Institutionalising Data Transfers in the UK-EU Relations

The EU has penned few data transfer arrangements with third countries, including recently with the UK with the new framework of law enforcement cooperation post-Brexit. This framework, the UK-EU Trade and Cooperation Agreement (TCA), introduces new oversight mechanisms for data transfers for law enforcement purposes, including the data dubbed as Passenger Name Records (PNR), to be transferred to the UK border agency. This paper explores the governance of the transfer of PNR data under the TCA through the mandate of a host of actors including competent data protection authorities, Passenger Information Units, and Specialised Committee on Law Enforcement and Judicial Cooperation, which is newly introduced in the TCA. The purpose of this paper is to discuss whether the multitude of authorities involved in supervising PNR data transfer satisfy the system of checks and balances as required under EU law.

Privacy Standards for Data Transfers: Unlocking the Legality of PNR Data Transfers

The EU has concluded several arrangements with countries on the transfer of Passenger Name Records (PNR) framed with respect to the international cooperation for the fight against terrorism and serious crimes. Following the CJEU’s ground-breaking Opinion /15, the legality of these arrangements has become the subject of debate, not least because at their core they allow for the transfer of personal data of people on the move without a connection between themselves and their threat to public security of the country into which they seek to enter. This contribution seeks to trace the CJEU case law on intrusive surveillance measures, with particular focus on the legality of border surveillance. It thus discusses the potential precarities of PNR data transfer arrangements, including the most recent one concluded between the UK and the EU.

PNR Data: An Element of Criminal Justice or Border Control?

One of the most pressing issues in the EU-UK relations post-Brexit has been the timely and accurate exchange of personal data for law enforcement purposes. One set of data, which is called Passenger Name Records (PNR), however stands out from the rest as its use has been integrated into pre-entry border screening procedures, whose justification is grounded on security purposes. This contribution aims to unmake the characterisation of PNR data transfers as part of criminal justice cooperation as enshrined in the UK-EU Trade and Cooperation Agreement (TCA) and question its link to the scope of border control. The purpose of this contribution is thus to interrogate the repurposing of PNR data and the accountability questions that might arise thereof.

The Reform of the Advanced Passenger Information (API) Directive as a New Form of Travel Surveillance

Directive 2004/82/EC (API Directive) regulates the collection and further processing of personal data of air travellers prior to their travel. It is primarily a border control instrument, which however enables the use of travellers data for law enforcement purposes in accordance with their national law. The API Directive has been recently evaluated and the Commission has announced a series of reforms in that respect, enabling the expansion of its scope to other forms of travelling, the collection and further processing of additional categories of personal data and their future interoperability with EU information systems. A Commission proposal is expected in that respect in the second quarter of 2022. This contribution aims to provide a fundamental rights assessment of the expected legislative reform and enquire whether the reform will prescribe an additional form of travel surveillance in addition to the EU PNR Directive and the relationship between the two legal instruments.