The Court of Justice of European Union ruled that an EU mandate for dragnet surveillance of travelers through government access to airline reservations (PNR data) might be permissible under EU law — but only to what is strictly necessary for the purposes of combating terrorist offences and serious crime, provided that the powers provided for by that directive are interpreted restrictively.
Court ruled that Memberstates can no longer retain data for five years, unless it’s related to a suspect. Otherwise, data must be deleted after six months. The ruling also said that EU countries could only mandate data transfers for intra-EU travel if there is a “genuine and present or foreseeable terrorist threat.”
The judgment from CJEU comes after campaign group Ligue des droits humains in 2017 filed legal action accusing Belgium’s transposition of the PNR Directive of violating EU privacy rights.