An European Union agreement to provide airline passenger data to the US was thrown into doubt on Tuesday, after a court ruled the anti-terrorism measure was illegal.
As part of a deal agreed two years ago, European airlines transfer to US authorities 34 items of personal information on each trans Atlantic traveller.
The data include names, addresses and telephone and credit card numbers, details that the US says it needs to fight terrorism.
However, the European Court of Justice annulled the deal after finding that the Union’s member states had acted without a proper legal basis when they signed the agreement.
The EU’s Court of Justice said the agreement would stand until September 30, giving the EU’s 25 member states four months to respond.
The ruling is a blow to the European Commission because it agreed the deal with the US amid worries among EU citizens over how the information would be used.
Judgment of the Court of Justice in Joined Cases C-317/04 and C-318/04
European Parliament v Council of the European Union
and European Parliament v Commission of the European Communities
THE COURT ANNULS THE COUNCIL DECISION CONCERNING THE CONCLUSION OF AN AGREEMENT BETWEEN THE EUROPEAN COMMUNITY AND THE UNITED STATES OF AMERICA ON THE PROCESSING AND TRANSFER OF PERSONAL DATA AND THE COMMISSION DECISION ON THE ADEQUATE PROTECTION OF THOSE DATA
Neither the Commission decision finding that the data are adequately protected by the United States nor the Council decision approving the conclusion of an agreement on their transfer to that country are founded on an appropriate legal basis
Following the terrorist attacks of 11 September 2001, the United States passed legislation providing that air carriers operating flights to, from or across United States territory have to provide the United States authorities with electronic access to the data contained in their reservation and departure control systems, called ‘Passenger Name Records’ (PNR).
Since the Commission considered that those provisions could come into conflict with Community legislation and that of the Member States on data protection, it entered into negotiations with the United States authorities. Following those negotiations the Commission adopted, on 14 May 2004, a decision1 (the decision on adequacy) finding that the United States Bureau of Customs and Border Protection (CBP) ensures an adequate level of protection for PNR data transferred from the Community. On 17 May 2004, the Council adopted a decision2 approving the conclusion of an agreement between the European Community and the United States on the processing and transfer of PNR data by air carriers
established in Member States of the Community to CBP. That agreement was signed in Washington on 28 May 2004 and entered into force on the same day.
The European Parliament applied to the Court of Justice of the European Communities for annulment of the Council decision (Case C-317/04) and of the decision on adequacy (Case C-318/04), contending, in particular, that adoption of the decision on adequacy was ultra vires, that Article 95 EC3 does not constitute an appropriate legal basis for the decision approving the conclusion of the agreement and, in both cases, that fundamental rights have been infringed.
The European Data Protection Supervisor intervened in support of the Parliament in both cases, the first intervention before the Court by that authority since its establishment.
In today’s judgment, the Court has annulled both decisions.
The decision on adequacy
The Court examined, first of all, whether the Commission could validly adopt the decision on adequacy on the basis of Directive 95/46/EC4. It noted that Article 3(2) of the directive excludes from the directive’s scope the processing of personal data in the course of an activity which falls outside the scope of Community law and, under any circumstances, processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law.
According to the decision on adequacy, the requirements for the transfer of data are based on United States legislation concerning, amongst other matters, the enhancement of security, the Community is fully committed to supporting the United States in the fight against terrorism and PNR data will be used strictly for purposes of preventing and combating terrorism and related crimes, and other serious crimes, including organised crime. Therefore, the transfer of PNR data to CBP constitutes processing operations concerning public security and the activities of the State in areas of criminal law.
While the view may rightly be taken that PNR data are initially collected by airlines in the course of an activity which falls within the scope of Community law, namely sale of an aeroplane ticket which provides entitlement to a supply of services, the data processing which is taken into account in the decision on adequacy is, however, quite different in nature. That decision concerns not data processing necessary for a supply of services, but data processing regarded as necessary for safeguarding public security and for law-enforcement purposes.
The fact that the PNR data have been collected by private operators for commercial purposes and it is they who arrange for transfer of the data to a non-member State does not prevent that transfer from being regarded as data processing that is excluded from the directive’s scope. The transfer falls within a framework established by the public authorities that relates to public security.
The Court thus concluded that the decision on adequacy does not fall within the scope of the directive because it concerns processing of personal data that is excluded from the scope of the directive. Consequently, the Court annulled the decision on adequacy. The Court added that it was no longer necessary to consider the other pleas relied upon by the Parliament.
The Council decision
The Court found that Article 95 EC, read in conjunction with Article 25 of the directive5, cannot justify Community competence to conclude the Agreement with the United States that is at issue. This agreement relates to the same transfer of data as the decision on adequacy and therefore to data processing operations which are excluded from the scope of the directive. Consequently, the Court annulled the Council decision approving the conclusion of the agreement and did not consider it necessary to consider the other pleas relied upon by the Parliament.
Limitation of the effects of the judgment
Since the agreement remains applicable for a period of 90 days from notification of its termination, the Court decided, for reasons of legal certainty and in order to protect the persons concerned, to preserve the effect of the decision on adequacy until 30 September 2006.
1 Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States Bureau of Customs and Border Protection (OJ 2004 L 235, p. 11).
2 Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (OJ 2004 L 183, p. 83, and corrigendum at OJ 2005 L 255, p. 168).
3 This article relates to the adoption of measures for the harmonisation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market.
4 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
5 This article forms part of Chapter IV of the directive concerning the transfer of personal data to non-member States.