European Court of Justice Strikes EU-US Agreement on PNR Data
posted by Francesca Bignami
The European Court of Justice dealt a blow yesterday to European Union and U.S. policymakers, with two important judgments on privacy and transatlantic relations. Back in 2004, the European Union and the United States signed an agreement guaranteeing the privacy of European airline passenger data when that data was transferred to the U.S. government. In European Parliament v. Council of the European Union and European Parliament v. Commission of the European Communities, the Court of Justice found that the Europeans did not have the power, under their constitutional rules, to enter into the agreement. Luckily for the airlines and the governments, the Court delayed the effect of its decision until September 30, 2006. Until then, European airlines will keep on being able to transfer their passenger data (and keep on being able to fly into American airports) without having to worry about breaking European privacy law. Afterwards, it could get complicated.
Some background. After the September 11 terrorist attacks, airlines flying into the United States were required to give the U.S. Bureau of Customs and Border Protection (CBP) access to the passenger name records (PNR data) in their computer systems. In other words, the CBP was to be afforded access to the airlines’ databases in London, Rome, Amsterdam, and other European cities to extract PNR data on their American-bound passengers, before those passengers actually touched down in an American airport. The PNR data would be extracted by the CBP and stored in the CBP’s own computer system. This was designed to allow the CBP to check on any terrorist connections of passengers before their arrival in the United States; the information could also be used in future investigations. If European airlines did not comply, they faced stiff U.S. penalties. But, if European airlines did comply, they ran the risk of breaking European privacy laws. As I said in my last post, many European privacy laws require “adequate” protection for private data transferred abroad and the United States is widely viewed as not affording “adequate” protection. Therefore, European airlines that transferred PNR data to the U.S. government risked being prosecuted by their own authorities.
The European Commission (the European Union’s civil service) took the lead in trying to fix the airlines’ dilemma. This it did based on its powers under the European Union’s Data Protection Directive. (Data protection is the European expression for data privacy and a directive is a type of EU law.) Because in my last post I was dealing with the NSA, I didn’t mention this law, which guarantees data privacy when firms and other actors process data for economic purposes. The Directive, passed in 1995 and in force since 1998, standardizes the privacy rules for market actors in all Member States of the European Union.
In February 2003, the European Commission and the CBP began negotiations on an agreement that would guarantee the privacy of European PNR data after it had been collected by the CBP. In spring 2004, the two sides reached an agreement. In May 2004, the Council of Ministers (the intergovernmental body where the Member States take decisions) and the European Commission adopted the decisions necessary to render the PNR agreement effective, internally, for the European Union. And, on May 28, 2004, the EU-U.S. PNR agreement was signed by a representative of the Council and the Secretary of the Department of Homeland Security. At that time, the agreement became effective externally, under international law.
But the European Parliament was not happy with the PNR agreement. Therefore, the Parliament challenged in the European Court of Justice both the Commission’s and the Council’s decisions rendering the agreement effective under internal, European Union law. The lawsuit was driven in large part by institutional politics unrelated to the substance of the agreement. For years, the European Parliament has been asserting, quite successfully, greater powers vis-à-vis the other two branches of EU government (the Council and the Commission); the PNR lawsuit represented a bid for greater powers in the foreign relations field. But setting aside the politics, what were the alleged defects, in EU law, of the PNR agreement? There were numerous legal grounds for the European Parliament’s challenge, most of which went to the inadequate protection of privacy.
In yesterday’s judgments, the Court of Justice found for the European Parliament. Not to cause too much turmoil for the governments and the airlines, the Court of Justice allowed the Commission’s decision (and, therefore, the PNR agreement too) to stay effective until September 30, 2006.
Perhaps more surprising than the outcome was the reasoning of the Court of Justice. (The Court was following the opinion of the Advocate General assigned to the case. Advocates General are members of the Court who are responsible for writing a public opinion before cases are decided, advising the Court on the law and the correct outcome.) The Court of Justice did not consider any of the privacy-related claims. Rather, it found that neither the Commission nor the Council had the power to enter into the PNR agreement.
To explain the Court’s logic, I must get into some basic EU law. The European Union has a bizarre constitutional structure that comes out of the fact that it used to be an international organization and is now a quasi-federal polity. It has three “Pillars.” The First Pillar governs the regulation of the common market—things like the rules that apply when a plane takes off from Rome and lands in Munich. This is not an area that goes to the core of national sovereignty, and so the European Union (actually “European Community” when we’re talking about the First Pillar) has acquired a lot of power in the First Pillar—and the Member States have lost a lot of power. In the PNR episode, the European institutions acted under the First Pillar: the Commission based its decision on the Data Protection Directive (a market-regulating, First Pillar law) and the Council based its decision on the Data Protection Directive, together with its more general First Pillar powers.
