<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Concurring Opinions &#187; Francesca Bignami</title>
	<atom:link href="http://www.concurringopinions.com/archives/author/Francesca-Bignami/feed" rel="self" type="application/rss+xml" />
	<link>http://www.concurringopinions.com</link>
	<description>The Law, the Universe, and Everything</description>
	<lastBuildDate>Sat, 21 Nov 2009 23:23:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.3</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>European Court of Justice Strikes EU-US Agreement on PNR Data</title>
		<link>http://www.concurringopinions.com/archives/2006/05/european_court.html</link>
		<comments>http://www.concurringopinions.com/archives/2006/05/european_court.html#comments</comments>
		<pubDate>Wed, 31 May 2006 22:35:00 +0000</pubDate>
		<dc:creator>Francesca Bignami</dc:creator>
				<category><![CDATA[International & Comparative Law]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Privacy (Law Enforcement)]]></category>
		<category><![CDATA[Privacy (National Security)]]></category>

		<guid isPermaLink="false">http://www.solove.org/archives/2006/05/european-court-of-justice-strikes-eu-us-agreement-on-pnr-data.html</guid>
		<description><![CDATA[<p>The European Court of Justice dealt a blow yesterday to European Union and U.S. policymakers, with two important judgments on privacy and transatlantic relations.  Back in 2004, the European Union and the United States signed an agreement guaranteeing the privacy of European airline passenger data when that data was transferred to the U.S. government.   In European Parliament v. Council of the European Union and European Parliament v. Commission of the European Communities, the Court of Justice found that the Europeans did not have the power, under their constitutional rules, to enter into the agreement.  Luckily for the airlines and the governments, the Court delayed the effect of its decision until September 30, 2006.  Until then, European airlines will keep on [...]]]></description>
			<content:encoded><![CDATA[<p>The European Court of Justice dealt a blow yesterday to European Union and U.S. policymakers, with two important judgments on privacy and transatlantic relations.  Back in 2004, the European Union and the United States signed an agreement guaranteeing the privacy of European airline passenger data when that data was transferred to the U.S. government.   In <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:62004J0317:EN:HTML">European Parliament v. Council of the European Union and European Parliament v. Commission of the European Communities</a>, the Court of Justice found that the Europeans did not have the power, under their constitutional rules, to enter into the agreement.  Luckily for the airlines and the governments, the Court delayed the effect of its decision until September 30, 2006.  Until then, European airlines will keep on being able to transfer their passenger data—and keep on being able to fly into American airports&#8211;without having to worry about breaking European privacy law.  Afterwards, it could get complicated.</p>
<p><span id="more-14159"></span><br />
Some background.  After the September 11 terrorist attacks, airlines flying into the United States were required to give the U.S. Bureau of Customs and Border Protection (CBP) access to the passenger name records (PNR data) in their computer systems.  In other words, the CBP was to be afforded access to the airlines’ databases in London, Rome, Amsterdam, and other European cities to extract PNR data on their American-bound passengers, before those passengers actually touched down in an American airport.  The PNR data would be extracted by the CBP and stored in the CBP’s own computer system.  This was designed to allow the CBP to check on any terrorist connections of passengers before their arrival in the United States; the information could also be used in future investigations.  If European airlines did not comply, they faced stiff U.S. penalties.   But, if European airlines did comply, they ran the risk of breaking European privacy laws.  As I said in my last post, many European privacy laws require “adequate” protection for private data transferred abroad and the United States is widely viewed as not affording “adequate” protection.  Therefore, European airlines that transferred PNR data to the U.S. government risked being prosecuted by their own authorities.</p>
<p>The European Commission (the European Union’s civil service) took the lead in trying to fix the airlines’ dilemma.  This it did based on its powers under the European Union’s <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML">Data Protection Directive</a>. (Data protection is the European expression for data privacy and a directive is a type of EU law.)  Because in my last post I was dealing with the NSA, I didn’t mention this law, which guarantees data privacy when firms and other actors process data for economic purposes.  The Directive, passed in 1995 and in force since 1998, standardizes the privacy rules for market actors in all Member States of the European Union.</p>
