Citizens should be conscious of their rights, some of which were mentioned above, to be able to defend them when they think that a Member State is not respecting them. They should also know that they are entitled to defend their rights acquired through European law. They can do so by taking their case to the national courts, which can either issue a ruling or turn to the Court of Justice for a preliminary ruling [see e.g. Case C-50/00], or by simply and inexpensively lodging a complaint with the Commission or a petition with the European Parliament [Articles 24 and 227 TFEU, ex Articles 21 and 194 TEC). The Parliament has a Committee on Petitions which examines the complaints of citizens, mainly relating to social security, the recognition of professional qualifications or environment protection [Parliament Resolution]. If the complaint concerns instances of mismanagement in the activities of the European institutions or bodies, the citizen may address himself or herself to the Ombudsman appointed by the European Parliament (Articles 24 and 228 TFEU, ex Articles 21 and 195 TEC) [Decisions 94/114, 94/262 and 2002/262, see section 4.1.3].
Regardless of whether they are lodged with it or with the Parliament, the Commission is obliged to examine the grievances of citizens, which number around one thousand per year. Sometimes they are not justified and the Commission must explain to the citizen why this is the case. Not infrequently, however, they are justified and the Commission must address the Member State in question and ask it for explanations. If it does not get a good answer it must formally ask the Member State to correct its legislation or administrative practices which are causing injury to one or several citizens either of the State in question or of another Member State. If the Member State does not come into step with European law as requested by the Commission, the latter must take the State to the Court of Justice, which will give a final ruling on the obligations of the Member State. According to the Court, the Member States are obliged to compensate for damage caused to individuals by violations of European law attributable to them [Joined Cases C-6/90 and C-9/90] , particularly if certain conditions are satisfied: the rule of law infringed has been intended to confer rights on individuals, the breach is sufficiently serious, and there is a direct causal link between the breach of the obligation and the loss or damage sustained by the injured parties [Case C-470/03].
It appears that the citizens of the European Union have powerful means at their disposal to obtain justice under European law. They are sometimes more favoured than if they were just citizens of an individual State, for they can go beyond national judicial bodies to international ones in order to defend their rights and interests. However, in order to defend these rights, they must be aware of them. The fact is that the vast majority of the citizens of the Member States are not aware of their rights as citizens of the European Union. The task of informing them therefore falls both to national and European authorities, which are not very active in this area. The information deficit, examined in the following chapter [see section 10.1.2], weakens the defence of citizens' rights. On the contrary, the multinational human networks, which are growing in number and influence in the Union, may, among other things, defend the rights of citizens of different Member States [see section 9.4].
With the emergence of information systems spanning the entire internal market, the European Union has increasingly to concentrate on the protection of the personal data of its citizens. Article 16 of the TFEU (ex Article 286 TEC) states that everyone has the right to the protection of personal data concerning them. In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation aims to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States [Regulation 2016/79, see also section 17.3.6]. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity. The European Data Protection Board ensures the consistent application of this Regulation. European institutions or bodies must also protect the fundamental rights and freedoms of individuals, and in particular their right to privacy with respect to the processing of personal data [Regulation 45/2001]. An independent supervisory body, the European Data Protection Supervisor, monitors the application of the relevant rules [Decision 1247/2002].
US anti-terrorism legislation establishes that air carriers operating passenger flights to or from the United States must make passenger name record (PNR) information available to the US Customs Service upon request. PNR is a data record of each passenger's travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating airlines. Although the US measures potentially conflict with EU and Member States' legislation on data protection [see section 17.3.6], the EU and the USA reached an agreement providing a legislative framework enabling air carriers to transfer passenger data to the US authorities and allowing the latter access to data held by the European authorities on EU territory, while respecting the principles laid down in the Charter of Fundamental Rights of the European Union [Decision 2012/472 and Agreement].
PNR data should be transferred to a single designated passenger information unit (‘PIU’) in the relevant Member State, so as to ensure clarity and reduce costs for air carriers. The retention of PNR data in the PIUs should not exceed a period of five years, after which the data should be deleted [Directive 2016/681].