationship between the two is very close, since art 8 of the Charter grants data protection the status of a fundamental right that must be respected as long as EU law applies. See Hijmans (n 90) 127. See also Angeles Gutiérrez Zarza, Exchange of Information and Data Protection in Cross-border Criminal Proceedings in Europe (Springer, Cham, CH 2014) 27. 93 European Parliament v Council of the European Union and Commission of the European Community (n 21). Scholars argue that these cases fixed the principle according to which the legal basis should be chosen in light of the aim and content of the act. Mario Mendez, The Legal Effects of EU Agreements. Maximalist Treaty Enforcement and Judicial Avoidance Techniques (OUP, Oxford, UK 2013) 78; Nadine Zipperle, EU International Agreements. An Analysis of Direct Effect and Judicial Review Re- and Post-Lisbon (Springer, Cham, CH 2017) 112. 94 Cristina Blasi Casagran, ‘The Future EU PNR System: Will Passenger Data Be Protected?’ (2015) 23 Eur J Crime Crim L & Crim Just 241, 244. 
95 Elspeth Guild and Evelien Brouwer, ‘The Political Life of Data: The ECJ Decision on the PNR Agreement between Europe and the US’ (2006) Centre for European Policy Studies Policy Brief 109 <https://www.ceps.eu/publications/political-life-data-ecj-decision-pnr-agreement-between-eu-and-us> accessed 7 March 2018. 96 Directive 2006/24/EC (n 7). 97 Ireland v European Parliament and the Council, Case C-310/06, [2006] ECR I-4721. 98 Hijmans and Scirocco (n 91) 1504, arguing that what made the CJEU decide that art 95 was appropriate as a legal basis was the fact that, contrarily to PNR agreements, data retention rules did not imply the systematical transfer of data to public authorities. 99 European Parliament v Council of the European Union and Commission of the European Community (n 21). 100 Ireland v European Parliament and the Council (n 97). 101 Paul J Cardwell, EU External Relations Law and Policy in the Post-Lisbon Era (T.M.C. Asser Press, The Hague, NL 2012) 295. 102 Part II, Title IV TFEU. 103 European Parliament, Resolution of 11 November 2010 on the global approach to transfers of PNR data to third countries, and on the recommendations from the Commission to the Council to authorize the opening of negotiations between the EU and Australia, Canada and the US, P7_TA-PROV(2010)0397, point 5. 104 Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ 2016 L119/1. 
105 Directive 2016/680/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA OJ 2016 L 119/89. 106 An emblematic example is criticism about the term ‘etc.’. See Opinion 1/15 (n 49) para 157. 107 Art 4(3) of the agreement, stating that all data that is not listed must be deleted. 108 Opinion 1/15 (n 49) para 162. 109 Eg in Digital Rights (n 6) where it claimed the need for a list of crimes that could justify retention. 110 Directive 2016/681/EU of the Parliament and of the Council of 27 April 2016 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ 2016 L 119/132. The Directive has to be implemented by Member States by May 2018. For a critical analysis, David Lowe, ‘The European Union Passenger Name Record Data Directive: Is It Fit for Purpose?’ (2017) 16 Intl Crim LRev 78. 111 Opinion 1/15 (n 49) para 165. 112 Michel Rosenfeld, ‘Judicial Balancing in Times of Stress: Comparing Diverse Approaches to the War on Terror’ (2005) Benjamin N Cardozo School of Law, Working Paper n 119; Arianna Vedaschi, ‘Has the Balancing of Rights Given Way to a Hierarchy of Values?’ 1 Comp LR 1. 113 Before the adoption of the agreement, scholars warned against the risk of profiling entailed by it and, more in general, by the forthcoming PNR scheme at the EU level. Franziska Boehm, ‘Tit for tat – Europe’s revenge for the Canadian and US PNR systems? The envisaged European model of analyzing flight passenger data’ (2010) 11 ERA Forum 251.
114 On profiling and its risks, Richard R Banks, ‘Racial Profiling and Antiterrorism Efforts’ (2004) 89 Cornell LR 1201; Daphne Barak-Erez, ‘Terrorism and Profiling: Shifting the Focus from Criteria to Effects’ (2007) 29 Cardozo LR 1; Helen Duffy, The ‘War on Terror’ and the Framework of International Law (CUP, Cambridge, UK 2015) 637. 115 Opinion 1/15 (n 49) para 165. 116 Paul de Hert and Vagelis Papakonstantinou, ‘Repeating the Mistakes of the Past Will Do Little Good for Air Passengers in the EU: The Come Back of the EU PNR Directive and a Lawyer’s Duty to Regulate Profiling’ (2015) 6 NJECL 160, 163. 117 Opinion 1/15 (n 49) paras 168–74. 118 Ibid para 181. 119 Ibid para 204. 120 Directive 681/2016 (n 110) recital 37. 121 Ibid, art 12(5). For further analysis on potential effects of Opinion 1/15 on the PNR Directive, Elena Carpanelli and Nicole Lazzerini, ‘PNR: Passenger Name Record, Problems Not Resolved? The EU PNR Conundrum After Opinion 1/15 of the CJEU’ (2017) 42 Air & Space L 377, 391. They argue that the PNR directive is used as a ‘benchmark’ to evaluate the agreement, but, on some other points, it could itself bear the consequences of Opinion 1/15. 122 As noted by Raphael Bossong, ‘Passenger Name Records – from Canada back to the EU’ (Verfassungsblog, 28 July 2017) <https://verfassungsblog.de/passenger-name-records-from-canada-back-to-the-eu/> accessed 7 March 2018. 123 Whose masking period is, instead, 6 months. 124 Namely, Regulation 2016/679 (n 104), Directive 2016/680 (n 105) and Directive 2016/681 (n 110). All of them were approved on 21 April 2016. 125 Opinion 1/15 (n 49) para 220. 126 College van burgemeester en wethouders van Rotterdam v Rijkeboer, Case C-553/07 [2009] ECR I-03889. 127 Opinion 1/15 (n 49) para 224. 128 Opinion 1/15 (n 49) para 228.
129 ‘Essential equivalence’ was further elaborated, in preparation of the Privacy Shield, by the Statement of the Article 29 Working Party of 3 February 2016, 17/EN WP250, <ec.europa.eu/newsroom/document.cfm?doc_id=47741> accessed 7 March 2018, clarifying a set of principles of which ‘essential equivalence’ concretely consists. These principles are: a) clear, precise and accessible rules; b) strict necessity and proportionality; c) independent oversight; and d) effective redress. See on this point Maldoff and Tene (n 57) 239. 130 David Bender, ‘Having Mishandled Safe Harbor, Will the CJEU Do Better with Privacy Shield?’ (2016) 6 IDPL 117, 131. 131 European Parliament, resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP)). 132 COM(2017) 611 final. 133 Even before this Opinion, scholars argued in favour of the annulment and subsequent renegotiation of the 2012 EU–US agreement. Douglas Louks, ‘(Fly) Anywhere but Here: Approaching EU-US Dialogue concerning PNR in the Era of Lisbon’ (2013) 23 Ind Int’l & Comp LR 479, 515. 134 Answer given to the European Parliament by Mr Avramopoulos on behalf of the Commission (4 November 2015). It is worth noting that negotiations may begin with Argentina and Japan, as well. 135 On the attitude of the CJEU, particularly in privacy-related cases, to behave as a ‘constitutional’ court, see Vedaschi and Lubello (n 6) 17. 136 Opinion 1/15 (n 49) para 67. 137 Joined Cases C-317/04 and C-318/04 (n 21). 138 Luisa Marin, ‘The Fate of the Data Retention Directive: about Mass Surveillance and Fundamental Rights in the EU Legal Order’ in Valsamis Mitsilegas, Maria Bergström and Theodore Konstadinides (eds), Research Handbook on EU Criminal Law (Edward Elgar, Cheltenham-Northampton, UK-US 2016) 210. 139 For a discussion on the ‘creative’ role of the courts, Otto Pfersmann, ‘Contre le néo-realisme juridique. Pour un débat sur l’interpretation’ [Against Legal Neo-Realism.
For a Debate on Interpretation] (2002) Revue française de droit constitutionnel 790, arguing against the ‘legislative’ attitude of judges. 140 For more details on how the CJEU construed this complex balance in the commented Opinion, see Arianna Vedaschi, ‘L’Accordo internazionale sui dati dei passeggeri aviotrasportati (PNR) alla luce delle indicazioni della Corte di giustizia dell’Unione europea’ (2017) Giurisprudenza costituzionale 1913. © The Author(s) 2018. Published by Oxford University Press. All rights reserved. For permissions, please email: journals.permissions@oup.com This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices)


International Data Privacy Law, Volume Advance Article (2) – May 7, 2018

Publisher
Oxford University Press
ISSN
2044-3994
eISSN
2044-4001
D.O.I.
10.1093/idpl/ipy004