<p>In February 2003, the European Commission and the CBP began negotiations on an agreement that would guarantee the privacy of European PNR data after it had been collected by the CBP.  In spring 2004, the two sides reached an agreement.  In May 2004, the Council of Ministers (the intergovernmental body where the Member States take decisions) and the European Commission adopted the decisions necessary to render the PNR agreement effective, internally, for the European Union.  And, on May 28, 2004, the EU-U.S. PNR agreement was signed by a representative of the Council and the Secretary of the Department of Homeland Security.  At that time, the agreement became effective externally, under international law.</p>
<p>But the European Parliament was not happy with the PNR agreement.  Therefore, the Parliament challenged in the European Court of Justice both the Commission’s and the Council’s decisions rendering the agreement effective under internal, European Union law.  The lawsuit was driven in large part by institutional politics unrelated to the substance of the agreement.  For years, the European Parliament has been asserting, quite successfully, greater powers vis-à-vis the other two branches of EU government (the Council and the Commission); the PNR lawsuit represented a bid for greater powers in the foreign relations field.  But setting aside the politics, what were the alleged defects, in EU law, of the PNR agreement?  There were numerous legal grounds for the European Parliament’s challenge, most of which went to the inadequate protection of privacy.</p>
<p>In yesterday’s judgments, the Court of Justice found for the European Parliament.  Not to cause too much turmoil for the governments and the airlines, the Court of Justice allowed the Commission’s decision—and, therefore, the PNR agreement too&#8211;to stay effective until September 30, 2006.</p>
<p>Perhaps more surprising than the outcome was the reasoning of the Court of Justice.  (The Court was following the <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:62004C0317:EN:HTML">opinion of the Advocate General</a> assigned to the case.  Advocates General are members of the Court who are responsible for writing a public opinion before cases are decided, advising the Court on the law and the correct outcome.)   The Court of Justice did not consider any of the privacy-related claims.  Rather, it found that neither the Commission nor the Council had the power to enter into the PNR agreement.</p>
<p>To explain the Court’s logic, I must get into some basic EU law.  The European Union has a bizarre constitutional structure that comes out of the fact that it used to be an international organization and is now a quasi-federal polity.   It has three “Pillars.”  The First Pillar governs the regulation of the common market—things like the rules that apply when a plane takes off from Rome and lands in Munich.  This is not an area that goes to the core of national sovereignty, and so the European Union (actually “European Community” when we’re talking about the First Pillar) has acquired a lot of power in the First Pillar—and the Member States have lost a lot of power.  In the PNR episode, the European institutions acted under the First Pillar:  the Commission based its decision on the Data Protection Directive (a market-regulating, First Pillar law) and the Council based its decision on the Data Protection Directive, together with its more general First Pillar powers.</p>
<p>By contrast, the Second and the Third Pillars apply to matters that do go to the core of national sovereignty:  defense and other types of foreign policy (Second Pillar) and fighting crime and protecting against internal security threats like terrorism (Third Pillar).  The European Union has powers in these areas, but it is hamstrung in various ways by Member States anxious to preserve national sovereignty.</p>
<p>Since the PNR agreement involved private, commercial European air carriers, the Commission and the Council thought they could act under the First Pillar.  But the Court of Justice disagreed—essentially the Court said that the European Union would have to act under the Third Pillar or not at all.   Here I’m simplifying slightly.  What the Court actually said was that since the text of the Data Protection Directive expressly does not cover “[data] processing operations concerning public security . . . and the activities of the State in areas of criminal law” (i.e., matters that fall under the Third Pillar) and since the PNR agreement covers “processing operations concerning public security and the activities of the State in areas of criminal law,” the Commission’s decision could not be based on the Data Protection Directive.  It applied a similar logic to annul the Council’s decision.  What the Court did <strong>not</strong> say was that the deeper, Three-Pillar constitutional structure of the European Union, which puts regulation of the market in the First Pillar and cooperation on fighting terrorism in the Third Pillar, barred the European Union from entering into the PNR agreement.  In this, it was careful not to follow the Advocate General’s opinion to the letter (see his opinion at paras. 140-155).  Therefore, the Court left the door open to an agreement based on, not the Data Protection Directive, but another aspect of the First Pillar.  But it is extremely difficult to envisage what that might be, since the Data Protection Directive excludes public security and criminal law precisely because of the constitutional Three-Pillar structure.  
