<%BANNER%>

The Influence of the European Commission Data Privacy Directive on Third Countries and the Passenger Name Record Controversy

Permanent Link: http://ufdc.ufl.edu/UFE0021477/00001

Material Information

Title: The Influence of the European Commission Data Privacy Directive on Third Countries and the Passenger Name Record Controversy
Physical Description: 1 online resource (88 p.)
Language: english
Creator: Mason, Jonathan D
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2007

Subjects

Subjects / Keywords: adequacy, airline, country, court, data, directive, ec, eu, europe, justice, law, name, passenger, personal, privacy, protection, record, third, us
Journalism and Communications -- Dissertations, Academic -- UF
Genre: Mass Communication thesis, M.A.M.C.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: In an age when governments and businesses transfer personal data of individuals over the Internet, the U.S. and the European Union have tried to protect such data in different ways. Whereas the U.S. has sought to protect specific types of private data (such as health records and financial data), the European Union passed the 1995 Data Privacy Directive as a way to protect all private data. In the 1995 Data Directive, the European Union sought to protect the private data of European citizens within Europe and without. The Data Directive mandates that non-European Union countries must have adequate levels of data protection if they are to transfer private data in or out of Europe. The EU has allowed a handful of nations to transfer private data because the E.U. deemed their laws adequate in protecting private data. The challenge to the E.U. has been trying to work out the protection of private data with the U.S. An important area of contention over transferring private data has been the U.S. requirement since late 2001 that all airline carriers arriving or departing from the U.S. must provide the U.S. government with Passenger Name Records, a packet of data collected by the airlines that contains private data such contact information and financial information. The U.S. requires this information in order to screen passengers for security threats. In 2004, the U.S. and the EU had reached an agreement to transfer this data, but the European Court of Justice annulled this agreement and said that the EU could not use the 1995 Data Directive as a foundation for such an agreement. The Court of Justice gave the two sides until July 2007 to reach a new agreement. An agreement meeting the needs of both sides would protect the privacy of airline passengers while providing the U.S. with the data needed to combat terrorism and protect national security.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Jonathan D Mason.
Thesis: Thesis (M.A.M.C.)--University of Florida, 2007.
Local: Adviser: Chamberlin, William F.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2007
System ID: UFE0021477:00001

Permanent Link: http://ufdc.ufl.edu/UFE0021477/00001

Material Information

Title: The Influence of the European Commission Data Privacy Directive on Third Countries and the Passenger Name Record Controversy
Physical Description: 1 online resource (88 p.)
Language: english
Creator: Mason, Jonathan D
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2007

Subjects

Subjects / Keywords: adequacy, airline, country, court, data, directive, ec, eu, europe, justice, law, name, passenger, personal, privacy, protection, record, third, us
Journalism and Communications -- Dissertations, Academic -- UF
Genre: Mass Communication thesis, M.A.M.C.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: In an age when governments and businesses transfer personal data of individuals over the Internet, the U.S. and the European Union have tried to protect such data in different ways. Whereas the U.S. has sought to protect specific types of private data (such as health records and financial data), the European Union passed the 1995 Data Privacy Directive as a way to protect all private data. In the 1995 Data Directive, the European Union sought to protect the private data of European citizens within Europe and without. The Data Directive mandates that non-European Union countries must have adequate levels of data protection if they are to transfer private data in or out of Europe. The EU has allowed a handful of nations to transfer private data because the E.U. deemed their laws adequate in protecting private data. The challenge to the E.U. has been trying to work out the protection of private data with the U.S. An important area of contention over transferring private data has been the U.S. requirement since late 2001 that all airline carriers arriving or departing from the U.S. must provide the U.S. government with Passenger Name Records, a packet of data collected by the airlines that contains private data such contact information and financial information. The U.S. requires this information in order to screen passengers for security threats. In 2004, the U.S. and the EU had reached an agreement to transfer this data, but the European Court of Justice annulled this agreement and said that the EU could not use the 1995 Data Directive as a foundation for such an agreement. The Court of Justice gave the two sides until July 2007 to reach a new agreement. An agreement meeting the needs of both sides would protect the privacy of airline passengers while providing the U.S. with the data needed to combat terrorism and protect national security.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Jonathan D Mason.
Thesis: Thesis (M.A.M.C.)--University of Florida, 2007.
Local: Adviser: Chamberlin, William F.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2007
System ID: UFE0021477:00001


This item has the following downloads:


Full Text
xml version 1.0 encoding UTF-8
REPORT xmlns http:www.fcla.edudlsmddaitss xmlns:xsi http:www.w3.org2001XMLSchema-instance xsi:schemaLocation http:www.fcla.edudlsmddaitssdaitssReport.xsd
INGEST IEID E20101206_AAAABY INGEST_TIME 2010-12-06T10:12:40Z PACKAGE UFE0021477_00001
AGREEMENT_INFO ACCOUNT UF PROJECT UFDC
FILES
FILE SIZE 8240 DFID F20101206_AAATII ORIGIN DEPOSITOR PATH mason_j_Page_74thm.jpg GLOBAL false PRESERVATION BIT MESSAGE_DIGEST ALGORITHM MD5
ccd60bab4731173f4d7a9f1fc26760c7
SHA-1
94705e281ec3e85330ddbcc881b365d85e913026
134954 F20101206_AAASRQ mason_j_Page_05.jpg
7ea8b1033548870aca986b240123dd92
c9728ec12a99bd3274ec8a03d9039814c18bb563
59313 F20101206_AAATDL mason_j_Page_14.pro
84a50efe2557f4d7dd34f8d17d425f72
6d644d85c07661bad0f23cb64db6c795f394fd8b
87633 F20101206_AAASWO mason_j_Page_19.jpg
bcc9a0cb6300d147a33fa27c7c09b928
f66acc79e421e5bbeaf80ca16811c4700adf97be
29541 F20101206_AAATIJ mason_j_Page_07.QC.jpg
179dba1b44ea414a837d9fa28da4e3ef
dcff5fcc13337e8d23ccf80ef0d215955b65313a
2204 F20101206_AAASRR mason_j_Page_49.txt
1339e666d9d5c62b9a42347a1bf1159d
ce65211454ebbe94d6a79f79f22cb9245864e3a6
51717 F20101206_AAATDM mason_j_Page_15.pro
16a810fc7aff8d2db66442acc6653bbb
1ff35ef31bb17582adad33b9104cc174987bb511
33717 F20101206_AAATIK mason_j_Page_18.QC.jpg
e85ab301bb60635c04400096f649661a
d6ce89e35a659360b33be587e97c7a9ec6ca1c19
302 F20101206_AAASRS mason_j_Page_04.txt
af2d46d54b118a9b3a052c97dea6d4af
8e1d473d3b153da151e4495a5fe5c8ecb02da7e0
54778 F20101206_AAATDN mason_j_Page_16.pro
bcafa103b08be283cde9eb5a89cda7ca
8f8303f1a431fc266b6af78b78b168c445da7346
96936 F20101206_AAASWP mason_j_Page_20.jpg
dd480eb714d2674ceb8059bc329e9487
eb176258378b0849dfd271472091ec95e338ae1d
29356 F20101206_AAATIL mason_j_Page_19.QC.jpg
ac1178c26fd1d210861fb4a80f89f177
f52f70c3fbcafa0bcc0fc3b3ef5b5fd61e17cee4
1053954 F20101206_AAASRT mason_j_Page_37.tif
ed886ed62386d86ce77a2516a2571cb4
1d7dfcfee3814d0181ddd5990070d7060748795c
50493 F20101206_AAATDO mason_j_Page_17.pro
061d4425bee7fb15719ce47422009653
fc66dc4e6020dc9fc7d910fd2f0ff99946944694
94189 F20101206_AAASWQ mason_j_Page_22.jpg
af8b21a607ce9f1acdd0336d4d72ede6
b24d7d9107f4bd43ac1122beab89c7af396b4f63
7813 F20101206_AAATIM mason_j_Page_25thm.jpg
5afacce1f429bd76886784d58a831789
eb4d4ee7b8c2fe188afb62e6a8b46837e0bdb568
7475 F20101206_AAASRU mason_j_Page_19thm.jpg
40af47ecb68762be139f47ca48000301
69a1c0f95a5dd9f8fd5fa88a0c6da9925d357917
43657 F20101206_AAATDP mason_j_Page_19.pro
3a5db0a75444857bf00e29e5ff6de5df
3e180d1a214dbc947f29373b2811a7268d752ea7
25878 F20101206_AAASWR mason_j_Page_23.jpg
6ea72dc1c49e2ff71f6fcd1fc3b93fcc
41c59e317234a6135a9c59877c0407622e0565ff
7581 F20101206_AAATIN mason_j_Page_05thm.jpg
3b8f035880b6b8cfc8eaa48ddcbf62df
367f7c354347e61c480b8a017af2d2ea92bc9a31
451 F20101206_AAASRV mason_j_Page_23.txt
b11a25b1532cdab2dff333ceaf4c82ca
cefb038ee2de59a066752476c13614523e7bcde3
48066 F20101206_AAATDQ mason_j_Page_21.pro
004791f408368e81063e98b4a6c7e332
f6ee3f9b298f69b696393ced242750debdbfccaf
83896 F20101206_AAASWS mason_j_Page_24.jpg
23a405bb1a2ae09ac17f121ea8b7910b
bab6a18299ec1103fa78e9cf3d4d421b504ffe84
31787 F20101206_AAATIO mason_j_Page_70.QC.jpg
068b60787fd48e3fea7facd6dab375f1
971f1890f53a589e38e2a032de2d0619e9422f65
2142 F20101206_AAASRW mason_j_Page_78.txt
94cf472cd9c3960b0cbaf92881e36ea9
9117af7c2c951343b3e52a7c10c9b85e01006141
11314 F20101206_AAATDR mason_j_Page_23.pro
7b78248584d25bfdfebed0628b95e385
c7bfb3031e497fc38573272dc912888531cd8cef
103427 F20101206_AAASWT mason_j_Page_25.jpg
b860229cfef648542aec6fc59635b439
ffb960449b33c2229f42756105be8039a7a94152
28827 F20101206_AAATIP mason_j_Page_64.QC.jpg
f867db5d6dc9e54eeebb508b784dbbdd
daed9a039664a9931f258e8f5fd38807c8ffa73a
102814 F20101206_AAASRX mason_j_Page_33.jp2
f6bbbf9182262818b6f14e490076b13a
a45ac0cd40b97f7978edb456f79898a19b7ff605
41678 F20101206_AAATDS mason_j_Page_24.pro
ca992b4643b704421c2260c9fb0d1edb
1b932c11c0362ca845528e1666b519adf1257ae5
106166 F20101206_AAASWU mason_j_Page_26.jpg
3b80138087badefe4342d9f28b1d58c1
d4c91c960f457fcee442423c06b08a379a9f19c2
33505 F20101206_AAATIQ mason_j_Page_82.QC.jpg
fc369717ea094f91adbe6a9b8fb59f97
b239789316b01ea7717517976f5b06f1c7e611dd
F20101206_AAASRY mason_j_Page_15.tif
62248fecf5c77b3f1aa25064ee3c34ad
3911951497c09208c08741273ccd797be0a87efc
55659 F20101206_AAATDT mason_j_Page_25.pro
88d3efe3b7dae9ec159bf3ca2546ed5a
7695971bafa4b31a9fad65cb1603ac3e6e20ef80
94554 F20101206_AAASWV mason_j_Page_27.jpg
113c4eb33bc136a8d54aed5e484faae8
9f1897a0f7a61f90c1905791c8cfcac672599f12
1901 F20101206_AAASPA mason_j_Page_63.txt
b6832059c860cabe4bfb9500530e2a01
6d98bcdc73799dde716b9e60a7e4dbfd9c2b3a67
7648 F20101206_AAATIR mason_j_Page_45thm.jpg
87a61c10e03ff05216616b909ecb813c
c8c6b915d25c5459566c46979fcecd2642623311
11639 F20101206_AAASRZ mason_j_Page_87.QC.jpg
1ba0d3954a219673d070e9734505dc1a
802e6c305509897de6acfc105a850d4e4f13fd7b
58964 F20101206_AAATDU mason_j_Page_26.pro
175478bd4fdc8b3ec1f8a3bef9115369
bbe2a982b9129f5b73b5d27fe3ee34caa44058bc
94388 F20101206_AAASWW mason_j_Page_30.jpg
09fdff4a46f9f9358ea162ad11284681
a083d54412f0875ec69e6c55a8e54a533aed2e62
25271604 F20101206_AAASPB mason_j_Page_86.tif
f885b21571cd5a57f0625045f251af8f
f9f2a3d1491b8f70e25050929d82ab819a00dd37
34535 F20101206_AAATIS mason_j_Page_12.QC.jpg
6de021cff4daee47c6de913032a97935
0eb29c480362a24a1e8686af350efba6788b0dec
48931 F20101206_AAATDV mason_j_Page_28.pro
331b8d1e05ce6973285505b77deb1795
b4d66c05b26340c60586c0d850424057dc113022
90667 F20101206_AAASWX mason_j_Page_31.jpg
1c29c63c9a71af253fb9816762722c1a
75c80239c91ef885357eb37179201b3f438e1486
8529 F20101206_AAASPC mason_j_Page_68thm.jpg
60d88c857dfe6ccb56cfec9899046bc9
b7b3416fe4d72b5720b89984c7eef9ed4424c082
7588 F20101206_AAATIT mason_j_Page_30thm.jpg
04c117de450703e649e584099d5e1d78
21ca3fc69bd40bbc0a6063e65ee4f1a602ed0670
45202 F20101206_AAATDW mason_j_Page_29.pro
f2169921b15c10e7c1a8c1c10bf44b39
c63923744513ed77a989d7a36c60e3b6a4fb061a
1748 F20101206_AAASUA mason_j_Page_19.txt
4d07d2f5ca27b669dcd9f43c94287657
7e2859209bf52a824eb56eb39b103ab248f5ec8a
96345 F20101206_AAASWY mason_j_Page_32.jpg
2dc8b6131a17b4234b097fc8ded0288c
f10133873a76fddafb775ae1f79c7099d7ad6ab2
816 F20101206_AAASPD mason_j_Page_03thm.jpg
020a01c7a79e85ca47d8f0eea19cc64b
a2a4045c59b85bca6ef7481fc42b2e4bf84ebf54
31507 F20101206_AAATIU mason_j_Page_36.QC.jpg
32dcf88926e72e6771979de760831b6c
cf93b79a3b692720905cc89d4ef957b55ff9d832
47331 F20101206_AAATDX mason_j_Page_30.pro
81a0b71b29ac4b7065841300c959e16b
8b8542d25c83f0f203dbcc9afddadd6b300f3519
97287 F20101206_AAASUB mason_j_Page_28.jpg
21434fd001d8a912f5c1a253172a1679
ea98d4f902db6aab38eda1ae7acb4d3064a23331
97815 F20101206_AAASWZ mason_j_Page_33.jpg
4b5749f2ebfd38cb27bff7db9d848aa7
d6c5179d081aa2a9680c5ffd28b9a728f1493632
7973 F20101206_AAASPE mason_j_Page_29thm.jpg
63196df8911b4a85cd10dcecc4c4b2c6
36ef713ab0b0053e2c200eddc42e1d2f35b2ed1e
132157 F20101206_AAATIV UFE0021477_00001.xml FULL
34705a3646473973a45fa9664e8cf7fa
d44c3812d2b134865285646734091f4d67e6bbcc
44571 F20101206_AAATDY mason_j_Page_31.pro
bf3aae7ff97a3d54afc954bd17ca70b0
b980c1fddcc7261350f050b30c51a91e7e17b053
1886 F20101206_AAASUC mason_j_Page_44.txt
650cc8d2c1e4640c354a87a4219c4166
d122948a1f259a00681854484ffc7449fc536545
34430 F20101206_AAASPF mason_j_Page_15.QC.jpg
7dae7a00808860fb0adc39bad2fb88d4
f9283918f2a9afc532635ec2d1de0c653a10a5ed
9174 F20101206_AAATIW mason_j_Page_01.QC.jpg
de13405181f38abb81dc4237ac9dcb37
e824bbc4bfab710802cfa4766e58a90c53d321f7
93020 F20101206_AAASZA mason_j_Page_19.jp2
d5ddf3d4fca7aa03fcf97957b01a7ba6
010bb9921ae3555ba5626c05b76c2dc623a7509e
F20101206_AAATBA mason_j_Page_08.tif
c87eb193ec33347a6113da5f8fd9e519
33102aaceb670e09ef6226131f1e86abcd4c1670
47760 F20101206_AAATDZ mason_j_Page_32.pro
8e1cbb51db92a93666f5e8d756d24ff5
d2c0b061d6b627d25990c22ae2afcc18110d8d56
66365 F20101206_AAASUD mason_j_Page_84.jpg
ef0ef9bd6edaf06c32d5f33b1e60f1d7
caac993d42a24a0ed15994e80c51393a51ff7f57
6731 F20101206_AAASPG mason_j_Page_50thm.jpg
12f55eb75b9d5dc14a23881dd12d1d66
3cfb1192f7f400c33e11fa7e78376e9f5985ff8d
541 F20101206_AAATIX mason_j_Page_02thm.jpg
ee7d2c9d14fbf8bb5178d625e8d0ed0b
d1f4f7bcb41bea313d894c5196597cfbae3af102
103963 F20101206_AAASZB mason_j_Page_20.jp2
73fe0349044df43177f6efa1aacfdef5
bd9782cb292a8c3e240cb009972c2823e1005ac1
F20101206_AAATBB mason_j_Page_10.tif
7d84167d2126d3e7333009a99324988d
8a3d8eb8145b58807aed2d7128fa1c9f3639bdba
F20101206_AAASUE mason_j_Page_41.tif
97fc5804071dc2ad3843f613da0dd166
cf2baf804581835f418eae0c7807695eb7f3f778
F20101206_AAASPH mason_j_Page_44.tif
62f733029099c90a3c865ee08fe04b6a
b30acf9ad3b74343449786c2ba064073b371f308
1203 F20101206_AAATIY mason_j_Page_02.QC.jpg
dd46f44f5c1077b1fdb759c142a3484c
633d787adeca696b46ecab555d19b2498d2bbc0e
101627 F20101206_AAASZC mason_j_Page_22.jp2
c74bb1f1f4380e83bd218a23340692f5
c917a2f5828994bceb34554e0d3813db59ce6ff2
F20101206_AAATBC mason_j_Page_11.tif
bccc6f740810531a4d8ab95ba72298c4
80c1f277cd97f4cab1de289f0a50efb54ea4f46e
108687 F20101206_AAASUF mason_j_Page_69.jp2
3c59d7c8cbdc2eab4e04bc32e365bce1
d97ea5e745c88b164e32a3288660bd2a35a83725
1580 F20101206_AAATIZ mason_j_Page_04thm.jpg
aca1ff2701dd00155af63ee854bd0127
5e973588fa9967a0006a3b702c91a48574c002b8
1908 F20101206_AAATGA mason_j_Page_20.txt
670f856330a3e3be8e62c48082372759
0e20bfb64448c1639ec788940088ba41c9671520
27412 F20101206_AAASZD mason_j_Page_23.jp2
8b1f47b6fe3aa6db8256688d40e1e9dc
dbd8fd0b4bcb40a4e63c0292d5b4e5c6997197f9
F20101206_AAATBD mason_j_Page_12.tif
53f8aa8c1a47963299fdf08a24442b30
dad34a48afd15ae337756bb338eb2dbddd64d854
8147 F20101206_AAASUG mason_j_Page_53thm.jpg
0a01342adf4b3d8d3c5e305b3e927e2b
b140f16510b01a6c1ba52c201c8206996f71830f
93540 F20101206_AAASPI mason_j_Page_34.jp2
efd3a192f8148c056af337b8140196e1
5cc369f62b88d14f5f2995a8829f546cd2a2f5c3
1984 F20101206_AAATGB mason_j_Page_22.txt
ce0d38e4a88342aa24cd40b8e8ebdfe3
ed2a208a5321b303c0597347836650b9f1615f1c
88067 F20101206_AAASZE mason_j_Page_24.jp2
c2fe73c016443321d34d31eb49d9285e
247d56fae99232d53e1f02dd0de7e36ec7da079f
F20101206_AAATBE mason_j_Page_13.tif
64368ff7416bf1ed6bdc318102074c7b
f5953790262f600932b7feb6687f075c39e6222d
99608 F20101206_AAASUH mason_j_Page_29.jp2
a2b973016ded1413bb76964560684492
7c560423fb2f63c188a4711602dac0f2d87e8ad6
93146 F20101206_AAASPJ mason_j_Page_52.jpg
ee921c644182706cc0f51ab28758cc05
65c1fef18202efcebe2d5cad50e7bc551ede6580
8548 F20101206_AAATLA mason_j_Page_49thm.jpg
b7a3495b0664b66b66bcd6edd54b1eee
248cd3f90722e40a18108c58e60a7ba3af047b5b
1784 F20101206_AAATGC mason_j_Page_24.txt
4990f16a927ad25e620ba2c7bcfb2e9f
439906db00020d593b43d5b1320c458f414f18be
114412 F20101206_AAASZF mason_j_Page_25.jp2
9dfb4c0b685df2965b7ca3e1c1f694ad
68c93dab47f3c3b64bfae3aa9f54c7e9fb08f54b
F20101206_AAATBF mason_j_Page_14.tif
1093cf2cffebb9efa93f2a10c3f37d0d
d56b5b06a82875093882bce8512fbf877ac6fede
31926 F20101206_AAASUI mason_j_Page_59.QC.jpg
ac7aaf13ed3e98141a4813552d9ebff4
02d993156a00b55ade5560d69ce899e5ae371e97
32206 F20101206_AAASPK mason_j_Page_77.QC.jpg
d4acede97ca2d9dd223a589cea2badc6
7b02a3c67d3dabc85847d645abaf0f487db957ea
34784 F20101206_AAATLB mason_j_Page_49.QC.jpg
b28576341f3325f3a47c72aaec88ceb2
0cc5e86c5c66e72f7d852a7cf35d965268ccf336
2231 F20101206_AAATGD mason_j_Page_25.txt
0bb65184677cacce3dd7c1f5850d3d86
a8b9316c0b8250767bab5991039209e0edbde833
112594 F20101206_AAASZG mason_j_Page_26.jp2
01e55cc1e383a0c7d58c3397d36ba80d
f3d868b7dc770c923f9fcddb226b723ff8caba7f
F20101206_AAATBG mason_j_Page_16.tif
0cac79fb4371055db2bbeed7aed6fcba
051070628688ddd41e34a39c665a33f77505deda
1998 F20101206_AAASUJ mason_j_Page_11.txt
33d9e3bd3283b344e1ca3b7812bb34b6
a0854f1b358a1a83390c67428a577b2b62ebd403
F20101206_AAASPL mason_j_Page_59.tif
c3dc43e0f22da1bb81ebf3d938b545d7
7c3a7c4b5502ee02c02dc69d1a7a5ace52d34e59
7732 F20101206_AAATLC mason_j_Page_51thm.jpg
776775f9ef67fb406de517912e9c3ae5
9ae2b2d4cd5fc1a233bddc76011ddbd9a1416ac5
2012 F20101206_AAATGE mason_j_Page_27.txt
0e45f89096073c3d0abe54a231bab969
bf909ba88c3d4fa6308393d98e098d319c467302
102201 F20101206_AAASZH mason_j_Page_28.jp2
cb20b4772ef6756d00c194fd2110d1fc
6c2a7a1e10986396087008ff45d300d46fa911b1
F20101206_AAATBH mason_j_Page_17.tif
6afb7d29c50f8cb051976285f23873c9
112c8eaeff791905316f33a4c668ef0dd5c6f1d8
F20101206_AAASUK mason_j_Page_51.tif
9ac7065d43c062b18c0353388a610676
d2008740c276ff7924e65b2db94bcadff213f2d9
2540 F20101206_AAASPM mason_j_Page_86.txt
625205e06bd181a162eba15376e24259
a87cdc774345da1eb1609a0d2905dafb8d5d1056
1956 F20101206_AAATGF mason_j_Page_28.txt
43c02e8445bac6844516d6a5cbc1bd57
695eab7a584033ed18189a0583de5e08873f78ae
101053 F20101206_AAASZI mason_j_Page_30.jp2
9107ad33251b30c66ed449b941977de5
79961198d88fbc3a3ef88491944db19db76bfa15
F20101206_AAATBI mason_j_Page_18.tif
54597f817d6d24c0a701928f11171c93
4702fd277123f10ae45133c49f80d7de77f76296
108305 F20101206_AAASUL mason_j_Page_46.jpg
66233a2173e51ad8ca32d25d97677ac4
358385c59b21d1de077d9dab641c0fdb725e336c
46315 F20101206_AAASPN mason_j_Page_44.pro
0bf7f96929a4c71d70e391bac71eb920
e94c7a5425d5abc30948e951d47d4f94c0f720e5
7798 F20101206_AAATLD mason_j_Page_52thm.jpg
7a37656173ae3d51492713d6800e12f8
b2924cb2bf11e8b5410ee2a6138d6d4e67b2d991
1857 F20101206_AAATGG mason_j_Page_29.txt
26057de3d771b8529efe2bec02f13f0f
689922f5cb0bc4932a2123bfe0c228049c88456f
F20101206_AAATBJ mason_j_Page_21.tif
f8a2d216c945dbb083668df9f6ca5372
491229d820e050975f616fc9b4408db43be67b2f
9043 F20101206_AAASUM mason_j_Page_72thm.jpg
9cded3e32551296ec49d96e4b83f55de
32c0e60c0197a818fdfb0db9144f288236c9d2a4
17672 F20101206_AAASPO mason_j_Page_04.jp2
045294a2cfbb8681a42075f6fc2c6b1a
218372bf8bc54541663a31a7983352b797c75bf1
96892 F20101206_AAASZJ mason_j_Page_31.jp2
ecffdda0efe3ca47abf736a6136870d5
e23ef9790aa18daa9b8ffd8e3a18b09df24236fe
30523 F20101206_AAATLE mason_j_Page_52.QC.jpg
dfe6e13beea20363685b0338aa92afc0
074a25286aefa808ed47f7691627ca7c75430d71
1898 F20101206_AAATGH mason_j_Page_30.txt
01e078f3d7620b65420a760f949e765c
ac4157d042bb33770b313f7ad5ed01bf51f695dc
F20101206_AAATBK mason_j_Page_22.tif
0d11a9e4159841e9d714878d88e6e0fa
1199eb91a99b410570bed41e0653084205d0b5ad
47599 F20101206_AAASPP mason_j_Page_20.pro
ee2fe2db10ba574737840d0adb4948d8
7baff51fce0fc26d5f2fa849d91c411cd9f133c9
105131 F20101206_AAASZK mason_j_Page_35.jp2
129b70e7d76bea449ce72e71e41e0ca3
dfd8bcac9934a51cd54f2686e70b55c2db9b03f2
32388 F20101206_AAATLF mason_j_Page_53.QC.jpg
796080b56dc8816a5edd03f395b6ce8e
c6cabaccded3101d5c139f7a51c3b95db3ac779c
1788 F20101206_AAATGI mason_j_Page_31.txt
a5bd6c23dfcc6e1d73930879c86f9e04