Abstract

Key Points In challenging times of international terrorism, the exchange, retention, and use of personal data are becoming increasingly crucial, due to their pivotal role in identifying potential threats to national security. Therefore, domestic and international lawmakers need to regulate such matter through legislation and international agreements. The exchange of passenger name record (PNR) data in transnational flights has been regulated both by EU law and international agreements signed with third countries, such as Australia, Canada, and the US. The latest EU–Canada PNR agreement was referred to the Court of Justice of the European Union (CJEU) by the European Parliament before its entry into force, pursuant to the procedure provided for by Article 218(11) TFEU, allowing EU institutions to ask for an opinion of the CJEU. In July 2017, the CJEU in Opinion 1/15 ruled the draft agreement incompatible with Article 7 (right to privacy), 8 (right to data protection) and 52 (principle of proportionality) of the Charter of Fundamental Rights of the European Union. Consequently, the agreement between the EU and Canada will be renegotiated. This analysis reads Opinion 1/15 in light of the previous case law of the CJEU about privacy and national security and examines its potential implications on both institutional balances and international relations. Focusing on some novelties and noteworthy passages of Opinion 1/15, this Article claims that the vital interest of democracy can be reconciled with the need to overcome security threats, as the CJEU’s stance showed. Introduction The relevant number of terrorist attacks, occurred in the past years, confirmed that the threat posed by international (and specifically jihadist) terrorism since the 9/11 events is very far from being history. Consequently, Western countries keep reacting by way of particularly restrictive policies and, in many cases, counter-terrorism legislation has undergone a crackdown over recent years. 
Within this context, the shift from an ex post facto approach (the punishment of criminal actions after their perpetration) to a preventive one (measures aimed at avoiding the occurrence of a terrorist offence) has made securitarian policies the rule in the fight against terrorism.1 Therefore, the role of intelligence has become a crucial one, in order to prevent and combat jihadist terrorism.2 Personal data—especially that related to passengers of transnational flights, collected or received by the country of destination and often retained even after their departure from such country—is regarded as a potential source of information about ongoing terrorist activities and their preparatory acts. This security-oriented approach results in an unavoidable interference with the rights to privacy and data protection.3 It is generally known that the right to privacy and the related right to data protection are typical ‘targets’ of counter-terrorism measures. Let us think, for instance, of surveillance measures that give public authorities wide powers to retain data collected indiscriminately in various circumstances, which is then accessed and analysed by intelligence agencies.4 Such bulk monitoring often derives not only from national lawmakers’ decisions, but also from guidelines of the European Union (EU). Many EU tools, with different binding force, explicitly call on Member States to enact and implement preventive measures consisting of the collection, retention and analysis of a wide range of data. Such information is very often related to individuals without any distinction, irrespectively of a suspicion that they are involved in terrorist networks. 
Mechanisms referred above—allowing collection, retention, and processing of data of all passengers boarding transnational flights, envisaged both by EU legislation, such as directives, and by international agreements between the EU and third countries—are paramount examples.5 Indeed, focusing on the EU level, not all institutions are firmly committed to a securitarian attitude. While the Council and the Commission frequently make security prevail over fundamental rights and personal freedoms, the European Parliament (‘the EP’ or ‘the Parliament’) has recently triggered the procedure aimed at testing the compatibility of antiterrorism measures with fundamental rights, as the present analysis will show. The EU body in charge of this review is the Court of Justice of the European Union (‘the CJEU’ or ‘the Court’), which, over the past years, has played a key role in striking a balance between the rights to privacy and data protection, on the one side, and security needs in the fight against international terrorism, on the other side. Examples of this settled case law range from the Digital Rights decision6 of 2014, which quashed the Data Retention Directive (the DRD)7 due to fundamental rights concerns, to the Schrems judgment8 of 2015 that invalidated the Safe Harbour scheme, ie the agreement regulating exchange of personal data between the EU and the US. Moreover, principles affirmed in Digital Rights have been reiterated in the most recent judgment on the matter, Tele2 Sverige,9 again dealing with data retention and fundamental rights after a request for preliminary ruling by British and Swedish courts. In Digital Rights, Schrems and Tele2 Sverige, the CJEU, although not imposing an absolute ban on mass surveillance, affirmed the need to carefully weigh fundamental rights against public security. Opinion 1/15 must be included in the trend described above. 
However, it presents some specific features due to the reason that it addresses a particular surveillance tool, ie the collection, retention and use of passenger name record (PNR) data in transnational flights. This data is rather different from data considered in other mentioned decisions, as will be specified further in this Article. The Opinion was issued by the CJEU upon request of the EP, pursuant to Article 218(11) of the Treaty on the Functioning of the European Union (TFEU). In January 2015, with Communication 138/24,10 the EP asked the CJEU to rule on the compatibility of the draft agreement between the EU and Canada on the exchange of PNR data with EU law. In July 2017, the Court found such agreement incompatible with fundamental rights enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’).11 This Article is divided as follows. The first section offers a general overview on PNR data and on agreements regulating its exchange between the EU and third countries. The second and third sections focus on the EU–Canada PNR agreement and its challenge before the CJEU respectively, examining the stance of the Advocate General and the Opinion of the Court on both procedural and substantive issues raised by the EP. The fourth section adopts a more analytical approach, dwelling on the reasons why Opinion 1/15 is to be considered as a landmark decision, although many of its statements are in line with the CJEU’s previous case law on privacy and data protection. To this aim, this section underlines some specific features of the Court’s approach that theoretically legitimized mass surveillance, but criticized the ways in which it has been concretely enacted. In this light, attention is drawn on the Court’s ‘quasi-legislative’ role, on the use of the Charter as a parameter setting ‘global’ standards in relation to data protection and on the refined and novel use of procedural issues with a view to ‘material’ objectives. 
This analysis is instrumental to discuss, in the concluding section, the main claim of this Article, which is that rights can be safeguarded without giving up realism, as demonstrated by Opinion 1/15, hopefully paving the way for the further circulation of such an attitude.

The transnational flow of PNR data between the EU and third countries

PNR data includes information such as names, travel dates, itineraries, seats, baggage, contact details, means of payment and many other facts related to habits and life of travellers. The transfer of this information, collected by airline carriers, to the authorities of third countries, towards which flights are heading,12 has been regulated over the years by several agreements, signed between the EU and non-EU countries to prevent and combat international terrorism. Data can be collected, alternatively, through the ‘pull’ or the ‘push’ method. The former means that the authority vested with the power to collect data has direct access to it; the latter implies a request of data from the competent authority to air carriers. Pursuant to Article 25 of Directive 95/46/EC (‘Directive 95/46’ or ‘DPD’),13 in order to allow the exchange of data (including PNR) between the EU and a third country, such country must ensure an ‘adequate level of protection’, certified by the European Commission (so-called adequacy decision) on the basis of the existence of appropriate guarantees in the third country’s domestic law or in its international commitments. 
Specifically, according to the CJEU’s recent case law, ‘the term “adequate level of protection” must be understood as requiring the third country to ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter’.14 Ultimately, what the CJEU demands EU institutions to perform is a comparative assessment between data protection standards offered by a third country and those provided by the EU itself.15 Heading back to PNR, the issue of how to deal with the exchange of this data arose for the first time in 2001, when US legislation16 obliged all airline carriers travelling to the US to transfer passengers’ data to the US Customs and Border Control.17 Therefore, the European Commission had to reach an agreement with US authorities on the transfer of PNR data. This agreement was signed on 28 May 200418 and included a number of controversial aspects. First of all, it provided direct access to data for US officers (so-called pull system), without any active part being taken by airline carriers in data transfer. In addition, a particularly vague statement of purpose (ie the reasons justifying data collection) was combined with quite a broad period of retention (three and a half years) to be extended in case an investigation was in place.19 For these reasons, the EU–US PNR agreement was challenged before the CJEU by the EP, calling for its annulment.20 The Court invalidated the agreement on procedural grounds, namely, a wrong legal basis (see further in this Article for a discussion on the substantive implications derived from the choice of the legal basis).21 As a consequence, EU institutions were urged to enter into a new agreement. 
On 23 July 2007, after a provisional deal approved in the immediate aftermath of the CJEU’s decision,22 working as an interim framework while waiting for the negotiation of a new one, the EU concluded the second PNR agreement with the US.23 Indeed, this draft raised even more concerns in terms of fundamental rights than the first version had done. Particularly, the variety of data to be collected was widened, encompassing also some sensitive data24 (although a filtering mechanism was provided), and the retention period was extended (up to 7 years). Additionally, there were no ‘robust legal mechanisms’25 enabling individuals to challenge potential misuse of their data. The shift from the ‘pull’ to the ‘push’ system in data sharing marked the only improvement in terms of rights protection: US authorities could not directly access data, but they needed to ask air carriers for its transmission. However, once again, the EP considered guarantees for passengers’ rights to be insufficient. Hence, after refusing to ratify the agreement (a power that it had been vested with by the Treaty of Lisbon), the EP passed a resolution requiring its renegotiation.26 The third and current PNR agreement between the EU and the US has been in force since 1 July 2012.27 It secures quite a high number of important guarantees (eg by delimiting the purpose and duration of data retention), but it still leaves wide discretion to US authorities in determining exceptions to the retention period and to the anonymization of data.28 Rules similar to those passed in the US were enacted in Canada, as well.29 Thus, in 2005 the EU entered into an agreement with Canada.30 Yet, this text presented some flaws in terms of human rights, not very different from those identified in the abovementioned EU–US agreements. 
Although the EU–Canada agreement provided for a ‘push’ system and envisaged a difference in terms of retention, depending on whether or not passengers were under investigation, it included some controversial provisions on the (anonymization and) re-personalization of data and complex administrative procedures to file any kind of complaint.31 When it expired, in 2009, negotiations re-started and a new agreement was signed on 25 June 2014.32 Due to alleged violations of the rights to privacy and data protection, the agreement was nonetheless challenged by the EP, triggering the procedure under Article 218(11) TFEU, which entitles it to seek the opinion of the CJEU on the compatibility of an international agreement with the EU Treaties, before approving it and determining its definitive entry into force.33

The opinion of the Advocate General: casting doubts on the compatibility of the agreement with the Charter

On 8 September 2016, Advocate General Paolo Mengozzi delivered his Opinion to the Court,34 holding that the EU–Canada PNR agreement should be rejected. The Advocate General argued that the agreement is patently contrary to Articles 7 (right to privacy), 8 (right to data protection) and 52 (principle of proportionality) of the Charter.35 As a preliminary point, addressing the existence of any interference with the rights to privacy and data protection, the Advocate General maintained that a serious interference does exist36 because of the intrinsic characteristics of the collected data. As a matter of fact, PNR data is able to reveal much about the passengers’ life and habits, involving the right to privacy under Article 7 and the ‘closely connected but nonetheless distinct’37 right to data protection under Article 8 of the Charter. The second step of Mengozzi’s Opinion focused on the legitimacy of such interference, assessed under the scheme set forth by Article 52 of the Charter. 
According to this provision, three aspects shall be taken into account: first, whether the interference is provided by law and respects the essence of the right; second, whether it pursues a legitimate aim and third, whether it complies with the principle of proportionality.38 As to the first criterion, from a formal point of view, the Advocate General considered the interference provided for by law: pursuant to the EU Treaties, once all phases for their approval are concluded, international agreements become an integral part of the EU legal order.39 From a substantive perspective, according to Advocate General Mengozzi, the agreement is clear, accessible, and foreseeable enough to meet the standards in terms of ‘quality of the law’ as required by the European Court of Human Rights case law.40 Last but not least, the essence of the right is not impaired, since the mechanism of gradual depersonalization of data does not allow specific conclusions to be drawn on the intimacy of the life of the persons concerned.41 Given the connection between the intended aim of the agreement, ie combating terrorism and other transnational serious crime, and the ‘general interest’ prescribed by Article 52 of the Charter, the Advocate General examined the proportionality of the means employed by the agreement and stressed the necessity of a strict scrutiny, also in light of the Digital Rights and Schrems judgments.42 From this perspective, the Advocate General observed that, even if the means are suitable to pursue the aim,43 many elements indicate that they are not strictly necessary. According to his Opinion, on the one hand, sensitive data should not be included;44 on the other hand, an exhaustive list of ‘serious offences’ should be drawn. Moreover, the Advocate General criticized the very long retention period, not justified by objective reasons:45 pursuant to the agreement, all data must be retained for a maximum of 5 years from collection, although it must be masked after 30 days. 
However, in specific circumstances—ie when it is necessary to carry out investigations46—it is possible to unmask it. He also disapproved of the indiscriminate application of the measures, irrespective of the existence of any suspicion of involvement in terrorist activities.47 Furthermore, these flaws were combined with the vague definition of the Canadian authority tasked with processing data, the lack of strict rules on access to data and the uncertain reference to judicial remedies. Therefore, concluding his Opinion, Mr Mengozzi, although admitting that there would be ways to make PNR transfer compliant with human rights, stated this was not the case for the EU–Canada agreement.48 As a result, he warned EU institutions against the adoption of the text in its current version.

