Tuesday, May 30, 2006

US-EU Passenger List Transfers—Ruled Illegal

In May 2004, the United States and the European Union entered into an agreement in which the EU would supply the US with “34 items of information on passengers, including name, address and credit card details, within 15 minutes of departure to the United States.”[1] That agreement, which was ostensibly about protecting against ,[2] has been ruled by the European Court of Justice [hereinafter ECJ] as “founded on an inappropriate legal basis.”[3]

At the time the agreement was made, civil liberties groups were harshly critical and the European Parliament challenged the agreement, contending that “it had no legal basis and infringed fundamental rights.”[4] The ECJ declined to rule on whether it infringed on privacy rights.[5]

The decision has created a situation of serious legal limbo as trans-Atlantic carriers struggle to comply with two conflicting sets of laws.[6] If airlines do not pass the relevant information on, they face fines of up to $6,000 per passenger and the loss of landing rights.[7] EU nations now have until September 30 to come to some sort of legitimate legal footing regarding the agreement, and if they “fail to fix legal technicalities by that dare, airlines may have to change the way they collect and transfer data.”[8]

The case came to the ECJ based partly on Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which states, in pertinent part, that every person in the EU has the right to respect for his privacy in personal matters, and that no public authority may interfere with the exercise of this right, except as is necessary and legal in the interests of national security or the like.[9] The Parliament advanced four privacy-based pleas for annulment: ultra vires action, breach of the fundamental principles of Directive 95/46/EC (which protects individuals with regard to personal data processing), breach of fundamental rights, and breach of the principle of proportionality.[10] The ECJ found that the allegation that the Directive was infringed “is well founded,”[11] but that the other “limbs” of this argument need not be addressed.[12]

The Parliament also advanced six legal-foundations-based pleas for annulment, namely that Article 95 EC was an incorrect legal basis for the Decision to share passenger data.[13] The ECJ agreed, and the point is exceptionally nuanced. In essence, Article 95 EC requires that decision have “as its objective and subject-matter the establishment and functioning of the internal market by contributing to the removal of obstacles to the freedom to provide services”; there are no provisions designed to achieve such an objective.[14] In short, the situation is much like what happened when the United States Federal Communications Commission attempted to require broadcasters to include “broadcast flags,” which courts ruled could not happen because Congress had not given the FCC such authority; before the FCC could require the “flags,” Congress would have to give the FCC the authority to require it.[15] Likewise, before the Commission could require the sharing of passenger data, there needs to be an appropriate, non-infringing basis for doing so.


[1] , Deutsche Welle, May 30, 2006.
[2] , Bloomberg, May 30, 2006.
[3] DW, supra note 1.
[4] Id.
[5] Id.
[6] Bloomberg, supra note 2.
[7] Aoife White, , AP (via Forbes), May 30, 2006.
[8] Id.
[9] Case , Parliament v. Commission, (2006) ¶ 3.
[10] Id. ¶ 50.
[11] Id. ¶ 60.
[12] Id. ¶ 61.
[13] Id. ¶ 62.
[14] Id. ¶¶ 63, 68-69.
[15] , 406 F.3d 689 (D.C. Cir. 2005).

posted by McNabb Associates, P.C. @ 1:37 PM