d2dfa904d11e5ba82cb3a0183a94aa35a789e451
F20101206_AAATBL mason_j_Page_23.tif
e1381fd997cde3db294627a07514b432
e1c558aeeb383ec03d483a6d6b97bcb6ef212dc2
F20101206_AAASUN mason_j_Page_80.tif
4486dbbcee44caddce67a66d6b58eb40
8612cedb240c5262e8902d33bb978ea13c14e5cb
94745 F20101206_AAASPQ mason_j_Page_54.jpg
f76afed45e6fdcacd04cebde7e164c4f
2cbc8532e39c5694c27c41b41b88427a176c4eb0
109461 F20101206_AAASZL mason_j_Page_38.jp2
b0fd0713bae77887ee6f5d2790d75845
bb2ed3ac7e669077b00272d33df8ea3b6f1624d7
29934 F20101206_AAATLG mason_j_Page_54.QC.jpg
7b5df3d0014b23cf391ec2eedb486691
e59435cd94523a85c96ac684385b3d1b13eba354
1915 F20101206_AAATGJ mason_j_Page_32.txt
0acacb49cad5ff6db736fc4b4022683a
deab9776e3b7799fafffc9152d51ceebfe0735b5
F20101206_AAATBM mason_j_Page_24.tif
5a479aaa7204200cceff56682356aa9a
3ed7bc2245416b171cd1590b4e1c91c9970fe6d1
1899 F20101206_AAASUO mason_j_Page_74.txt
b1b084d5c15adecc82c863913a0e109e
1410436d14006ffc21e1d26b91bdab871b5d0e24
37910 F20101206_AAASPR mason_j_Page_87.jpg
213cf096ceab0e7cf79782e4906c41a4
d70a95d2c14731005dd998ecbaf8f0ac58195c3e
103685 F20101206_AAASZM mason_j_Page_39.jp2
403e2c87852bd8f5dc94cc326c00f163
7d8fa033dc4c9d315f6a75534eca1c17e08032ea
8494 F20101206_AAATLH mason_j_Page_55thm.jpg
fe49ec406d5985e35b902b8a0d7f08df
a7f4f790cf5a6ed913d6fed0cfdd5887236e739c
1771 F20101206_AAATGK mason_j_Page_34.txt
1e275cf419c02ce3bd4217e0b1bb1b0f
e4f1f0de8dc64d45a18e95318f169a9a8d272856
F20101206_AAATBN mason_j_Page_25.tif
23a0186d550bd926ee5ae8fc564a01b3
7ed0b6b97c43b56251ad7a3b34d4da838cd92cea
F20101206_AAASUP mason_j_Page_79.tif
2d457da8d8a2a334085cc25a126b4a10
8ea31831aaf1499e52ca919402d4883f03393a37
F20101206_AAASPS mason_j_Page_56.tif
4f4d410f7cfd7c4ee54b6291b326148b
4ee731eea22254cc9f8f0345f6e3ffbcc2c3a9e5
64889 F20101206_AAASZN mason_j_Page_40.jp2
fb9f6ffd6b7b5d77576bb68f8fc37cbf
28a0af24d6b7776ddce36a93c715e1a108365f1f
34589 F20101206_AAATLI mason_j_Page_55.QC.jpg
3ec5bf9eda357213c864194b28008684
bca086c1cdc61a3093b9890e922c19f883beb006
1987 F20101206_AAATGL mason_j_Page_35.txt
d32de00ba3d57e45cab6252f339eaea3
08be03354b78d6dc46aa8af852dcb8261bb40358
F20101206_AAATBO mason_j_Page_26.tif
a242d896c2eea9b1a8802c6631517cc8
bb89fda078090126ac8f2681e4e20d983ae2b0c5
8667 F20101206_AAASUQ mason_j_Page_79thm.jpg
0ab15dd9ca71dce809d65d7b01a9a2b0
3ae635f729b0f4df9f6c26bc9a14050e9bbeb6b1
F20101206_AAASPT mason_j_Page_35.tif
c92b7519f4935ee73e6e0d7eea01dd7d
2ecba7ca00a1ea97368bdb89b1fb0b08d9723a39
101669 F20101206_AAASZO mason_j_Page_41.jp2
ba00a7e8e2b30439fb6e79e2ef747b22
be22c2977ab57cbfb2cef743973f3ce526bc504a
33144 F20101206_AAATLJ mason_j_Page_56.QC.jpg
5ca3aa47184ace7c693959b14d9f047c
59f5b76075a89d7e73c7fdcadbcf3c087563dc54
1913 F20101206_AAATGM mason_j_Page_36.txt
eed50ae531d456340200fcf04c804900
c648bc336dfcda5d51833350b25bbad6265820e2
F20101206_AAATBP mason_j_Page_28.tif
1308661ef723a6a11388f96297a6e38c
86e0712023dce9daca11e8b6b6b8a09d93aceccc
31476 F20101206_AAASUR mason_j_Page_65.QC.jpg
682516d636d3ba9e8e87d9106d1d767d
b551879560c300e81a719de43e999546e8f9ecc9
50453 F20101206_AAASPU mason_j_Page_59.pro
8aeea5c69e143216b8b938ab13b96ae3
0b58e7ca3468f5355b778db3dd08943c4834c20f
102688 F20101206_AAASZP mason_j_Page_43.jp2
5c98a9bf4be22ac42c4629f9c8b87adb
8008225e619cef90df9ea6cf4dd718790c2340fb
7645 F20101206_AAATLK mason_j_Page_57thm.jpg
c1e3af326e24f3c68f675a055bcbe2fa
6e94c9c47ce228bd36004e725b3f924958b4d5b4
2138 F20101206_AAATGN mason_j_Page_37.txt
50f13cd03b7614dc8f46e01827881340
0162349bd1ebd4b67dd70fb967cde10a834113b9
F20101206_AAASUS mason_j_Page_71.tif
c5615ff5f9b69402989eeab0052725c0
5fb6565b0cea5ae8293e7f56ed6e2a85ae0bd3c9
113503 F20101206_AAASPV mason_j_Page_71.jp2
3f3b2b21843c33ed17b209cbd1901ffc
fd749c93ca3745f83011ac8e9e4ef38ba44affee
96196 F20101206_AAASZQ mason_j_Page_44.jp2
fc923c84f32d8b6d138082f36ebb4b63
a6c0327ded3c666b002c4424203569d47657cedc
F20101206_AAATBQ mason_j_Page_29.tif
cffcfd81115fcf443983f286c4d60ccd
345f4f5adf942897fdf5813476ff1c08f32093c4
30513 F20101206_AAATLL mason_j_Page_57.QC.jpg
9a5af8a7adefb930213d679e61d71ea0
d7fc32caaa2fa835872a4b33eadec845fc7e56ef
2017 F20101206_AAATGO mason_j_Page_38.txt
1c6b3def044e6a7d1f7f4df4d3ba5d65
2654a55c00a34c9f8482abf44c292e26522b2ed9
6567 F20101206_AAASUT mason_j_Page_04.pro
b1a12ca8a03bd81cf599cbe36950df10
da5493cd28a913eafdcceeafd2871c375e8eacce
F20101206_AAASPW mason_j_Page_32.tif
63e677db299b26dde7a33300966aac31
f450eba2662e1077a2fa345c56378a4dc6d6b9ae
96209 F20101206_AAASZR mason_j_Page_45.jp2
971b350081c625d9b1a226387002d588
a0404b1570c32fcff70e015c04de3cf620500c08
F20101206_AAATBR mason_j_Page_30.tif
b21b4aa06b567c6ea20f4b8015fab785
604bb9331f447d13d82f593f56730c73e0b14b8c
7981 F20101206_AAATLM mason_j_Page_58thm.jpg
dc46bad46dc70a6be0b56af7c1c29cfe
a76fdb03f005ddffbbd9707e828be6ead7b2720e
1954 F20101206_AAATGP mason_j_Page_39.txt
6dae0a68eee99bac3728919121dad08d
381130d305e6063bf6cf217a8e0aeb14505d8653
44284 F20101206_AAASUU mason_j_Page_34.pro
663aad825fa8fb45e65e1d70dd171725
972de5904ce534ccf5ffa96d70ed22923d05dbe0
7023 F20101206_AAASPX mason_j_Page_44thm.jpg
b353d4fe4fa268b218e5d74b2dde8b2b
e58af450c18f3e5be129b433336e285938f067fe
F20101206_AAATBS mason_j_Page_31.tif
4b16ae40c229863392257276993b58f9
e4576b052d9ad8d9cb7734773366a91bd21ae36e
31219 F20101206_AAATLN mason_j_Page_58.QC.jpg
3bbbf34863b968dc73a0993da0f20d0f
beacfbca4d6acef66f745e0a873c7401590b2afb
1914 F20101206_AAATGQ mason_j_Page_41.txt
82af27c52edf77698a94d7fae7f1289c
31c2e9d04bbe0c15c024d7d06a0d73d21e76f826
103919 F20101206_AAASUV mason_j_Page_36.jp2
b309b0a2b00c53fb71295c9960a75f41
fce5ad8ec227b8ef1d7fe7a4fb1d5a7fc3f220b8
93725 F20101206_AAASPY mason_j_Page_29.jpg
f358bfa489f7aa3b256601b01886bd12
8f8b58a1d70cc2b69131770f5d0bd6da3dd3d800
115279 F20101206_AAASZS mason_j_Page_46.jp2
f51a18d486ec8fcf60dd34888b9b4479
5163b5762baaa5a98aec6c546f920ea68bbcb736
F20101206_AAATBT mason_j_Page_33.tif
cb0b5488eb76c54e52b00dc2ec445a5b
8b08fe7bf62a15994b79166545352847924d7981
7920 F20101206_AAATLO mason_j_Page_60thm.jpg
2f3e13a91eaee015223043338695a531
0e80030426a0470160fb70f3d9b46161149db329
1912 F20101206_AAATGR mason_j_Page_42.txt
8612a3a38807633c48ce4b3204e700c0
980f040883e5c7ac58b5fbae2c8bf910596eaf92
556 F20101206_AAASUW mason_j_Page_88.txt
e52cffff3421fbec764840d9f002148f
1cbcdde1a757299539b770c75d79aa468f249549
4985 F20101206_AAASPZ mason_j_Page_40thm.jpg
2a7fb74ff7d8e314719aaf914cbbe6ac
43ac4d5f5bfc064acd10be85af3c9c145dcf69f9
122165 F20101206_AAASZT mason_j_Page_47.jp2
63624933f649f9c9fccf97447c7d24ca
467eb239f046b9680c226fb89b9a753766584dd6
F20101206_AAATBU mason_j_Page_34.tif
bf86e5c412e46eb306fb3ce8caf7f756
083292b87e87cb9a88e9f2f10ec9dde84f157cb3
31109 F20101206_AAATLP mason_j_Page_60.QC.jpg
6c0f014d72abcce8f0015991549b3618
912f710338aefa14210460390ed03343177f2a09
1786 F20101206_AAATGS mason_j_Page_45.txt
a80eb13de60a3be575d27d38416c884f
a72875929b5e3dc952dc9292aabd7647efcc5d58
26167 F20101206_AAASUX mason_j_Page_67.QC.jpg
7865589c22b405f3eb26f7adbe24827f
ad80f9981bf866c6eb0adf4b2da36ec697ff561b
1051986 F20101206_AAASZU mason_j_Page_49.jp2
408bb2fcccf2ae56500fe78c5f62ad63
ef68089e8dd946301d2eb93812a9787757c521f3
F20101206_AAATBV mason_j_Page_38.tif
f64cec25b8a58c4401288d4c041a193f
2f5ab0f299dadc2a660a4dab61ae13600ac0cc25
7630 F20101206_AAATLQ mason_j_Page_61thm.jpg
7dd7c3c98ca7350f5c3c4fb4c191d838
1181196a1df080ee5c874ef0f0a3385db862046d
F20101206_AAATGT mason_j_Page_46.txt
9eed0cc690ffef1eba7b1dbd2c122093
ec238c7919c886a38c032f3fd54a2f26f9543ad6
102961 F20101206_AAASUY mason_j_Page_37.jpg
2d38eaf6a991b9d35d3532e56716f7c8
82b07e1026e871076ad9c702014140f5f3159c8b
85782 F20101206_AAASZV mason_j_Page_50.jp2
32f8c9a3883e7b9a0c5a3b1c9381a917
0ea3e681271ea9b7c497e45e51b2553f08b91e15
F20101206_AAATBW mason_j_Page_39.tif
39b4b1c5c501196733a604f0d7f96e17
d595a5ee58ab3ef418e929212fd4d263ad933ee2
104064 F20101206_AAASSA mason_j_Page_18.jpg
252cb92298300921ca9bf60a5081a427
aaa8ce020aa8c35ea86d277603e64919ec0913f8
31344 F20101206_AAATLR mason_j_Page_61.QC.jpg
b05b2b99501f5063a34002e5abbbcb19
9e0710cf2256d91c3ba54613192123b6b316cfd4
2347 F20101206_AAATGU mason_j_Page_47.txt
75f9267b2fd456cc8d3ba78b0f61911b
7f791d236b9b755cfbbcdd0a3f7228efb0394b70
51333 F20101206_AAASUZ mason_j_Page_51.pro
ffaed7e3dbd9c8fd22f675c99863de10
53a1a0d14daea6ffb90cc9e2f1ccd49e5836841f
104350 F20101206_AAASZW mason_j_Page_51.jp2
1e0f3add3b783262eaa49bb95c6018ff
e66ebc964d8393ae39caa56fc90c6eb07402cea0
F20101206_AAATBX mason_j_Page_40.tif
a6919a0b00d3c3c8be7669d50b64995d
e490ea1a7790c94e0bc76a3a034c84464f0ac625
7095 F20101206_AAASSB mason_j_Page_16thm.jpg
b5a49e6f0c6f46d493e63b5e72c7e639
193b02da393d7d6fe2ff7babb5a04d144c163445
31923 F20101206_AAATLS mason_j_Page_63.QC.jpg
d597bc7affe6308f8e320fca1c6190e8
fb912d53057d357c893b8e2b28307b59284b5613
1574 F20101206_AAATGV mason_j_Page_50.txt
359f3be09e15976b89f4813d9f3e2cc4
f717e13f26c58343e9514188fc02456249a661a5
111224 F20101206_AAASZX mason_j_Page_53.jp2
55dbac811a7ab527f4c0b6a6d53dfc2d
e8c09f739dd7e4f46c7b5c90db02d258c78b1d80
F20101206_AAATBY mason_j_Page_42.tif
672f1935226f32c1b2898a8a2d21eaa2
46f5699849f1c5a11c104ca054a2345ca2b283b1
2109 F20101206_AAASSC mason_j_Page_81.txt
10e7a24a9efeafe1ab595db4d5959f56
352454707402c47e34fc575b0e1644cd1981adc5
7939 F20101206_AAATLT mason_j_Page_65thm.jpg
9cb1f1b8468f3b8c8762d4c0c29f30ad
395bac48a4f6c41eb172bf28bb41d6cdb4affdaf
F20101206_AAATGW mason_j_Page_51.txt
bc803c9cc0d368382e9fb554f02f62ef
19406e5f3dc8d41717c80b7c543c503fdde86b18
86426 F20101206_AAASXA mason_j_Page_34.jpg
bde151f08e70b495fd5632962149ad55
3c90ce9dd14bf4dea0f992a522e54c3e24bd0bb6
102018 F20101206_AAASZY mason_j_Page_54.jp2
11055e20d173661483cb260fe8842954
7447d7665a19ef6134800a741890669b82c9853c
97953 F20101206_AAASSD mason_j_Page_16.jpg
7765987b10364218d3964ff4a1791e46
7a05bab3aeed28c476a9850f7adbd3cb02437dc9
29021 F20101206_AAATLU mason_j_Page_66.QC.jpg
d11bf756b9ef8e1230f577d6ed0d9fbd
4006c7dc067a793f20a44ed941c1dbaa0cf62bdf
1812 F20101206_AAATGX mason_j_Page_52.txt
a78a3d85e85a61a6142bdb74ef3a462a
ee18976a4853574fd6687ae15f34926f7b3c1698
97846 F20101206_AAASXB mason_j_Page_35.jpg
70271c959d3cb5b513cdcb99d28932c1
767eb6ad6e26a6a7c2bf4d2651195997f995e060
112323 F20101206_AAASZZ mason_j_Page_55.jp2
397c698ef916e49465b40b5ad04082fb
2aad10bf8a1b7a6ed0f55f764641aa146345a021
F20101206_AAATBZ mason_j_Page_45.tif
5afe5074d38afaaa7c6eabb34e7e5db3
37c1c397c77cd1bcab46c03d598e2bdd67067bb6
101942 F20101206_AAASSE mason_j_Page_27.jp2
1372a166c321848fbec238ee8efefb70
4aa08708c725a4de1d27bfa048749485491df5c3
6326 F20101206_AAATLV mason_j_Page_67thm.jpg
c28fe756e0bab3adfdc06017655b6584
b2dd2cc5e7fda2ed1c160e1986b647f9f93f91f9
2184 F20101206_AAATGY mason_j_Page_53.txt
fd9995b95b67805f534acc8342b6998a
d37c43f2aa7e0930829ddaf654e8e56acf2ef83b
96767 F20101206_AAASXC mason_j_Page_36.jpg
9e938021694b026d129a95c806b387ab
8857d2df76fe5173fc4a786222fdf948c21feab8
50123 F20101206_AAASSF mason_j_Page_35.pro
d62e3ba1b981d637ab51ba6a264cb625
1685411065830b7d510e1a3a26df8faaa068b1ef
33763 F20101206_AAATLW mason_j_Page_68.QC.jpg
14a4a3eb9e905bb8d0363418a327b2fa
0a724b714b7784dce4b90f02c709e38c4bf89644
1962 F20101206_AAATGZ mason_j_Page_54.txt
120dbb85427cb0fce0a6fe6b20862981
a655bcf0de37869bf5abac617ac5b04ee678d00d
48974 F20101206_AAATEA mason_j_Page_33.pro
c8f8247b35b39bb65f50f5f314ce427c
594279bc3d366e4f5b5e8019ac7c894c3459a6c8
101157 F20101206_AAASXD mason_j_Page_38.jpg
89b7e263c1ab4ce83e3b9ec4c91c095f
c90c91af38459e8d15d9db7f8716eb24a46bdc3c
5341 F20101206_AAASSG mason_j_Page_04.QC.jpg
407442fdde95cc7334ab87112cb0fef7
64c7544e0973a028893931a2a2c6e3a0b1fbb4c6
8584 F20101206_AAATLX mason_j_Page_71thm.jpg
fbf8f41047fb18e2595e5d8291bd8513
7d833e6f7abdf12218ee30f7451b202c02d8c343
47976 F20101206_AAATEB mason_j_Page_36.pro
dc501e37b9743321a47d3d8c72082c66
fb4b3f80d6b0ec13ff03597d31010d21648dc3bf
96882 F20101206_AAASXE mason_j_Page_39.jpg
e1e470ab83884c9f00d1d912ca6ad2a1
87dec886c44c959be46a7cbe07d324f3bbc3f172
8473 F20101206_AAASSH mason_j_Page_75thm.jpg
66be5a4048a6dd1dfc06ff6522d319ac
e68cd4c7cc98ee3c6376441340dac24e738fd1f4
34744 F20101206_AAATLY mason_j_Page_71.QC.jpg
6fd2307d7ab5a03a55d2d3cf544e50b3
6b89dc135125d4fb67d60125d6f11a72800acf93
30854 F20101206_AAATJA mason_j_Page_05.QC.jpg
effbac619f5243c38f6a7a54e7465b97
aef848d75b548fa4144c6d806409630e7ddfec29
50984 F20101206_AAATEC mason_j_Page_38.pro
413d78e17462ae199c504991066bcd1f
3d8ed8cee2bbdbb65113dcaccb95459f3cf2c3dc
60801 F20101206_AAASXF mason_j_Page_40.jpg
07359782708863ff47e596204cfe2c42
17bf8315a217e484260b42a7db4b55094ee39e98
F20101206_AAASSI mason_j_Page_52.tif
2ea9f51342dd413e2d2c56df1790b437
813c23666a1586a5f354eb53960f1b6b5bf2be78
36444 F20101206_AAATLZ mason_j_Page_72.QC.jpg
fe1a63fd92f8fe2006a403d18e1f36aa
97e00274fbffcf1b7890a87709fbb69468703140
48737 F20101206_AAATED mason_j_Page_39.pro
013f0b9e30503bfc19d813417a178463
e08dc8b08260f9606dc0698d1b81746ce47e277b
96976 F20101206_AAASXG mason_j_Page_41.jpg
ea95ceaf656842f8e49a4abc887435a7
766cd659c4379d0e36cb8f74f51d2bf3123dce71
37715 F20101206_AAASSJ mason_j_Page_86.QC.jpg
20ecad190749424d1e3e2a9bac3d409e
03796240139780d62eeddd7d349f6942f61fc400
22065 F20101206_AAATJB mason_j_Page_06.QC.jpg
6852fd39d35804bce06e90493030c2cc
d3438c117b263a6aa414659c1ab20b8d97b9069c
28893 F20101206_AAATEE mason_j_Page_40.pro
241979d3a331c9d509e7476f1159fc2a
1af99efbcb9a09d87cec10f904ff415b48cea577
94146 F20101206_AAASXH mason_j_Page_43.jpg
2cbde6411bdd8abc74f3b07f92be1534
414c4bfab0d2e6e7b8f306de8292f6e2d306426d
1923 F20101206_AAASSK mason_j_Page_21.txt
703f3b1c04f448c32bdc84f184367304
b6b7d389ff6c6c2317e01926e9ca9d5910fe76f5
2879 F20101206_AAATJC mason_j_Page_08thm.jpg
59e02bbe0fa7f542305b8025d2dabb66
5f02cea095d7a69869b3a12f0cf9644423d21cbd
46532 F20101206_AAATEF mason_j_Page_41.pro
11fc9e1f0666cda2c5632f49b24f5b4b
3d9e98ac17f8be16d0a085366c0f8849634baf60
113620 F20101206_AAASXI mason_j_Page_47.jpg
699ac3dc139ac9e9415f18505d1e0406
c456e1019b2dd0a708b7ca8c211cc2103418d7bc
11659 F20101206_AAATJD mason_j_Page_08.QC.jpg
5a424e2ecb0fe0efc3984a206689c08f
b18b9cf85ccf2bb1edf0029a964aec6757f3d927
47521 F20101206_AAATEG mason_j_Page_42.pro
9a147fefa345081c7f0403f2dc7d5764
f51ae5a95264376242c18fee7d44cf5a2f5795cf
95343 F20101206_AAASXJ mason_j_Page_48.jpg
32ec8265a0b7164793a6086d0e1c1a69
fed98e4a09e3de93237732d72c823ca590dac536
F20101206_AAASSL mason_j_Page_81.tif
1e702631d68c4ed8125c47017380dd33
96ec7f2ba8b40619e3c9f9acde72ba66abbb981c
8451 F20101206_AAATJE mason_j_Page_09thm.jpg
ab001a477bd6156151eb3048ae3d3ab6
ac2f4bb80003abc364be704d2445601acd3a0336
49217 F20101206_AAATEH mason_j_Page_43.pro
7ec31e5bf5d077fa43908fb2399786ca