The CJEU’s stance: between right protection and realism

The Grand Chamber of the CJEU delivered its Opinion on 26 July 2017,49 essentially adhering to the Advocate General’s stance and asking for the renegotiation of the agreement. This Opinion is remarkable both for procedural and substantive aspects. In fact, in its ruling, the Court addressed both sides of the EP’s request. It considered the appropriate legal basis for the Council decision on the conclusion of the agreement and it tested the compatibility of the agreement with Articles 7 and 8, read in light of Article 52 of the Charter. As will be explained in this Article, the reasoning on the legal basis showed the material implications of an apparently procedural issue, whilst the approach to the substance of the agreement is coherent with previous case law, but with some relevant novelties. 
The procedural limb of the CJEU’s reasoning: the EU–Canada PNR agreement and its legal basis

As to the first question, the Council decision was based on Articles 82(1)(d) and 87(1)–(2)(a) TFEU concerning measures that facilitate judicial cooperation among Member States in relation to criminal matters and collection of information aimed at police cooperation, respectively. Instead, the EP claimed that the correct legal basis was Article 16 TFEU.50 This provision ensures—at the first paragraph—the protection of personal data and provides—at the second paragraph—that measures aimed at its processing and free movement have to be regulated by the Council and the Parliament ‘acting in accordance with the ordinary legislative procedure’. Accepting the Advocate General’s stance on this point,51 the CJEU found that the agreement should be based on Articles 16 and 87 TFEU jointly,52 rather than on Article 82 TFEU. In particular, the Court remarked that there are no provisions envisaging a facilitation of judicial cooperation and the Canadian authority in charge of the use of PNR data is not a judicial authority, nor equivalent to it. As a result, Article 82 had to be excluded. In order to reach its conclusion about the legal basis, the Court underlined that the agreement has a two-fold aim: on the one side, the transfer of PNR data should ensure public security; on the other side, the protection of such data cannot be disregarded.53 These two components are, according to the CJEU, ‘inextricably linked’.54 The Court highlighted that such objectives are within the scope of both Articles 16 and 87(2)(a) TFEU. On the one hand, the invocation of Article 16(2) was correct, as the adopted measures—enacted through an international agreement, which becomes a source of EU law—were aimed at protecting personal data. 
On the other hand, Article 87(2)(a) was invoked properly, as well, because it enables the EP and the Council to establish measures in the field of police cooperation with regard to the ‘collection, storage, processing, analysis and exchange of relevant information’. Here, in the CJEU’s view, the concept of ‘information’ includes ‘personal data’ and the activities regulated by the agreement consist exactly of ‘processing’ and ‘exchange’. At this point of its reasoning, pursuant to Article 25 DPD, the Court also reiterated that the transfer of PNR data towards third countries cannot take place unless an ‘adequate level of protection’ is certified by the Commission.55 This concept was interpreted by the CJEU in the Schrems judgment56 as an ‘essentially equivalent’ level of data protection ensured by the third country to which data is going to be transferred. ‘Essential equivalence’ does not mean that third countries have to guarantee safeguards that are identical to those offered by EU legislation, in terms of data protection (namely, according to the Schrems decision, the provisions of the DPD read in light of the Charter),57 but the standard of protection (ie essential safeguards) must be comparable. Thus, the ‘core’ of EU law on data protection has to be preliminarily identified and, then, its respect has to be regarded as a conditio sine qua non for the processing of data beyond EU jurisdiction. For instance, the EU and a third country may establish supervisory bodies that differ as to their structure, composition, modus operandi, or other features; what matters, though, is that, in practice, they work as independent entities, since Article 8(3) of the Charter requires so. 
Additionally, in Schrems, the CJEU declared that no excessive discretion must be granted to the Commission when it takes the so-called adequacy decision and, for this reason, it listed a number of criteria that the Commission itself has to consider.58 Notably, Article 45 of Regulation 679/2016, which is going to replace the DPD from 25 May 2018 onwards, incorporated such criteria.59 Since the rationale behind ‘adequacy’ (and, hence, ‘essential equivalence’) is to avoid any risk of indirect circumvention of EU guarantees related to data protection, if EU institutions did not require adequacy when they act in external relations, the effectiveness of the EU data protection framework would be, de facto, frustrated. In other words, the high EU standards would cease to be applied on the international scene. This double standard would result in unjustified inequality between individuals whose data is processed within the EU and others whose information is transferred from the EU to third countries (for commercial reasons or for other purposes). Moreover, by claiming that essential equivalence has to be ascertained in relation to established EU standards, the CJEU granted EU law (and the Charter, especially) indirect extraterritorial implementation.60 This is a remarkable step in building a ‘global’ framework for data processing and, consequently, global standards of protection,61 in which the EU’s leading role has been increasing sharply over the past years. Such ‘globalisation’ of standards is coherent with a general attitude consisting of providing ‘harmonised’ legal rules on some topical issues (eg data protection, environment, transnational trade) that may have cross-border implications.62

The substantive limb of the CJEU’s reasoning: the EU–Canada PNR agreement and its compatibility with the Charter

Moving to the second question, the CJEU tested the compatibility of the provisions set by the agreement with the standards established by the TFEU and the Charter. 
Indeed, the CJEU underlined that the agreement had to be assessed in relation to data protection only with regard to Article 8 of the Charter, without separately considering Article 16 TFEU, since the former is more specific than the latter. First of all, the CJEU determined the existence of an interference with the rights concerned, as PNR data includes information that allows the identification of individuals’ personal data, which is then processed within the meaning of Article 8 of the Charter.63 In order to assess whether (or not) such interference is justified, the CJEU started by considering the basis for such limitation, finding it64 to be legitimate and laid down by law, due to the pursuance of an objective of general interest (namely, public security). Moreover, this interference does not affect the essence of the concerned rights for several reasons. First, PNR data is processed for limited purposes; second, security, confidentiality and integrity of data are ensured by the agreement; and third, the agreement guarantees protection against unlawful access and processing.65 The most articulated part of the decision relates to the necessity of such interference. The CJEU found that several applicable standards—eg clarity and precision, purpose limitation—are not met by the current text of the agreement, which, instead, complies with EU law as to some other aspects. First, in line with the Advocate General’s reasoning, the Court argued that the concerned PNR data is not determined enough: it is not clear which type of data is covered by the agreement.66 For example, the use of the word ‘etc.’ was particularly criticized,67 as well as the expression ‘all available contact information’.68 In addition, the CJEU highlighted that the envisaged framework may include sensitive data,69 which is therefore transferred and processed without a solid justification. 
Notably, in the Court’s view, prevention of terrorism was not deemed to be such.70 Second, the CJEU addressed automatic processing. According to the agreement,71 such mechanism works as follows: data is collected and automatically processed; automatic analysis implies a cross-check with databases containing information on suspected terrorists; if some profiles match, the analysis is repeated in a non-automated way, in order to concretely assess whether it is necessary to take individual measures against targeted passengers. The Court praised the fact that automatic processing has to be followed by a re-examination through non-automated means.72 However, in accordance with the Advocate General’s Opinion, it specified that databases with which data is cross-checked must be ‘reliable, up to date and limited to databases used by Canada in relation to the fight against terrorism and serious transnational crime’.73 Third, the CJEU found some of the purposes for processing PNR data to be neither clear nor sufficiently defined. Although the definitions of ‘terrorist offence’ and ‘serious transnational crime’ are well specified in the agreement itself,74 the text also allows PNR data to be processed for ‘other purposes’, which are not listed in detail.75 The fourth and fifth points analysed by the Court, ie the competent Canadian authority charged with the processing of data and categories of passengers concerned, respectively, were deemed to comply with EU law, since they are defined with sufficient clarity and precision.76 Sixth, there are no clear and precise rules in relation to the retention of data. 
The CJEU recalled that there must be a connection between the retention of personal data and the aim pursued by the agreement,77 to be established by way of objective criteria, which must result in the existence of substantive and procedural conditions governing the use of data.78 According to the agreement, data can be retained and used before the arrival of passengers, during their stay in Canada, at their departure and even after it.79 The CJEU stated that retention of data after passengers’ departure is particularly tricky. Since such data has already been checked and verified, it would not be necessary to continue to store it, unless there are objective reasons to do so.80 On the contrary, as to data retention and use before passengers’ arrival and during their stay in Canada, the Court acknowledged the existence of a connection between these activities and the pursued objective. Nonetheless, rules about retention and use were found to exceed what is strictly necessary,81 due to the lack of a review (carried out by a judicial or independent administrative body) on the use of data related to passengers staying on Canadian territory. Lastly, the CJEU analysed provisions concerning disclosure. The agreement allows disclosure of data to Canadian government authorities, to those of third countries and, in (unspecified) particular circumstances, to individuals. In all these cases, the concerned measures do not comply with the strict necessity test. More specifically, disclosure of data to Canadian authorities should be made in accordance with rules governing the use of data; nevertheless, such rules are not well-defined.82 Additionally, the Court noted that, to prevent disclosure to third countries’ authorities from concealing a circumvention of guarantees enshrined in EU law, an agreement between the EU and the third country or a Commission adequacy decision should certify the same level of protection. 
The EU–Canada PNR agreement does not require this; as a result, disclosure is not limited to what is strictly necessary.83 As to disclosure to individuals, allowed when ‘legitimated interests of the individual [are] concerned’, the Court found a major flaw in the fact that the agreement does not specify legal requirements and limitations, concerned interests as well as envisaged purposes and applicable guarantees.84 After assessing the necessity and proportionality of the interference, the CJEU examined two other important aspects of the agreement: the guarantees for passengers enshrined in the text and the existence of safeguards related to oversight of the measures concerned. As to the first issue, the CJEU condemned the lack of a system of notification; in other words, passengers should be made individually aware of the processing and use of their data.85 As to the second issue, the agreement states that data protection safeguards will be subject to the oversight of an ‘independent public authority’ or of an ‘authority created by administrative means that exercised its functions in an impartial manner and that has proven a record of autonomy’. According to the Court, the use of this alternative wording implies that the oversight, or at least part of it, may hypothetically be carried out by a body that is not completely independent.86 Hence, as stated by the Advocate General, full independence in the oversight process is not guaranteed by the agreement. Against this background, the agreement is going to be re-negotiated according to the CJEU’s guidelines. The procedure restarted in October 2017, when the Commission adopted a recommendation for a Council decision on the reopening of negotiations ‘in a manner which is compliant with the Court’s requirements’.87

Why is Opinion 1/15 a landmark case?

