EU-US Passenger Data Transfer Deal Annulled by European Court
May 30, 2006
In a long awaited decision from the European Court of Justice, the
deal between the EU and the US to transfer passenger reservation data
from EU carriers to the US Department of Homeland Security is to be
annulled as of September 30, 2006.
The decision rejects the legal basis for the agreement. That is, the
court found that when the Commission declared that the data is
adequately protected by the U.S. it was in fact acting beyond the
confines of European law, and when the European Council approved the
agreement it did not do so on an appropriate legal basis.
While this court decision annuls a bad agreement between the U.S. and
the EU it is in some ways a pyrrhic victory. The ECJ was called on to
consider whether the transfers of this personal data to the U.S.
adequately defended privacy and human rights. Instead the ECJ
decision focused only on whether the European Commission and the
Council had legal authority to complete such an agreement. As a
result, governments may tweak the arrangements sufficiently to
continue to permit the transfer of this data.
In legislation approved by the U.S. Congress after September 11, 2001
the U.S. Customs and Border Police (CBP), later brought in under the
Department of Homeland Security (DHS) called for the transfer of
'passenger name records' from 'foreign carriers' to combat terrorism
and maintain national security. The exact details of these transfers
were left for subsequent regulations and agreement.
Eventually the U.S. Government was demanding for database access to
all reservation systems of foreign carriers to access the personal
data on travellers to the U.S. EU data protection law, enshrined in
the 1995 Directive on data protection, restricts teh transfer of
personal data from one jurisdiction to another unless there is
adequate protection of that data. The U.S. was proposing to collect
this information as it saw fit and to retain this data for up to
fifty years -- and this was unacceptable according to the 1995 EU law.
The EU was thus placed in the awkward position of upholding its
privacy law and facing the sanctions of the U.S. Government, where
the U.S. Government could fine airlines up to 3000 US dollars per
passenger; or granting the U.S. Government access to this data and
failing obligations under the European Convention on Human Rights and
its Article 8 that calls for the protection of privacy.
In 2003 and 2004 the U.S. and the EU negotiated an agreement on the
transfers, eventually settling for
- a reduced transfer of information, down from 60 data fields to 34
- a reduced retention period, down from 50 years to 3.5 years
- a reduced set of processing purposes, from 'any purpose' to
'combating serious crime and terrorism'
among other components of the agreement. On May 14 2004 the
Commission released a decision on adequacy finding that the U.S. CBP
provided adequate protection to the PNR data. On May 16 2004 the
Council adopted a decision approving the agreement, and it came into
force on May 28 2004.
The European Parliament was unhappy with this agreement, believing
that the data should not be transferred, at least without greater
safeguards. It decided to pursue the case on legal grounds, as the
Parliament didn't believe that the Commission had adequate
jurisdiction to make such an agreement with the U.S. authorities. As
a result the Parliament took the Commission and the Council to the
European Court of Justice over this agreement.
The court was being asked to decide
- whether the Commission could adopt the decision on adequacy on
the basis of the 1995 Directive on data protection considering that
Directive's scope excludes data that is processed for public
security, defence, state security, and criminal law;
- whether Article 95 of the Treaty of the EC allows for the EU to
conclude an agreement with the U.S. in order to preserve the internal
In November 2005 the Legal Advisor released an opinion on the case,
but the final decision was released on May 30, 2006.
The court decision released on May 30 2006 was on a joint-case:
European Parliament v. Council of the European Union and European
Parliament v. Commission of the European Communities (C-317/04 and
In part the decision was about the protection of privacy and
upholding the 1995 Directive on data protection and ensuring that the
U.S. provided adequate safeguards; but the 1995 Directive does not
apply to activities which fall outside the scope of Community law
such as public security, defence, and state security. So while the
Commission was arguing that the agreement was permissible under the
1995 Directive (and thus adequate), the decision was also about
whether the Commission had sufficient jurisdiction to create an
agreement on that basis with the U.S. on such matters.
Though the Parliament was calling on judicial review on the grounds
of breach of fundamental rights and the principle of
proportionality,the Parliament was also arguing that the Commission
was acting beyond its remit because the agreement did not comply with
the 1995 Directive on data protection. Most importantly, according to
the Parliament, the Directive does not apply to activities that fall
outside the scope of Community law; so the Commission could not
legally create an agreement with the U.S. on such matters.
The Commission (and the UK Government) argued that the carriers
process PNR data within the Community jurisdiction and then arrange
for their transfer onwards to the U.S., and so the activities of
these private parties are regulated by the Directive. The Commission
argues that the activities of public authorities fall outside of the
scope of Community law; not the regulation of activities of private
parties that relate to public security, etc. In essence, the
Commission was arguing that though it may not establish an agreement
that would transfer data to the U.S. that is held by public
authorities, it may establish an agreement that woudl transfer data
that is held by private entities.
The court finds that because the transfer of PNR data to the U.S.
constitutes processing operations concerning public security, and
because private operators must operate within a framework established
by public authorities, then the European Commission was acting beyond
its remit by establishing an agreement in an area in which it has no
jurisdiction, i.e. public security. The court then states that the
Commission was not competent to conclude the agreement.
A second point was considered by the court. The Commission argued
that the agreement was based on the Treaty of the European Community
under Article 95. The European Parliament argued that this was not an
appropriate legal basis for the agreement with the U.S. If the
agreement's purpose was to ensure the establishment and functioning
of the internal market then possibly the agreement would stand. But
the agreement's purpose is more geared towards making lawful the
processing of data that is required by the U.S. On top of that the
European Commission is not competent to conclude the agreement
because it relates toa acitivites that are beyond the scope of the
The European Council argued that Treaty contains language regarding
the transfer of data to third countries, and as such, the EU must be
able to enter into negotiations with third countries to allow for
these transfers. The Council argued that the intention of the
agreement was to eliminate any distortion of competition within the
EU -- if only some of the member states had agreements with the U.S.
and others didn't, then this would distort the internal market. The
Council concluded that the agreement was designed to impose
harmonised obligations on all airlines across the EU.
On this second point the court found that the EU did not have
sufficient jurisdiction to conclude the agreement. As the agreement
relates to the transfer of data that are excluded from the scope of
the Directive and as such there is no legal basis for the agreement.