Europe’s highest court ruled Tuesday that an agreement calling for wholesale transfer of personal data on airline passengers to the United States is illegal, a ruling that emphasizes the shifting legal and moral framework for storing and sharing personal information.
The European Court of Justice, which sits in Luxembourg, essentially overturned a 2004 agreement reached with the European Commission to give U.S. law enforcement agencies and others involved in anti-terrorism efforts access to some 34 different categories of information about passengers on all airline flights that take off from one of the 25 states that are members of the European Union.
In doing so, the court sided with the European Parliament, which challenged the agreement after it was reached without its consent in the months after the Sept. 11, 2001 terrorist attacks on New York City and Washington, D.C.
The ruling stopped short, however, of saying it was an outright violation of European citizens’ rights to have their information turned over, instead leaving that question unanswered, with the issue likely to return to the court if further challenges are launched.
Back to the Table
The data involved includes a host of information about passengers, including their names, credit card numbers, home addresses and phone numbers and details from their passports. The Bush administration had argued that the data was necessary to keep track of movement of known or potential terrorists who may have been plotting additional attacks.
The U.S. said the security of all western nations, including allies of the U.S. and smaller European nations that are not equipped with robust anti-terrorism infrastructures of their own, was at stake, and threatened to revoke the landing rights of airlines that did not cooperate.
The European Commission consented to turn over key data as part of a five-year deal — set to expire later this year. The court’s ruling gives the Commission four months to reach a new deal, with the current framework remaining in place until then.
The court said the original deal failed to take into account key principles of European law.
In a statement, the European Commission said it was still analyzing the implications of the ruling.
“The Commission will now work with other parties to find a solution which ensures effective action against terrorism and protection of fundamental rights,” the statement said. “The ruling ensures there is no lowering of data protection standards, no effect on passengers, no disruption of transatlantic air traffic and that a high level of security is maintained.”
Millions of passenger records are involved. The U.S. is especially interested in European travelers because they make up nearly half of all foreign visitors to the country, with nearly 10 million visits annually by air originating in Europe.
In the wake of the ruling, European lawmakers said any talks about a new agreement would have to include an increased sensitivity to privacy rights of European citizens.
Critics have questioned whether the U.S. authorities could guarantee the security of the data after it has been received, questions no doubt reinforced by the recent revelation that millions of U.S. armed forces veterans had their personal data compromised when the laptop computer of a Veterans Affairs employee was stolen from his home.
The debate over data has grown far wider and more intense in recent weeks as well after reports surfaced that the National Security Agency may have been working with major telecommunications companies in recent years to transfer records of millions of phone calls to the agency to aid its anti-terrorism efforts.
“The ability of companies to store and manipulate data exploded so quickly that there wasn’t a lot of time spent on whether and how to do it,” Gartner analyst Avivah Litan told the E-Commerce Times. Today, a lot of what would have been theoretical questions at one point are now being played out in real-life scenarios. “In a way, the world is playing catch up with the technology.”