The European Court of Justice’s Advocate General, Leger, has backed a request by the European Parliament that the European Commission’s decision to conclude an agreement with the United States for the transfer of Passenger Name Records (PNR) and an associated finding of adequacy in relation to the protection of data by third party countries under the EU data protection directive (95/46) should be annulled.
Examination of the aim and the content of the agreement with the United States, approved by the Council’s decision, leads him to conclude “that it simultaneously pursues two objectives: the fight against terrorism and other serious crime and the protection of personal data. He therefore considers that Article 95 EC does not constitute an appropriate legal basis for the Council’s decision and proposes that the Court should annul it”.
On the topic of adequacy he says “consultation of air passengers’ data, and those data being put at the disposal of, and used by, the CBP, constitutes the processing of personal data concerning public security and the activities of the State in relation to areas of criminal law. Such activity is therefore outside the scope of Directive 95/46. He therefore finds that that directive did not give the Commission the power to adopt a decision concerning the appropriate level of protection for personal data transferred in the context of and with a view to processing expressly excluded from the scope of that directive. The Advocate General therefore concludes that the adequacy decision infringes the underlying measure, namely Directive 95/46, and proposes that the Court should annul that decision”.
In May 2004, and despite concerns that the agreement breached the EU Data Protection Directive, the US Government and the European Commission agreed to make EU flight passenger data details available to US customs authorities 15 minutes prior to take-off.
The deal made 34 elements of passenger data available to the US Department of Homeland Security (DHS), Customs and Border Protection (CBP), who can retain it for 3.5 years. The DHS has also agreed not to transfer data wholesale to the broader US intelligence community but instead compare the data with US intelligence databases available to the DHS. DHS said “PNR data is used by CBP strictly for purposes of preventing and combating: 1) terrorism and related crimes; 2) other serious crimes, including organized crime, that are transnational in nature; and 3) flight from warrants or custody for the crimes described above.”
The deal is believed to breach the EU Data Protection Directive because passengers cannot effectively give permission for all uses the US intend to make of their data. Data holder permission is particularly important because the transfers include sensitive data, such as health, as well as food preferences, which could identify religious affiliation. The European Parliament opposed the deal claiming that there exists no specific EU legislation for using PNR data for public security purposes and that, in the USA, the protection of privacy is not regarded as a fundamental right; there was the lack of redress mechanisms for people who are denied entry to the US on the basis of the information in the PNR records; there was a lack of opportunities for passengers to correct errors in their personal data; and the fact that the fact that a “pull” instead of a “push” system is used to obtain the data, meaning that the US does not have to ask for the data but has immediate access to it.
The Full judgement of the Court is expected in 2006. The court follows the advice of its advocate general in about 80% of cases, and hopefully will do so in this instance. If the court annuls the deal, it would have to be renegotiated between the parties, and on an entirely new legal basis.