European Court of Justice Strikes EU-US Agreement on PNR Data

The European Court of Justice dealt a blow yesterday to European Union and U.S. policymakers, with two important judgments on privacy and transatlantic relations. Back in 2004, the European Union and the United States signed an agreement guaranteeing the privacy of European airline passenger data when that data was transferred to the U.S. government. In European Parliament v. Council of the European Union and European Parliament v. Commission of the European Communities, the Court of Justice found that the Europeans did not have the power, under their constitutional rules, to enter into the agreement. Luckily for the airlines and the governments, the Court delayed the effect of its decision until September 30, 2006. Until then, European airlines will keep on being able to transfer their passenger data, and keep on being able to fly into American airports, without having to worry about breaking European privacy law. Afterwards, it could get complicated.

Some background. After the September 11 terrorist attacks, airlines flying into the United States were required to give the U.S. Bureau of Customs and Border Protection (CBP) access to the passenger name records (PNR data) in their computer systems. In other words, the CBP was to be afforded access to the airlines’ databases in London, Rome, Amsterdam, and other European cities to extract PNR data on their American-bound passengers, before those passengers actually touched down in an American airport. The PNR data would be extracted by the CBP and stored in the CBP’s own computer system. This was designed to allow the CBP to check on any terrorist connections of passengers before their arrival in the United States; the information could also be used in future investigations. If European airlines did not comply, they faced stiff U.S. penalties. But, if European airlines did comply, they ran the risk of breaking European privacy laws. As I said in my last post, many European privacy laws require “adequate” protection for private data transferred abroad and the United States is widely viewed as not affording “adequate” protection. Therefore, European airlines that transferred PNR data to the U.S. government risked being prosecuted by their own authorities.

The European Commission (the European Union’s civil service) took the lead in trying to fix the airlines’ dilemma. This it did based on its powers under the European Union’s Data Protection Directive. (Data protection is the European expression for data privacy and a directive is a type of EU law.) Because in my last post I was dealing with the NSA, I didn’t mention this law, which guarantees data privacy when firms and other actors process data for economic purposes. The Directive, passed in 1995 and in force since 1998, standardizes the privacy rules for market actors in all Member States of the European Union.

In February 2003, the European Commission and the CBP began negotiations on an agreement that would guarantee the privacy of European PNR data after it had been collected by the CBP. In spring 2004, the two sides reached an agreement. In May 2004, the Council of Ministers (the intergovernmental body where the Member States take decisions) and the European Commission adopted the decisions necessary to render the PNR agreement effective, internally, for the European Union. And, on May 28, 2004, the EU-U.S. PNR agreement was signed by a representative of the Council and the Secretary of the Department of Homeland Security. At that time, the agreement became effective externally, under international law.

But the European Parliament was not happy with the PNR agreement. Therefore, the Parliament challenged in the European Court of Justice both the Commission’s and the Council’s decisions rendering the agreement effective under internal, European Union law. The lawsuit was driven in large part by institutional politics unrelated to the substance of the agreement. For years, the European Parliament has been asserting, quite successfully, greater powers vis-à-vis the other two branches of EU government (the Council and the Commission); the PNR lawsuit represented a bid for greater powers in the foreign relations field. But setting aside the politics, what were the alleged defects, in EU law, of the PNR agreement? There were numerous legal grounds for the European Parliament’s challenge, most of which went to the inadequate protection of privacy.

In yesterday’s judgments, the Court of Justice found for the European Parliament. Not to cause too much turmoil for the governments and the airlines, the Court of Justice allowed the Commission’s decision, and therefore the PNR agreement too, to stay effective until September 30, 2006.

Perhaps more surprising than the outcome was the reasoning of the Court of Justice. (The Court was following the opinion of the Advocate General assigned to the case. Advocates General are members of the Court who are responsible for writing a public opinion before cases are decided, advising the Court on the law and the correct outcome.) The Court of Justice did not consider any of the privacy-related claims. Rather, it found that neither the Commission nor the Council had the power to enter into the PNR agreement.

