In the aftermath of 11 September 2001 the US government introduced a number of laws aimed at preventing further airborne terrorist attacks. Among the new statutory obligations was a requirement that airlines flying to and from the US disclose passenger and crew-related information before, or shortly after, each flight takes to the air. Airlines that fail to comply face heavy fines and risk losing their landing rights. But how could airlines comply with the new US laws requiring them to divulge passenger information and also abide by European laws requiring them to keep it secure?
Almost five years on and airlines are still caught in the middle of a confusing, highly political and often misleading debate between various European bodies. The chaos has been magnified by the fractured and inconsistent ways in which European data protection law has been implemented by individual member states. Now, in the latest twist, a new ruling by the European Court of Justice has taken the airlines back to square one.
So what’s the issue?
Airlines store passenger information in flight-specific data files called passenger name records (PNRs). These are processed primarily by the airlines’ reservation and departure control systems (RES/DCS). Because of technical limitations, airlines can currently meet the US data requirements only by providing the US Customs and Border Protection Agency (CBP) with online access to their databases so that agents can themselves ‘pull’ the data they need from the RES/DCS systems. A more satisfactory approach would be for the airlines to ‘push’ a data file containing only the relevant PNR data to the US authorities, but most airline systems cannot cope with this.
Because PNRs identify living individuals, they are considered ‘personal data’ under European data protection law. As readers are likely to know only too well, this imposes a number of obligations on the data processor, including:
· the need for the individual data subject to consent to processing;
· restrictions on processing for purposes not notified to the individual when consent was given; and,
· a prohibition on transfers to countries outside the European Economic Area which do not have the same level of legal protection for personal data (unless specific consent has been given or certain other conditions have been met).
The merry-go-round
First among EU groups and institutions to react formally to the new US legal requirements was the ‘Article 29 committee’, a powerful European-level body populated by representatives of the data protection regulators in each member state. In 2002 the committee declared the requirements to be in breach of European data protection law. The European Parliament then followed suit, condemning the US requirements on a number of grounds, including human rights. It soon became clear that the airlines were between a rock and a hard place; forced to choose between meeting either US or European legal demands in order to ferry passengers to and from the US.
Both the European Parliament and the regulators of the Article 29 committee urged the European Commission to negotiate an appropriate European-level bi-lateral agreement with Washington to control CBP data access and so protect the privacy of European air passengers. Airlines saw this agreement as a good idea; it could resolve the legal conundrum at a stroke and, importantly, save airlines the misery of 15 (now 25) separate discussions with individual member state regulators.
The European Commission did indeed negotiate a draft agreement with the US but the European Parliament and many of the regulators were not happy with it. The Commission pressed ahead regardless and approved the draft agreement as having resolved the breaches of European data protection law identified so far. The Council of Europe also endorsed the proposed agreement on the grounds that it protected the single market ideal by creating one legal solution for the whole of the EU.
The European Parliament was furious and, supported by Europe’s newly-appointed data protection supervisor, it now claimed that the Commission’s measures were illegitimate because PNR data transfers were not subject to European data protection law after all. In spite of the fact that the data protection supervisor’s own Web site carried Article 29 Committee opinions supporting the proposition that European data protection law did apply to PNRs, the European Parliament began legal proceedings in 2004 to establish the opposite. Confused? Imagine being an airline.
What??!
Thus the ECJ judgment of 21 May 2006, annulling the commission’s “approval” and the inter-state agreement signed by the Council, is a victory for the European Parliament, albeit, as it turns out, a pyrrhic one (see the last paragraph of this article). .
By way of background it is worth knowing that European co-operation between member states rests on three ‘pillars’. Pillars two and three are largely matters decided between the governments of member states – these include matters such as state security, defence, etc. The first pillar covers everything else – all those areas in which member states have effectively ceded sovereignty to the European legislative ‘machine’ – and this is largely the domain in which the law-making powers of the European Parliament, Commission and data protection supervisor arise.