Plus, the Court, in its own analysis, put the transfer of PNR data squarely in the Third Pillar:  the Court stated, without reservation, that the data transfer covered by that agreement was “not data processing necessary for a supply of services, but data processing regarded as necessary for safeguarding public security and for law enforcement purposes.”  Para. 57.</p>
<p>What happens now?  Because the basic problem remains:  if European airlines refuse the CBP’s request for their PNR data, they face stiff U.S. penalties; if they comply with the CBP’s request, they risk breaking European privacy laws. (But after the Court of Justice’s decision, only national laws and the Council of Europe instruments I described in my earlier post, not EU law, since the Court of Justice said that the Data Protection Directive does not cover security-related data transfers.)   As I see it, there are two scenarios.   Either the European Union will enter into a similar, now Third-Pillar, agreement with the U.S. or the 25 different data protection laws of the 25 Member States will apply.</p>
<p>Under the Third Pillar, the Council can enter into international agreements.  Thus the Council could sign another PNR agreement with the United States, just wearing its Third Pillar hat.  But there are many hurdles, as compared to international agreements under the First Pillar.  First, all the Member States in the Council must agree—over most Third Pillar matters, each Member State has a right of veto.  Second, for such an international agreement to be effective, internally, it must comply with whatever ratification requirements exist in each of the 25 Member States.   Third, the Council might very well first have to adopt internal, intra-European legislation on sharing airline data among European police authorities before it can enter into an external agreement with the United States.  I’m not an expert on the Second and Third Pillars but that would be my reading of the applicable articles of the Treaty on European Union (arts. 24 and 30) together with the Court of Justice’s so-called ERTA doctrine.   Ironically, the only advantage, speed-wise, that a Third Pillar agreement would have over the First Pillar is that the European Parliament would have no powers&#8211;it does not have the right to be consulted on proposed international agreements and it does not have standing to challenge such agreements in the Court of Justice.  Would the European Union be able to surmount all of these obstacles before September 30?  It is not impossible but keep in mind that those long, European summer vacations are coming up.</p>
<p>The second scenario is that the European Union will do nothing and, therefore, national laws would apply.  As I alluded to in my last post, national laws are incredibly variable.  In countries like the United Kingdom and Italy, air carriers could transfer passenger data for public security purposes without any guarantees of “adequate” data protection.  But French and German carriers would probably need such guarantees.  Moreover, under the Council of Europe’s Convention 108 and under all national, European laws, air carriers would need a basis in law for transferring PNR data.  Without that, the personal data wouldn’t be processed “fairly and lawfully” as required by those instruments.  Therefore, in all 25 Member States, national regulations would have to be passed, creating a legal duty for airlines to comply with the CBP’s requests.</p>
<p>These two fairly convoluted scenarios remind me of that famous quip of Henry Kissinger’s:  “When I want to speak to Europe, whom do I call?”   In the more humdrum area of trade and market regulation, this isn’t so much of a problem anymore.  On security-related issues, however, it is still unclear whom the U.S. government should be calling.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.concurringopinions.com/archives/2006/05/european_court.html/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The NSA Phone Call Database: The European Perspective</title>
		<link>http://www.concurringopinions.com/archives/2006/05/the_nsa_phone_c.html</link>
		<comments>http://www.concurringopinions.com/archives/2006/05/the_nsa_phone_c.html#comments</comments>
		<pubDate>Mon, 29 May 2006 22:51:16 +0000</pubDate>
		<dc:creator>Francesca Bignami</dc:creator>
				<category><![CDATA[International & Comparative Law]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Privacy (Electronic Surveillance)]]></category>
		<category><![CDATA[Privacy (Law Enforcement)]]></category>
		<category><![CDATA[Privacy (National Security)]]></category>

		<guid isPermaLink="false">http://www.solove.org/archives/2006/05/the-nsa-phone-call-database-the-european-perspective.html</guid>
		<description><![CDATA[<p>Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law?  I think so, for the reasons I explore below.</p>
<p>Why should anyone care that the outcome would have been so different under European privacy law?  One reason for the comparison with Europe is that it enables us to understand better current developments in American law.  It is striking how similar American and European data privacy law was in the early 1970s, how different it is today.  The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974.  Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American [...]]]></description>
			<content:encoded><![CDATA[<p>Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law?  I think so, for the reasons I explore below.</p>
