This legal opinion concerns the question whether and how the recent Opinion 1/15 of the Court of Justice of the European Union (CJEU) on the Draft EU/Canada PNR Agreement impacts the Proposal for a Regulation on an Entry/Exit System. For that purpose, it analyses in detail the main findings in Opinion 1/15 and related earlier case law on data retention schemes before applying the identified principles to the context of data collection and retention in the planned EES.
1. With its decision in Opinion 1/15 the Court further confirmed that the standards developed so far for data retention schemes are to be applied irrespective of the nature of the instrument when testing the admissibility of a measure in view of the right to privacy and data protection as they result from Articles 7 and 8 of the Charter of Fundamental Rights of the European Union respectively. Therefore, the standards can be regarded as general principles for such schemes, whether they are based on secondary EU law such as Directives or Regulations or arise in the context of International Agreements or instruments with an external effect.
2. The general principles developed by the CJEU for data retention schemes need to be respected whenever data collected and retained reveal private information. The standards are not dependent on the sector: any relevant data retention measure is regarded as infringing the above-mentioned fundamental rights, and the type of data as well as the means of collection are only of relevance for the question of justification. The fact that data collection and retention under the EES takes place in a different context than processing under the PNR Agreement, which itself had a different context than the communications data setting dealt with in the previous Digital Rights Ireland and Tele2/Watson judgments, does not influence the necessity to respect the same general principles.
3. In developing the general principles, the CJEU integrated findings of the European Court of Human Rights (ECtHR) in mass surveillance and data retention cases when the Strasbourg Court interpreted Article 8 ECHR. Together, the case law of the two Courts underlines that data retention schemes have in principle a significant impact on the right to privacy and data protection of all data subjects concerned and therefore, such measures can only be justified if they genuinely meet an objective of general interest and comply with a strict necessity-requirement. Whereas the CJEU has confirmed that fighting serious crime such as terrorism is an objective that can justify the collection and retention of certain data of specific persons for longer periods, this is much less obvious for other objectives. The EES pursues a primary objective of migration management and border control. The prevention, detection and investigation of serious crime is merely a secondary objective of the planned system. Thus, retention of data under the EES is not limited to persons who represent a risk to public security. Therefore, the retention periods as regards the primary purpose of the EES are not proportionate to the objective pursued and not strictly necessary in order to achieve it.
4. Based on the findings in Opinion 1/15 it is clear that even justified retention of data needs to be limited in terms of duration to what is necessary in connection with the pursued objective. This led the Court to find that although the transfer by air carriers and subsequent use of air passengers' data by Canadian authorities was acceptable, the continued retention after departure of the concerned individuals from Canada was no longer needed as long as they did not represent a risk to public security and was therefore in violation of EU law. The same logic applies to the data retention periods under the EES. Where a person lawfully enters the Schengen area and exits the EU within the period of authorized stay, data may only be retained if an objective beyond facilitation of border control and management is applicable, such as objective evidence that the data may contribute to the protection of public security.
Longer retention periods concerning Third Country Nationals (TCNs) whose entry was refused or who overstayed the period of authorized stay are possible but should be decided on a case-by-case basis by the competent authority verifying the conditions for entry. Thus, if the refusal of entry is based on a criminal offence, the retention of the respective data would be necessary in order to pursue a legitimate interest of public security in preventing the person from entering the EU. The same logic should be applied to individuals who exceeded the period of their authorized stay in the Schengen area. Whenever there is objective evidence that the data of a person may contribute to the prevention, detection and investigation of serious criminal offences, the prolongation of retention periods for persons falling under any of the above-mentioned categories beyond that of personal data from unsuspected persons is justified. However, it would need to be established whether that data should be stored in a system established primarily for border management purposes or rather in a specific database for law enforcement (LE) purposes.
5. Concerning access to retained data by law enforcement authorities (LEAs), the CJEU previously decided in the data retention cases mentioned as well as the Schrems judgment, and has now confirmed in Opinion 1/15, that personal data must be effectively protected against the risk of abuse and unlawful access and use. Lawful access to personal data by competent authorities must therefore be based on objective evidence and preceded by prior review carried out by a court or by an independent authority. In cases of urgency where early access is regarded as imperative, for which the Proposal for the Regulation foresees that prior authorisation can be disregarded and the central access point shall process an access request immediately, the ex post review of the legitimacy of the request is all the more important to ensure safeguards against potential fundamental rights violations. This ex post review has to be carried out by a court or independent authority. A lack of such provisions makes the EES incompatible with the standards required by the CJEU.
6. It is important that strict necessity as a condition for retention periods, as well as the requirements for LE access laid down by the CJEU, are also applied to the EES. The proposed EES Regulation does not fulfil these requirements at least with regard to the proportionality of retention periods that must be based on strict necessity, conditions for judicial review prior to LE access to personal data and the lack of a truly independent ex post review mechanism. Beyond the EES, the requirements mentioned by the CJEU should be seen as a basis to set a standard for any future database retaining data of individuals for long periods. Especially with regard to interoperable databases, concerns arise regarding the different purposes of databases, the conditions for LE access and varying retention periods. Therefore, a standard model should be established along the conditions established by the CJEU in order to prevent fundamental rights violations, particularly by means of automated processing of personal data and profiling of the individuals concerned. When applying the standards, further requirements need to be taken into consideration with data transfer to third countries that will take place within the scope of Regulation 2016/679 and Directive 2016/680 respectively, even if data is originally stored within the territory of the European Union.