EU-US passenger data transfer deal annulled by European Court
30/05/2006
In a long-awaited decision from the European Court of Justice, the deal between the EU and the US to transfer passenger reservation data from EU carriers to the US Department of Homeland Security is to be annulled as of September 30, 2006.
The decision rejects the legal basis for the agreement. That is, the court found that when the Commission declared that the data is adequately protected by the U.S. it was in fact acting beyond the confines of European law, and when the European Council approved the agreement it did not do so on an appropriate legal basis.
While this court decision annuls a bad agreement between the U.S. and the EU it is in some ways a pyrrhic victory. The ECJ was called on to consider whether the transfers of this personal data to the U.S. adequately defended privacy and human rights. Instead the ECJ decision focused only on whether the European Commission and the Council had legal authority to complete such an agreement. As a result, governments may tweak the arrangements sufficiently to continue to permit the transfer of this data. Privacy International therefore recommends:
- It is time that the U.S. get its act together on privacy issues and begin implementing and properly enforcing legal protections on the use and abuse of personal data. It is increasingly apparent that the U.S. Government feels that it has the right to access as much information as possible with as few protections as necessary.
- It is time that Europe wakes up to the reality that it cannot act without adequate regard to law and process. As it has done so many times in recent years, the EU created and rushed ill-thought regulations and frameworks that circumvented democratic processes.
We hope that this decision can be seen as more than just a technical legal court decision and instead as a chance for a new start on these matters to reconsider and question if personal data should be the currency of international travel, if it is morally right to extend powers created for combating terrorism and then to apply them to other uses, and if privacy and security can be seen as complementary goals instead of how governments are currently dispensing with privacy in the name of security.
Background
In legislation approved by the U.S. Congress after September 11, 2001, the U.S. Customs and Border Police (CBP), later brought in under the Department of Homeland Security (DHS), called for the transfer of 'passenger name records' from 'foreign carriers' to combat terrorism and maintain national security. The exact details of these transfers were left for subsequent regulations and agreement.
Eventually the U.S. Government was demanding database access to all reservation systems of foreign carriers to access the personal data on travellers to the U.S. EU data protection law, enshrined in the 1995 Directive on data protection, restricts the transfer of personal data from one jurisdiction to another unless there is adequate protection of that data. The U.S. was proposing to collect this information as it saw fit and to retain this data for up to fifty years -- and this was unacceptable according to the 1995 EU law.
The EU was thus placed in the awkward position of upholding its privacy law and facing the sanctions of the U.S. Government, where the U.S. Government could fine airlines up to 3000 US dollars per passenger; or granting the U.S. Government access to this data and failing obligations under the European Convention on Human Rights and its Article 8 that calls for the protection of privacy.
In 2003 and 2004 the U.S. and the EU negotiated an agreement on the transfers, eventually settling for
- a reduced transfer of information, down from 60 data fields to 34
- a reduced retention period, down from 50 years to 3.5 years
- a reduced set of processing purposes, from 'any purpose' to 'combating serious crime and terrorism'
amongst other components of the agreement. On May 14 2004 the Commission released a decision on adequacy finding that the U.S. CBP provided adequate protection to the PNR data. On May 16 2004 the Council adopted a decision approving the agreement, and it came into force on May 28 2004.
The European Parliament was unhappy with this agreement, believing that the data should not be transferred, at least without greater safeguards. It decided to pursue the case on legal grounds, as the Parliament didn't believe that the Commission had adequate jurisdiction to make such an agreement with the U.S. authorities. As a result the Parliament took the Commission and the Council to the European Court of Justice over this agreement.
The court was being asked to decide
- whether the Commission could adopt the decision on adequacy on the basis of the 1995 Directive on data protection considering that Directive's scope excludes data that is processed for public security, defence, state security, and criminal law;
- whether Article 95 of the Treaty of the EC allows for the EU to conclude an agreement with the U.S. in order to preserve the internal market.
In November 2005 the Legal Advisor released an opinion on the case, but the final decision was released on May 30, 2006.
The Decision
The court decision released on May 30 2006 was on a joint-case: European Parliament v. Council of the European Union and European Parliament v. Commission of the European Communities (C-317/04 and C-318/04).
In part the decision was about the protection of privacy and upholding the 1995 Directive on data protection and ensuring that the U.S. provided adequate safeguards; but the 1995 Directive does not apply to activities which fall outside the scope of Community law such as public security, defence, and state security. So while the Commission was arguing that the agreement was permissible under the 1995 Directive (and thus adequate), the decision was also about whether the Commission had sufficient jurisdiction to create an agreement on that basis with the U.S. on such matters.
Though the Parliament was calling on judicial review on the grounds of breach of fundamental rights and the principle of proportionality, the Parliament was also arguing that the Commission was acting beyond its remit because the agreement did not comply with the 1995 Directive on data protection. Most importantly, according to the Parliament, the Directive does not apply to activities that fall outside the scope of Community law; so the Commission could not legally create an agreement with the U.S. on such matters.
The Commission (and the UK Government) argued that the carriers process PNR data within the Community jurisdiction and then arrange for their transfer onwards to the U.S., and so the activities of these private parties are regulated by the Directive. The Commission argues that the activities of public authorities fall outside of the scope of Community law; not the regulation of activities of private parties that relate to public security, etc. In essence, the Commission was arguing that though it may not establish an agreement that would transfer data to the U.S. that is held by public authorities, it may establish an agreement that would transfer data that is held by private entities.
The court finds that because the transfer of PNR data to the U.S. constitutes processing operations concerning public security, and because private operators must operate within a framework established by public authorities, then the European Commission was acting beyond its remit by establishing an agreement in an area in which it has no jurisdiction, i.e. public security. The court then states that the Commission was not competent to conclude the agreement.
A second point was considered by the court. The Commission argued that the agreement was based on the Treaty of the European Community under Article 95. The European Parliament argued that this was not an appropriate legal basis for the agreement with the U.S. If the agreement's purpose was to ensure the establishment and functioning of the internal market then possibly the agreement would stand. But the agreement's purpose is more geared towards making lawful the processing of data that is required by the U.S. On top of that the European Commission is not competent to conclude the agreement because it relates to activities that are beyond the scope of the 1995 Directive.
The European Council argued that the Treaty contains language regarding the transfer of data to third countries, and as such, the EU must be able to enter into negotiations with third countries to allow for these transfers. The Council argued that the intention of the agreement was to eliminate any distortion of competition within the EU -- if only some of the member states had agreements with the U.S. and others didn't, then this would distort the internal market. The Council concluded that the agreement was designed to impose harmonised obligations on all airlines across the EU.
On this second point the court found that the EU did not have sufficient jurisdiction to conclude the agreement. The agreement relates to the transfer of data that are excluded from the scope of the Directive, and as such there is no legal basis for the agreement.
With the annulment on those grounds, the Court did not consider the other pleas from the Parliament to consider the privacy and human rights aspects of the Agreement. This leaves the door open for bilateral agreements between the U.S. and each member state to be followed by a pan-European agreement after that point.