<p>Why should anyone care that the outcome would have been so different under European privacy law?  One reason for the comparison with Europe is that it enables us to understand better current developments in American law.  It is striking how similar American and European data privacy law was in the early 1970s, how different it is today.  The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974.  Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers.  There are many reasons for the divergent paths of the two systems.  This latest example of difference highlights one set of reasons:  the President’s new constitutional powers in fighting terrorism, post-September 11.  Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief.  In Europe, that would not be possible.</p>
<p>A more pragmatic reason for caring about the different result under European privacy law is that it could undermine transatlantic cooperation in the fight against terrorism.  Some European laws forbid the transfer of public security and law enforcement data to countries without adequate privacy protection.  This latest revelation just reinforces the European view that U.S. privacy laws are inadequate—and therefore could make European governments reluctant to turn over information on European citizens to the American government in the fight against terrorism.</p>
<p><span id="more-14169"></span><br />
The details of the NSA call database are murky.  For purposes of my analysis, I’m assuming the following:  (1) it was authorized by a secret, executive order, based on the President’s constitutional commander-in-chief powers; (2)  the database contains call records—when, for how long, and to which phone numbers the calls were made&#8211;of millions of American citizens that are traceable to those citizens; (3) before the program became operative, no government officer independent of the President’s administration had the opportunity to review the program for privacy concerns and, since it has become operative, no independent officer has the power to enforce compliance with basic privacy safeguards.</p>
<p>In Europe, any database of electronic information that can be traced to individuals, including phone records, is considered a possible threat to the fundamental right to private life.  For databases created for intelligence and law enforcement purposes, there are two Europe-wide sets of standards:  Article 8 of the <a href="http://www.echr.coe.int/NR/rdonlyres/D5CC24A7-DC13-4318-B457-5C9014916D7A/0/EnglishAnglais.pdf">European Convention on Human Rights</a> on private life and the <a href="http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm">Council of Europe’s Convention 108 on Personal Data Processing</a>.  The European Court of Human Rights has decided a number of <a href="http://cmiskp.echr.coe.int/tkp197/view.asp?item=1&#038;portal=hbkm&#038;action=html&#038;highlight=5029/71&#038;sessionid=7214055&#038;skin=hudoc-en">telecommunications surveillance</a> and data privacy cases under Article 8.  A third set of <a href="http://eur-lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0475en01.pdf">standards</a>, covering intra-European exchanges of personal information to prevent, investigate, and prosecute crime, is being negotiated in the European Union.  All European countries also have their own data protection laws, which set down more precise duties and rights.  The ones I’ll be referring to here are the laws of <a href="http://www.lda.brandenburg.de/sixcms/media.php/2232/bdsg.pdf">Germany</a>, <a href="http://www.cnil.fr/index.php?id=301">France</a>, <a href="http://www.garanteprivacy.it/garante/navig/jsp/index.jsp">Italy</a>, and the <a href="http://www.opsi.gov.uk/acts/acts1998/19980029.htm">UK</a>.</p>
<p>Under Article 8 of the European Convention on Human Rights, the NSA’s database would have to satisfy three conditions.  First, it would have to be authorized by a law that was accessible to the public and that contained precise enough provisions to curb arbitrary government action and to put citizens on notice of possible incursions into their private sphere.  Second, the purpose of the interference with privacy would have to be legitimate.  Both “national security” and “public safety” count as legitimate purposes.   Third, the interference with privacy would have to be proportional.  Proportionality turns on two, related  inquiries:  Is there evidence that the government action can achieve the stated purpose?  Is the government action necessary for accomplishing the stated purpose or are there alternative means of accomplishing the same purpose that will burden the right less?  The burden of justification on the government, under the proportionality test, varies tremendously, depending on the right at stake and the public interest being pursued.  The more important the right, the higher the burden on the government, the more important the public purpose, the lower the burden on the government.</p>