In this Opinion the CJEU has succeeded in reconciling fundamental rights and security needs, working as a catalyst of its previous case law and leading it to further developments. In particular, combining previously settled concepts, the Court managed to reach new findings that make this decision a landmark one. In order to analyse this Opinion, it is worth focusing on some significant aspects. First, the CJEU did allow mass surveillance as a matter of principle. However, the requirements that surveillance measures have to meet are so detailed and specific that it may not be easy to implement them in practice. Actually, the Court’s case law, including the examined Opinion, shows that those standards have not been met yet. Therefore, there is a sort of discrepancy between what is theoretically admissible and what is practically achievable or, at least, has been achieved until this moment. Second, the CJEU performed the task of a legislative body, triggering a sort of ‘revolution’ in the EU institutional balance of powers, as demonstrated by several passages of the Opinion that censor the wording of the agreement88 and give guidelines to redraft it. Last but not least, the Court’s reasoning on the legal basis for the adoption of the agreement is not a merely formal passage of the ruling. The following analysis will focus on these points and develop them to highlight the importance of the Opinion and its remarkably innovative features.

The legal basis: merely a matter of form?

As outlined above, in this Opinion the CJEU found that the Council decision on the adoption of the agreement should be based on Articles 16 and 87 TFEU in conjunction. In doing so, the Court openly recognized the double aim of the agreement, seeking to protect, at the same time, personal data and public security. 
In clearer words, invoking these two Articles as the appropriate legal bases, the Court, in a still procedural limb of its reasoning, anticipated the essential need for a balance between two competing interests, which would be then implemented in the substantive limb of the decision. In addition, the CJEU’s stance on the legal basis paves the way for further considerations, mainly with regard to Article 16 TFEU. First of all, the invocation of Article 16 as legal basis for a Council decision on the conclusion of an international agreement is a novelty.89 Article 16 TFEU was introduced by the Treaty of Lisbon and enables the EU to act in order to guarantee data protection.90 Differently from other provisions governing data protection in EU law—namely, Article 286 of the EC Treaty (ie Article 16 TFEU’s predecessor, introduced by the Treaty of Amsterdam) and Directive 95/46/EC—it applies to all areas of law, including freedom, security and justice.91 At the same time, it differs from Article 8 of the Charter, which does not directly impose concrete legislative action on EU institutions.92 The legal basis of EU acts dealing with data retention and its exchange has represented a highly debated issue over the years, also in the case law of the CJEU. In this regard, it is worth mentioning the first case in which the Court ruled on a PNR agreement, determining the invalidation of the 2004 EU–US deal.93 In that decision, the Court held the inappropriateness of the Council decision’s legal basis, arguing that public security was the main aim of the international agreement. On the contrary, at that time, the Council decision on the signing of the agreement was based on Article 95 EC (first pillar provision), regulating the functioning of the internal market and ‘approximation of national laws’ to this aim. 
In order to take into account this decision, subsequent agreements with the US (signed in 2007) and with Canada (in place from 2006 to 2009) were based on two provisions of the third pillar (police and criminal cooperation), ie former Articles 24 and 38 of the Treaty on the European Union (TEU), whose combination allowed the exchange of information with third countries to enhance police cooperation.94 Moving the legal basis from the first to the third pillar meant that the EP lost its chance to challenge the agreement95 (but things changed after the Lisbon Treaty, which eliminated the pillar structure). Further discussion on the legal basis of an EU act restricting the right to data protection was triggered when Ireland challenged the DRD,96 alleging the inappropriateness of Article 95 EC as its legal basis. In this case, the Court rejected the plea for annulment,97 arguing that there were sufficient elements to maintain that harmonization of retention rules was required in order to avoid distortion of the internal market, which was, consequently, the primary purpose of the act.98 Both those proceedings—the ‘PNR case’99 and the ‘data retention case’100—took place before the Lisbon Treaty, which introduced, through Article 16 TFEU, a ‘comprehensive legal framework for data protection’.101 In other words, by way of Article 16 TFEU, data protection ceased to be read in a mere market dimension and began to be fully perceived as an individual right. Nonetheless, both the PNR agreement with the US and the one with Australia in their current versions, entered into force in 2012, are not based on Article 16, but on Articles 82(1)(d) and 87(2) TFEU, ie two provisions relating to the area of freedom, security and justice.102 This choice was made in spite of the 2010 EP’s resolution, calling for the inclusion of Article 16 TFEU as a legal basis in the renegotiation of agreements on data transfer.103 Moreover, even the 2016 PNR Directive is based on Articles 82(1)(d) and 87(2) TFEU. 
Therefore, identifying Article 16 TFEU as an appropriate legal basis for the Council decision on PNR agreements, as the Court did in July 2017, may open a discussion on the appropriateness of the PNR Directive’s legal basis, as well. Notably, Directive 681/2016 was adopted within the framework of a more comprehensive reform of data protection rules at the EU level. This included the adoption of Regulation 679/2016104 and Directive 680/2016,105 establishing the general data protection framework after the repeal of Directive 95/46 and the specific regime with regard to data processing for the purpose of prevention, investigation, and prosecution of crimes, respectively. Both Regulation 679/2016 and Directive 680/2016 are based—exclusively—on Article 16 TFEU. Hence, it is not easy to understand why Directive 681/2016 did not follow this trend. Such a reluctance might be explained by the fact that the field of data exchange with third countries is regarded as raising more concerns in terms of judicial and police cooperation (ie a security-oriented approach), rather than in terms of genuine protection of individual rights (ie a rights-oriented approach). However, in light of this finding by Opinion 1/15, it is very likely that a national court, through a preliminary reference to the CJEU, will challenge the EU PNR Directive’s validity on the ground that its legal basis should be Article 16 TFEU. Irrespective of whether (or not) the issue of the PNR Directive’s legal basis will be raised before the CJEU, it is worth noting that the Court highly contributed to the reinforcement of the right to data protection as an autonomous right in all fields of EU law, by referring to Article 16 TFEU as an appropriate legal basis in this context. This approach is instrumental to bolster the role of the EU as an entity with its own (lato sensu) constitutional standing, even when it acts on the international scene and not only when it regulates internal matters. 
Indeed, at the legislative level, since Regulation 679/2016 and Directive 680/2016 have been based on Article 16 TFEU, some progress is being made in building a ‘comprehensive legal framework’ for EU data protection. A further step in this process would be represented by a systematic use of Article 16 TFEU as a legal basis, even when the EU institutions act in their international capacity. As a result, the legal basis ceased to be a merely formal issue and instead substantively fostered the EU’s role in protecting fundamental rights in an autonomous and effective way.