To explain the Court’s logic, I must get into some basic EU law. The European Union has a bizarre constitutional structure that comes out of the fact that it used to be an international organization and is now a quasi-federal polity. It has three “Pillars.” The First Pillar governs the regulation of the common market—things like the rules that apply when a plane takes off from Rome and lands in Munich. This is not an area that goes to the core of national sovereignty, and so the European Union (actually “European Community” when we’re talking about the First Pillar) has acquired a lot of power in the First Pillar—and the Member States have lost a lot of power. In the PNR episode, the European institutions acted under the First Pillar: the Commission based its decision on the Data Protection Directive (a market-regulating, First Pillar law) and the Council based its decision on the Data Protection Directive, together with its more general First Pillar powers.

By contrast, the Second and the Third Pillars apply to matters that do go to the core of national sovereignty: defense and other types of foreign policy (Second Pillar) and fighting crime and protecting against internal security threats like terrorism (Third Pillar). The European Union has powers in these areas, but it is hamstrung in various ways by Member States anxious to preserve national sovereignty.

Since the PNR agreement involved private, commercial European air carriers, the Commission and the Council thought they could act under the First Pillar. But the Court of Justice disagreed—essentially the Court said that the European Union would have to act under the Third Pillar or not at all. Here I’m simplifying slightly. What the Court actually said was that since the text of the Data Protection Directive expressly does not cover “[data] processing operations concerning public security . . . and the activities of the State in areas of criminal law” (i.e., matters that fall under the Third Pillar) and since the PNR agreement covers “processing operations concerning public security and the activities of the State in areas of criminal law,” the Commission’s decision could not be based on the Data Protection Directive. It applied a similar logic to annul the Council’s decision. What the Court did not say was that the deeper, Three-Pillar constitutional structure of the European Union, which puts regulation of the market in the First Pillar and cooperation on fighting terrorism in the Third Pillar, barred the European Union from entering into the PNR agreement. In this, it was careful not to follow the Advocate General’s opinion to the letter (see his opinion at paras. 140-155). Therefore, the Court left the door open to an agreement based on, not the Data Protection Directive, but another aspect of the First Pillar. But it is extremely difficult to envisage what that might be, since the Data Protection Directive excludes public security and criminal law precisely because of the constitutional Three-Pillar structure. Plus, the Court, in its own analysis, put the transfer of PNR data squarely in the Third Pillar: the Court stated, without reservation, that the data transfer covered by that agreement was “not data processing necessary for a supply of services, but data processing regarded as necessary for safeguarding public security and for law enforcement purposes.” Para. 57.

What happens now? Because the basic problem remains: if European airlines refuse the CBP’s request for their PNR data, they face stiff U.S. penalties; if they comply with the CBP’s request, they risk breaking European privacy laws. (But after the Court of Justice’s decision, only national laws and the Council of Europe instruments I described in my earlier post, not EU law, since the Court of Justice said that the Data Protection Directive does not cover security-related data transfers.) As I see it, there are two scenarios. Either the European Union will enter into a similar, now Third-Pillar, agreement with the U.S. or the 25 different data protection laws of the 25 Member States will apply.

Under the Third Pillar, the Council can enter into international agreements. Thus the Council could sign another PNR agreement with the United States, just wearing its Third Pillar hat. But there are many hurdles, as compared to international agreements under the First Pillar. First, all the Member States in the Council must agree—over most Third Pillar matters, each Member State has a right of veto. Second, for such an international agreement to be effective, internally, it must comply with whatever ratification requirements exist in each of the 25 Member States. Third, the Council might very well first have to adopt internal, intra-European legislation on sharing airline data among European police authorities before it can enter into an external agreement with the United States. I’m not an expert on the Second and Third Pillars but that would be my reading of the applicable articles of the Treaty on European Union (arts. 24 and 30) together with the Court of Justice’s so-called ERTA doctrine. Ironically, the only advantage, speed-wise, that a Third Pillar agreement would have over the First Pillar is that the European Parliament would have no powers: it does not have the right to be consulted on proposed international agreements and it does not have standing to challenge such agreements in the Court of Justice. Would the European Union be able to surmount all of these obstacles before September 30? It is not impossible but keep in mind that those long, European summer vacations are coming up.

