The European Court of Justice struck down the 2004 agreement between the European Commission and US Customs and Border Protection (CBP) on the sharing of aviation passenger name records (PNRs) for people traveling to the United States, following a lawsuit by the European Parliament. The court’s full decision is available here, and it is summarized in this press release from the court. The court’s key finding:
The Court found that Article 95 EC, read in conjunction with Article 25 of the directive, cannot justify Community competence to conclude the Agreement with the United States that is at issue. This agreement relates to the same transfer of data as the decision on adequacy and therefore to data processing operations which are excluded from the scope of the directive.
…and on that basis, it reached the following decision:
1. Annuls Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection and Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States Bureau of Customs and Border Protection;
2. Preserves the effect of Decision 2004/535 until 30 September 2006, but not beyond the date upon which that Agreement comes to an end.
The ruling is summarized in this BBC story. Commentary on the ruling can be found at the EU Law Blog, the Practical Nomad, and this triumphalist press release from the ACLU, which argues that “decision strikes another blow at the administrationâ€™s over-reaching passenger screening proposals.” But the website Statewatch disagrees with this interpretation of the ruling, arguing:
The treaty conclusion and Commission decision have clearly been annulled because (following the opinion of the Advocate-General, see below) their subject-matter fell outside the scope of the data protection directive, as they concerned essentially the processing of data by law enforcement authorities. The other pleas by the EP [European Parliament], in particular the privacy plea, are therefore not considered at all (the Advocate-General had considered them for the sake of argument, but rejected them). The EP has therefore won a “pyrrhic” victory, as the agreement will now be replaced either by national agreements, or by a third pillar agreement with the US. Either way the EP has no power over approval of the treaty/treaties or even the power to bring legal proceedings against them. The press may describe this as a victory for the EP or for privacy but they will be mistaken.
I agree with this interpretation. This decision is above all a judgment on the EU’s byzantine character, and only secondarily about the issues at stake. The result is that all parties are going to have to work hard to develop a new agreement or set of agreements in the next few months. This advance notification is a critical layer of our travel security system, so it’s essential that the US and EU find ways to work this out, in a way that provides consistent and enforceable privacy protection but eschews fearmongering and hyperlegalism. And I think at some point the US and EU need to think about developing a common set of agreed principles for privacy and security issues, to move away from the painstaking case-by-case basis on which these issues are negotiated today.