Fluggastdatenspeicherung: Die Zukunft von Vorratsdatenspeicherung und automatisierter Verdachtsgenerierung

In Ligue des droits humains, the CJEU declared the EU Directive on Passenger Name Record (PNR) data to be compatible with Articles 7 and 8 CFR. The Court therefore declined to invalidate the PNR Directive, but significantly curtailed almost all of its central tenets. This contribution analyzes what the decision entails for the PNR system. It argues that the German transposition law, the Fluggastdatengesetz, can no longer function as a suitable legal basis for the German PNR system since it is in flagrant violation of EU law, as interpreted by the Court. Hence, the German PNR system must be stopped until the Fluggastdatengesetz has undergone parliamentary reform.Since Ligues des droits humains also represents a landmark decision on predictive policing, this contribution critically dissects how it is significant for the future of European security law beyond the PNR context. In so doing, it focusses firstly on the evolving doctrinal standards for the mass retention of personal data and secondly, on the technology-induced, automated generation of suspicion pertaining to threats to public security. Regarding the first point, the decision is situated in an evolving jurisprudence prescribing a situation-specific reduction of the objective criteria for mass surveillance as put forth in Digital Rights Ireland. Regarding the second point, this contribution contrasts the CJEU’s approach – which is characterized by a lack of substantive boundaries, and an abundance of technology-specific procedural guarantees with many delegations to Member States – with the stricter approach taken by the German Constitutional Court. It argues that the current doctrinal framework is insufficient in addressing the rule-of-law concerns raised by the reliance on modern technologies for the purposes of the automated generation of suspicions. Based on the aim of stabilizing relationships of mutual recognition through human interventions, this contribution makes some tentative doctrinal proposals for bridging the gap between automated hits and concrete threats. It then concludes with an outlook to the ETIAS Regulation