MercoPress. South Atlantic News Agency

The ECJ limits disclosure of passenger's flight data and rules when it can be used by law enforcement agencies

Data is collected and processed by passenger information units set up by each EU state. Units then cross-check passenger info with law enforcement databases

In a milestone ruling, the European Court of Justice (ECJ) limited the disclosure of how passenger data is collected and when it can be used by law enforcement.

A rights group who brought the case arguing that EU practices go too far, and could “lead to mass surveillance and discrimination”

The case concerned EU's Passenger Name Record (PNR) Directive which was adopted in 2016. The measure permits justice officials and police to access passenger data on people flying into and out of the EU. It also allows the collection of passenger data on flights within the EU in some cases.

The directive seeks to aid authorities in combating serious crime and preventing terrorism.

The data collected can include the names and contact information of passengers, as well as flight numbers, number of bags, how they paid for the flight and who they traveled with.

That data is collected and processed by passenger information units set up by each EU member state. The units then cross check the passenger information with law enforcement databases. This personal data can then be sent to police, Europol and other bloc authorities “either spontaneously or in response to duly reasoned requests,” according to the European Commission.

The data is used to track known criminal suspects, but also to flag potentially suspicious flights — including if a passenger paid in cash or if they aren't bringing lots of luggage on a long-haul flight.

Currently, the data is “depersonalized” after six months and can be saved up to 5 years — after which, it must be deleted.

The ECJ, however, ruled that while the directive is permissible, certain limitations must be set so that the data collection does not violate EU law.

In a statement, the court said “that respect for fundamental rights requires that the powers provided for by the PNR Directive be limited to what is strictly necessary.”

Authorities in the EU's 27 member states may only transfer and process passenger data for a “genuine and present or foreseeable terrorist threat.”

The data can only be accessed by authorities when the person's travel is believed to be connected to criminal activity — meaning they must be suspected of fleeing the scene of a crime, or arriving at a destination with an intent to commit a crime.

The court also took issue with the length of time that the data is saved, saying much of the data should not be stored after six months. Law enforcement agencies would be permitted to keep the data for longer only if there is an “objective link” to potential terrorist activity or a serious crime.

The ECJ also banned the use of artificial intelligence (AI) in machine learning systems to harvest and process data on airline passengers.

Tuesday's decision is significant in that it is the first time the EU's top court issued a ruling curbing the use of artificial intelligence — setting a precedent that could be used in future cases where AI is concerned.

While the ECJ did not halt the practice outright, the ruling is also a partial-win for data privacy advocates who argued that the PNR directive violated data protection rights and the right to privacy.