Concerns over national security that followed the terrorist attacks of 9/11 resulted in US legislation requiring airlines operating flights to or from the US to provide US customs authorities with electronic access to data in their reservation and departure control systems, known as Passenger Name Records (PNR data). But EU data protection law prohibits the airlines from doing so. A classic “rock and a hard place” situation developed, with EU airlines flying to and from the US faced with a choice between breaching EU data protection law or paying penalties for failing to comply with the US law, the prospect of long delays at US airports for their customers, and, at worst, the withdrawal of landing rights in the US. A deal had to be done, which it was, coming into force on 28 May 2004. Subject to its agreement to abide by certain restrictions on its use of the data and limitations on the PNR data fields that it could access, US Customs and Border Protection could be regarded as “adequate” with regard to the PNR data it received.
Industry always regarded this deal with mixed feelings. While on the one hand, it was good news for the airline industry, and no one wanted European airlines to be at a commercial disadvantage (in Europe at least), it was regarded as surprising by other industries that such a relatively lax set of data protection controls could be regarded as “adequate” when businesses in other industries still had to jump through all manner of hoops in order to transfer personal data out of the EU lawfully. The arrangement smacked of political pragmatism and economic expediency. Still, no one was complaining, apart, that is, from the European Parliament.
The Parliament criticised the “adequacy” decision on the basis that it conflicted with the Directive and Article 8 of the European Convention on Human Rights, which provides for the right to respect for private and family life, home and correspondence without interference from a public authority, subject to the interests of national security. It commenced proceedings, advancing four pleas for annulment, alleging ultra vires action, breach of fundamental principles of the Directive, breach of fundamental rights and breach of the principle of proportionality.
On 30 May 2006, the European Court of Justice agreed with the Parliament and quashed the deal (subject to a 90-day termination period) and annulled the Decision on “adequacy” due to the Decisions having been made outside the power of the EC and in conflict with the Directive. The US authorities and the European Commission have until 30 September to work out a new deal compatible with European law. We understand that talks have already commenced, but to be on the safe side, readers may want to take their US vacations before then, or else face even longer queues at the airport than usual.
Heidi Pfleger is a trainee with Bristows and is currently working in the Commercial IP department: heidi.pfleger@bristows.com.