7d3d9d204ff304940a76e58ad0c881500c0e6876
108274 F20101206_AAASXK mason_j_Page_49.jpg
d9f605c02180d7e9ce5abce0f6587d22
f8f292e6342283adf032b64301f4e2e5e78b5b07
39072 F20101206_AAASSM mason_j_Page_50.pro
e23f6bc1ee5990b4dac9b90d3819fbc6
740e87a8f7e049e0572bd411d425bed2e25b6835
34832 F20101206_AAATJF mason_j_Page_09.QC.jpg
2d2930462cace84ba6007e9e8e8cbf20
b74035056829e31768ae47d3d73529108fff741b
44459 F20101206_AAATEI mason_j_Page_45.pro
2aac856108ec6fe355a741df93f3325e
980ef4ef11388c6da0c66eb0c50988103a5a02ac
79993 F20101206_AAASXL mason_j_Page_50.jpg
23acb59ea58e47c0b884327ea2ccc9cc
3aee9402f04fdc223fe460927f1349fc1a79208a
112118 F20101206_AAASSN mason_j_Page_62.jp2
c20dd4dd0bcc66a13b766e5be6123253
6da1cbf2502dbad6a955838d827591faf6c38e43
8750 F20101206_AAATJG mason_j_Page_10thm.jpg
1fa4f2d82f2a1232e61c1f5e47e4ae8a
5e111516644f17454f445d61ea3e88597c634c30
56399 F20101206_AAATEJ mason_j_Page_46.pro
94a2e1b6c8c1dbc0ce8bb397d8b5b0a6
8376b8233b7044c359cd5d4f558b2de45049b045
98646 F20101206_AAASXM mason_j_Page_51.jpg
17d352d5698dea3d91021b94dc464e11
bbb993032d667491aae8d02444bdd59719b4c2a9
26955 F20101206_AAASSO mason_j_Page_50.QC.jpg
6eb19e7d4d2fb6ecf1f4c4f6e782e290
c62707d40ac083057e859acef0f19422b60f2494
7524 F20101206_AAATJH mason_j_Page_11thm.jpg
c335a7cb97ed1aca5e12c218a5cb5ef1
15192b55762bb3d453aed292499b9b53498932e5
55908 F20101206_AAATEK mason_j_Page_49.pro
55d46c6bab0df493f81878f2e21052f2
c70a17ffcce2180b0817aafb7695ad53fdc68199
106306 F20101206_AAASXN mason_j_Page_55.jpg
c98e563f42dc6f4ed60f3066271a3b3c
6eaebbdf543bfdb457eb7b35c841e8016711c4e2
102298 F20101206_AAASSP mason_j_Page_48.jp2
46446722a4556daca14dd3212e0f8657
1937b1de8acdb29d9f6c21a08cf128b3036e27b1
31157 F20101206_AAATJI mason_j_Page_11.QC.jpg
989efebd5f4a9ec71979ff7748a2eced
822fa1755e3fe8380b8a3d4717862c317d183f11
45033 F20101206_AAATEL mason_j_Page_52.pro
e4072020091d814250ee085797efc5eb
431c1f08f1bc52b01ddd169b440a51dbe6b3bc92
105005 F20101206_AAASXO mason_j_Page_56.jpg
65de31c028885510c4afec1194a9fce1
a4359415bd50da5b589b4312b6225d532b56e08f
32256 F20101206_AAASSQ mason_j_Page_21.QC.jpg
429749e6f7ebcaa6be9b8c5306a00a1d
3033cff3b1b3498edfa50da10e0cf9c4c898ada5
8303 F20101206_AAATJJ mason_j_Page_12thm.jpg
0d95375778b0af8f383e7e33790cddb6
2b3192e1b884085b3b862f59816420d98eca8c01
54602 F20101206_AAATEM mason_j_Page_53.pro
c0756da90c0e58e478f998afad93bda5
253013a8ec25e696004d6a2a2cff5f1c354edc38
92648 F20101206_AAASXP mason_j_Page_57.jpg
4c16cc32558c38c6158344c2499ec298
1c73fe8b304acb69c4797e2cb96d19fdab78651e
94986 F20101206_AAASSR mason_j_Page_42.jpg
2f32f9f03377c28d1139f927bb42ea98
ef0f00c6f761cc6fede9191274ed8e49a737253b
8615 F20101206_AAATJK mason_j_Page_13thm.jpg
ff36ad00893379024652ab59079f5a00
5820c71283d3c787603e42d652f3a45f6237ac40
49269 F20101206_AAATEN mason_j_Page_54.pro
3bfd08e6be95567a3a214dc929972ffb
2fabe2891558043b0b716c78b5febfc9bf18518a
F20101206_AAASSS mason_j_Page_63.tif
ee4ec505fba8505b55c12904b0b0706e
d3b6601d02626fea8facca42394fef105617263c
8360 F20101206_AAATJL mason_j_Page_15thm.jpg
94f571cdabcf45cbd27980bee549de6f
953eb29d1ecaee560c6feb7c68066f068058bb1e
53720 F20101206_AAATEO mason_j_Page_55.pro
42b8de273f117f7c57f90d60d33927aa
781f6d0f31f13ce0401fcd118447316406bf38e1
99457 F20101206_AAASXQ mason_j_Page_58.jpg
797ba3d4c7570a0620b89f9b3b0150a1
ae5beabac7029377b8f14b7c99376f64fadbf80c
F20101206_AAASST mason_j_Page_36.tif
57f8db6606cdc11545b4668959db669e
ea0857a184a099ac5d376517bac9359f54328536
30270 F20101206_AAATJM mason_j_Page_16.QC.jpg
7a949ae162c7710834c08ced13e870a2
a154bb09d03a02f2dd0ff5a305a042d8d18c9966
54783 F20101206_AAATEP mason_j_Page_56.pro
4a4166cad16d8480ec60b10a6a63e440
9cc68d140865fa8e16776fbfa6b85694b15e02e2
99039 F20101206_AAASXR mason_j_Page_59.jpg
8c1aae1b3bf6a5fa513eff34ac01c628
3e27e3c0c010f6ffcfa8fa6ebbd5f4db1562ade8
103330 F20101206_AAASSU mason_j_Page_70.jp2
8cc2e3f9d04b49e75e038089f003ec36
261f7f3530c76f90bd48cbe6b2cb90a32f1f94de
31244 F20101206_AAATJN mason_j_Page_17.QC.jpg
9c92852fde1800959113fef8a6c9dbb3
789035e29631f751548a5ace2375861ff479399c
45414 F20101206_AAATEQ mason_j_Page_57.pro
107d440d30e4853311369e0038f28702
de14d0b8d648391f947e490a1601d5c65ab3ef5a
98548 F20101206_AAASXS mason_j_Page_60.jpg
cf001f50a51d6622ef2fc547823fa3cf
93d4ed51e8a7b74084e6508cb3298482aaa98f8a
8690 F20101206_AAASSV mason_j_Page_14thm.jpg
8f31e22d1de49acd0afdb3c357bc7ea0
e24aae914fc4198eb8f9af02dc551684f10423ca
8170 F20101206_AAATJO mason_j_Page_18thm.jpg
d7a23709a1e7aead9986a88df2e297c1
1634464f9fc331e02107cd23ab04735ebbbed600
53499 F20101206_AAATER mason_j_Page_58.pro
2b19f6ec92c4dd9d3abac8913f6014a7
d051e0db5b17e79d4167733dc7456b435468d999
94285 F20101206_AAASXT mason_j_Page_61.jpg
ab282c9434d8e05a07543812ac018d31
28cf348e23cdd6fce55c329113cc663942ae23d2
95918 F20101206_AAASSW mason_j_Page_07.jpg
303dd4f8c8b04496adbc28acd009e30a
857258f9a3e613f56e5ce499d9d0773e164da478
7810 F20101206_AAATJP mason_j_Page_20thm.jpg
9b0ddf2e59a0c190d08e21fb86967058
36e489528c83b381ad0722b61ba54c9bae1e8846
48547 F20101206_AAATES mason_j_Page_61.pro
cce12a44f1ace771592120b8a51319f2
10866187a744930e72d0b1f363829534ab3b6a0a
97395 F20101206_AAASXU mason_j_Page_63.jpg
e80b59580c35c4b825ab7cb2be62499c
ee451d317aa219f36763c1695ba3ed0105fe086f
105322 F20101206_AAASSX mason_j_Page_73.jp2
1caa4680ee73de61cbd102aaf3354381
cda50b03d19866f1c85cef7636678c3fd50fbaa8
31393 F20101206_AAATJQ mason_j_Page_20.QC.jpg
c2cb5d14593db7131cbd4b359dfcdcf9
2e595bc3871239540b3e014c24fd0748e934e202
52981 F20101206_AAATET mason_j_Page_62.pro
9954c591aa6d77c5158dc2825cf65cd9
3f724661ae62716cd73872f47cfe75fcf263b90b
96926 F20101206_AAASXV mason_j_Page_65.jpg
e1852b2e05891082df150425be5e5d58
6f924b594894c8a8e14e65de0787c1a1a91b4812
103034 F20101206_AAASQA mason_j_Page_53.jpg
28840a1493454d0329d38db453e80c96
939e9ab5a419a388b2f8389d94eca4c0bfa0dbab
31509 F20101206_AAASSY mason_j_Page_29.QC.jpg
bc72b56d7140964022601ad11e391c8f
ddeefc8bf470c85b94ee4761eb64e6d3ca5c3991
8042 F20101206_AAATJR mason_j_Page_21thm.jpg
73965c0f01d88170ea3bb28f9cd72a75
9b90a333a8be87a3c57a7984e3885b465e8b5f08
47461 F20101206_AAATEU mason_j_Page_63.pro
4e5d387bc072e4287da7a50a8836c4e3
e808aa30e586f39d6eba600b759939940ca91f93
89180 F20101206_AAASXW mason_j_Page_66.jpg
e482dc31b794c7e56ba314dcfe38ea36
347ba8545f733d8ac4eff66214386d8032917cee
F20101206_AAASQB mason_j_Page_20.tif
d70e75c597e457a5d045b437c357a53d
394a2aff899b66d7280ab1057d0c7004445282a0
43024 F20101206_AAASSZ mason_j_Page_64.pro
a2ccaf4ceff038c611cdbafced5c771f
3852b2334a118c5fdf8944a434439dd635147000
8070 F20101206_AAATJS mason_j_Page_22thm.jpg
96b6639161b95d15af565781ccd4e1cd
f2d13cb7ce9d2d00f226466296028f788a81eef7
43158 F20101206_AAATEV mason_j_Page_66.pro
a9ac8b4b358945f07d266fa86f192023
64f797841898f2c35886ea2214b92565357e1f80
77825 F20101206_AAASXX mason_j_Page_67.jpg
f6f18e60867dfba0eb5b3f4545e77dac
05420cd88032f4c910d8d4c6d7ea26936766480f
36218 F20101206_AAASQC mason_j_Page_83.QC.jpg
eb5927c14a9d6dffeb97bcba855e13f4
a54c807a2814ac581b45756b4f131c1a131bfe2b
31078 F20101206_AAATJT mason_j_Page_22.QC.jpg
a96516125e596c34bf1dbfee9d629652
62d3afed730c46d982e2fa9c8eb5180637614da7
36435 F20101206_AAATEW mason_j_Page_67.pro
655366d1b5c84836d0dd892bef2bf124
bb0ad8f6a351e9f02e68c44f4cd2e22bc2f0cd31
101757 F20101206_AAASXY mason_j_Page_69.jpg
0cdd4ce9d6289e4019cd37fb88c328c8
c36709ccc585e2d5dc5203006917b48f3c90de61
2255 F20101206_AAASQD mason_j_Page_23thm.jpg
cdfda7e2378ceaec9dfadc3cb8e7013b
c16d2d51a6a4b353d0988c25ebb778adede1a319
88888 F20101206_AAASVA mason_j_Page_44.jpg
e2d0eff2b35e051590380404bfdcdb44
015161777b1d392da17040612855b8190397688e
8582 F20101206_AAATJU mason_j_Page_23.QC.jpg
9563c36417259213fe958307fb4a0c89
7fce3205a4678d8b4ba939a6e06e81ca6fe9c0c9
54030 F20101206_AAATEX mason_j_Page_68.pro
ed24e82ac601f5dab0db5a43873cd753
6a4c12e9b35c56a88fb3b325c230a0cb1ded3f46
97906 F20101206_AAASXZ mason_j_Page_70.jpg
0bb0a23fdbd220a2a45c60d2548d5abb
513efdb59c8e727c3edeb13bc7cbde7dc4a82ecc
2099 F20101206_AAASQE mason_j_Page_62.txt
c2d7ed0d89627101cc9ce4e99a839b7e
b68143b27a4abb1da1fe8e762583db7167c700f4
98193 F20101206_AAASVB mason_j_Page_21.jpg
4f0f659f9ac4c20af394cc8a734e11d8
aafa7fe17eb8e092fa6d21e8c35673f5c751a085
6969 F20101206_AAATJV mason_j_Page_24thm.jpg
f71e91fd8964b33cdde2da0a924fd151
64c7a63923615cd6a31d02a521760ef72eabdf78
50905 F20101206_AAATEY mason_j_Page_69.pro
a021071b238f97f85dc2e752cdc00723
d2937a1b824f0afce2eb58d0729c336df1e07fa3
52202 F20101206_AAASQF mason_j_Page_18.pro
8fe1e6b6a4168e65115cbec93e20e2e4
eb19aea3ef197a69aafc6d13ba1e41149735ae48
107502 F20101206_AAASVC mason_j_Page_62.jpg
66ba5ce086ecb2b649726e7c7a69f304
f47342fb4ebf34db52b2486a9d9a17972867cc5c
27755 F20101206_AAATJW mason_j_Page_24.QC.jpg
378a0944a3b9a81591ac44f3d1b3553d
38e31b8636347cd0fd738f00ad899e557775f94e
52023 F20101206_AAATEZ mason_j_Page_71.pro
1025dd3df2b10193903288bf8296b8e0
bcaa86683012e54eefbbcedd79fff766a552d02f
29089 F20101206_AAASQG mason_j_Page_01.jp2
0049735f66a03bc27bba38c4053182ac
79c47fc126c8ad0b5f95bf44734f197515940900
F20101206_AAATCA mason_j_Page_46.tif
bacf099570197d05f409865e6f2c751a
ee5778c77529f1baf3d711486f20efd835bc1816
7960 F20101206_AAASVD mason_j_Page_85thm.jpg
33e8eab07e512e6f77c260f09fea880c
efcd161fdaab5a4b81f3607e49900ad4f402a8c8
31185 F20101206_AAATJX mason_j_Page_25.QC.jpg
f5ecbf981db2a6171bb6c6cd66dfcddc
70d1afa04286d34eab1b38e3421a3c81b81941dc
111130 F20101206_AAASQH mason_j_Page_72.jpg
eae67695511e554124b1db9002581de0
6eb16376a34d868f009d65d4fe45a3a355518e83
F20101206_AAATCB mason_j_Page_48.tif
4a029ec2cb5b6efccf7d34f618ac2d20
7bf89999c79be32ce2534658aeb2fbe60bd16c76
F20101206_AAASVE mason_j_Page_19.tif
c00d927bd64a609dc86a550044bafa50
20fe9aec12a979b24bbfcaddf440c82d475d5f2d
33724 F20101206_AAATJY mason_j_Page_26.QC.jpg
527ee708e24b05c45959047a4eab4b80
d32d0f279e90092ba78361fe5e4ce8ae0281e09a
36152 F20101206_AAASQI mason_j_Page_10.QC.jpg
deb0aa8d5b399297eb73620b15794c00
2ea4765703e49d665beaca5a2d49f5ec23c8072d
F20101206_AAATCC mason_j_Page_49.tif
06352115a7373700a73eb7bf0d718a95
32e411f97561c2a1835e54e42f2af01d2aad74a6
F20101206_AAASVF mason_j_Page_84.pro
177abec9c32cff5f427e22ab35cb3fa7
538d766a9b396519aff404cbfff08a440ac912f4
7636 F20101206_AAATJZ mason_j_Page_27thm.jpg
25c3880ff75d30371b1f529391ecb442
ef8a7d587f3f353c1b72958706b1983396c9d3d4
2117 F20101206_AAATHA mason_j_Page_55.txt
55e9748ec4f9333b4a24d4e6d820e69a
3eea2671b5f55cfe8c8467246e0c47ee98cd01ec
F20101206_AAATCD mason_j_Page_50.tif
dedc42caf28c638e93ca87f3884460fa
a832df86cfc21389ae13a2cb81ab28ece7ebe28b
1949 F20101206_AAASVG mason_j_Page_33.txt
d3c03e9b87d0473bec9dac045b167c75
750852bd9e576f6fec6f3955c61f1ff999b69063
1826 F20101206_AAATHB mason_j_Page_57.txt
dfa90c4eb460ba25baab8b839824c882
5ef15078790afe4f8466ac6fa7ad91a9e09406d5
35400 F20101206_AAASQJ mason_j_Page_80.QC.jpg
8ac9960e6c44392f7444cfe7e54b1c91
abc1c37196ee56bd410ee3a37c8cfc65de5f0150
F20101206_AAATCE mason_j_Page_53.tif
02034cfcb25594ec6f4e09b35abb84c2
cc3f65ddfac858fa347cd9a49cdaa36af2503350
100044 F20101206_AAASVH mason_j_Page_73.jpg
f431a678f6884a1f65c933e4c33134ee
34b0eb43e4f8eb0433fbc6a5f9fea931a57aaebf
8267 F20101206_AAATMA mason_j_Page_73thm.jpg
299d079e4261d3eaa2a168b390782b67
4e6dc911c0b2b30dd50839280921e7b49d5e140d
2110 F20101206_AAATHC mason_j_Page_58.txt
0ca947a7ff483e3c4171d1d92039c63f
71dc8170c078377c7db2cec235921991435b2e57
F20101206_AAASQK mason_j_Page_07.tif
b21c1cd167714bb4fd2cacd31e81c0d3
fccf1598c886e423807cc5ebb3ac737319d6ddc2
F20101206_AAATCF mason_j_Page_58.tif
5132bf34d2a75726a81a1e45cb0180fb
74a6d10e17dc59ef7fc80f8f3fbf9a3cc31fdcec
110932 F20101206_AAASVI mason_j_Page_68.jpg
3ccaff4bcceec862048b6bd681cd6374
3c4930315a29db441d7cca3419c32cc2ab867cf0
33913 F20101206_AAATMB mason_j_Page_73.QC.jpg
1449474eb76edb2689990dcbd692560c
551ba10f00eceb9ced7a1696a2c875eb49ad37e6
F20101206_AAATHD mason_j_Page_59.txt
093ef0e84bc323b7cd3f240c1dfe6df0
cb8096977825afab87c9120afa8626c2222ac274
2146 F20101206_AAASQL mason_j_Page_56.txt
9ab52eb2bb9c3c5977b5b4cb84e10fd7
98c629ae43a86d9a6405f444e16a4d88bf762108
F20101206_AAATCG mason_j_Page_60.tif
a35ceab3fc784a2594cc86739d478982
adcdaf140bd7083a01735450c08fef74303dd97a
59183 F20101206_AAASVJ mason_j_Page_47.pro
fe97ee04d56e968d3dcfecab22202186
b79f47c86db8ebefa4da66b6658c20d72d387b7a
33186 F20101206_AAATMC mason_j_Page_74.QC.jpg
53e0215936d33f1c9219e2b4974d267f
85b0aec7c38b3b4e10c35530b046045a36d015ed
1952 F20101206_AAATHE mason_j_Page_60.txt
00e3a3624a147b2488365eacc817750a
cbe7818a5527977f4a8f42cfc6e214da5487d56a
26893 F20101206_AAASQM mason_j_Page_44.QC.jpg
79527e1eb9b9f6e3911e2ff62a25a184
043a7e7988f3c0b04e2f33fc698c13be39c2fc11
F20101206_AAATCH mason_j_Page_61.tif
9870c5c0e1b792a71d4a94404cd5e2c8
98910c89123d6c917b9367900054c927abf42155
741 F20101206_AAASVK mason_j_Page_87.txt
eff38567944cf835e7790e611d73416d
914cf83b3f538593377d5cc5fbc98433753bb394
8399 F20101206_AAATMD mason_j_Page_76thm.jpg
b19fcf0a5a322275104275e71ef96bd7
6b5a3ab515f5e4c3e7bf3cb402fefd35a45c6f00
F20101206_AAATHF mason_j_Page_61.txt
009d40406d7845c1cd52bafe68f5bedd
4bf288931fc60d7721690023128779be9bace185
8072 F20101206_AAASQN mason_j_Page_59thm.jpg
45e86d2c6da6b985d891b52f57789259
fcfc1e69c7a44aaca83db9537457c039b3f838e1
F20101206_AAATCI mason_j_Page_62.tif
e6e8293a176793b5f6f046377963a44d
4c179bf2213dd1107470928ccb2f886613ad68a1
F20101206_AAASVL mason_j_Page_47.tif
830658bfd46393565c35a0bee52073cf
3800ac8a48d9de2d96c9637a3a8cd90fc8bfe0e3
1733 F20101206_AAATHG mason_j_Page_64.txt
96798def7d15575c8a77bbf34de3a0bc
c7eb47a966e90f4a0fbb2112ec0e178084cb94df
8236 F20101206_AAASQO mason_j_Page_81thm.jpg
f0b35501bacb8f82b2715445be66fd4e
c18cec7830aa687bd25a51393e5b823605d6e333
F20101206_AAATCJ mason_j_Page_64.tif
406c5149ac0001071904394ffdf8f5db
aca1134357eb9a5e5e1cd1ae555a801e8f6f4031
33836 F20101206_AAASVM mason_j_Page_76.QC.jpg
46a4982001548c586daf9a2d376139d3
fa9b207b8415b2956537e8445da0debb7da8fa38
8411 F20101206_AAATME mason_j_Page_78thm.jpg
2d68cb86d2f7a96c34fcb8e52c31a21d
58583a4fb4b7029eeb2066ad0157d06173d1ca79
F20101206_AAATHH mason_j_Page_65.txt
7d00297602b2a96d60895c2df3f444ed
39e3c02faacb863f82c806d378174ccab941ad92
34378 F20101206_AAASQP mason_j_Page_37.QC.jpg
90da20c40a3ad77101e78c21e99b6487
a6ff4817ddc3c0cf4a45744a42e51b4133d1d773
F20101206_AAATCK mason_j_Page_65.tif
801f43b7591ae8ba3953d9eb13c64dff
4b83a47ac07b27f8badc6eec1b88474ff1de734d
53083 F20101206_AAASVN mason_j_Page_37.pro
d02c181a9588d450e7fed7cc6656ca42
30054030752d81761d83518f4d264edb9b2c0491
8772 F20101206_AAATMF mason_j_Page_80thm.jpg
c6611fb9e56bc5d327135ffd8ce4f170
649401d92908d37dca83bbd7c76f7d64f1c00721
