Ruling Annuls US-EU Data Deal - 2006-06-05

The European Court of Justice last week ruled that the E.U. Council of Ministers did not have the legal status to agree that European airlines should give U.S. officials airline passenger name record data and that the European Union until Sept. 30 to find a new legal solution.

The court ruled that the E.U. Data Protection Directive, upon which the Council and the European Commission based their actions, did not apply to data collected for security purposes.

Without such an E.U.-U.S. pact, European airlines would be in the awkward position of facing heavy fines from the European Union if they surrender PNR data to the United States, but prohibition from U.S. air space and thousands of dollars per passenger in fines if they do not.

The current agreement stipulates that a European airline must send U.S. authorities personal information about the passengers on board within 15 minutes of takeoff for U.S.-bound flights.

The court's ruling came more than two years after the European Parliament voted to refer to the European Court of Justice the controversial agreement by the European Commission to give U.S. security authorities access to the passenger data records of European citizens.

All 25 members of the E.U. Council of Ministers had endorsed a deal two years ago through which U.S. Customs personnel only had access to 34 out of a possible 60 fields of PNR data, such as name, contact details and credit card numbers. Fields with data that reveal religion, race or health, including dietary preferences, were not provided.

Furthermore, data only are stored for 3.5 years instead of the 50 years originally planned by U.S. officials, and Customs only passes information on to other U.S. agencies on a case-by-case basis.

IJet International CEO Bruce McIndoe said the Europeans are concerned that some of the required data elements are commercial rather than security data, most obviously credit card numbers. He said there were two elements in particular that they were most eager to negotiate: "paring back the amount of data that's being given out and shortening the time for which the U.S. retains the data." While he said that neither side has an advantage in the negotiations, the ruling "forces a date certain to have those discussions in earnest." Even so, he said, "it would not be unlikely to get an extension if both parties are negotiating in earnest," and he expects the issue to be resolved "by the end of the calendar year."

The American Civil Liberties Union endorsed the court's decision. "The United States needs to get into the orbit of reality when it comes to airline passenger data sharing and prescreening," said Barry Steinhardt, director of the ACLU's Technology and Liberty Project. "This decision shows that our Homeland Security officials cannot keep fantasizing that they can create a massive, all-encompassing global system for collecting data on travelers by running roughshod over not only basic privacy protections but also the laws of other nations, " ACLU's Steinhardt said.

Tim Sparapani, ACLU's Washington legislative counsel, added, "Europe has done what the United States should and must eventually do: create enforceable laws to protect personal data. This decision strikes another blow at the administration's over-reaching passenger screening proposals, like Secure Flight and Registered Traveler, which are fatally flawed and should be abandoned."

Air Transport Association president and CEO James May said, "We anticipate that the U.S. government and European authorities will resolve this matter without subjecting airlines to conflicting demands. Because the European Court of Justice's decision does not go into effect until Sept. 30, there is time to do so. ATA and its members will continue to work closely with governmental authorities to find a practical solution to this issue."