The European Court of Justice has backed a request by the European Parliament that the European Commission’s decision to conclude an agreement with the United States for the transfer of Passenger Name Records (PNR) and an associated finding of adequacy in relation to the protection of data by third party countries under the EU data protection directive should be annulled.
However, the decision is likely to cause more confusion with the court ruling that EU data protection law doesn’t apply to disclosures of passenger details for the purposes of public security.
As statewatch says ‘the EP has won a “pyrrhic” victory, as the agreement will now be replaced either by national agreements, or by a third pillar agreement with the US. Either way the EP has no power over approval of the treaty/treaties or even the power to bring legal proceedings against them. The press may describe this as a victory for the EP or for privacy but they will be mistaken. Moreover, there is a risk that if an EU treaty or purely national treaties are signed with the US that the standard of privacy protection could actually be worse than in the original PNR deal’.
One thing is certain, the airlines are unlikely to stop providing that data, as doing so would be commercial suicide. Although in countries such as France and Spain the arguments may be more heated.
Expect some interesting opinions and arguments on this story over the next few days.
Richard Jones, of international law firm Clifford Chance, points out: “It’s a paradoxical judgment. The court struck out the accord on the basis that EU data protection law doesn’t apply to disclosures of passenger details for the purposes of public security. That suggests that the disclosures can continue without breach of the EU rules, which certainly isn’t what the European parliament intended, but it isn’t yet clear whether the national regulators will agree. The accord was meant to create a level playing field and this judgment leaves the airlines back where they started, having to wrestle with the issue in each member state.””
Peter Hustinx, EDPS, says: “The judgment seems to have created a loophole in the protection of European citizens whereby their data are used for law enforcement purposes. This makes it all the more important that a comprehensive and consistent legal instrument ensuring the protection of personal data outside of the first pillar is adopted without delay”.
“I see the judgment as a shot across the bows,” said Dr Chris Pounder, a data protection expert with Pinsent Masons, “Security and privacy have to be balanced, which most reasonable people will accept, and there must be independent supervision of the whole process so that those who use powers to obtain personal data do not exceed those powers. From the UK perspective there is a flexibility in the Data Protection Act for the Home Secretary to determine by order that these transfers should occur,” said Pounder. However, he added, “It is not clear whether or not the US administration will seek to pursue bilateral agreements or come to a fresh agreement with the European Commission or indeed indvidual airlines”.