The Data Protection News

Tuesday, May 30, 2006

European Court of Justice annuls agreement between EC and USA

Following the terrorist attacks of 11 September 2001, the United States passed legislation providing that air carriers operating flights to, from or across United States territory have to provide the United States authorities with electronic access to the data contained in their reservation and departure control systems, called ‘Passenger Name Records’ (PNR).
Since the Commission considered that those provisions could come into conflict with Community legislation and that of the Member States on data protection, it entered into negotiations with the United States authorities. Following those negotiations the Commission adopted, on 14 May 2004, a decision (the decision on adequacy) finding that the United States Bureau of Customs and Border Protection (CBP) ensures an adequate level of protection for PNR data transferred from the Community. On 17 May 2004, the Council adopted a decision approving the conclusion of an agreement between the European Community and the United States on the processing and transfer of PNR data by air carriers established in Member States of the Community to CBP. That agreement was signed in Washington on 28 May 2004 and entered into force on the same day.

The European Parliament applied to the Court of Justice of the European Communities for annulment of the Council decision (Case C-317/04) and of the decision on adequacy (Case C-318/04), contending, in particular, that adoption of the decision on adequacy was ultra vires, that Article 95 EC does not constitute an appropriate legal basis for the decision approving the conclusion of the agreement and, in both cases, that fundamental rights have been infringed.
The European Data Protection Supervisor intervened in support of the Parliament in both cases, the first intervention before the Court by that authority since its establishment.
In today’s judgment, the Court has annulled both decisions.

The decision on adequacy
The Court examined, first of all, whether the Commission could validly adopt the decision on adequacy on the basis of Directive 95/46/EC. It noted that Article 3(2) of the directive excludes from the directive’s scope the processing of personal data in the course of an activity which falls outside the scope of Community law and, under any circumstances, processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law.
According to the decision on adequacy, the requirements for the transfer of data are based on United States legislation concerning, amongst other matters, the enhancement of security, the Community is fully committed to supporting the United States in the fight against terrorism and PNR data will be used strictly for purposes of preventing and combating terrorism and related crimes, and other serious crimes, including organised crime. Therefore, the transfer of PNR data to CBP constitutes processing operations concerning public security and the activities of the State in areas of criminal law.
While the view may rightly be taken that PNR data are initially collected by airlines in the course of an activity which falls within the scope of Community law, namely sale of an aeroplane ticket which provides entitlement to a supply of services, the data processing which is taken into account in the decision on adequacy is, however, quite different in nature. That decision concerns not data processing necessary for a supply of services, but data processing regarded as necessary for safeguarding public security and for law-enforcement purposes.
The fact that the PNR data have been collected by private operators for commercial purposes and it is they who arrange for transfer of the data to a non-member State does not prevent that transfer from being regarded as data processing that is excluded from the directive’s scope. The transfer falls within a framework established by the public authorities that relates to public security.
The Court thus concluded that the decision on adequacy does not fall within the scope of the directive because it concerns processing of personal data that is excluded from the scope of the directive. Consequently, the Court annulled the decision on adequacy. The Court added that it was no longer necessary to consider the other pleas relied upon by the Parliament.

The Council decision
The Court found that Article 95 EC, read in conjunction with Article 25 of the directive, cannot justify Community competence to conclude the Agreement with the United States that is at issue. This agreement relates to the same transfer of data as the decision on adequacy and therefore to data processing operations which are excluded from the scope of the directive. Consequently, the Court annulled the Council decision approving the conclusion of the agreement and did not consider it necessary to consider the other pleas relied upon by the Parliament.

Limitation of the effects of the judgment
Since the agreement remains applicable for a period of 90 days from notification of its termination, the Court decided, for reasons of legal certainty and in order to protect the persons concerned, to preserve the effect of the decision on adequacy until 30 September 2006.
The full text of the judgment may be found on the Court’s internet site


Post a Comment

<< Home