1524 F20101206_AAATHI mason_j_Page_67.txt
e8de99e5da4d5b0802e51e9b0484a26b
413aac825db9a65f21bd27917b64b2d845e56ac7
102909 F20101206_AAASQQ mason_j_Page_21.jp2
5e0e95c54dc1b8b66156843617f1be00
f912e331e472ad5408c4863789b81903dfe3bf8c
F20101206_AAATCL mason_j_Page_66.tif
fbc4311f6ce82d601703fc67be6f3b6f
59d55ee8db64c356e52fba4316dc4eb0d3a83adb
33713 F20101206_AAATMG mason_j_Page_81.QC.jpg
34447b71ef8d8d9804917e05673c67c7
ed3b7d137cf4aa00d80e3eb7727a5b4597ec2279
2227 F20101206_AAATHJ mason_j_Page_68.txt
7ce884d1e51b3db379c5041daf293370
2482c5b31cfafe8c8d56b071efb22ecc165ab5f5
2018 F20101206_AAASQR mason_j_Page_17.txt
762f944b468ec66493b4106a4862e635
00556c67a3b8b0be54987d2f3422b75bd6773f67
F20101206_AAATCM mason_j_Page_67.tif
c8c6583b285b4373f08d6c576f3ea2e1
54dc6e9c2384b199b5ae83dea2c96e8621d385bf
F20101206_AAASVO mason_j_Page_09.tif
b385ef77fe3dcd9bc6848917d71b6c59
a5b26b1d72807d0257c28c72a6832dae9ffc99cf
5448 F20101206_AAATMH mason_j_Page_84thm.jpg
5d15b1f10e0d5740dfdd9ab6d59bf5d5
32b6822dd3ae91acb288651eba61108b6a24ac80
F20101206_AAATHK mason_j_Page_69.txt
15227c0a93a71e09450d04fe260e5476
76aa06a6717e6787b06196c90f7408e4153a031e
8020 F20101206_AAASQS mason_j_Page_36thm.jpg
cf210e622a4792e4ff87323d955ef1f0
ebcea3ed7ca157585d05045822ae8e7067ba3016
F20101206_AAATCN mason_j_Page_68.tif
95652cfd5aae5869dd5e966b71ad8ff4
3e1d23edda6afc156759dffb75a0e7fe390da547
36045 F20101206_AAASVP mason_j_Page_13.QC.jpg
8a0567440c97df3ad2d765a23a065a9a
cb5a9a31b085f556e5cc32fbb9a41eff9f9f4270
21827 F20101206_AAATMI mason_j_Page_84.QC.jpg
4c6b2532df38f0a9ad80d8417decf335
25b289b74b93f1c40058de28806e49ba0f2a8c2e
F20101206_AAATHL mason_j_Page_70.txt
ac03c186de2cf8b43506f004665963ba
a1c7e244c9f46c3b728173b1083a5449fa18e06e
F20101206_AAASQT mason_j_Page_03.QC.jpg
7527c9f492a484c792e755bc1eaf66fc
6544be249dfa8b790812db83706e256eb3fb4b90
F20101206_AAATCO mason_j_Page_69.tif
0b69defdf69cec9293bea651d6024e57
f2ca71e1b36ea0464aeb3abefb8c582f940c779a
110564 F20101206_AAASVQ mason_j_Page_82.jp2
b6c48bd488dbc7a6f6815a52649b37c2
a985ea2c84c362ef04677cb06f698d8c0e562e5b
34061 F20101206_AAATMJ mason_j_Page_85.QC.jpg
c826d536b51cde93c0122d27563ab82c
3cbe241033814490dcdaeeedbfb3b072b99dea89
2059 F20101206_AAATHM mason_j_Page_71.txt
b25923b75ac798d66d8ee39cff249e85
8f9bfedf0757e8316102f2f741f9be5ba1eaf93a
F20101206_AAATCP mason_j_Page_70.tif
b39ce41c98e91fc1fbfe9184ddf98b42
b5e1e3a33bb5aadaf09690e9edc221e20154dd39
7965 F20101206_AAASVR mason_j_Page_70thm.jpg
4c7af5481fd81efb6bb186d0d312b741
4bf6c4d5c475777b909d4ee751ef64b7070c88e1
2299 F20101206_AAASQU mason_j_Page_26.txt
7dc3d2ba6de53b39fa0c1773b2404d92
2d5ec4d0214048a0b877f54a801d047b117e6af5
9508 F20101206_AAATMK mason_j_Page_86thm.jpg
d6d876fabaaf71ae89d92f9e21ccd01b
1fb6d31c60948274560bb03d2b99e936afb0ae59
2108 F20101206_AAATHN mason_j_Page_72.txt
8738c18ef344ba070de685ca48a045e2
92cfaeb56fc43e7d5899d671d1cbc3da9b63d57d
F20101206_AAATCQ mason_j_Page_72.tif
1dd4e17a06e0b3857de092456873c0eb
6dba3bf56d7c1f2218b50dfbb6d16c6113a6932c
110859 F20101206_AAASVS mason_j_Page_37.jp2
ca29c162335a3f054e9de44454c38965
7eb4a5d79b2510ad909ebda2395a5ccf51ce3c6c
102277 F20101206_AAASQV mason_j_Page_65.jp2
676d5f404f96bb7478b39c7e4faa9f08
25394e7b9ab1fdce5817aa579188a3afd6ca107f
2555 F20101206_AAATML mason_j_Page_88thm.jpg
d3bfddae08469eba068ac24be45a5314
3dc7446af2e18b14cfa308451f54ad26b80773ef
2154 F20101206_AAATHO mason_j_Page_75.txt
e417d16d9f52d2992e0afcac6f2e39bf
afa1d1abd4679b521589b95a1133b6e03ac5fd56
F20101206_AAATCR mason_j_Page_73.tif
0642ff25fa81c8101d6d0c744d7283e5
e484b22a888da4594c9f06db9b505fdfe945ef30
35527 F20101206_AAASVT mason_j_Page_14.QC.jpg
ef0db1b27e4e7361cf80204420ebcfb3
6e622d9c1c3f6d699300fefd7198dd077a977d7c
5517 F20101206_AAASQW mason_j_Page_06thm.jpg
18828bcd9890c5c98273c8d26ddf1b8e
59439896c5b8f44dc34777c692c2b22ba033cc07
1975 F20101206_AAATHP mason_j_Page_76.txt
0ff3e54fc84560a50e740436311bcbde
873ba42640dae75c931bfa56f33dbe5f61fb8261
F20101206_AAATCS mason_j_Page_74.tif
e23cfa83cea21309c17bcc407f8714f0
c711febb70063f6e072dc7c6565084fe0edad34d
46600 F20101206_AAASVU mason_j_Page_70.pro
aed92845723afd45c30498bfb0bae8b2
fca1f26467d6a1e67c8f0a618d33984b29be0dbe
8618 F20101206_AAASQX mason_j_Page_62thm.jpg
a87aa9263f595cf2902157fcef57a021
fccd074a5a89eb7a8f542b206fa0041f770eeb8a
1868 F20101206_AAATHQ mason_j_Page_77.txt
e813a2c1d912d549354853f94d98b44d
9b20db641fa4e912dff60699a4486bee1a6cc7ba
F20101206_AAATCT mason_j_Page_75.tif
f89f25b15fd356f692586613bdb0448a
77ef96e9b229879375ddd805a2ad814e8036810f
F20101206_AAASVV mason_j_Page_55.tif
b57457dc3007f02011d637ed4964e031
551824dd1b710642c56a23a6b888189301bb69f5
46475 F20101206_AAASQY mason_j_Page_22.pro
d65aae3f74ab04e6e0d8a7f5a859116b
e1630b382257a63d30f5388d79b20339567f3652
1986 F20101206_AAATHR mason_j_Page_79.txt
48ea8d435490c78dacd1a812b8649a58
00101a39d0459e2f0d22526cd2fedd8ce58d7d14
F20101206_AAATCU mason_j_Page_76.tif
f5558ed6e95459fed43c6f0bd5ac72fc
50abc9888f88110b68150e45132d271705331100
46098 F20101206_AAASVW mason_j_Page_77.pro
4edf4d0c343a1deaa9aeb7eb85428369
76b753a2f249e68d0c7bf4441a57f60940d6c840
47562 F20101206_AAASQZ mason_j_Page_73.pro
8e44e94f55ad219013f83e66adc78f17
114666e08e7827a4d1202a1f64c55dfd678f108b
2038 F20101206_AAATHS mason_j_Page_82.txt
c65671ad7f0dbea9b681b8eb0981de12
e5558c4efe77f91a316005ba61eed30c0131ad1a
F20101206_AAATCV mason_j_Page_77.tif
6af469981e38f424c2af335b3831fa5b
26c4bacb6ec46070b142fe8dd1756dda5d0ccc92
F20101206_AAASVX mason_j_Page_57.tif
e875965c5e6ab1cff14cd04df39e90bf
8f5fec9b77bfc686db32f3caceb8d596a41a1b8f
2193 F20101206_AAATHT mason_j_Page_83.txt
069446bae83046d820576e8fd6a860f7
4928e880b1384a9858ccda3a4bc805b603367f1c
F20101206_AAATCW mason_j_Page_78.tif
ef7e7dc7330898e463e302f0141fd7a8
8b1d9636bddb64bad5b4bac14e1ee5b4d55298bc
102812 F20101206_AAASTA mason_j_Page_42.jp2
9d66e5a112d3635409df810f1a0499c3
625f0e9ef452e7bee47ac98c86940feb9786db41
F20101206_AAASVY mason_j_Page_02.tif
866161c43fc859d89771ef8625a03a35
a78c398f41af50a42006cf336193c7e1b8f68c12
1242 F20101206_AAATHU mason_j_Page_84.txt
634fdab4b0bb969498f263875e80c8bb
366effa7cdf05698e07d0f89e0bf3082842b5194
F20101206_AAATCX mason_j_Page_83.tif
ef4dfda121523161d36ed03428b9088a
4edccd646c925d2ca4f3a4c1179df648b1e2d6b4
8016 F20101206_AAASTB mason_j_Page_69thm.jpg
6132c21485c7ffd40de578a13e7b8c22
12cba2db13c3ec46f0783207b9a54fbd3db96092
93106 F20101206_AAASVZ mason_j_Page_64.jp2
ed8c7f1cddc1c69097f204f9120c8fc9
972c6b1aaf13dfb5d68d48763a72beaff5a80684
2357 F20101206_AAATHV mason_j_Page_85.txt
74e374fcf46191edc8983fcae9d71e42
d0db4b7480a6dd15d15ed437306aa90a6eb0d2ea
F20101206_AAATCY mason_j_Page_84.tif
d827b0db53e5a192e02e499a04f4ecfa
1f7b1b6bf2e81eccf2759801b5d758ac042a394f
1960 F20101206_AAASTC mason_j_Page_43.txt
3aaf74cd25505b544acd34dc7f2b516d
c904ba2ee1de1d96633bcb365f5e6dc6ccde7ee3
2124 F20101206_AAATHW mason_j_Page_01thm.jpg
4a8121e9df4bd29a25ab67ededc7f7ee
c238af757fe0416e6b4ec5a08eba8e17857398c7
F20101206_AAATCZ mason_j_Page_85.tif
0e322bf992cfea09dfc1a6421826cc16
35a9fcd3917e957e17c621e7b1cc2909ec833729
F20101206_AAASTD mason_j_Page_54.tif
0e1891a3a1fbc791f5c71de1da935fce
e4ee45e280fd2f5e1c98b6bb23a3542025805b49
99802 F20101206_AAASYA mason_j_Page_74.jpg
753534749b3cac83a3304421e18b4a58
b7d19d06d02ed3a294183abebe592bb4dd44bbe0
112209 F20101206_AAATAA mason_j_Page_56.jp2
1a0ce95ea62c402abed690a9b762c571
eee59e6a7933b8fade0ee3b1da3a14c5b6a97023
329852 F20101206_AAATHX mason_j.pdf
ac461b4327e6b2870c45f818e568fd63
56b0c83b44e5e7e65b085ad509497ed96e2acca4
62285 F20101206_AAASTE mason_j_Page_86.pro
82b5512a70116ca5c3a3d9a06f1598d5
6a89ced972b0c0a8db0d6daf5eeafae3f69b47b1
103428 F20101206_AAASYB mason_j_Page_76.jpg
e11df97694dbc35636a4ae0362ebe0d0
1003c8e5f265bbcf10406f569d80a77cc8711aa2
97430 F20101206_AAATAB mason_j_Page_57.jp2
997c6904dffabb8ca80d60c8df7435bb
6afab8955420de09809988af27de45c45ca2556e
7990 F20101206_AAATHY mason_j_Page_56thm.jpg
56d9d4b8574de3960c5ac2b5fab0a359
87d788e46348512959486ece16e4581ed0e19ac7
34069 F20101206_AAASTF mason_j_Page_75.QC.jpg
b2a64bbc106ae99d10fafeb3139d0424
0a6cac7128c1afe4ca8f871809cd9a3dd53b3685
97015 F20101206_AAASYC mason_j_Page_77.jpg
a412f38be5ddd26494346f5e196bd058
d22f949196685a4ca22e5a79611bb9c6e7e91f4a
107704 F20101206_AAATAC mason_j_Page_58.jp2
77bbcdb9e9d0c53e9a805f649f905b1d
083eeeac9ba170a2c585cddd442016ff8e9bdda0
32460 F20101206_AAATHZ mason_j_Page_69.QC.jpg
979988bf9079a3417fbfc98be7868488
02a9acf9b2898019123d89b34c51f12870c16a9c
53397 F20101206_AAATFA mason_j_Page_72.pro
68a82e0d20ae82090e2f6394bf16d63d
0b4beff46b9529b4e978f8402725004997f9fa6c
102521 F20101206_AAASTG mason_j_Page_32.jp2
240449e8c35c5cabe940c19d3a9a6bd9
991930e68bee8763fb3b03466092b7a4b8bf737d
106463 F20101206_AAASYD mason_j_Page_78.jpg
33fb6359d90b1ece06d591ef46656f2f
c85f00a220a41d8c7d82f820379699db925467fc
104663 F20101206_AAATAD mason_j_Page_59.jp2
61646ff51d1ea31b8b4197c61d698db8
ea4ef50549eb416868d879bc0f585a8c467b6894
47735 F20101206_AAATFB mason_j_Page_74.pro
7acb1fe0ee43bb5b840be731e612d230
e79aa5bacdf55c053654ee83b0ac9081c1d5f381
34112 F20101206_AAASTH mason_j_Page_78.QC.jpg
342df6a63f3b51ff9d3edbf6d1cd0198
e1df137a8885af29c2928ae03204de06dff40045
105281 F20101206_AAASYE mason_j_Page_79.jpg
ef20035c1a543fa67ef8e118d9b3c790
3ee0afe8d3144f2cf4eacb30f36950b679ef4b74
103606 F20101206_AAATAE mason_j_Page_60.jp2
543fc78bd79698c78e78e5f0721bd718
9744b3943301238ab1de649b009a9de9a36e8454
31431 F20101206_AAATKA mason_j_Page_27.QC.jpg
4b14b96b02eabdbad9fbad71cba46760
dbf09774a9a727ad506e026a9d7c12f1ce824f96
49771 F20101206_AAATFC mason_j_Page_76.pro
9ed12cfe5a520c1c1f7e599f49d0032b
54e1a852c87e013f041e6bfa0b894944288da6b9
1729 F20101206_AAASTI mason_j_Page_66.txt
5ec15bd65e0d7c973730faf7156b7add
bcc39a5c14ee542f7592dee875df4c5b64d4c452
108621 F20101206_AAASYF mason_j_Page_80.jpg
3c885a2ae66662786ac335aba80e81d2
79b3f23d90fb0a37509a35d23ea6b3564e857872
101342 F20101206_AAATAF mason_j_Page_61.jp2
29ebc1d81093a0b21575264bec952709
774944997967fb527a835a0e12cdd125c1651e68
32412 F20101206_AAATKB mason_j_Page_28.QC.jpg
d9de80e1c746f98f64c38162ae3770fd
5b0b92bd717b912d27e618b837082b4ab0494cde
54482 F20101206_AAATFD mason_j_Page_78.pro
c0a43569aa04f145f77aa91dd22a20be
27afc255fb6a8d4a9c66a0a08e3dfe8946a70eef
105612 F20101206_AAASTJ mason_j_Page_82.jpg
89d4bb20843adfbe0cddd334294b588b
c302a816cc208777fc00f689d0347cd751076227
103789 F20101206_AAASYG mason_j_Page_81.jpg
53b1ffe038e59121b26d85bb1eb2954b
3d789090704c6a6825febc22301ce13a2db225e6
100534 F20101206_AAATAG mason_j_Page_63.jp2
c814877f85c4744b8b5fdc64f640d81b
e821b897772e2f3c24220e1bd42f72efe0fb9344
50145 F20101206_AAATFE mason_j_Page_79.pro
c037cfa01efb1956fd03917ef7b9a22a
5db0d0c5710e2b084e0faf6ddb582b0a2005b0de
F20101206_AAASTK mason_j_Page_43.tif
f37399bfbb5cad5512624a78087f48d6
800426fe3172ef18865b37e26db1cd493d74c4e7
111429 F20101206_AAASYH mason_j_Page_83.jpg
ac1820ff982fc972419e729deb60d8a7
f7ffe688e6dbb8826115a0e362a9f87a58fc5eab
94326 F20101206_AAATAH mason_j_Page_66.jp2
f69b45420733ae4a3157d450342a815f
41b456886955d194a0387e4d1ada2e43c4fdd656
7442 F20101206_AAATKC mason_j_Page_31thm.jpg
d458a714204e6a5a619e7d7f274add1e
0946d4fe0609ab81fcbc7b064db24cd7bbf91a6e
52527 F20101206_AAATFF mason_j_Page_80.pro
30e9fe323644a2719abfc7f87c54b53d
228f321c6a366400a4bbac45a774067f62045c3d
6930 F20101206_AAASTL mason_j_Page_03.jpg
e897bd91fc65e3ac2b334420ec801523
9f44ed87799bb3c657a0ab5830194632a1fe3903
119779 F20101206_AAASYI mason_j_Page_85.jpg
d1d86b9d54e56e88ed7b8c8e94e576c4
d443cf75e3c7aa8d5b792ea60c0cc83f1963ff79
82347 F20101206_AAATAI mason_j_Page_67.jp2
79cf0f48af8bf9b98490ffd0a233c736
984c324d72f1cf42fefbb5ec4dd292a0bb29237a
29984 F20101206_AAATKD mason_j_Page_31.QC.jpg
538dbac1ba4e1259d04105611b055610
1b5b7460fd9adf2386715deaf806e3d86c518deb
52529 F20101206_AAATFG mason_j_Page_81.pro
3a3982b33e88bab17e008de3d31915ac
c868102edebb52f2fbf6d6a109d8aa8813016c1f
126472 F20101206_AAASYJ mason_j_Page_86.jpg
37314426a4603df51ba638518ead76c5
3efb75af25e8ddc0b6aebe563f6619e1ad02cff6
116766 F20101206_AAATAJ mason_j_Page_68.jp2
bbc84389a6c0639f1f236bce0981ba12
2d1800da30b5fd05740bdc2b6b799b6d2817b383
7572 F20101206_AAATKE mason_j_Page_32thm.jpg
928f2762a523b75dd97bc0510c14c78c
0a0acf152b9482e65d39370d5176793351c3f55e
51634 F20101206_AAATFH mason_j_Page_82.pro
09b57b0cbaacc0a64fd056f015e4385d
2a9b0de09c822bfd6c9936e17500113bcc013bdf
90372 F20101206_AAASTM mason_j_Page_45.jpg
4ccd55ad54144bc4aa89ab08c8afd213
4848d3137847d6ae44e2aecd89e11bbae7d9d841
29998 F20101206_AAASOP mason_j_Page_43.QC.jpg
73306a4e12633f219c12ae67281b4557
873a5c13e1e9bbf5a292956e654156a79ede0d0f
31545 F20101206_AAASYK mason_j_Page_88.jpg
2fc50146297fc5c7d4f5308d5f7d40b8
bf3f1525ab8f2b4a10c12a931e8aa25f3f7facf4
115335 F20101206_AAATAK mason_j_Page_72.jp2
66a445fe87ad6d5565dcf44fc65f5236
c66d815c184ebaef5ac37dbbaffda2913dc1377e
31540 F20101206_AAATKF mason_j_Page_32.QC.jpg
2104e539cdd450ab484d9b526725c2ed
0080bfaff4d5af16eb8bb91bd592261f0e4f1c14
55793 F20101206_AAATFI mason_j_Page_83.pro
5b29929857d7e796bacd4f49b27c1e85
bc2a910638ff166752dd78d4f81c3341251353f5
2120 F20101206_AAASTN mason_j_Page_15.txt
9fd20b5f5eeb3a4d7274e5d4bea40072
12fafd9d87e57bb07c8b11acd964002c291ea4ba
95980 F20101206_AAASOQ mason_j_Page_17.jpg
fb1c8b7c3d80187bf519e79f0e2d0feb
ae1ed66d99df6835ee46c2f4b0d42dab8952a4e0
5468 F20101206_AAASYL mason_j_Page_02.jp2
1855319e06de8fa8dcbff9fb3faa21ba
c38ea47b0aa10e84c9bb4ecbcbce7a117914d7d0
106091 F20101206_AAATAL mason_j_Page_74.jp2
0d1ebe6f066a9c5c5f4c6f3c8558cbe9
28aab8cfbff69f1b0e6e5698cd8cef2ed7650dd1
7774 F20101206_AAATKG mason_j_Page_33thm.jpg
0cef2d4e6e244c6537e5cb4918a83e31
de03835b77d1ba920d8129d7535ece202f24d89a
58043 F20101206_AAATFJ mason_j_Page_85.pro
aebe0ff52959d31b970cfb5332a892ef
49a904d0905179004e448913e14c9081844b3660
87873 F20101206_AAASTO mason_j_Page_64.jpg
8531b59d5395c6eac9238a1dc69742c8
99a5945634e47f1b6f5707333c6d10eaaecedeb2
131118 F20101206_AAASOR mason_j_Page_13.jp2
bdb315e88a7d9d68614de67dd7a30e6e
09719e7c1c21160170d7f5279d5b0f75c0f576f7
7782 F20101206_AAASYM mason_j_Page_03.jp2
b552bec561013737f5ca8927f632dc3f
058cb96024edd899f64d5ca2fdab84d097f97aef
108691 F20101206_AAATAM mason_j_Page_76.jp2
e7c5dc097a1bc3f087b724efaa80bd9e
589b7e8307930d1b15c2eb4c94adeab36bf866df
7302 F20101206_AAATKH mason_j_Page_34thm.jpg
52d3b0012cf9363d32885c9410a38729
b41dd874e50f59876e4d94465d460b7b77bcd340
17799 F20101206_AAATFK mason_j_Page_87.pro
4e843777b7b56cd8ef3197536f6fd5ba
458e64fcfcb22485850e2c3f6707dddfd5c08f7b
117232 F20101206_AAASTP mason_j_Page_83.jp2
bbcc4c03b6baf21b30db5e5194647c9f
bdbfe9d6379d828887f8296f7f2e9a4d00ba4b9b