The second scenario is that the European Union will do nothing and, therefore, national laws would apply. As I alluded to in my last post, national laws are incredibly variable. In countries like the United Kingdom and Italy, air carriers could transfer passenger data for public security purposes without any guarantees of “adequate” data protection. But French and German carriers would probably need such guarantees. Moreover, under the Council of Europe’s Convention 108 and under all national, European laws, air carriers would need a basis in law for transferring PNR data. Without that, the personal data wouldn’t be processed “fairly and lawfully” as required by those instruments. Therefore, in all 25 Member States, national regulations would have to be passed, creating a legal duty for airlines to comply with the CBP’s requests.

These two fairly convoluted scenarios remind me of that famous quip of Henry Kissinger’s: “When I want to speak to Europe, whom do I call?” In the more humdrum area of trade and market regulation, this isn’t so much of a problem anymore. On security-related issues, however, it is still unclear whom the U.S. government should be calling.


5 Responses

  1. Michaël Van Dorpe says:

    I understand that the Court says that “the Data Protection Directive does not cover security-related data transfers”. However, does that mean that there are no privacy issues left? Even if this directive is not a problem, couldn’t art. 8 ECHR or some EU general principle make signing the exact same agreement with a “3rd pillar hat” illegal?

    Or is the fact that the Court allows the programme to continue until September 30, 2006 enough proof that the Court thinks there are no privacy issues?

    Of course, if the Parliament cannot challenge the new agreement, this question will not come up before the Court (unless the Parliament argues that a new agreement should be based on the first pillar anyway…).

    I just read that the plan is to keep the substance of the agreement intact, and just change the legal basis (

    Somewhere in my reasoning I probably lost course… This would have been much worse if I didn’t have your detailed blog entries to rely on; thank you!

  2. Francesca says:

    Thanks very much for that EU Observer article. It sounds like they will be proceeding under the Pillar 3 scenario that I outlined in my post, since Frattini talks of all 25 member states having to implement the agreement (which is part of what distinguishes Pillar 3 from Pillar 1 agreements).

    The privacy issue was never addressed by the Court (it was addressed by the Advocate General, in favor of the Council and the Commission, but that has no legal effect). Therefore, you are right that art. 8, ECHR and art. 8, EU Charter of Fundamental Rights could pose problems. The most likely way that such a challenge would arise is in the national courts and, from the national courts, by way of preliminary reference, to the ECJ. (14 member states have accepted ECJ jurisdiction over such preliminary references so far.)

  3. Thomas says:


    I thought a little historical background may shed some light on the EU’s position regarding privacy legislation. As a group of countries that have witnessed the severe abuse of personally identifiable (PI) information over the past century, you may start to appreciate why the European governments are reluctant to share. Case in point is their restrictions on cross-border transmission of PI data or assets. Trading partners were given a choice: comply or do not do business here.

    In a sense, when a person visits our country we are in effect inviting them into our own home. When I greet someone at my door, I have the right to establish certain conditions before granting them the privilege of entry. This includes the behaviour expected while in my home. As the gatekeeper, I should be able to demand that a prospective guest prove to me they are worthy of entry and trust while in my home.

    Since an airline ticket is in essence a key to my front door, the burden of proof should rest with the guest, not the airline or government at the point of departure or arrival.

    For example, many countries require a pre-approved visitor’s visa including length of stay & purpose. Some go as far as demanding proof that certain inoculations occur in advance to protect their own population. Should I get the urge to see a real lemur in the wild, I know that Madagascar requires my compliance with their rules. A pre-approved visitor’s visa can also act as a deterrent to those acting on spur-of-the-moment emotions. By the same token, I can choose whether to go or be content visiting the local zoo.

    Proofing one’s identity is not a new concept. I imagine that even the caveman demanded some form of authentication such as a sign, marking or ritual prior to inviting a stranger into their firelight. The elusive 28th could include a national “Right to Privacy” in this context.

    In short, the onus should be on the guest. The solution does not lie in going Pillar to Post.

  4. Gitaoero says:

    interesting thank you…


  5. Gitaoero says:

    interesting thank you…