PNR system: the Court’s material guidelines

In the commented Opinion, the CJEU laid down some significant guidelines, which other EU institutions will have to follow when they redraft the agreement. Once again and more specifically than in other decisions, the Court clarified the circumstances and conditions under which the transfer, retention and use of PNR data can be deemed compliant with guarantees enshrined in EU law. In its previous judgments, the CJEU had implicitly admitted that mass surveillance was not to be rejected in toto. However, only in the latest decision did it list a set of rules to make surveillance tools proportionate to the goal of ensuring public security and thus legitimate. Such a thorough and accurate assessment deserves a further point-by-point analysis. First, in Opinion 1/15, the CJEU underlined that categories of PNR data covered by the agreement must be clearly and precisely indicated and this has not been done in all of the cases listed by the Annex to the envisaged agreement. From this standpoint, the Court even criticized the wording of some of its headlines, engaging in a careful and detailed analysis.106 In this passage, a strict scrutiny is enacted. 
In other words, in the (successful) attempt to secure the highest level of protection to individuals, the Court did not stop at mere appearances, determining that the agreement’s wording is unacceptably vague, even if the list of PNR data provided by the Annex to the agreement contains a delimitative clause,[107] hence being a closed one.[108] In this way, the CJEU went beyond previous decisions in which it had abstractly affirmed the need for an exhaustive list.[109] Not being satisfied with the mere existence of such a catalogue, the Grand Chamber scrutinized its merits, thus demonstrating the substantive nature of its review. Moreover, the strong claim to exclude sensitive data from the scope of the agreement is particularly important in terms of human rights protection, but less striking as to its innovative features, since it seems to be mirrored in recent pieces of EU legislation. In this respect, the recent Directive 681/2016,[110] dealing with PNR at EU level, prohibits the processing and use of sensitive data. Actually, the Court held that sensitive data could hypothetically be transferred to Canada if a ‘precise and solid justification’[111] exists; however, and importantly, it considered that the general need to protect public security against terrorism is not such. This caveat is an indication of the predominantly rights-protective stance of the CJEU, even when the terrorist threat leads it to embrace a realistic approach and admit mass surveillance.[112] In other words, although the Court is leaning towards the acceptance of a certain amount of intrusiveness into everyone’s life, even when the concerned person is not suspected of any link with terrorism or other serious crime, it fixed strict limits beyond which it is (almost) not possible to stray.
For example, a firm stance against discriminatory profiling lies behind the prohibition on the use of sensitive data.[113] Prohibition of profiling seems, at first glance, the only absolute ban imposed by the Court due to its discriminatory implications.[114] As a matter of fact, by relying on individuals’ sensitive data, such as religion or race, public authorities could be allowed to harshen measures against specific groups of people (eg Muslims), who might hence be treated as terrorist suspects par excellence. This would obviously result in discrimination against such groups, targeted by counterterrorism measures in a different manner from others. By contrast, the apparently non-discriminatory approach emerging from the decision may seem partially incoherent with mass surveillance that is, de facto, targeted at selected groups. Nonetheless, a deeper insight into the issue shows that limited hypotheses in which profiling might be allowed, at least as a last resort tool, can be discerned. Specifically, this happens when public security becomes such a pressing need—and this should be assessed case-by-case—that it amounts to ‘a good reason’ justifying even the use of sensitive data.[115] As a result, profiling in such very restricted cases would be permitted. Ultimately, although the ban on profiling is considered by the Court as a particularly rigid and solid barrier, also in light of the general prohibition of any discrimination that permeates all fields of EU law, some room for overcoming it may be detected. Besides, a potential risk of discriminatory profiling is embodied in the PNR Directive,[116] as well.
Turning to the second passage of Opinion 1/15’s assessment of proportionality, data should not be processed only by automated means, but a non-automated re-examination should follow.[117] The CJEU did not find the envisaged agreement to be flawed on this point, as it recognized that its Article 15 provides for non-automated analysis in cases in which it is necessary to take ‘decisions adversely affecting a passenger to a significant extent’. At any rate, the CJEU made a crucial statement in relation to the automated phase of processing, which implies a cross-checking of collected information with databases containing data of suspected terrorists. The Grand Chamber remarked that such activity should be carried out through safe and ‘reliable’ databases, limited to those used by Canada for counter-terrorism purposes. In this case, the statement of the Court is the result of a commendable attitude towards individual rights; nevertheless, the CJEU failed to issue concrete guidelines about the meaning of the adjective ‘reliable’. Concerns expressed by the Court against (merely) automatic analysis derive from its firm rejection of automated profiling, the latter being the effect of the former. As a matter of fact, if the whole mechanism worked in an automated way, terrorist suspects would be mechanically selected on the grounds of certain features that, when matched, would result in sensitive data. The Court’s third point was that the PNR mechanisms have to be grounded on ‘good reasons’, namely strong justifying purposes. Consequently, the expression ‘other purposes’ does not meet the requested standard.[118] In so doing, the Court underlined its rejection of vague wording. A fourth factor that the Court addressed and criticized was the crucial aspect of the retention and use of collected data.
The Grand Chamber declared that data of passengers who have already left the Canadian territory should be stored only when there is ‘objective evidence’[119] of a potential risk in relation to acts of terrorism and serious crime. This is a major point of the Opinion for two main reasons: its potential implications on the 2016 PNR Directive and its relationship with the CJEU’s previous case law. With regard to the PNR Directive, such timing differentiation (among passengers before their arrival, during their stay, on their departure and after their departure) is not provided therein. This lack of distinction could cause legal challenges to such legislation. Therefore, while for some other aspects the PNR Directive is drafted in compliance with the Court’s guidelines (eg prohibition of using sensitive data[120] and need for human intervention in the processing of data),[121] this might be a tricky issue. In effect, if the agreement has to be renegotiated according to that differentiation, whilst the Directive remained in its current form, it would be easy to envisage a discrimination depending on whether data is collected in the EU territory or in non-EU jurisdictions (specifically, in Canada). Moreover, the addressed differentiation could impose the need to find a way to correlate the intelligence analysis of PNR data with mechanisms aimed at border control.[122] With regard to the relationship between the current CJEU’s stance and its previous case law on retention, it is worth remarking several points. Undoubtedly, the CJEU’s reasoning is influenced by previous judgments on data retention, namely Digital Rights (mainly) and Tele2 (that mostly reiterated principles set in Digital Rights). Nonetheless, in Opinion 1/15 the CJEU appeared to go beyond Digital Rights, since it dealt with much more specific topics and addressed retention in greater detail.
In Digital Rights, the CJEU quashed the provision of the DRD leaving Member States a leeway of choice between 6 and 24 months, while in this case a much longer period (maximum 5 years) is deemed appropriate. In spite of such (apparent) contradiction, there is no (real) inconsistency: what the CJEU criticized in Digital Rights was not the length of the period per se, but rather the fact that specific criteria to choose between the minimum (6 months) and the maximum (2 years) length were not set. On the contrary, in Opinion 1/15, the retention period fixed by the agreement (ie maximum 5 years, the same as the PNR Directive[123]) was taken into consideration per se. To a certain extent, what casts some doubts on the CJEU’s reasoning is the Court’s general criterion to assess the legitimacy of retention periods. One of the interpretative pathways that the Court may have followed (even if not explicitly) is the need to evaluate proportionality and necessity of each provision within the legal text under review (namely the DRD and the EU–Canada PNR agreement), both individually and with regard to their combined effect. From this perspective, what seems an inconsistency in the CJEU’s case law can be read—instead—as an effort towards a more careful balancing of the interests at stake. The focus on the retention period can be especially enlightening in this regard. A (quite long) maximum retention period of 5 years, as provided by the EU–Canada PNR agreement, may prima facie seem inconsistent with the Digital Rights principles. Nevertheless, it should be taken into account that the scope of such agreement is considerably narrower than that of the DRD, both in terms of the type and amount of concerned data and of the number of people potentially affected by data collection and retention. This distinction determines, in general, a different kind of surveillance. Furthermore, at least two more elements differentiate the DRD from the EU–Canada PNR agreement.
Firstly, while the maximum period of retention is set at 5 years by the agreement, in case no use is made of collected data, identifying information should be masked after only 30 days and PNR data should be completely anonymized after 2 years. Secondly, the PNR agreement is considerably more precise than the DRD as regards the purposes for data retention. As to the mechanism of anonymization of data described above, it is worth noting the different approaches taken by the Advocate General and by the Court respectively. The former focused on it as a key tool for the safeguard of individual rights, in spite of the quite long retention period. The latter—by contrast—did not address such argument explicitly and this may convey the wrong idea that a 5-year term is justifiable per se. This lack of clarity by the Court may in fact cause further uncertainty, which is undesirable in such a delicate field. The fifth flaw of the agreement, according to the CJEU, was data disclosure. If Canadian authorities have to disclose collected data to a third country’s authority, an adequacy decision of the Commission or an international agreement in place between such country and the EU should be adopted, in order to avoid indirect circumvention of EU law standards. In relation to this, the CJEU strongly relied on Schrems, in which it definitively interpreted the meaning of ‘adequate level of protection’. The sixth critique of the Court concentrated on notification. According to the CJEU, data subjects should be individually notified when their PNR data is transferred and used by the competent Canadian authority or when data is disclosed. This is another key point. Together with the Court’s stance on oversight—which will be analysed immediately after—notification is part of the assessment on passengers’ individual rights.
These two issues are addressed without applying the strict proportionality test, which is employed when an evaluation on the justification of an interference (ie a limitation of a right) is required. On the contrary, in this passage, the Court was called to a more general review on the appropriateness of a set of guarantees (in which no limitations of rights are involved). Referring to previous case law of the CJEU on data protection as a fundamental right, individual notification had not been expressly examined in detail in Digital Rights, but only in Tele2.[124] This could be explained by the fact that Tele2 was issued by the Court at the end of 2016, when the abovementioned EU reform on personal data, giving high importance to the rights to access, erasure and redress, had already been approved.[125] In both Opinion 1/15 and Tele2, the CJEU claimed that subjects, whose data is transferred and used by competent national authorities in charge of accessing it, have to be individually notified. Notification is instrumental to ensure the right of access to data, so that individuals can ascertain that data is processed in a correct and lawful manner (a guarantee that, according to the Court’s case law,[126] is embodied in the right to privacy). Notification is hence aimed at giving the data subject the chance, if necessary, to obtain rectification or erasure, and to exercise the right to an effective remedy, implying judicial redress (Article 47 of the Charter). Consequently, notification is essential for the respect of a set of very important guarantees enshrined in EU law.
Additionally, the CJEU linked the time in which notification can be issued to that in which such communication ‘is no longer able to jeopardise the investigations being carried out’.[127] Thus, the Court applied a well-established principle of criminal law, seeking to ensure transparency (and, at the same time, the right to a defence, derived from the presumption of innocence), avoiding, simultaneously, any interference with investigations. Lastly, independent oversight should be provided.[128] This may cast doubts on the mechanisms set forth by the Privacy Shield, ie the framework regulating the exchange of data between the EU and the US after the previous one, the Safe Harbour agreement, was invalidated by the Schrems judgment. Indeed, the Privacy Shield took into account the Schrems principles, guaranteeing an effective comparative evaluation of standards, in compliance with the ‘essential equivalence’ requirement set by the CJEU.[129] In this light, the Privacy Shield allows a more careful and continuous check on the adequacy of US guarantees. A much more detailed set of liability rules, stricter transparency clauses and a greater number of formal steps to be taken for self-certification are just some examples.[130] Yet, alongside these positive aspects, many concerns on this new framework have recently been raised by both a resolution of the Committee on Civil Liberties, Justice and Home Affairs of the Parliament[131] and the first Joint Review on the implementation of such regime,[132] carried out by EU and US authorities in conjunction. Among other things, the insufficient independence of the body charged with oversight was pointed out by both documents.
In sum, not only will this Opinion probably have significant repercussions on the PNR Directive and the Privacy Shield, but it will also impact on other PNR agreements, both existing (ie with the US and Australia)[133] and future ones (relevantly, while this proceeding was pending, the Parliament asked for negotiations with Mexico to be suspended).[134]

The CJEU and counter-terrorism: a revolution in the EU institutional balance?