One of the key aims of the first pillar is the promotion of the single market. The idea behind the single market is a Europe which, for the purposes of trade, is borderless. For this to work there needs to be a flattening of legal differences between member states where these differences are relevant to trade. The 1995 data protection directive was one such attempt at flattening. Unfortunately the compromises that had to be made to get the law agreed now provide member states implementing the law with a relatively wide discretion in key areas. In short, Europe is far from flat when it comes to data protection.
The ECJ ruling thus implies that this is not ‘pillar one’ territory because the disclosure requirement is ultimately a matter of state security. Accordingly, the contested disclosure of PNR data to US authorities is outside the scope of data protection law and the Commission and the Council were, therefore, relying on an inappropriate legal basis when they adopted their respective positions.
Was it all worth it?
The ECJ’s conclusions are arguable, so let’s pretend for a moment that the ECJ is wrong and European data protection law does apply to PNRs. From a UK data protection perspective, and taking a plain English reading of the directive, was the Article 29 Committee justified in holding those early opinions that started this furore?
It is certainly true that, on the face of it, the US wants a relatively unrestrained right to do whatever it wants with PNR data, including using it for anti-terrorism measures but also using it for immigration and crime prevention as well as other largely undefined purposes. Some people might well object to such a rampant invasion of their privacy now being part of the cost of getting on a plane to the US. But such well-founded fears aside, the central legal question remains: does this amount to a breach of data protection law?
As we know, informed consent is required under EU data protection law for processing to take place at all. For a transfer to the US to take place, a further informed consent is required. But why should these requirements be so impossible to satisfy? The Article 29 Committee has speculated that ‘freely given … consent may be difficult to obtain’ and concluded, therefore, that consent does not offer a ‘proper solution’. But this is a non sequitur. Consent may, as the committee said, be “complicated” to achieve, but whether or not consent has been obtained is, ultimately, a question of fact in each case. It seems rash to write off the possibility that airlines and their distributors might use customised booking and privacy forms to achieve the necessary consent as too complicated, as the committee appears to have done. The law does not say you can consent only to easy things. Nor does it say that consent is ‘freely given’ only if you have the option of withholding consent and still flying to the US. If you don’t like the deal, don’t get on the plane.
The committee also speculated that data protection breaches would occur because the PNR data would be ‘excessiv’” given the aims of the US authorities and that, therefore, this might itself be a breach of data protection law. But is the Article 29 Committee really qualified to decree what is, and what is not, excessive for US law enforcement officials to require in order to allow visitors to fly to their country?
Where there may be a legitimate issue is in the wide and undefined nature of the US‘s declared processing aims; the directive certainly requires that the purposes for the processing be ‘specific’ and ‘explicit’. But even this is only arguable.
On the face of it, then, the stark conclusions of the Article 29 Committee that the US requirements were incompatible with data protection requirements do not entirely seem to add up. Certainly airlines would probably prefer a single piece of paper signed by the US and Europe that says it’s OK for them to comply with US security requirements; it would save them having to consider whether their privacy notices work and of having to haggle with regulators all over the EU. But that is not the point. A law that was intended to introduce conformity and facilitate trade across Europe has actually cost the European taxpayer and businesses four years and a lot of money figuring out what it actually means. And this is just one such issue which, in spite of how it might look, is not a particularly difficult one either. The real difficulty rests with the politics, but that is rightly another matter.
Back in 2003, at the time of the commission’s review of the data protection directive, we and many others argued that Europe’s data protection law required fundamental change if it was to be made to work properly. In particular, the law should be easily understood particularly by citizens, consistently implemented across Europe and proportionate. Unfortunately these calls remain unheeded.
In the meantime it looks like the airlines will get their piece of paper. The Commission has just announced that it will side-step the data protection directive and the European Parliament and go straight to member state governments for the permission it needs to sign a deal with the US.
Tim Pullan is a Partner in the IT & Ousourcing Group at Lawrence Graham LLP: tim.pullan@lawgram.com