By contrast, the Second and the Third Pillars apply to matters that do go to the core of national sovereignty: defense and other types of foreign policy (Second Pillar) and fighting crime and protecting against internal security threats like terrorism (Third Pillar). The European Union has powers in these areas, but it is hamstrung in various ways by Member States anxious to preserve national sovereignty.
Since the PNR agreement involved private, commercial European air carriers, the Commission and the Council thought they could act under the First Pillar. But the Court of Justice disagreed—essentially the Court said that the European Union would have to act under the Third Pillar or not at all. Here I’m simplifying slightly. What the Court actually said was that since the text of the Data Protection Directive expressly does not cover “[data] processing operations concerning public security . . . and the activities of the State in areas of criminal law” (i.e., matters that fall under the Third Pillar) and since the PNR agreement covers “processing operations concerning public security and the activities of the State in areas of criminal law,” the Commission’s decision could not be based on the Data Protection Directive. It applied a similar logic to annul the Council’s decision. What the Court did not say was that the deeper, Three-Pillar constitutional structure of the European Union, which puts regulation of the market in the First Pillar and cooperation on fighting terrorism in the Third Pillar, barred the European Union from entering into the PNR agreement. In this, it was careful not to follow the Advocate General’s opinion to the letter (see his opinion at paras. 140-155). Therefore, the Court left the door open to an agreement based on, not the Data Protection Directive, but another aspect of the First Pillar. But it is extremely difficult to envisage what that might be, since the Data Protection Directive excludes public security and criminal law precisely because of the constitutional Three-Pillar structure. Plus, the Court, in its own analysis, put the transfer of PNR data squarely in the Third Pillar: the Court stated, without reservation, that the data transfer covered by that agreement was “not data processing necessary for a supply of services, but data processing regarded as necessary for safeguarding public security and for law enforcement purposes.” Para. 57.
What happens now? Because the basic problem remains: if European airlines refuse the CBP’s request for their PNR data, they face stiff U.S. penalties; if they comply with the CBP’s request, they risk breaking European privacy laws. (But after the Court of Justice’s decision, only national laws and the Council of Europe instruments I described in my earlier post, not EU law, since the Court of Justice said that the Data Protection Directive does not cover security-related data transfers.) As I see it, there are two scenarios. Either the European Union will enter into a similar, now Third-Pillar, agreement with the U.S. or the 25 different data protection laws of the 25 Member States will apply.
Under the Third Pillar, the Council can enter into international agreements. Thus the Council could sign another PNR agreement with the United States, just wearing its Third Pillar hat. But there are many hurdles, as compared to international agreements under the First Pillar. First, all the Member States in the Council must agree—over most Third Pillar matters, each Member State has a right of veto. Second, for such an international agreement to be effective, internally, it must comply with whatever ratification requirements exist in each of the 25 Member States. Third, the Council might very well first have to adopt internal, intra-European legislation on sharing airline data among European police authorities before it can enter into an external agreement with the United States. I’m not an expert on the Second and Third Pillars but that would be my reading of the applicable articles of the Treaty on European Union (arts. 24 and 30) together with the Court of Justice’s so-called ERTA doctrine. Ironically, the only advantage, speed-wise, that a Third Pillar agreement would have over the First Pillar is that the European Parliament would have no powers: it does not have the right to be consulted on proposed international agreements and it does not have standing to challenge such agreements in the Court of Justice. Would the European Union be able to surmount all of these obstacles before September 30? It is not impossible but keep in mind that those long, European summer vacations are coming up.
The second scenario is that the European Union will do nothing and, therefore, national laws would apply. As I alluded to in my last post, national laws are incredibly variable. In countries like the United Kingdom and Italy, air carriers could transfer passenger data for public security purposes without any guarantees of “adequate” data protection. But French and German carriers would probably need such guarantees. Moreover, under the Council of Europe’s Convention 108 and under all national, European laws, air carriers would need a basis in law for transferring PNR data. Without that, the personal data wouldn’t be processed “fairly and lawfully” as required by those instruments. Therefore, in all 25 Member States, national regulations would have to be passed, creating a legal duty for airlines to comply with the CBP’s requests.
These two fairly convoluted scenarios remind me of that famous quip of Henry Kissinger’s: “When I want to speak to Europe, whom do I call?” In the more humdrum area of trade and market regulation, this isn’t so much of a problem anymore. On security-related issues, however, it is still unclear whom the U.S. government should be calling.