7817 F20101206_AAASOS mason_j_Page_63thm.jpg
304f249ba7e4d675d75a6d1758e5d468
5e9ed0be34d3f61ee3b54a02f6bfd2d17752c0a8
1051970 F20101206_AAASYN mason_j_Page_05.jp2
f800f1adf442a74cc69f0896435221de
4b5942e518e18563567cee30bbb8dd4df4a87fa0
103302 F20101206_AAATAN mason_j_Page_77.jp2
f3e61cc1c99629513d4b7c199ee5fd65
e8493f9e344dc27b20b40d692255c4d22ad6cfc0
28212 F20101206_AAATKI mason_j_Page_34.QC.jpg
d3c9d863299be0261b275680efefd288
ec7d1227df4652af224477407f00cc640e00bf59
12982 F20101206_AAATFL mason_j_Page_88.pro
79a016ceaa2b2ae8d55adb0044ba3e9c
c6b7e192c146c64c0b4691278516519c159036f4
48906 F20101206_AAASOT mason_j_Page_60.pro
c049bbb56bc9b237b3386f7b74e8428d
adc300466e4080b62923bacead655dd1e09d59f7
1051979 F20101206_AAASYO mason_j_Page_06.jp2
fe81dc2ea70b62804c361a38a7cfa1b8
ac646b4a0cbf2dafc8d2b5e333e35fd156eb0e47
112544 F20101206_AAATAO mason_j_Page_78.jp2
e186212d96c9301d665da28ca71079aa
026aef5a8cd2efc152d99eb6fc01ec204358eee3
108367 F20101206_AAASTQ mason_j_Page_71.jpg
e208e60efbcfed9fe27ce26ac3926be4
7afb0cdbd645dce54fba704f836e8061df5e4478
7925 F20101206_AAATKJ mason_j_Page_35thm.jpg
c7c990c394710800d45e5b824792157f
e911bb74facd32ba11a7549788b19a5f15be97d8
523 F20101206_AAATFM mason_j_Page_01.txt
e83d7be6d1daf8cd1e4898164a418357
94591732272cb8796983a81f35cc724227a3c366
F20101206_AAASOU mason_j_Page_27.tif
e5b048f30ea0e13d3d3db30b5e2a6572
42f93313587e76d25d90c3bf2abd4c37ce740d16
97800 F20101206_AAASYP mason_j_Page_07.jp2
6bddc067404f9d250f578358a0a4d667
12aea155a2a3d34563879fe89b64db4b5d80adcb
110508 F20101206_AAATAP mason_j_Page_79.jp2
5679aa9bbf49c3fbee621954f2ad9d7b
0c6b06f48cb074ca98aeadf4c50854cdc657f310
113493 F20101206_AAASTR mason_j_Page_75.jp2
7ee1ce9da4bcc6c79e360def2ca23fd3
0ab23747e549bc991861a964cfffdd182d381735
31977 F20101206_AAATKK mason_j_Page_35.QC.jpg
ce2d7ad00ce7d0744b780da12eab2ea8
8e9de84c299c16567c432b7603b5dcfa7c4cf91a
99 F20101206_AAATFN mason_j_Page_02.txt
1ebc7e6515794562e832e55972b7acc0
c97743b846a818c30154df0d9fcc833cb09a50f2
35156 F20101206_AAASOV mason_j_Page_62.QC.jpg
55290f68478036b6a2babca2eba3536c
b5eec62f6a365a3ec07f11ecf8f9dd75068d4d17
36256 F20101206_AAASYQ mason_j_Page_08.jp2
15274a0088df0792809a0e08b1c4009d
53c2048ded377ccabb0401f554d223968dc56365
110510 F20101206_AAATAQ mason_j_Page_81.jp2
72c80f8b5dac61c74c0f655e862e03de
13419499ed0676f623e341e2e105ab70265fa234
43760 F20101206_AAASTS mason_j_Page_06.pro
885932ccc06162cbe6a840847afbce97
4dacc8c4df61f8a6aaa9d6a20ec78ef2dfaec939
8355 F20101206_AAATKL mason_j_Page_37thm.jpg
b17bfd206541debd35e310168a7fa56c
e6df56585daaabefd15113e8285cbc707efc802c
139 F20101206_AAATFO mason_j_Page_03.txt
7dd06cfb034ee85484c7518b0b4b56a1
328cbadf208fbc422bed17a7eb21709ae13872b5
98939 F20101206_AAASOW mason_j_Page_52.jp2
966dac22055d790e0ae652401e843d98
abb6c79275403a987ce8096f1934af0d68c0b043
69155 F20101206_AAATAR mason_j_Page_84.jp2
6721b1f9c963fd2a89a56e6d3d327fd7
8d814e7ae16fd1115f4f75cd37fd6ae1ee20c3c2
54819 F20101206_AAASTT mason_j_Page_75.pro
6e441e741cc3c406e40533191efea2b5
f3057d148e6000a3b4368e451543ef51bf44e1bc
8430 F20101206_AAATKM mason_j_Page_38thm.jpg
89772ae10ea2156b4a326f86a57e6af8
5080414cffc02050c9d3c357b45d3d91b53208c9
3341 F20101206_AAATFP mason_j_Page_05.txt
d2092a31269301a1c0296a4116a5dbdf
debc980da63c21567624a6c2eb08fc7c32bb90cb
33139 F20101206_AAASOX mason_j_Page_38.QC.jpg
c989845cb0116df3a300149329d93685
b2474e1bf85864d29f6f5831dec8c2b3ecc5f7ce
128187 F20101206_AAASYR mason_j_Page_09.jp2
b6a602fe853da642d575484e2aab6836
deb7cbd4ed287e1e7469064952bbfcfe3230bdc5
125809 F20101206_AAATAS mason_j_Page_85.jp2
229eb1046eea1da37d5d0274321980d3
ac7e0e15b5255a7bf4dd22446a76b96b59f1595f
8646 F20101206_AAASTU mason_j_Page_47thm.jpg
534242f875d9c2f86d06e688c17c4ec2
7cf49fd07646fdbf7233f90e2aa47303ab89033b
7598 F20101206_AAATKN mason_j_Page_39thm.jpg
41a1f4ec021cfe7a37a6c6f7a18cddca
e4eef485f8c07ef4a9c02ecc84f47a262126cea1
1890 F20101206_AAATFQ mason_j_Page_06.txt
8775203d31ef844b8114351ed63d59f2
3329ae7845175ea8c03b5402a535a7b709192883
906 F20101206_AAASOY mason_j_Page_02.pro
b0f7dc294452cd06dac66b63002ab9db
8ca7b00d68eab59c5d118577cd866e0848faa64d
137785 F20101206_AAASYS mason_j_Page_10.jp2
3c5ef067518821ddf9b204984c411a8e
7320997355c50369cff5db3b90e63783eeda1c4a
1051975 F20101206_AAATAT mason_j_Page_86.jp2
4ac82b3f6247a60e95467f6749ec5fc5
3394552696a757da1b11505b36e092719569c9d4
8968 F20101206_AAASTV mason_j_Page_83thm.jpg
dce81e92d18fc451c1fffffa8459ea9b
4bf871db7cccc0fb3f4b4cdda30ac47ababc6eee
19818 F20101206_AAATKO mason_j_Page_40.QC.jpg
cda6ebf1ca2c7ace50b6449fca7678f7
94519a9d90473dc5ed187c2e1ba04dc288042974
1990 F20101206_AAATFR mason_j_Page_07.txt
fa3435a4ba38729db8e1d7365dceed5a
6ecfd1703efe8a734bb1e27a4bd915d9b4da7214
2087 F20101206_AAASOZ mason_j_Page_80.txt
9324ab1f6c05df0408d211b34fff8c34
3fc30f4e0a8367b9eb9fdb352924f19401d79f1a
102993 F20101206_AAASYT mason_j_Page_11.jp2
986b9ac444aa45e33dbde8fdb0c48c7d
f88de47d3a853825388aa0321470419e4b313ee9
44279 F20101206_AAATAU mason_j_Page_87.jp2
6049b8d01d4824b0fb58149621efaee1
52050a48d8831fe3df68f21684b2d7756a40624b
8522 F20101206_AAASTW mason_j_Page_82thm.jpg
b0ea6cd4474c327d180711d21ec02955
48fe5c95c495a7a894d06e980d94c1fad7b4959c
7463 F20101206_AAATKP mason_j_Page_41thm.jpg
e275f0a5b79589e2637f8e0945af5fbd
96bfbc6b3fd81954bde0ca27fc3b035a9bb03fc5
619 F20101206_AAATFS mason_j_Page_08.txt
e671cf79525b36f6b2008857603456df
2159377b04ca6a23a83a22ccdd50f23f6acd44e4
134159 F20101206_AAASYU mason_j_Page_12.jp2
ebe65c03b73ad392209b2c5b8c4a9bfd
81e0af41d65dab2d4cd1cd566eba739cdcd65e88
32425 F20101206_AAATAV mason_j_Page_88.jp2
199d71d5574fa576bc969bdcf49fe68d
c2201c6fa662ec139092d3242e01c3ab80f0dfab
53336 F20101206_AAASTX mason_j_Page_48.pro
232441cef4cffb6e5a9923319771e200
d1e3917e43ffd27cdf2fed1db66f88f07a0ae5f6
30665 F20101206_AAATKQ mason_j_Page_41.QC.jpg
f0b7a21feb1f267ae9663516670b5f0a
07660eb74b225c4cf340f23e3528a08be6101991
2740 F20101206_AAATFT mason_j_Page_09.txt
45badc3fb308a8567f0bdb87478be076
7d5df1afab89f6e39bb1c1cc8da86fea1ca4a5b1
120318 F20101206_AAASYV mason_j_Page_14.jp2
edacbdb36922d910b60d864c90a476f6
c2c33b00bf405c6d0424b071d3cc3c4ac80c3faa
F20101206_AAATAW mason_j_Page_01.tif
8dce1c44bd69947c14b60f3dd04cb778
7097c290c39a9fb3f453962c221a43c2c611625c
114222 F20101206_AAASRA mason_j_Page_80.jp2
3918285530897005e08aed5868711435
767a121a4a7eb2c61b849126296aab818ba0ad7e
7571 F20101206_AAASTY mason_j_Page_07thm.jpg
2ad0fd8895be26ec4417312c7426f634
ed032f3c5485363834874fb7b7339399009a5a62
7530 F20101206_AAATKR mason_j_Page_42thm.jpg
7912e2f701a24ecae4e524a1ff67d404
fe1acd1c7f9aa0e4eb2d91ce14aff78d2a72395d
2864 F20101206_AAATFU mason_j_Page_10.txt
725c0c10f1f135033f17686ffb21cb2b
2ea9c3ad756d69f754081ec3b9ca46408310200b
110556 F20101206_AAASYW mason_j_Page_15.jp2
45d8c94b06318deb26964267c46d0752
3784bb2c41cda2cb41ed5b0b1b2feeef3f6d9398
F20101206_AAATAX mason_j_Page_04.tif
50ece60e2a94ae95e033360c34f76953
4caf7d55807016d6a5bcddeef626d1291e8a63d8
1894 F20101206_AAASRB mason_j_Page_73.txt
fffd5274b2bc946ca4118579cbebe4e3
9dda2550b3ef6c4a737679d3c9c61e33f70474f4
50698 F20101206_AAASTZ mason_j_Page_27.pro
bb8ad141c69ca21fe0309ae1721277aa
b791fd3c659b610b47fd158b9b39f4f9557855a2
29940 F20101206_AAATKS mason_j_Page_42.QC.jpg
1189f3db38619a77671cd2a4039187f0
2384be55e1f54d0a97cbd0f2afbd1f5f2244818c
2893 F20101206_AAATFV mason_j_Page_12.txt
3916a979d2313e7ac904d4f7e9b1025f
8c1e55404d20933ca59b2141b7a4d182a698af90
108788 F20101206_AAASYX mason_j_Page_16.jp2
7b4f5aa4150ef98774832442b8f2d6da
3deabfd4489f05939597f085d1f6209011bdaecf
121700 F20101206_AAASRC mason_j_Page_12.jpg
446fcbaec9a483768966353ac755d133
e64c02ffeb96ad42cdbaa3d490a946baa6f71679
7921 F20101206_AAATKT mason_j_Page_43thm.jpg
99ed3c7e8f4b574051859aa4d56724d8
88d87588b20538c29d5e726c34e4fd04b9b92f46
2683 F20101206_AAATFW mason_j_Page_13.txt
f678cb241e799ec2724f0b7c4811cf6e
ce988cd228e47851e803b920f2ebd57ad791ff4a
102325 F20101206_AAASWA UFE0021477_00001.mets
81da56723921aeab903d56247b698664
70f0b2d2c9ee435cc9586aec29c30d0d1e202250
106035 F20101206_AAASYY mason_j_Page_17.jp2
296862b3ff0c52349cc63c2f27d2a8a4
c57887598ebd910ecc17c3dfc0ff3f32f915be74
F20101206_AAATAY mason_j_Page_05.tif
79ec78d50551c0796144029b2aa86555
ab94608caf08bf38d7c2d3ed45bacec1d63f8eb3
68340 F20101206_AAASRD mason_j_Page_09.pro
28fa58c52434146e044e3361ed42699c
8bb24143aff56665e67655000d7a8746465bff05
28583 F20101206_AAATKU mason_j_Page_45.QC.jpg
f1f06b4a54c54bdf87e5056b8a35abf7
9166bfd3edc6c3b45bb717f40e6f624c7aa5c349
2305 F20101206_AAATFX mason_j_Page_14.txt
f2a5a071b32e936f9bfe93d9827ae018
4bf96bf4082880a5e10cf678606dd4986bbcf51a
110875 F20101206_AAASYZ mason_j_Page_18.jp2
92562023a7530423ba49e796240767e9
87040237a8137ef49c5ba309df9f5a0996c5573c
F20101206_AAATAZ mason_j_Page_06.tif
d3a3ea68c8b5bf12343c2c2a4e385a2c
a8bcd3dfd507d3c50519a87a8f5929fcae3c2c48
10371 F20101206_AAASRE mason_j_Page_88.QC.jpg
5062f18e4d48725b9a7b1eec37d0aca8
48c65b3f0d1b7e7899800c7fde1b0be83c3befbe
8833 F20101206_AAATKV mason_j_Page_46thm.jpg
889564a4c7b5998cfee982f6e8014a87
0dd95439e3f5da7c6300066aa28e039eb2336d81
2197 F20101206_AAATFY mason_j_Page_16.txt
4295b9968479ad13f76e24d761232459
7964d8a83090ee25468c3f2421a473ef89223157
106430 F20101206_AAASRF mason_j_Page_75.jpg
bc6fd6568aa05b50bd24805de7767bb0
51b387b0596be021f296b6a72055f77e91a75f00
35268 F20101206_AAATKW mason_j_Page_46.QC.jpg
586b996de4be53b5a3ebab4ee07117ab
b77032e7dd699c827b209932b1ba0c512252f7c3
2082 F20101206_AAATFZ mason_j_Page_18.txt
939c809b3cc6274e56d2d5620d92690a
d1307ecaaf08e6b096c94241b5d7cc549b4e8948
30448 F20101206_AAASWD mason_j_Page_01.jpg
e8cf84dd75d7716221bf12e706056be5
f9a8134598dbd67d34060ef5decf83e4176accce
3027 F20101206_AAASRG mason_j_Page_87thm.jpg
5c5485757a19bb588b3001cfe12719f2
573278e582a1bb3776de98ead5095dfbe6762373
F20101206_AAATDA mason_j_Page_87.tif
c81c91fa6f6a7b0f0804af4c4f116788
104616c5c8f76482d2e547c9bca3519f1a33795b
34652 F20101206_AAATKX mason_j_Page_47.QC.jpg
f87b91bf9bc69235bc6614b42530cee6
75ac770fdf0421f0c5c383b88730a7c75b4fff24
4087 F20101206_AAASWE mason_j_Page_02.jpg
c5289ef3515a4762ad195d5dbd03f588
0b667b84997691857b37aee6e2e1758634feb882
F20101206_AAASRH mason_j_Page_82.tif
3157edf1d4878afd3c0202dffc4494ca
59a78cb525a263457a9ce2dbf43f7c76c09bd79b
F20101206_AAATDB mason_j_Page_88.tif
a4e10427ef612d97752162c37b1da0b3
a52974728058f47b0dc3706d6668ab2836f0cbae
7386 F20101206_AAATKY mason_j_Page_48thm.jpg
d3a359605add8c36eddbab7e0e60ca7a
4b40b7e5cef4d8a20872884a63812952c103d116
17196 F20101206_AAASWF mason_j_Page_04.jpg
e0069993a95cc02307d08fbaa2097f0b
c1a9c9abf2dff52fee88dea568b56d2a4b3a7500
1199 F20101206_AAASRI mason_j_Page_40.txt
eb345a3730ccfc110ea1a5f5ab612acf
d05b013c63e75d512cef802c7c8f50f872c0a524
9724 F20101206_AAATDC mason_j_Page_01.pro
c8c7d726f7606f2d936c6563170e1b87
dcb31370e22ca41ec3c31622b384a98d4cbb3a6e
28962 F20101206_AAATKZ mason_j_Page_48.QC.jpg
ec78179a7190b38527255324d2778e86
5926419d43561454e2f37383012232b4b06fd5bd
7282 F20101206_AAATIA mason_j_Page_64thm.jpg
47610a22f9b2689fd0a5efc41e90a182
fe803b2bf300c24e95bb153fa958ce14dea7d536
90401 F20101206_AAASWG mason_j_Page_06.jpg
1d86e1b4a553a01927c351771471d790
e9182a55de0d3bb49a47cdbe10bf0bc2555f2f5d
48937 F20101206_AAASRJ mason_j_Page_65.pro
7feaeb48693cd0036430d88f8696a355
85de42826db292b031c75d42325343046933a3ed
F20101206_AAATDD mason_j_Page_03.pro
3cadf2f00e274e85f1d6d557d0a0da70
d8ac033661472b41319f7611047f1443bd01d128
32012 F20101206_AAATIB mason_j_Page_39.QC.jpg
e2439fb8303e372689747154570b1bcd
a24de9e636fc020eddf6da534b7764cc64ba78a2
34044 F20101206_AAASWH mason_j_Page_08.jpg
229c4f33f3b414fc03dda9a869a58d26
4213dd012431c06a62093a845b74a6c072930653
75540 F20101206_AAATDE mason_j_Page_05.pro
d0250adec5816a4f95f1ad9a962d88e6
5766c0d4d12064a32ab82506c83ed197c41701fd
8085 F20101206_AAATIC mason_j_Page_26thm.jpg
04a603e28524200164d563a8881fa081
4dba090808afd24549c76af32243674866a7230e
118465 F20101206_AAASWI mason_j_Page_09.jpg
805874717cf66e3048568795bf6ca65c
126d49512551afb63c4c1796df6784f8c9ede831
F20101206_AAASRK mason_j_Page_48.txt
5d73ccb61cd556c3cebd6074a6cdb60e
5006a7e5f0b2ae622829f3f4b9b7c210f9d383df
45067 F20101206_AAATDF mason_j_Page_07.pro
2277a6453e533d6354e0904dd1f694c9
a81371c2529dde1799a5a3b1741f8c3b25f8395d
7500 F20101206_AAATID mason_j_Page_54thm.jpg
0b49c3d317a063ffea38cc7c27551a59
7364ec0a9ae4ba20401e1b56993c440cc0e985d6
122551 F20101206_AAASWJ mason_j_Page_10.jpg
b08e919e116ef7a179414f35508bf13b
e722e416c33c663bbafebdddda65dfb766934791
7702 F20101206_AAASRL mason_j_Page_28thm.jpg
ad39b5b039b78e2c29dd9e9b6a2814cd
70464464157ae48465118797a87f72533d4f0972
15504 F20101206_AAATDG mason_j_Page_08.pro
f7845d5179262069ec52cf4351072a6f
d00e3aa34c94dec1f3e0ec95df9c201d6df4a66c
31808 F20101206_AAATIE mason_j_Page_33.QC.jpg
da27eb38a4772e7e64dcb8943f059bd9
5f0fca27f3fb5f341939849b9c96d5b5c116453a
98391 F20101206_AAASWK mason_j_Page_11.jpg
c1dc98ac6f40b32533333584f9d319e9
4bf029ac8ca370a5ab98a7c4e033d132b854e96f
31839 F20101206_AAASRM mason_j_Page_51.QC.jpg
b4221160cec93506fd5f04c39e2f6382
1157143ad7bca08ab528c234236e7cd4b2e0c356
74078 F20101206_AAATDH mason_j_Page_10.pro
4f7c5a44e5fc94a8c4625e9a959bc4d4
7c9337467897b9671b09cf13ec279e6f790ef5d6
31207 F20101206_AAATIF mason_j_Page_30.QC.jpg
84002d665f6db27a5db00f21f589d356
4e801cdb2ebb20160aa411693075afa182d16ddf
121673 F20101206_AAASWL mason_j_Page_13.jpg
abefb68d8a2e53f913bba556d275c497
95f8f7ba6186c56fc00afdf23ee13a579774dcdf
34219 F20101206_AAASRN mason_j_Page_79.QC.jpg
057d8d6caccc42926aafbccd6e59f16c
7f42620fb839771548bc41b689982d75028a77ee
49776 F20101206_AAATDI mason_j_Page_11.pro
698e18203b10635501ebc838141f8f12
ea3712620e2fedd823155317db92bf5a6ff3e68f
7655 F20101206_AAATIG mason_j_Page_17thm.jpg
ea2cf3a0d9cb218b2d546337802e7b4e
4f0f6d19b9ee86a6e7bb8531879ee87fe87459df
113195 F20101206_AAASWM mason_j_Page_14.jpg
1caf2ed3adc69a933002a49b2ce50bb8
0be9cfc0b85f26e1c9bf3b183c86b9184ecb63df
F20101206_AAASRO mason_j_Page_03.tif
addcac218b461c16a52953443c06b14b
e65e7f3f4857e42dd4c0393e48a134868600e8a3
74750 F20101206_AAATDJ mason_j_Page_12.pro
dcbfb35dcab992bf012c142cae26eed3
463e75d5767cc1bbeb6db644589fcb1a3700bd41
7413 F20101206_AAATIH mason_j_Page_66thm.jpg
a0819e54105ebac20117e22202ba749b
55c42e6a76cd591cec45d1f48c755b1b55a027e4
8186 F20101206_AAASRP mason_j_Page_77thm.jpg
56736c20e4976b2d1e513c142f8d1082
90e5da133c56d1a3f63c831a0a6beb56af577e71
69888 F20101206_AAATDK mason_j_Page_13.pro
4f3edfd83c823670ed5d7ea11dc95083
0c7b4f1f08e3822cc45f9fc7b926be3b5bc52108
106396 F20101206_AAASWN mason_j_Page_15.jpg
1c019f3ee3309c55e7dd7c323b89e527
ba00122198290542c7b922f1ccd82e1b844053d0







THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PRIVACY DIRECTIVE ON
THIRD COUNTRIES AND THE PASSENGER NAME RECORD CONTROVERSY




















By

JONATHAN D. MASON


A THESIS PRESENTED TO THE GRADUATE SCHOOL
OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF
MASTER OF ARTS INT MASS COMMUNICATION

UNIVERSITY OF FLORIDA

2007






































O 2007 Jonathan D. Mason


































To my wife, Erin; and to my son, Sam. They make all of this worth doing.









ACKNOWLEDGMENTS

I would like to thank my committee members for their contributions. Special thanks goes

to Dr. Bill Chamberlin for his time and mentoring. I would especially like to thank my wife,

Erin, for her incredible patience and love.












TABLE OF CONTENTS


page

ACKNOWLEDGMENT S .............. ...............4.....


AB S TRAC T ......_ ................. ............_........7


CHAPTER


1 INTRODUCTION ................. ...............9.......... ......


Private Data in the Digital Age ................. ...............9...............
Third Countries and the Data Directive ................. ...............11...............
Passenger Name Records .............. .....................13
Purpose of The si s ................ ...............15........... ...
Review of Literature ................ ...............15........... ....
Research Questions............... ...............2
Research Methods............... ...............22
Conclusion ................ ...............22.................


2 OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON
THIRD COUNTRIES............... ...............2


Purposes of the Data Directive ................. ............ .... ...............24.....
Key Provisions for Third Countries in the Data Directive .............. ... ............ .........2
Third Countries and the Data Directive Requirement for Adequate Levels of Data
Privacy Protection ................. ...............29.................
Switzerland ................. ...............29.......... ......
Canada ................. ...............3.. 1..............

Argentina ................. ...............32.................
Guernsey ........._..... ..... ._. ...............3 4....
Isle of M an...................... .. .............3
United States Safe Harbor" ........._.._.._ ...............36.._._._ ...
Conclusion ........._.._.. ...._... ...............37....


