European Court Strikes Down U.S. PNR Deal
The European Court of Justice today ruled that the agreement to give airline passenger name record data to the United States by the EU Council of Ministers was made without proper legal status.
The court ruled that the EU Data Protection Directive, upon which the Council and the European Commission based their actions, did not apply to data collected for security purposes.
It gave the EU until Sept. 30, 2006, to find a new legal solution.
Without such a solution, European airlines would find themselves in the awkward position of facing heavy fines from the European Union if they surrender PNR data to the United States, but prohibition from U.S. air space and thousands of dollars per passenger in fines if they do not.
The agreement stipulates that within 15 minutes of takeoff for U.S.-bound flights, a European airline must send the U.S. authorities personal information about the passengers on board.
The ruling came more than two years after the European Parliament voted to refer to the European Court of Justice the controversial agreement by the European Commission to give U.S. security authorities access to the passenger data of European citizens. A spokesperson for Graham Watson, one of the members of the European Parliament who opposed the agreement, at that time had warned that a ruling from the court could take up to two years.
All 25 members of the EU Council of Ministers had endorsed an effort to render the court's ruling on the EC deal moot by crafting a deal two years ago through which U.S. Customs personnel only has had access to 34 out of a possible 60 fields of PNR data, such as name, contact details and credit card numbers. Fields with so-called "sensitive" data that reveal religion, race or health, such as dietary preferences, were not provided. U.S. Customs only can use the information to deal with terrorism, terrorist-related crimes and certain types of transnational organized crime. Furthermore, data only is stored for 3.5 years instead of 50 years as originally planned by U.S. officials, and Customs only passes information on to other U.S. agencies on a case-by-case basis.
The American Civil Liberties Union was quick to endorse the court's decision. "The United States needs to get into the orbit of reality when it comes to airline passenger data sharing and prescreening," said Barry Steinhardt, director of the ACLU's Technology and Liberty Project. "This decision shows that our Homeland Security officials cannot keep fantasizing that they can create a massive, all-encompassing global system for collecting data on travelers by running roughshod over not only basic privacy protections but also the laws of other nations."
Tim Sparapani, ACLU's Washington legislative counsel, added, "Europe has done what the United States should and must eventually do: create enforceable laws to protect personal data. This decision strikes another blow at the administration's over-reaching passenger screening proposals, like Secure Flight and Registered Traveler, which are fatally flawed and should be abandoned."
The Air Transport Association offered no opinion, but issued the following reaction. "We anticipate that the U.S. government and European authorities will resolve this matter without subjecting airlines to conflicting demands. Because the European Court of Justice's decision does not go into effect until Sept. 30, there is time to do so," said Air Transport Association president and CEO James May. "ATA and its members will continue to work closely with governmental authorities to find a practical solution to this issue."