<p>When the privacy right at stake is data privacy, the proportionality investigation is guided by some of the more specific guarantees of Convention 108.  For instance, the <em>amount</em> of the data processed should be no more than necessary to accomplish the purpose.  Neither should the <em>time</em> during which the data are stored be any longer than necessary to accomplish the purpose.  As a special safeguard for the burdened, privacy right, individuals should have the right to check their personal data, to make sure that it is accurate and that, in all other respects too, their personal data is being processed in accordance with the law.  Most European countries have also ratified a <a href="http://conventions.coe.int/Treaty/en/Treaties/Html/181.htm">protocol</a> to the Convention, providing for an independent supervisory authority, and even those that have not ratified the protocol, have such a supervisory authority.  In most countries, privacy authorities have advisory powers over proposed legislation, while everywhere they have oversight powers, to ensure compliance.  The Convention allows for certain exceptions from its privacy guarantees, including exceptions for national security and law enforcement. However, those exceptions must themselves be based on law and be proportional.</p>
<p>How would the NSA’s database fare under this European privacy law?  First, based on European Court of Human Rights’ case law as well as French and German data protection law, I think that the database would fail the requirement of an authorizing law.  It does not appear to me that a secret, executive order based on a constitutional conferral of power to the President to serve as “commander in chief” would be good enough.  (Of course, the administration’s lawyers might have in mind more precise statutory text as the authority for the database, in which case this analysis could change.)  It is neither accessible to the public, nor is it specific enough to curb arbitrary exercises of power and to put citizens on notice of how their government is interfering with their basic rights.  What about the Bush administration’s argument that any disclosure of the NSA call program threatens American national security?  For, as I mentioned above, the Europeans allow for exceptions based on national security concerns.  In my view, that argument would fail, both in the European Court of Human Rights and in national, European courts.  Certainly, courts have permitted European governments to keep secret some of the methods used in surveillance, together with the specific targets of surveillance.  (Paul Schwartz has a terrific discussion of some of the German law in his article, <a href="http://www.paulschwartz.net/pdf/hastings-03.pdf">German and U.S. Telecommunications Privacy Law, 54 Hastings L.J. 751 (2002-2003)</a>.  And Verna Zöller provides an informative update in <a href="http://www.germanlawjournal.com/article.php?id=424">Liberty Dies by Inches, 5 German L. J. 469 (2004)</a>.)  But I don’t know of any instance in which they have allowed such a massive government program, involving almost entirely national citizens, to go forward without some basis in a reasonably detailed, public law.</p>
<p>The good news for the NSA call program is that it would satisfy the second European legal requirement:  national security is, most certainly, a legitimate purpose.  Then we get to proportionality.  Is a database with the calling records of tens of millions of citizens necessary for fighting terrorism?  When making this kind of  determination, European courts and privacy officers show considerable deference to their intelligence services.  Courts and privacy officers are acutely aware of  their limits in understanding how to combat terrorism, as compared to the seasoned professionals in their national intelligence services.  But, in Europe, the government would have to make the case—not necessarily in public or in an ordinary court of law—that the data collection was capable of reducing the terrorist threat.  The government would also have to consider other types of regulation, less invasive of the private lives of ordinary Americans&#8211;say, a database of the telephone records of al Qaeda suspects only.  The government would also have to demonstrate that there were privacy-protecting safeguards in place.  Again, European laws allow for exceptions based on national security concerns, but, again, I don’t think that those exceptions would apply here.  Since we don’t know much about the NSA call program, we don’t know whether it is, in fact, supported by this type of reasoning.  On the proportionality issue, therefore, I can’t come to any conclusion.</p>
<p>What about an independent privacy agency?  That is certainly absent from the NSA call program.  In much of Europe—including Germany (Federal Data Protection Act, section 26) and France (Law No. 78-17, article 11.4 and article 26.I)—this independent agency would have had to be consulted on the NSA program before it became operational.  Many things can go wrong when a government collects information on the habits of its citizens, including phone records:  phone numbers might be matched to the wrong people, leading the government to suspect ordinary citizens of being covert al Qaeda operatives; an intelligence officer who thinks that his wife is cheating on him might check her phone records; once the phone records get too old to help in the fight against terrorism, they might be passed along to tax fraud investigators or to direct marketers.  Consultation of a privacy expert, when a government program is being designed, is an important way of ensuring that the necessary safeguards are in place, before any of these abuses can occur.</p>
