A Hiccup for Security-Based Data Transfers to the US

June 1, 2006

On 30 May 2006 the European Court of Justice (‘ECJ’) annulled the decisions of the European Commission and the Council that led to the transfer of personal data relating to passengers on flights to, from or across US territory to US authorities. The US authorities were provided with electronic access to the data contained in air carriers’ reservation and departure control systems, called Passenger Name Records (‘PNR’) (Joined Cases C-317/04 European Parliament v Council of the European Union and C-318/04 European Parliament v Commission of the European Communities ). 

On 14 May 2004, the Commission adopted a "decision of adequacy" under Directive 95/46/EC (the Data Protection Directive), finding that the US personal data protection regime provides an adequate level of protection for PNR data transferred from the EC. On 17 May 2004, the Council adopted a decision approving the conclusion of an agreement between the EC and the US to transfer PNR data held by air carriers established in EU Member States. The agreement entered into force on 28 May 2004.

The European Parliament applied to the ECJ for annulment of the decisions of the Commission and the Council, contending, in particular, that adoption of the decision on adequacy does not fall under the competence of the Commission, that the EC Treaty does not provide a legal basis for the Council decision approving the conclusion of the agreement and, in both cases, that fundamental rights were infringed by the agreement. 

The ECJ annulled the decisions of both the Commission and the Council, concluding that they were founded on inappropriate legal bases. 

Findings of the ECJ

The ECJ concluded, first of all, that the Commission could not validly adopt the decision on adequacy because the transfer of PNR data is a "processing operation" concerning public security and criminal law. As such, it falls within the exclusive competence of EU Member States, rather than the Commission (whose remit does not include processing that is necessary for safeguarding public security or for the purposes of criminal enforcement). Although PNR is initially collected for the provision of services, the Commission’s decision, according to the ECJ, concerned data processing necessary for safeguarding public security and for the purposes of criminal enforcement. The fact that the PNR data is collected by private entities (for commercial purposes), and is transferred by such entities does not prevent that transfer from being data processing that is necessary for safeguarding public security and for the purposes of criminal enforcement. Consequently, the Court annulled the Commission’s decision on adequacy. 

As to the Council’s decision to agree to conclude the agreement, the ECJ found that Article 95 EC, read in conjunction with Article 25 of Directive 95/46/EC, does not create Community competence to conclude an agreement with the United States which relates to the transfer of personal data where the data processing contemplated is excluded from the scope of the Directive. Consequently, the ECJ also annulled the Council’s decision.

Effects of the ECJ Judgment

Firstly, if the transatlantic data flow is not to be disrupted, the EC-US agreement on PNR transfers must be re-negotiated. The question remains whether such renegotiation will have to occur with individual Member States. 

Secondly, and more broadly, the ECJ’s judgment calls into question the ability of both the Commission and the Council to agree to the transfer of personal data to the US, or any other jurisdiction without "adequate" personal data protection regimes, where the contemplated transfer concerns public security and criminal law. For example, in October 2005 a similar agreement was signed with Canada. While that agreement provides a greater level of data protection, contemplates the transfer of less data, and contemplates data transfer using a “push” system (rather than the more intrusive “pull” system in use with the US), it is also based on a Commission decision regarding adequacy. In a post-September 11 environment, public security is increasingly being used as a justification for a number of international data processing arrangements. The ECJ’s judgement is likely to have knock-on effects for similarly justified data transfer agreements in a range of sectors.

Thirdly, although the ECJ annulled the decisions of the Commission and the Council on the basis that neither entity had a legal basis for their decision, and did not analyse the content of the agreement, many believe that the data transfers violated the privacy of passengers. The agreement required airlines to transfer to the US authorities 39 pieces of data on passengers flying to the US, including their names, addresses, telephone numbers and credit card numbers. This data is clearly personal data, and passengers had not consented to their transfer, nor was it necessary for the performance of a contract or on any of the other grounds set out in Directive 95/46/EC. In such circumstances, data controllers need to be aware of the circumstances in which they can transfer personal data outside the European Union.

Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn attorney with whom you work, or Michael Walther ([email protected];+49 89 189 33-180) in Munich or Miranda Cole ([email protected]; +32 2 554 7201) in Brussels.    

© 2006 Gibson, Dunn & Crutcher LLP

The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.