ECJ rules on airline data case

Agreement over transfer of airline passenger data to US ‘illegal’

The European Court of Justice has ruled that an agreement struck two years ago between the European Commission and the United States which enables US authorities to obtain and process personal data of US-bound European airline passengers lacks a sufficient legal basis.

Under the agreement airlines carrying passengers into the US are required to transfer passenger name records (PNR) to the US Custom and Border Protection for the purposes of the prevention of terrorist activities and for the detection of other serious crimes.

The European Parliament challenged this agreement, being primarily opposed to the Commission’s finding that the US guaranteed adequate safeguards for the transferred data, commensurate with EU data protection law, and the Council’s subsequent approval of this decision.

The Court chose to annul the decisions of the Council and the Commission without entering into a substantive analysis of the PNR agreement. The Court ruled that the Data Protection Directive was the wrong legal basis upon which to base the agreement since the processing operations concerned matters of public security and criminal law, an area of law not covered by the Directive.

While this decision may be considered a vindication of privacy rights, it is likely that a similar agreement will be reached in the near future, albeit upon a different legal foundation.