<p>Moreover, in all of Europe, an independent privacy agency would have to have the power to ensure that government officers, in running the program, were complying with basic privacy safeguards.  Here, even under European laws, there are exceptions for intelligence agencies.  For instance, under German law, the Federal Commission for Data Protection does not have jurisdiction over telecommunications surveillance (which, under German law, includes calling records)  when conducted by an intelligence agency (Federal Data Protection Act, section 24).  But another independent, government body does have the power to order the government to stop illegal surveillance:  a special, bi-partisan, parliamentary commission known as the G-10 Commission.  Under French law, individuals do not have the right to check, directly, whether the information held on them by security agencies is lawful, but must be able to do so, indirectly, through their national privacy agency (Law 78-17, article 41).  Furthermore, under European laws, these exceptions to jurisdiction do not apply to personal data used for law enforcement purposes.  This is significant for the NSA program because it is unclear whether the information is being used only by intelligence officers, or by law enforcement agencies too.  In sum, under European laws, the NSA program could not be exempted entirely  from oversight by an independent government body with the power to investigate and to stop violations of privacy rights.</p>
<p>Now for the bottom line.  Why does it matter that the NSA call program would be illegal under European privacy law?  That, if any European government tried to do the same thing, it would be breaking the law?  As I said at the beginning, I think that the different result under European law is revealing for what it says about current transformations in American law:  it underscores the extent to which national security concerns are coming to dominate American law.</p>
<p>There is also a more pragmatic reason for taking European privacy law seriously.  The National Security Agency might want information on the calls made by Europeans, in Europe.  But because the way it handles  private data is so out-of-line with European law, it is increasingly unlikely that the NSA will be able to get call information&#8211; or any other private information for that matter&#8211;from European governments.</p>
<p>Let me explain a bit further.  In some European countries, private data cannot be transferred to countries without “adequate” privacy safeguards, even if that data is requested for national security purposes.  This is the case in Germany, where an exception to the adequacy principle can be made only “for compelling reasons of defence or to discharge supranational or international duties in the field of crisis management or conflict prevention or for humanitarian measures.”  (Federal Data Protection Act, section 4b(2)).  This is also the case for France, where there is a public security exception to the adequacy principle, but that exception is still subject to a determination that the personal information will be protected in the country of destination (Law No. 78-17, article 69).  Furthermore, at the European Union level, a series of laws are being negotiated that would enable police authorities, for purposes of preventing or prosecuting crimes, including terrorism, to freely exchange data like calling records and then transfer that data to their intelligence agencies.  These are:  the <a href="http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf">European Parliament and Council Data Retention Directive</a> (adopted in March but not yet in force), the <a href="http://eur-lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0490en01.pdf">Council Framework Decision on the exchange of information under the principle of availability</a> (under negotiation), and the <a href="http://eur-lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0475en01.pdf">Council Framework Decision on the protection of personal data</a> (under negotiation).  
However, under the <a href="http://register.consilium.europa.eu/pdf/en/06/st06/st06450-re01.en06.pdf">current version</a> of the privacy part of the package, information like calling records could only be transferred to third countries that ensure “an adequate level of data protection”  (Council Framework Decision on the protection of personal data, article 15.1(d)).   Therefore, with one exception (article 15.6), national,  European police and security agencies would have to deny an NSA request for call records.  No wonder that the Americans expressed concern about this provision at a <a href="http://www.statewatch.org/news/index.html">March 2-3, 2006 EU-US meeting</a>.</p>
<p>Under all of these laws, even if privacy is not adequately protected in the destination country, an international agreement can stipulate privacy safeguards for the transferred data, and therefore render the transfer lawful.  But the news of secret U.S. surveillance programs has made it more difficult to take this route.  How are European governments to trust that an undertaking of an agency like the NSA or the FBI will not be quickly superseded by a secret order issued by the President, based on his constitutional powers?  Of course, if that were to occur, European governments would have claims against the United States under international law.  But given the weak enforcement mechanisms of international law and changing American surveillance practices, it is unclear whether such an undertaking could serve as a sufficient guarantee of European privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.concurringopinions.com/archives/2006/05/the_nsa_phone_c.html/feed</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
	</channel>
</rss>
