The European Commission is preparing a new legal scheme obliging all airlines operating international flights to, from, or via EU Member States to transfer data on their passengers (Passenger Name Record) to designated authorities. Such a requirement is considered an anti-terrorism measure.
However, the European Commission is unlikely to adopt this formally before the ruling of the European Court of Justice on the 2004 EU-US agreement on the transfer of passenger data.
Following the terrorist attacks of 9/11, the United States adopted legislation requiring the airlines carrying passengers to, from, or across US territory to give access to the air passengers’ data contained in their reservation system (Passenger Name Records or PNR). Considering that the US legislation might conflict with the Community legislation on the protection of personal data (Directive 95/46/EC), the European Commission began negotiations with the United States to attempt to align the US legislation with European data protection obligations.
These negotiations ended with the adoption of the decisions of the European Commission 2004/535/EC of 14 May 2004 (OJ 2004 L 235) and of the Council 2004/496/EC of 17 May 2004 (OJ 2004 L 183), thus providing the legal basis for the transfer of personal data concerning air passengers to the US Bureau of Customs and Border Protection (CBP).
However, considering that the US commitments were not sufficient to adequately protect air passengers’ data, the European Parliament asked the European Court of Justice to annul both decisions – for further analysis of this question see the article “US Transfer of Airline Passenger Data” (cf. Bird & Bird Data Protection Newsletter of 01/10/2003).
In November 2005, the Advocate General Philippe Léger proposed to the European Court of Justice that both decisions should be annulled, due to a lack of appropriate legal basis.
The decision 2004/535/EC adopted by the European Commission stated that the US CBP offered an adequate level of protection for personal data transferred from the Community. This “adequacy decision” was taken pursuant to Article 25(6) of Directive 95/46/EC, which authorises the transfer of personal data to a third country not offering adequate data protection if the country entered into a number of commitments for the protection of personal data. However, the Advocate General found that the European Commission did not have the power to adopt the “adequacy decision” since Directive 95/46/EC does not apply to the processing of personal data undertaken in pursuance of activities that do not fall within the scope of Community law, particularly for such matters as public security and state activities in relation to areas of criminal law. He concluded that the “adequacy decision” is thus null and void.
The Advocate General also found that Article 95 of the EC Treaty was an inappropriate legal basis for the Council to adopt its decision 2004/496/EC approving the conclusion of an agreement with the United States on the transfer of PNR data to the US CBP. He considered that Article 95 of the EC Treaty only concerns measures having as their object the establishment and functioning of the internal market, whereas the Council’s decision 2004/496/EC pursues the objective of the fight against terrorism. This was another reason why the Council’s decision is to be considered as null and void.
The opinions of the Advocate General are not binding on the Court of Justice, but the Court tends to follow them in the majority of cases. The Court of Justice should deliver its judgement in spring 2006.