From a more general point of view, it is worth remarking that this is the first time that the CJEU had to rule on the compatibility of an international agreement with guarantees enshrined in the Charter. In doing so, the Court marked a particularly important step for two main reasons. On the one hand, its Opinion reinforced the ‘constitutional’ value of the Charter,[135] which works as the only parameter to decide whether challenged acts (among which international agreements) violate EU law. On the other hand, this resulted in the affirmation of the full capability of international agreements themselves to integrate EU law,[136] with relevant consequences in terms of constitutional structure of the EU. This approach reflects the supremacy of EU constitutional values, even over what has been negotiated at the international level. Furthermore, both the Parliament and the CJEU made an effective use of the mechanism—explicitly envisaged by the EU Treaties—allowing a challenge to an international treaty allegedly violating EU law. The former, although it preferred not to decide on such a politically strategic issue, especially in time of terrorism, at least chose to ask the Court’s Opinion, giving it the chance to rule on the matter. The Parliament might be hence considered as the only legislative body of the EU that is not totally yielding to a securitarian approach, differently from the Council and the Commission.
Therefore, not all EU institutions taking part in (lato sensu) legislation-making are letting security prevail over rights; the attitude of the Parliament shows at least the existence of an internal cleavage on the matter. Additionally, by way of its request, the Parliament implicitly but strongly invited the CJEU to finally rule on the merits of a PNR agreement. As said, when it repealed the first agreement with the US,[137] the Court decided on the basis of procedural grounds only; in such circumstance, the Parliament had not relied on the Charter to raise its human rights concerns, since it had a merely interpretative value before the Lisbon Treaty. For its part, the CJEU quickly took the opportunity to do what it had not done before, ie explicitly extending principles elaborated in a long series of mainstream decisions to EU external relations. This conveys the idea that the guarantees of the rights to privacy and to data protection must be affirmed on a global scale, in spite of challenging times. Notably, not only did the CJEU affirm this through a further elaboration of values emerging from Articles 7 and 8 of the Charter, but it even found a way to give a substantive dimension to apparently ‘formalistic’ arguments, such as the one on the legal basis. The CJEU also did something else that is worth remarking: in carefully analysing the text of the agreement, even censoring its wording, it engaged in a task that can be defined as ‘borderline’ with that of a legislative drafting committee. Again, this attitude of the CJEU is neither totally new nor unexpected. Already in its previous decisions, such as Digital Rights, the Court had carefully scrutinized how provisions were written.[138] Yet, on this occasion, the Court suggested to other EU institutions the correct way to redraft the agreement, not only by way of principled declarations, but also through concrete examples of words and phrases to be substituted.
Moreover, in Opinion 1/15, the CJEU’s guidelines are not aimed at redrafting an internal act—such as a directive—but an international treaty. This particularly high rate of ‘intrusiveness’ by the CJEU can be related to the gist of this decision, which can be synthesized as follows. Conceiving a legal framework in which surveillance has no role would be utopian, given the strength of the current terrorist threat; nonetheless, mass surveillance must be subject to particularly strict rules. Against this background, if the policy-maker proves unable to remain within these limits and guarantee that individual rights will not be totally sacrificed in the name of security, the Court will be increasingly called to play a pivotal role. This approach means going beyond its institutional attributions and bearing quasi-legislative (and political) responsibility, a task in which, this time, the CJEU engaged more vigorously and firmly than ever. This proactive approach is praiseworthy, but further results could be more easily reached if each actor on the scene adopted a bit of the CJEU’s courageous approach seeking to concretely reconcile rights and security. In other words, a scenario in which other EU institutions, as well as Member States, cooperate in order to reach a fair balance between rights and security, rather than discharging on courts alone the responsibility to ‘draw the line’—as the EP itself did with the CJEU—would be far preferable. Such a desirable framework would also decrease the risk of distorting each body’s institutional role.[139]

Conclusion

The Court’s Opinion on the EU–Canada PNR agreement is a landmark decision within the EU case law due to a number of reasons, which emerged in this Article.
Being the first decision to assess the compatibility of an international agreement with the Charter, it goes far beyond the—careful and thorough—analysis of very technical issues, characterizing itself for many further features, which all converge towards the attempt to shape the tricky balance between rights and security in an increasingly detailed and rational manner.[140] Its essence lies in two (apparently opposite, but indeed compatible) claims. On the one hand, the CJEU has ultimately accepted that a generalized and indiscriminate control on travellers is a useful and legitimate tool in the fight against terrorism. On the other hand, it showed awareness of serious risks that bulk surveillance implies for individual rights, in particular when clear and precise criteria on the concrete implementation of such measures are lacking. As a result, the EU–Canada PNR agreement faced a very strict scrutiny. It is now necessary to take stock of the analysis (developed in this Article) with a view to drawing some conclusive remarks. First of all, with regard to the challenging balance between rights and security, the Court—in a fashion that other EU and national institutions should also replicate—took a firm stance towards the protection of individual rights, but avoided, at the same time, the pitfalls of a utopian approach. In other words, it remained steady on the realistic assumption that, if the Western world wants to protect itself from terrorism, some intrusion in individual rights must necessarily be endorsed. Consequently, the CJEU accepted mass surveillance. However, it set out several strict conditions to make such a form of bulk control legitimate. In so doing, the Court’s decision increases the awareness that rights can be safeguarded also without giving up realism and plays a pivotal role within the lively theoretical debate on rights and security.
Notably, the CJEU even managed to do so by using apparently mere procedural issues in a way that is instrumental to its stance on substantive issues. Emblematically, the reasoning on the legal basis both anticipates balancing efforts of the Court (in addressing the material question raised by the EP, ie the compatibility of the agreement with fundamental rights) and strongly calls for the concrete establishment of a comprehensive legal framework for data protection. Thus, such a ‘substantive use’ of a procedural issue is noteworthy. Secondly, although Opinion 1/15 resulted in the validation, reinforcement, refinement and specification of what the CJEU had already stated, in at least three previous decisions, in relation to the collection, retention and use of personal data, the Court addressed the PNR issue adopting a quasi-legislative approach. This attitude deserves to be underlined for both practical and more general reasons. As to practical consequences, the Opinion will impact on agreements in force between the EU and third countries on the exchange of PNR data as well as on those under negotiation. EU institutions are likely to renegotiate agreements already in place, in order to comply with the CJEU’s standards. Likewise, the Court’s dicta will act as negotiation guidelines in relation to forthcoming agreements (eg with Mexico). Thirdly, and from a more general perspective, the CJEU’s quasi-legislative attitude raises interesting remarks with regard to the role of the Court within the EU framework. Here, it is worth highlighting that, acting almost like a drafting committee, the CJEU took a quasi-political responsibility. This is the same political responsibility that the Parliament did not dare to take when it triggered the procedure under Article 218(11) TFEU and shifted the task to the Court, instead of directly blocking the adoption of the agreement, as this choice would be unpopular in times of international terrorism.
Last but not least, the expanded role of the Charter emerged clearly in Opinion 1/15. Actually, not only did the CJEU use it as the only parameter—in line with its previous case law and enhancing the EU's (lato sensu) constitutional standing—but it even contributed to giving the Charter (and rights enshrined therein) a ‘global’ dimension. As a matter of fact, Canada—or any other third country—will have to respect the Charter, if it wishes to preserve (economic) relationships with the EU. Therefore, the Charter is gaining extra-jurisdictional enforceability, following a process that may be defined as ‘globalisation of standards’, in which the EU is affirming its leadership. Therefore, for all these reasons, Opinion 1/15 is a landmark decision, even if for several aspects it is along the same general lines of previous decisions, which have been confirmed and reinforced. Ultimately, Opinion 1/15 conveys the idea that rights can be protected without giving up a realistic approach. In doing so, the CJEU increasingly shows its fully right-oriented nature, in spite of being born as a judge of ‘economic freedoms’ only. Should other institutions—both at the EU and national level—embrace a similar attitude, this would undoubtedly be helpful to develop an effective and workable counter-terrorism strategy, combining the vital interest of democracy with the need to tackle security threats.

The Author would like to express her special gratitude to Chiara Graziani for research assistance.

