The European Court of Justice (ECJ) has annulled an agreement between Europe and the US which formed the legal basis for European airlines to provide passengers’ personal information to US authorities.

After the terrorist attacks of 11 September 2001, the US passed legislation requiring airlines flying into or out of the US to provide access to information (known as "passenger name records" or "PNR") to US customs authorities. PNR information comprises data relating to a passenger’s journey and includes details of departure and return flights, connecting flights, special services required on board and any other relevant information. The information is collected in respect of each journey booked by a passenger and is stored in the air carrier’s automated reservation/departure control systems. PNR information amounts to "personal data" or "sensitive personal data" within the meaning of EU data protection laws and disclosure of such data to the US authorities raised considerable difficulties with data protection compliance for EU air carriers and EU subsidiaries.

From an EU perspective, the Data Protection Directive (95/46/EC) prohibits the transborder flow of personal data to a country which does not have an "adequate" level of data protection. The US is not regarded as adequate for these purposes. As a result, the European Commission initially concluded that compliance by EU air carriers would breach the EU’s data protection legislation because of the absence of any guarantee of an "adequate level of security" for the data. However, agreement was subsequently reached between the European Commission and the US, whereby the US Bureau of Customs and Border Protection ("CBP") undertook to put in place adequate security protections in respect of the PNR data which it would receive. As a result, on 14 May 2004 the European Commission issued a decision permitting transfers of PNR data to the US with immediate effect.

It is this agreement which the ECJ has annulled, on the ground that the European Commission did not have the power to reach such an agreement. Although PNR data are collected by airlines as part of their commercial activities, and the processing of this data by the airlines is governed by relevant data protection laws, the transfer of the data to the US customs authorities was not necessary to the supply of services by the airlines. Instead, the transfers of PNR data are made to safeguard public security and for law enforcement purposes, which are excluded from the ambit of the Data Protection Directive.

Where does this leave European airlines?

The industry has until 30 September 2006 to find a legal solution which will permit the transfers. The US customs authorities are unlikely to waive the requirement for PNR data to be provided and have previously threatened to impose fines and withdraw landing rights for individual airlines which do not comply. The airlines themselves may face sanctions from their own Data Protection Authorities if they continue to transfer PNR data after 30 September 2006 without implementing an alternative solution. However, the European Commission has proposed what it hopes will be a remedy for the impasse, advising the European Council to authorise negotiations for a new agreement based on Article 38 of Title VI of the Treaty on European Union. The effect of this would be to bring the agreement within the scope of the third pillar of the EU Treaty (police and judicial co-operation in criminal matters) which, according to the Commission, would be the correct legal basis for an international agreement regarding criminal law and public security.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.