An agreement between the European Union and Canada over the sharing of air passengers’ personal data is illegal in its current form, according to a top legal advisor.
The agreement was signed in 2014, but the European Parliament asked the Court of Justice of the European Union (CJEU), the EU’s top court, to rule on whether the deal respected the fundamental rights of EU citizens. The parliament won’t clear the deal until it gets the court’s ruling.
On Thursday the court’s advocate general, Paolo Mengozzi, advised the CJEU to rule that the deal is not OK and cannot go ahead, due to a lack of privacy safeguards.
Get Data Sheet, Fortune’s technology newsletter.
The EU-Canada passenger name record (PNR) agreement is intended to help the authorities in various countries combat terrorism and other serious transnational crimes. The EU has similar arrangements with the U.S. and Australia, and will by 2018 have a similar system operating within the union.
The deals involve the sharing of air passengers’ details—names, travel dates and itinerary, seat number and so on—in order to track people as they move around. The airlines already have these details, but the agreements force them to send the information to the authorities in the flight’s destination country.
Civil liberties advocates have long argued that such agreements are incompatible with EU privacy laws.
According to Mengozzi, the EU-Canada deal falls down on several fronts. Firstly, it allows the Canadian authorities to store and process Europeans’ PNR data for purposes that have nothing to do with public safety, which is supposedly the point of the deal.
Mengozzi also said the Canadians would be able to get, use and store EU citizens’ sensitive data, which is a big no-no under EU law, and would be able to disclose the PNR data for reasons that are again unconnected with serious transnational crime and terrorism.
He said the Canadians would also be able to pass the information on to other countries without properly checking that those countries won’t pass it on to yet more countries.
For more on privacy and national security, watch our video.
Interestingly, Mengozzi reached his conclusions based on the CJEU’s rulings in the Schrems case—the one that obliterated the EU-U.S. Safe Harbor agreement—and the Digital Rights Ireland case, in which the court struck down an EU directive that forced telcos in member states to store customers’ communications data.
Here’s what the court said about Mengozzi’s opinion:
It is necessary that, at a time when modern technology allows public authorities, in the name of combating terrorism and serious transnational crime, to develop extremely sophisticated methods of monitoring the private life of individuals and analysing their personal data, the Court should ensure that the proposed measures, even when they take the form of envisaged international agreements, reflect a fair balance between the legitimate desire to maintain public security and the equally fundamental right for everyone to be able to enjoy a high level of protection of his private life and his own data.
As always, the advocate general’s opinion is only meant to guide the CJEU, which will issue a final ruling in due course.
However, things are not looking good for the EU-Canada deal, and if the court follows Mengozzi’s advice then those other deals will also come in for very close scrutiny. After all, Mengozzi did not say all PNR agreements are necessarily rotten—just that they need to be carefully formulated to protect people’s rights.
