EU- USA "agreement" and "findings" on airline reservation data transfers are invalid

As had been expected and as the Court’s own “Advocate General” (investigating magistrate) had recommended , the Court of Justice of the European Community today ruled in two cases brought by the European Parliament, annulling both the agreement with the USA entered into by the European Commission to permit access by the Customs and Border Protection (CBP) division of the USA Department of Homeland Security (DHS) to airline reservation data collected in the European Union (EU), and the finding by the European Council that airline reservation data transferred to the USA is adequately protected to satisfy EU law.

The Court’s combined decision in the two cases is based entirely on the (dubious) conclusion that the transfer of reservation data to CBP is undertaken solely for purposes of “national security”, “public security”, and law enforcement, which are subject to different procedural and jurisdictional rules than were followed in the overturned Council and Commission decisions. The decision left open the possibility that the data transfers themselves might, or might not, be found to be legal on other grounds or under some different type of agreement.

The decision applies not just to just to reservations on European airlines, or flights to and from Europe, but even for flights within the USA if the reservations are made in Europe or through a European entity such as a travel agency, tour operator, or airline office in Europe, or through the Europe-based Amadeus CRS used by many travel agents and airlines worldwide.

But by holding that certain claimed purposes are exempt from EU privacy and data protection law, it leaves unclear the status of the pending complaints and enforcement requests against airlines and other entities (the other main culprits being the computerized reservation systems or CRS’s) who have turned over reservation data on passengers or other people (such as third parties paying for tickets) to the USA, or who have transferred data to commercial entities in the USA (such as USA-based airlines and CRS’s) without commitments by those entities to protect the data adequately in accordance with EU law.

National data protection authorities in EU countries, as well as the European Commission as the enforcement agency for the privacy clause of the EU regulations governing CRS’s (which apply to CRS’s that operate in the EU, regardless of where they are based, and which have been flagrantly violated), had stayed action on complaints against airlines and other entities that transfer reservation data to the USA, pending the outcome of the court cases brought by the European Parliament.

A new debate will now begin on whether, and if so how, they should take action to bring the practices of the travel reservation data processing industry into compliance with EU law. Central to this process would be fundamental changes in the data “sharing” practices of the commercial reservation processing industry centered on the CRS’s.

The decision postpones the effective date of its annulment of the “agreement” with the USA until 30 September 2006, presumably to allow time for a new agreement to be negotiated and approved. As with the original (improperly adopted) agreement, the strategy of the USA and its allies (the UK intervened in the European Court on the side of the USA) will be of secret back-room negotiations and heavy pressure. Direct involvement of European data protection authorities in the new negotiations, as well as close monitoring by privacy advocates and NGO’s, will be crucial if the likely new agreement is to be any improvement over the one just overturned. And on this side of the pond, privacy advocates and civil libertarians in the USA need to insist that any replacement international agreement that is intended to be binding on the USA (as it would have to be to satisfy EU law and comply with the European Court decision), be properly presented for ratification by the Senate as required by USA law, and not be entered into by an unconstitutional executive or administrative fiat of the President or the DHS.

[Addendum, 30 May 2006: Most of the reports on the European Court decision have assumed that, while the agreement (now annulled) was in in effect, airlines and the USA government have been complying with it. But that’s not true, and there have been a series of lies about what the agreement actually said, and what was actually being done. Among other things, first, the airlines were supposed to “push” to the government only certain types of data extracted from passenger name records for flights only for between the USA and Europe, and only 15 minutes before departure. So far as I can tell, this “push” system was never implemented (too difficult and expensive, given the lack of standardization in PNR data entry formats, and anyway the airlines didn’t really care about the invasion of their customers’ privacy). Instead, airlines have provided the USA government with unrestricted access to “pull” any data from any PNR of any flight. I’ve been told by a source familiar with the access logs that the USA has accessed complete PNR data on flights entirely within the EU, weeks in advance. Second, there was supposed to be an annual audit of compliance with the agreement, but “the audit report has been kept secret even from Members of the European Parliament. The finding that the agreement was invalid probably lets the USA off the hook, ironically, for insisting that the report on (non)compliance with the agreement be kept secret.]