Footnotes

1 Didier Bigo and Anastassia Tsoukala (eds), Terror, Insecurity and Liberty (Routledge, New York, US 2008); Kim L Scheppele, ‘Global Security Law and the Challenge to Constitutionalism After 9/11’ (2011) PL 352; Aniceto Masferrer, ‘The Fragility of Fundamental Rights in the Origins of Modern Constitutionalism: Its Negative Impact in Protecting Human Rights in the “War on Terror” Era’ in Aniceto Masferrer and Clive Walker (eds), Counter-Terrorism, Human Rights and the Rule of Law.
Crossing Legal Boundaries in Defence of the State (Edward Elgar, Cheltenham-Northampton, UK-US 2012) 37; Viktor V Ramraj and others (eds), Global Anti-Terrorism Law and Policy (CUP, Cambridge, UK 2012); Genevieve Lennon and Clive Walker (eds), Routledge Handbook of Law and Terrorism (Routledge, New York, US 2015).
2 David Barnard-Wills, ‘Security, Privacy and Surveillance in European Policy Documents’ (2013) 3 IDPL 170, showing, with comparative approach, high reliance of anti-terrorism policies on intelligence information sharing.
3 For an analysis on differences and correlations between these two rights, Christopher Dockesey, ‘Four Fundamental Rights: Finding the Balance’ (2016) 6 IDPL 195, 197; arguing that the right to data protection aims at safeguarding privacy in the information society. See also Orla Lynskey, ‘Deconstructing Data Protection: The “Added Value” of a Right to Data Protection in the European Legal Order’ (2014) 63 ICLQ 569.
4 For a recent analysis, David Cole and others (eds), Surveillance, Privacy and Transatlantic Relations (Hart Publishing, Oxford, UK 2017) and Maria Tzanou, The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance (Hart Publishing, Oxford, UK 2017) 107. For a comparative perspective, Ira S Rubinstein and others, ‘Systematic Government Access to Personal Data: A Comparative Analysis’ (2014) 4 IDPL 96.
5 The high reliance of securitarian policies on data collected during travels made scholars consider the concept of ‘aviation security’. See Olga Mironenko Enerstvedt, Aviation Security, Privacy, Data Protection and Other Human Rights: Technologies and Legal Principles (Springer, Cham, CH 2017).
6 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12 [2014] ECR I-238.
See Arianna Vedaschi and Valerio Lubello, ‘Data Retention and Its Implications for the Fundamental Right to Privacy: A European Perspective’ (2015) 20 Tilburg LR 14; Orla Lynskey, ‘The Data Retention Directive is Incompatible with the Rights to Privacy and Data Protection and Is Invalid in its Entirety: Digital Rights Ireland’ (2014) 51 CML Rev 1789; Tuomas Ojanen, ‘Privacy Is More Than Just a Seven-Letter Word: The Court of Justice of the European Union Sets Constitutional Limits on Mass Surveillance’ (2014) 10 EuConst 528.
7 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ 2006 L 105/54. See Roger Clarke, ‘Data Retention as Mass Surveillance: The Need for an Evaluative Framework’ (2015) 5 IDPL 121.
8 Maximillian Schrems v Data Protection Commissioner, Case C-362/14 [2015] All ER (D) 34. See Loïc Azoulai and Marjin Van der Sluis, ‘Institutionalizing personal data protection in times of global institutional distrust’ (2016) 53 CML Rev 1343; Tuomas Ojanen, ‘Making the Essence of Fundamental Rights Real: The Court of Justice of the European Union Clarifies the Structure of Fundamental Rights under the Charter’ (2016) 12 EUConst 318; Neal Cohen, ‘The Privacy Follies: A Look Back at the CJEU’s Invalidation of the EU/US Safe Harbor Framework’ (2015) 1 EDPL 240.
9 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, Case C-203/15 ECLI:EU:C:2016:970. See Iain Cameron, ‘Balancing Data Protection and Law Enforcement Needs: Tele2 Sverige and Watson’ (2017) 54 CML Rev 1467.
10 Request for an opinion submitted by the European Parliament pursuant to art 218(11) TFEU, OJ 2015 C 138/24.
11 Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389.
12 The equivalent of the PNR regime with regard to transfer of financial data is the Terrorist Finance Tracking Programme (TFTP). This agreement between the EU and the US came into force in 2010 and concerns transfer and processing of data for purposes of identifying, tracking, and pursuing terrorists and their networks. See Cian C Murphy, EU Counter-Terrorism Law (Hart Publishing, Oxford, UK 2015) 151.
13 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31.
14 Schrems (n 8) para 73.
15 See further in this article.
16 US Aviation and Transportation Security Act 2001, Pub L 107-71. It is also worth noting that the US restrictive approach towards privacy depends on the fact that, in such area, privacy is traditionally considered as a relative right, which can be limited by many competing interests. In general, on the US attitude towards privacy and data protection, Michael W Price, ‘Rethinking Privacy: Fourth Amendment Papers and the “Third-Party” Doctrine’ (2016) 8 JNSLP 247.
17 The main federal law enforcement agency among whose tasks there is the protection of borders from the entrance of terrorists and criminals in general.
18 Council Decision 2004/496/CE of 17 May 2004 on the conclusion of an Agreement between the European Community and the USA on the processing and transfer of PNR data by Air Carriers to the US Department of Homeland Security, Bureau of Customs and Border Protection, OJ 2004 L 183/84.
19 On the critical aspects of this system, see Birte Siemen, ‘The EU-US Agreement on Passenger Name Records and EC Law: Data Protection Competences and Human Rights Issues in International Agreement of the Community’ (2005) 47 German YrBk Int’l L 629.
More in general on past PNR agreements, Vangelis Papakostantinou and Paul De Hert, ‘PNR Agreement and Transatlantic Antiterrorism Co-Operation: No Firm Human Rights Framework on Either Side of the Atlantic’ (2009) 46 CML Rev 885.
20 According to former art 230 of the Treaty on the European Community (current art 236 TFEU). The EP’s stance was joined by the European Data Protection Supervisor, intervening in the proceeding.
21 European Parliament v Council of the European Union and Commission of the European Community, Joined Cases C-317/04 and C-318/04 [2006] ECR I-4721. For an analysis of this decision, see Gráinne Gilmore and Jorrit Rijpma, ‘Joined Cases C-317/04 and C-318/04, European Parliament v Council and Commission, Judgment of the Grand Chamber of 30 May 2006 [2006] ECR I-4721’ (2007) 44 CML Rev 1081.
22 Agreement between the EU and the US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Department of Homeland Security [2006] OJ 2006 L 298/29.
23 Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the EU, of an Agreement between the EU and the US on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security (DHS). This agreement had been preceded by an interim version, in which even many right-related concerns could be found. See Agreement between the EU and the US on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security, OJ 2007 L 204/16.
24 On the implications of the use of sensitive data, see further in this article.
25 Letter from Peter Hustinx, European Data Protection Supervisor, to Wolfgang Schäuble, Minister for the Interior (27 June 2007) <http://www.statewatch.org/news/2007/jun/eu-us-pnr-hustinx-letter.pdf> accessed 7 March 2018.
26 European Parliament Legislative Resolution of 5 May 2010 on the launch of negotiations for PNR agreements with the USA, Australia, and Canada P7_TA (2010)0143.
27 Agreement between the United States of America and the European Union on the use and transfer of PNRs to the US Department of Homeland Security, OJ 2012 L 215/13.
28 For an overview of the contents and critical aspects of this agreement, see Arianna Vedaschi and Gabriele Marino Noberasco, ‘From DRD to PNR: Looking for a New Balance Between Privacy and Security’ in David Cole and others (eds), (n 4) 67. cf Quirine Eijkman, ‘Accountability in Europe: Ethical Dilemmas in Terrorism Risk Management’ (2013) 6 J Pol & L 35, 39, arguing that data security guarantees enshrined in the 2012 agreement contribute to accountability of the EU political bodies.
29 Anti-Terrorism Act, SC 2001, C 41.
30 Council Decision 2006/230/EC of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data, OJ 2006 L 82/14.
31 For an overview of this regime, see Peter Hobbing, ‘Tracing Terrorists: The EU-Canada Agreement in PNR Matters’ Special Report, Center for European Policy Studies, 17 November 2008 <https://www.ceps.eu/publications/tracing-terrorists-eu-canada-agreement-pnr-matters> accessed 7 March 2018.
32 Council of the European Union, Agreement between Canada and the European Union on the transfer and processing of PNR, 2013/0250(NLE).
33 European Parliament Resolution of 25 November 2014 on seeking an opinion from the Court of Justice on the compatibility with the Treaties of the Agreement between Canada and the EU on the transfer and processing of PNR data P8_TA (2014) 0058.
34 Case A-1/15, Opinion of AG Mengozzi, 8 September 2016. For an analysis, Fanny Coudert, ‘The Legitimacy of Bulk Transfers of PNR Data to Law Enforcement Authorities under the Strict Scrutiny of AG Mengozzi’ (2016) 2 EDPL 596.
35 Indeed, before this the Advocate General remarked that art 16(2) TFEU can be invoked as an appropriate legal basis for such an agreement, together with art 87(2)(a) TFEU, read in conjunction with art 218(6)(a)(v).
36 Opinion of AG Mengozzi (n 34) para 180.
37 Ibid, para 170.
38 On which see Steve Peers and Sacha Prechal, ‘Article 52. Scope and Interpretation of Rights and Principles’ in Steve Peers and others (eds), The EU Charter of Fundamental Rights. A Commentary (Hart Publishing, Oxford, UK 2014) 1455; Jan Kühling, ‘Fundamental Rights’ in Armin von Bogdandy and Jürgen Bast (eds), Principles of European Constitutional Law (Hart Publishing, Oxford, UK 2009) 479. With specific regard to data protection, Charlotte Bagger Tranberg, ‘Proportionality and Data Protection in the Case Law of the European Court of Justice’ (2011) 1 IDPL 239.
39 Opinion of AG Mengozzi (n 34) para 192.
40 Ibid para 193.
41 Ibid para 186.
42 Ibid paras 199–204.
43 Ibid paras 205–06.
44 See further in this article for some insights on the implications of the use of such data.
45 Ibid para 279.
46 Art 4 of the agreement.
47 Ibid para 222.
48 Ibid para 285. Specifically, the masking and gradual depersonalization of data would guarantee respect for the concerned rights.
49 Opinion 1/15 (European Court of Justice, 26 July 2017) ECLI:EU:C:2016:656. For a short comment, see Arianna Vedaschi, ‘The European Court of Justice on the EU-Canada PNR Agreement’ (2018) 14 EUConst and Chiara Graziani, ‘PNR EU-Canada, la Corte di Giustizia blocca l’accordo: tra difesa dei diritti umani e implicazioni istituzionali’ (2017) DPCE online 959.
50 Opinion 1/15 (n 49) para 97.
51 Ibid para 135.
52 Ibid para 98.
53 The Advocate General, in his opinion to the Court, based his reasoning on the legal basis on a similar argument. See Opinion of Advocate General Mengozzi (n 34) and Coudert (n 34) 597.
54 Opinion 1/15 (n 49) para 94.
55 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281/31.
56 Maximilian Schrems (n 8). Some scholars, before the CJEU issued Opinion 1/15, argued that Schrems would have a ‘domino effect’ on other European agreements, among which PNR deals: Yann Padova, ‘The Safe Harbour is Invalid: What Tools Remain for Data Transfer and What comes Next?’ (2016) 6 IDPL 139, 160.
57 Interpreted, as some scholars claim, also according to the case law of the European Court of Human Rights (ECtHR) on the right to privacy. Gabe Maldoff and Omer Tene, ‘Essential Equivalence and European Adequacy after Schrems: The Canadian Example’ (2016) 34 Wis Int’l LJ 211, 233–40. For a comparison between the CJEU and the ECtHR case law, with reference to most recent cases, Mark D Cole and Annelies Vandendriessche, ‘From Digital Rights Ireland and Schrems in Luxembourg to Zacharov and Szabó/Vissy in Strasbourg: What the ECtHR Made of the Deep Pass by the CJEU in the Recent Cases on Mass Surveillance’ (2016) 2 EDPL 121.
