PNR Ruling Said to Raise Data Retention, Privacy Issues
The European Court of Justice (ECJ) Tues. voided a pact demanding that European nations give U.S. Customs airline passengers’ phone number, credit card and other data within 15 min. of departure for the U.S. The move may have broad implications for privacy rights and data transfers in other contexts, including communications traffic data retention, experts said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The ruling doesn’t take a view on the content of the agreement, a DHS spokesman told us, only the methods by which the agreement was reached. Calling the case “complex” and saying DHS and CBP need to “study the judgment carefully” for its long-term implications, the spokesman pointed out that the court ruled only that the EC didn’t have the authority to make such agreements in the first place. He said the court avoided any ruling on DHS’s privacy standards or methods. In the short term, the spokesman said, the data will continue to flow, and he added that the Dept. will be working closely with Europe to carve out long-term agreements for airline safety after the Sept. 30 deadline for the program to stop.
The ruling may have opened a loophole in European data protection law, European Data Protection Supervisor Peter Hustinx said. Individuals no longer can trust that data collected for commercial purposes but used by the police are protected by the data protection directive, he said. That heightens the need for govts. to create a “comprehensive and consistent legal instrument” to protect personal data sought for law enforcement purposes, he said.
The ECJ ruling, made on appeal annulled two elements: an EC decision holding U.S. privacy laws to be adequate to allow transfer of personal information on European citizens, and Council of Ministers approval of the Passenger Name Records (PNR) agreement. The appeal, by the European Parliament (EP), said the pact violated privacy rights.
The EC based its “adequacy” decision on the data protection directive. The EC said airlines collect PNR data in the course of doing business, but the court found that effort to have public security and law enforcement, not commercial, reasons. The directive doesn’t apply to data processing in public security, defense, state security and criminal law activities.
The ECJ also dumped the Council approval for the PNR pact, saying govts. can’t use the data protection directive as a basis for licensing data transfers that fall outside its scope. The agreement will run until Sept. 30. After the ruling, EC spokesman Johannes Laitenberger said the Commission “would respect the court’s ruling and consult with U.S. on any changes that may be required.” The U.S. “has indicated its willingness to enter into such discussions and for its part to continue to respect the PNR agreement so long as it remains in force,” the EC said.
The U.S., which calls the data vital to its war against terror, threatened airlines that don’t comply with fines and loss of landing rights. The ruling could cause a crisis in U.S.-European relations, EC officials said. While there’s no immediate threat of break in trans-Atlantic air traffic, it will be hard to renegotiate a deal that will satisfy both the EP and the U.S., they said.
The EP vowed a hard line on any new deal. “Our victory in this case demonstrates the refusal of the members of the European Parliament to buckle in the face of transatlantic bullying,” said Sara Ludford, a U.K. Liberal Democrat MEP.
The judgment could mean big headaches for individual European airlines. They risk U.S. sanctions for refusing to bow to electronic passenger data demands, and sanctions from their national data protection authorities if they don’t, said Axel Spies, a D.C.-based telecom lawyer. The decision has implications for EU/U.S. data transfers in security and other realms, he said. “I expect European data protection authorities to scrutinize EU/U.S. data transfers outside of the Safe Harbor Principles much more closely to ensure the receiving party in the U.S. guarantees an ‘adequate level of data protection,'” he said. For those reasons, the ruling will raise the bar for the U.S. Dept. of Homeland Security when it seeks online access to data stored under the newly enacted data retention directive, Spies said.
The EP won a “Pyrrhic victory,” said Tony Bunyan of Statewatch, a U.K.-based body that monitors EU privacy and civil rights issues. The agreement will be replaced either by national bilateral pacts with the U.S. or by a treaty whose adoption is solely in the hands of Council ministers, with only advisory input from the EP, he predicted. Either way, lawmakers will have no power over the pacts and won’t be able to challenge them in court -- and any new agreement could have lower privacy protections than the PNR, Bunyan said. “The press may describe this as a victory for the EP or for privacy but they will be mistaken,” Bunyan said.