Sunday, 21 May 2006
Decision due 30 May 2006 on USA-EU "agreement" on airline passenger data
The Court of Justice of the European Communities has posted a schedule for the announcement on 30 May 2006 of the court's decision on two lawsuits brought by the European Parliament two years ago against the European Commission and Council, challenging the validity of the finding that personal data in airline reservations is adequately protected in the USA, and the agreement with the USA (entered into without Parliament's consent) to permit the transfer to the USA government, in certain cases, of reservation data collected in the EU.
The court schedule "is intended for quick reference only. It is published subject to amendments. It does not bind the institution."
The Court's "Advocate General" (investigating magistrate) has recommended that the Court rule in Parliament's favor on both issues, which would leave the ongoing transfers of reservation data to the USA, and the ongoing access to it by the USA government, in violation of EU law.
Even if it were to be upheld, the USA-EU agreement limits USA government access to reservation data collected in the EU to the Customs and Border Protection division of the Department of Homeland Security (DHS). But after the case was argued in the European Court, the ACLU obtained and last month released a memorandum of understanding between the DHS and the Centers for Disease Control (CDC) that would also allow the CDC access to this information, in violation of the USA-EU agreement.
More seriously, the agreement makes no provision for use of reservation data for the DHS Secure Flight airline passenger profiling and tracking system, which has been delayed and is being re-baselined but which has already been tested with data from June 2004 flights (including data collected in the EU), in flagrant violation of the USA-EU agreement.
To date, the DHS has made no comment on how, or if, it intends to try to square "Secure Flight" testing or deployment with the privacy requirements of EU law. The likelihood, and the nightmare of airlines that operate to the USA and accept reservations in the EU (regardless of whether they actually fly to or from the EU), is that the expected court decisions against the "adequacy" finding and the USA-EU agreement, as well as "Secure Flight" testing and deployment, will make it impossible for airlines legally to comply with USA government demands without ceasing all operations -- including both flights and acceptance of reservations -- in the EU.
Given the difficulty and delay faced by even the European Parliament in getting a decision upholding the law, it remains to be seen whether airlines will ever be required to comply with the law in their trans-Atlantic data transfers, including both those to the USA government and those to USA-based reservation companies that, under USA law, are free to use, sell, or "share" with whomever they please personal data from reservations, in secret, with no obligation to tell the data subjects what they are doing with their travel dossiers.
(N.B. The European Union has changed the domain name of its primary Web server from "europa.eu.int" to "europa.eu", and many other EU institutions have also moved to the new ".eu" top-level domain. I haven't tried to update all the links in past entries in this blog or elsewhere on my Web site, but if you find any that don't work, try substituting ".eu" for ".eu.int" at the end of the URL.)
Posted by Edward on Sunday, 21 May 2006, 20:17 (8:17 PM)