58 Namely, all circumstances in place in the third country deserve consideration; the Commission must periodically check whether adequacy persists; circumstances after the adoption of the adequacy decision have to be taken into account. See also n 129.
59 Paul Voigt and Axel von dem Bussche, The EU General Data Protection Regulation (GDPR) (Springer, Cham, CH 2017) 116.
60 Christopher Kuner, ‘Reality and Illusion in EU Data Transfer Regulation Post Schrems’ (2017) 18 German LJ 881, 893.
61 In other words, as a sort of ‘global law’ in relation to privacy. On the development of ‘global law’ standards with regard to the fight against terrorism, Arianna Vedaschi, ‘Dalla global war al global law’ (2017) Quaderni costituzionali 424.
62 See specifically on the theoretical foundations of global law Neil Walker, Intimations of Global Law (CUP, Cambridge, UK 2015).
63 Opinion 1/15 (n 49) para 126.
64 Ie the agreement itself, and not consent. According to art 8 of the Charter, a limitation can be based, alternatively, on consent of the data subject or on another legitimate basis laid down by law.
65 Opinion 1/15 (n 49) paras 147–51. In order to support the appropriateness of the means at stake to ensure such objective of general interest, the Court referred to several documents and studies laid down by the EU and Canadian institutions.
66 Ibid para 163.
67 Ibid para 157.
68 Ibid para 158.
69 It is defined by art 2(e) of the agreement as data revealing ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership’ or relating to ‘a person’s health or sex life’. This list is very similar to that laid down by the recent PNR Directive.
70 Ibid para 165.
71 Art 15 of the agreement.
72 Opinion 1/15 (n 49) para 173.
73 Ibid para 172.
74 Therefore, this definition was not left to be determined by national law, as for example, in the DRD, where discretion afforded to Member States in this regard constituted one of the grounds for the declaration of invalidity.
75 Ibid para 181.
76 Ibid paras 185 and 189.
77 Ibid, paras 190–91.
78 Citing the Schrems (n 8) and Tele2 (n 9) decisions.
79 As already stated, the retention period is 5 years (maximum). Notably, the Court deemed the length admissible (para 209 of the Opinion).
80 Opinion 1/15 (n 49) paras 204–07.
81 Ibid para 203.
82 Ibid para 212.
83 Ibid para 214.
84 Ibid paras 216–17.
85 Ibid para 225.
86 Ibid para 231.
87 COM(2017) 605 final.
88 On the activism of the CJEU, Gareth Davies, ‘Legislative Control of the European Court of Justice’ (2014) 51 CML Rev 1579, discussing the capacity of EU institutions to overcome the CJEU’s ruling with ‘excessive’ legislative effect. See also Mark Dawson, Bruno De Witte and Elise Muir (eds), Judicial Activism of the European Court of Justice (Edward Elgar, Cheltenham-Northampton, UK-US 2014).
89 This is likely to affect the PNR agreements with the US and Australia, since they are both based on arts 82(1)(a) and 87(2) TFEU. See further in this section.
90 For an overview on art 16 TFEU and obligations arising from it, Hielke Hijmans, The European Union as Guardian of Internet Privacy: The Story of Art. 16 TFEU (Springer, Cham, CH 2016).
91 As noted by the EP. See Opinion 1/15, para 32, citing the Declaration on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, OJ 2010 C 83, 45. See further on the issue Hielke Hijmans and Alfonso Scirocco, ‘Shortcomings in EU Data Protection in the Third and the Second Pillars. Can the Lisbon Treaty be Expected to Help?’ (2009) 46 CML Rev 1485.
92 However, the relationship between the two is very close, since art 8 of the Charter grants data protection the status of a fundamental right that must be respected as long as EU law applies. See Hijmans (n 90) 127. See also Angeles Gutiérrez Zarza, Exchange of Information and Data Protection in Cross-border Criminal Proceedings in Europe (Springer, Cham, CH 2014) 27.
93 European Parliament v Council of the European Union and Commission of the European Community (n 21). Scholars argue that these cases fixed the principle according to which the legal basis should be chosen in light of the aim and content of the act. Mario Mendez, The Legal Effects of EU Agreements. Maximalist Treaty Enforcement and Judicial Avoidance Techniques (OUP, Oxford, UK 2013) 78; Nadine Zipperle, EU International Agreements. An Analysis of Direct Effect and Judicial Review Pre- and Post-Lisbon (Springer, Cham, CH 2017) 112.
94 Cristina Blasi Casagran, ‘The Future EU PNR System: Will Passenger Data Be Protected?’ (2015) 23 Eur J Crime Crim L & Crim Just 241, 244.
95 Elspeth Guild and Evelien Brouwer, ‘The Political Life of Data: The ECJ Decision on the PNR Agreement between Europe and the US’ (2006) Centre for European Policy Studies Policy Brief 109 <https://www.ceps.eu/publications/political-life-data-ecj-decision-pnr-agreement-between-eu-and-us> accessed 7 March 2018.
96 Directive 2006/24/EC (n 7).
97 Ireland v European Parliament and the Council, Case C-310/06, [2006] ECR I-4721.
98 Hijmans and Scirocco (n 91) 1504, arguing that what made the CJEU decide that art 95 was appropriate as a legal basis was the fact that, contrary to PNR agreements, data retention rules did not imply the systematic transfer of data to public authorities.
99 European Parliament v Council of the European Union and Commission of the European Community (n 21).
100 Ireland v European Parliament and the Council (n 97).
101 Paul J Cardwell, EU External Relations Law and Policy in the Post-Lisbon Era (T.M.C. Asser Press, The Hague, NL 2012) 295.
102 Part II, Title IV TFEU.
103 European Parliament, Resolution of 11 November 2010 on the global approach to transfers of PNR data to third countries, and on the recommendations from the Commission to the Council to authorize the opening of negotiations between the EU and Australia, Canada and the US, P7_TA-PROV(2010)0397, point 5.
104 Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ 2016 L119/1.
105 Directive 2016/680/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA OJ 2016 L 119/89.
106 An emblematic example is criticism about the term ‘etc.’. See Opinion 1/15 (n 49) para 157.
107 Art 4(3) of the agreement, stating that all data that is not listed must be deleted.
108 Opinion 1/15 (n 49) para 162.
109 Eg in Digital Rights (n 6) where it claimed the need for a list of crimes that could justify retention.
110 Directive 2016/681/EU of the Parliament and of the Council of 27 April 2016 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, OJ 2016 L 119/132. The Directive has to be implemented by Member States by May 2018. For a critical analysis, David Lowe, ‘The European Union Passenger Name Record Data Directive: Is It Fit for Purpose?’ (2017) 16 Intl Crim LRev 78.
111 Opinion 1/15 (n 49) para 165.
112 Michel Rosenfeld, ‘Judicial Balancing in Times of Stress: Comparing Diverse Approaches to the War on Terror’ (2005) Benjamin N Cardozo School of Law, Working Paper n 119; Arianna Vedaschi, ‘Has the Balancing of Rights Given Way to a Hierarchy of Values?’ 1 Comp LR 1.
113 Before the adoption of the agreement, scholars warned against the risk of profiling entailed by it and, more in general, by the forthcoming PNR scheme at the EU level. Franziska Boehm, ‘Tit for tat – Europe’s revenge for the Canadian and US PNR systems? The envisaged European model of analyzing flight passenger data’ (2010) 11 ERA Forum 251.
114 On profiling and its risks, Richard R Banks, ‘Racial Profiling and Antiterrorism Efforts’ (2004) 89 Cornell LR 1201; Daphne Barak-Erez, ‘Terrorism and Profiling: Shifting the Focus from Criteria to Effects’ (2007) 29 Cardozo LR 1; Helen Duffy, The ‘War on Terror’ and the Framework of International Law (CUP, Cambridge, UK 2015) 637.
115 Opinion 1/15 (n 49) para 165.
116 Paul de Hert and Vagelis Papakonstantinou, ‘Repeating the Mistakes of the Past Will Do Little Good for Air Passengers in the EU: The Come Back of the EU PNR Directive and a Lawyer’s Duty to Regulate Profiling’ (2015) 6 NJECL 160, 163.
117 Opinion 1/15 (n 49) paras 168–74.
118 Ibid para 181.
119 Ibid para 204.
120 Directive 681/2016 (n 110) recital 37.
121 Ibid, art 12(5). For further analysis on potential effects of Opinion 1/15 on the PNR Directive, Elena Carpanelli and Nicole Lazzerini, ‘PNR: Passenger Name Record, Problems Not Resolved? The EU PNR Conundrum After Opinion 1/15 of the CJEU’ (2017) 42 Air & Space L 377, 391. They argue that the PNR directive is used as a ‘benchmark’ to evaluate the agreement, but, on some other points, it could itself bear the consequences of Opinion 1/15.
122 As noted by Raphael Bossong, ‘Passenger Name Records – from Canada back to the EU’ (Verfassungsblog, 28 July 2017) <https://verfassungsblog.de/passenger-name-records-from-canada-back-to-the-eu/> accessed 7 March 2018.
123 Whose masking period is, instead, 6 months.
124 Namely, Regulation 2016/679 (n 104), Directive 2016/680 (n 105) and Directive 2016/681 (n 110). All of them were approved on 21 April 2016.
125 Opinion 1/15 (n 49) para 220.
126 College van burgemeester en wethouders van Rotterdam v Rijkeboer, Case C-553/07 [2009] ECR I-03889.
127 Opinion 1/15 (n 49) para 224.
128 Opinion 1/15 (n 49) para 228.
129 ‘Essential equivalence’ was further elaborated, in preparation of the Privacy Shield, by the Statement of the Article 29 Working Party of 3 February 2016, 17/EN WP250, <ec.europa.eu/newsroom/document.cfm?doc_id=47741> accessed 7 March 2018, clarifying a set of principles of which ‘essential equivalence’ concretely consists. These principles are: a) clear, precise and accessible rules; b) strict necessity and proportionality; c) independent oversight; and d) effective redress. See on this point Maldoff and Tene (n 57) 239.
130 David Bender, ‘Having Mishandled Safe Harbor, Will the CJEU Do Better with Privacy Shield?’ (2016) 6 IDPL 117, 131.
131 European Parliament, resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP)).
132 COM(2017) 611 final.
133 Even before this Opinion, scholars argued in favour of the annulment and subsequent renegotiation of the 2012 EU–US agreement. Douglas Louks, ‘(Fly) Anywhere but Here: Approaching EU-US Dialogue concerning PNR in the Era of Lisbon’ (2013) 23 Ind Int’l & Comp LR 479, 515.
134 Answer given to the European Parliament by Mr Avramopoulos on behalf of the Commission (4 November 2015). It is worth noting that negotiations may begin with Argentina and Japan, as well.
135 On the attitude of the CJEU, particularly in privacy-related cases, to behave as a ‘constitutional’ court, see Vedaschi and Lubello (n 6) 17.
136 Opinion 1/15 (n 49) para 67.
137 Joined Cases C-317/04 and C-318/04 (n 21).
138 Luisa Marin, ‘The Fate of the Data Retention Directive: about Mass Surveillance and Fundamental Rights in the EU Legal Order’ in Valsamis Mitsilegas, Maria Bergström and Theodore Konstadinides (eds), Research Handbook on EU Criminal Law (Edward Elgar, Cheltenham-Northampton, UK-US 2016) 210.
139 For a discussion on the ‘creative’ role of the courts, Otto Pfersmann, ‘Contre le néo-realisme juridique. Pour un débat sur l’interpretation’ [Against Legal Neo-Realism. For a Debate on Interpretation] (2002) Revue française de droit constitutionnel 790, arguing against the ‘legislative’ attitude of judges.
140 For more details on how the CJEU construed this complex balance in the commented Opinion, see Arianna Vedaschi, ‘L’Accordo internazionale sui dati dei passeggeri aviotrasportati (PNR) alla luce delle indicazioni della Corte di giustizia dell’Unione europea’ (2017) Giurisprudenza costituzionale 1913.
© The Author(s) 2018. Published by Oxford University Press. All rights reserved. For permissions, please email: journals.permissions@oup.com
This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices)

Journal

International Data Privacy Law, Oxford University Press

Published: May 7, 2018