3 THE PAS SENGER NAME RECORD S CONTROVERSY ......____ ..... ... ._ ..............41


The Australian Passenger Name Record Agreement ....._.._ ............... ........._..... ....42
The United States Passenger Name Records Agreement .............. .. ............................ 4
The Opinion of the Advocate General and the European Court of Justice Decision
on the PNR Case .............. ... ..._ ...... ... .. .......... .... .......5
The Opinion of the Advocate General versus the Court of Justice' s Holding in the
Passenger Name Record Case............... ............... ..................6
Plea: the PNR agreement represented an infringement of fundamental rights ........63
Plea: the Commission and Council went beyond their authority in creating the
U. S. PNR agreement. ............ _.. ....._ .. ...............64
Plea: the U. S. PNR agreement was overbroad ................. ............................66











Summary of the Advocate General's Opinion on the PNR case ...........__.................66
Conclusion ........... ......_ ...............67...

4 CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE ........._.....68

Sum m ary of the Issues .............. ... ...... .... ....... ..__ ... .. .. .. ... ..........6
How Has the EC Defined Adequate Data Protection Laws for Third Countries and
How Has the EC Applied This Definition to Third Countries Thus Far? ...................69
What Does the Passenger Name Records Dispute Between the US and the EC
Show about the Directive' s Third Country Requirements? .............. .. ..........__ ...71
How Might the European Court of Justice Annulment of the Passenger Name
Records Agreements Potentially Affect the Directive, Especially Its Third
Country Requirement? ............. .... .... .. .. ....... .............7
The Advocate General's Opinion versus the European Court of Justice' s Ruling .........72
The Australian PNR Agreement versus the U. S. PNR agreement .............. ..............75
Resolving the Current PNR Agreement .............. ........ ... ... ... .. .......7
Components of a PNR Agreement with Appropriate Accommodations for Europe ......78
Components of a PNR Agreement with Appropriate Accommodations for the U.S......79
Resolving Future PNR Agreements and Decisions on Adequacy............. .._.........___....80
Conclusion ................. ...............81........ ......

REFERENCE LIST .............. ...............85....

BIOGRAPHICAL SKETCH .............. ...............88....









Abstract of Thesis Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of
Master of Arts in Mass Communication

THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PRIVACY DIRECTIVE ON
THIRD COUNTRIES AND THE PASSENGER NAME RECORD CONTROVERSY

By

Jonathan D. Mason

August 2007

Chair: William F. Chamberlin
Major: Mass Communication

In an age when governments and businesses transfer personal data of individuals over the

Intemet, the U.S. and the European Union have tried to protect such data in different ways.

Whereas the U. S. has sought to protect specific types of private data (such as health records and

financial data), the European Union passed the 1995 Data Privacy Directive as a way to protect

all private data.

In the 1995 Data Directive, the European Union sought to protect the private data of

European citizens within Europe and without. The Data Directive mandates that non-European

Union countries must have adequate levels of data protection if they are to transfer private data

in or out of Europe. The EU has allowed a handful of nations to transfer private data because the

E.U. deemed their laws adequate in protecting private data. The challenge to the E.U. has been

trying to work out the protection of private data with the U. S.

An important area of contention over transferring private data has been the U.S.

requirement since late 2001 that all airline carriers arriving or departing from the U.S. must

provide the U.S. government with Passenger Name Records, a packet of data collected by the

airlines that contains private data such contact information and financial information. The U.S.










requires this information in order to screen passengers for security threats. In 2004, the U.S. and

the EU had reached an agreement to transfer this data, but the European Court of Justice

annulled this agreement and said that the EU could not use the 1995 Data Directive as a

foundation for such an agreement. The Court of Justice gave the two sides until July 2007 to

reach a new agreement. An agreement meeting the needs of both sides would protect the privacy

of airline passengers while providing the U.S. with the data needed to combat terrorism and

protect national security.










CHAPTER 1
INTTRODUCTION

Private Data in the Digital Age

With the arrival of the digital age, more and more consumers across the world rely on the

Internet for day-to-day services and business transactions. As increasing numbers of consumers

follow this trend, more and more commercial establishments conduct business on-line. When

customers do business either on-line or by traditional means, they usually must provide personal

information such as addresses, phone numbers, Social Security numbers, health records, birth

dates, and financial information that is then used by the business to complete the transaction

requested by the costumer. The use of the information increasingly includes the transferring of

data over the Internet between businesses, government bodies, and other organizations. With

growing amounts of international business and law enforcement conducted on-line, private data

often crosses national borders in the transfer process.

This cross-border data flow creates a significant challenge in part because countries have

adopted different laws and regulations for the protection of personal data. Specifically, the

United States and the European Union, the two largest economies in the world,2 differ

significantly in their respective approaches to data privacy protection. The United States tends to

address privacy concerns by enacting narrow, sectoral laws protecting only specific types of




SAn example of data transferred across borders and between organizations occurs when an individual flies on an
airline and provides his or her personal information as part of the ticketing process (including, but not limited to
name, address, phone number, birth date, Social Security number, passport information, etc.), that information is
then transferred to the Bureau of Customs and Border Patrol through the U.S. Department of Homeland Security.
This is the case in the U.S. since the post-9/1 1 passage of the Aviation and Transportation Security Act of 2001 Pub.
L. No. 107--71, 115 Stat. 597. Under this law, airlines landing in the U. S. are required to provide the private
information of their passengers to the U. S. customs as part of the ongoing war on terror. See also the Electronic
Privacy Information Center website at httpl w\ \\ \\ .epic .org/privacy/intl/passenger~data. html

2 The European Union's 2005 GDP was $11,650,000,000, second only to the United States who's 2005 GDP was
$11,750,000,000. 2005 CIA World Factbook, available atll! htt w i .cia.gov. Last visited on April 20, 2006.










private data.3 The Fourth Amendment of the U. S. Constitution grants a "right of the people to be

secure in their persons, houses, papers, and effects against unreasonable searches and seizures."4

This amendment directly applies to physical intrusions of privacy, but only indirectly ensures the

intangible aspects of privacy such as the right to keep personal information private. On the other

hand, the European Union (EU) and its Member StateS6 COnsider the concept of data privacy as a

fundamental human right and enact broad, general legislation aimed at ensuring the legal

protection of citizens' personal data in government and in business.

Due to technology that allows organizations to transfer massive amounts of private data via

the Internet, the European Commission (EC) issued, in 1995, Directive 95/46/EC "on the

protection of individuals with regard to the processing of personal data and on the free

movement of such data," commonly referred to as the European Union Protection of Data

Privacy Directive' (hereafter referred to as the "Data Privacy Directive" or "the Directive").8




3 An example is the Privacy Act of 1974, 5 U.S.C. # 552a that set laws limiting how the U.S. federal government
can use personal data such as tax information. The Privacy Act did not, however, provide general privacy laws for
businesses.

4 U.S. CONST. amend. IV.

5 The U.S. Supreme Court has also recognized that "the First Amendment has a penumbra where privacy is
protected from governmental intrusion." Griswold v. Connecticut 381 U.S. 479, 483(1965).

6 At the time of this thesis' composition in early 2007, 25 nations belong to the European Union: Austria, Belgium,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the
United Kingdom. Candidate nations vying to join the EU include the nations of Bulgaria, Croatia, Former Yugoslav
Republic of Macedonia, Romania, and Turkey. See European Union Member States website at
http://europa. eu. int/abc/governments/index~en. htm#members

SIn European Union law, a directive issued by the European Commission is binding on the individual Member
States, requiring that each nation in the union must implement the policies in the directive into its respective laws.
See Treaty Establishing the European Community, art. 249, availab le at http://europaeeu int/eur-
lex/en/treatie s/dat/ecconstreaty&us .

SCommission Directive 95/46/EC, Directive of the European Parliament and of the Council of24 October 1995 on
the protection of individuals with regard to the processing ofpersonal data and on the fr~ee movement of such data,
1995 O.J. (L 281).









The fundamental purpose of the Data Privacy Directive was to unify the data privacy protection

laws of the individual European Union Member States.9

Third Countries and the Data Directive

Among the most debated and the most controversial portions of the Directive in non-

European nations is Chapter IV, Article 25(1), which requires that

The Member States shall provide that the transfer to a third country 10 of personal data
which are undergoing processing or are intended for processing after transfer may take
place only if .. the third country in question ensures an adequate level of protection. 1

In other words, as a condition to transferring private data, the Data Privacy Directive

indirectly requires non-European Union nations, or third countries, to protect private data

according to the levels of protection outlined for the Union' s own Member States in the

Directive. Any business transferring private data between an organization in a EU Member State

and an organization in a third country may only do so if the third country provides adequate

protections governing the transfers of private data. Because of the great amounts of data

transfers required for international business and because of Europe' s economic importance in the

world economy, this section of the Directive could potentially impact the laws of every nation.

In order to determine if a nation meets the adequate level of protection requirement, the

Directive empowers the EC to officially approve the free flow of data between a EU Member

State and a third country. Article 25(6) of the Directive authorizes the EC to consider a








9 The term "Member States" refers to the individual nations comprising the European Union.

'0 The term "third country" refers to a nation or state that does not belong to the European Union.

11 Commission Directive 95/46/EC, art. 25(1), 1995 O.J. (L 281)










recommendation made by the data authorities of the Member States and to act on such a

recommendation or not. 12

Since the implementation of Directive 95/46/EC, the European Commission (EC) has

judged the data privacy laws of several nations as "adequate" in protecting private data and has

officially reported that EU businesses may transfer private data with businesses in these nations.

The nations thus far approved include Switzerland, Canada, Argentina, Guernsey, 13 ISlC Of

Man. 14 To a certain extent, the EC has granted the U.S. approved status through what is called

the "Safe Harbor" agreement and through the agreement to allow the transfer of airline

passenger data. 16 In the case of each of these nations, the European Commission studied the

laws of the nation applying for approval and judged that the nation provided adequate levels of

protection for private data, thereby enabling the EC to give European businesses the green light

to deal with businesses in these nations.





12 Id. at art. 25(6). Upon a recommendation of the Working Party (Article 29), comprised of data authorities from
the Member States, the Article 3 1 Management Team delivers the opinion of the majority of the authorities and the
EC report goes to the European Parliament. The Parliament then has 30 days to judge whether or not the EC has
acted within its authority and to make recommendations if needed. After this period, the third country can gain
approved status. See Commission decisions on the adequacy of the protection of personal data in third countries,
availab le at http://europa. eu.int/comm/j ustice_home/fsj/privacy/thridcountries/indx nhtm.

13 The Bailiwick of Guernsey, located in the Channel Islands (population 61,000), is a protectorate of the United
Kingdom. This island gleans roughly 55% of its income from banking and insurance, providing motivation to gain
approval status from the EC on transferring private data. Information obtained from Guernsey government website.
available at ht tp u sal .gov.gg.

14 The Isle of Man is a small (population 73,600) protectorate of the UK located in the Irish Sea. Forty-five percent
of the Isle's economy comes from offshore banking. The Isle also boasts "offering incentives to high-technology
companies and financial institutions to locate on the island has paid off." The nature of the Isle's economy meant
that the Isle could benefit from an approval on data transfers from the EC and the Isle now enjoys "free access to
European Union markets." Information obtained from an Isle of Man website available at
htl1 \p w\ il .isleofman.com/ and http://wwwwggov~im.

1s Information obtained from European Union website. Last visited March 14, 2006.
http://europa. eu. int/comm/justice _home/fsj /privacy/thridcountrie s/index~en. htm.

1 6Id~










The Directive has been criticized for failing to specify the definition of an "adequate level

of protection" and the exact process a third country needs to receive approval from the European

Commission. Scholars have attempted to define "adequacy" and to document the requirements

for EC approval, but none have focused on analyzing the laws of nations that have already been

approved and comparing them to the Directive's language. Such an analysis is important in

understanding how the Commission itself has used the Directive to ensure data privacy when

transferring data to third countries. Since 1995, the Commission has used the third country

adequacy requirement from the Directive as a tool in negotiating with third countries for

protecting the transfer and use of private data; however, the Commission' s efforts to enforce the

Directive' s requirements for adequate levels of protection of private data has met some

challenges along the way.

Passenger Name Records

A key challenge to the enforcement of the Data Directive involves the United States and its

use of the private information found in airline passengers' Passenger Name Records (PNRs).

PNRs contain passenger information collected by commercial airlines including names,

addresses, phone numbers, travel itineraries, numbers of luggage items used in travel, travel

agency or reservation data, credit card information, dietary information, passport numbers, and

social security card information. 1 Air carriers collect this data and are required to pass it along



'7 The categories of information contained in PNRs include: PNR record locator code, date of reservation, date of
intended travel, name, other names on PNR, address, forms of payment information, billing address, contact
telephone numbers, travel itinerary for the specific PNR, frequent flyer information, travel agency information,
travel agent name, code share PNR information, travel status of passenger, split/divided PNR information, e-mail
address, ticketing field information, general remarks, seat number, ticket number, date of ticket issuance, "no show"
history, bag tag numbers, no show information, other supplementary information, special service information,
received from information, historical changes to the PNR, other travelers on PNR, seat information, one-way ticket
information, advance passenger information, and any other field of information the airline might include. See
Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger Name Record Data,
69 Fed. Reg. 41,543, 41,547 (July 9, 2004).










to the Department of Homeland Security (DHS) for all passengers on transnational flights. Is The

DHS collects this information as a way of combating transnational crimes and terrorism, but in

2003 19 the EC took issue with the use of European citizens' PNRs. The EC based its concerns

on the third country adequacy requirements in the Data Directive.

Since 2003, the European Commission's Directorate for Justice, Freedom, and Security

and the U. S. government have negotiated the use of Passenger Name Records by the U. S.

Department Homeland Security and the program's legality under European law. During this

period, the two sides have made a number of agreements to allow the use of PNRs under certain

conditions, and the latest agreement was reached in October 2006.20 The multi-year discourse

between the EU and the US provides excellent insight into the enforcement process that the EC

will use to ensure that the principles of the Data Directive are followed domestically and in third

countries.

Despite the numerous agreements on the use of PNRs, on May 30, 2006, the European

Court of Justice (ECJ) annulled two 2004 agreements reached between the European

Commission, the Council of the European Union and the U. S. government on the transfer of

PNRs to the Department of Homeland Security. In its ruling, the ECJ annulled these agreements

on the grounds that the enforcement of the use of PNRs falls outside the scope of the Data

Directive because it involves "processing operations concerning public security, defence, State




's For basic information on PNRs, visit the Department of Homeland Security website, "Frequently Asked
Que stions" section, availab le at http://www.dhs. gov/xlibrary/assets/privacy/privacyfaq_pn cb.pdf.
19 See Letter from Frits Bolkenstein, Member of European Commission, to Tom Ridge, Director of Homeland
Security (Dec. 18, 2003), available at http://ec.europa.eu/justice_home/fsj/privc/osaeuypn2031-8
letter-bolkestein~en. pdf.

20 See Agreement between the European Union and the United States of America on the processing and transfer of
passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, 2006 O.J.
(L 298/29).










security and the activities of the State in areas of criminal law."21 Under European law, the

European Commission, where the Data Directive originated, concerns the marketplace and

commerce, not criminal law or national security. The EC/DHS agreements used national

security and fighting transnational crime as the primary foundation for transferring PNRs, yet the

European Court of Justice ruled that this foundation fell out of the scope of the Data Directive

and of the Commission' s authority.

The Court of Justice' s opinion and its effect on the most recent agreement on the transfer

of PNRs between the EC and the DHS, raise important legal questions about the Data Directive

yet to be answered. The ECJ' s decision calls into question the scope of the Data Directive22 and

may prove influential in the future enforcement of the Directive in third countries.

Purpose of Thesis

The purposes of this thesis are to 1) analyze Data Directive 95/46/EC and its requirements

for data protection in third countries; 2) analyze how the European Commission has actually

applied the adequacy requirement to third countries; 3) analyze the ongoing dispute between the

United States Department of Homeland Security and the European Commission concerning the

transfer of Passenger Name Records from airline carriers to the DHS, including an analysis of

the annulment by the European Court of Justice of previous EC/DHS agreements; and, 4) to

examine how the European Court of Justice decision, and the Passenger Name Record

agreements, might affect the scope and the enforcement of the Data Directive in the future.

Review of Literature

Most of the legal research surrounding the Data Directive 95/46/EC has focused on the

potential effects of the Directive on business with the U. S., on comparisons between the U. S.

21 Joined Cases C-317/04 and C-318/04, Eur. Parl. v. Eur. Comm'n and Council on Eur. Union, 2006 OJ (C 178) 2.

SSee infra at page 46.










laws and EU data privacy protection laws,23 and analyses of the "Safe Harbor"24 agreement

between the U. S. Department of Commerce and the EU.25 The literature does an excellent j ob of

discussing some of the issues and problems raised by the EU Data Directive. The extant

literature lays an important groundwork for the purposes of this thesis.

Alexander Zinser, a technology lawyer in Switzerland,26 discussed the Directive's five

critical aspects of data privacy protection that could be used as criteria in approving data

transfers to third countries in his 2003 article in the John Marshall Journal of Computer and'

Information Law/.27 Zinser argued that the Directive does not specifically say whether the level

of protection in the EU laws28 Or in the Member State laws29 is most applicable. This question of

which level of protection to use (the EU or the Member States) arises from the nature of

directives and how Member States could conceivably adopt stricter standards for data protection

than the EC did for Europe as a whole.









23 See 23 COMP. LAB. L. & POL'Y J. 251 (2002). This issue contained comparative articles focusing on some of the
issues surrounding U.S. and EU data protection law, including a focus on how the Directive and U.S. laws vary
concerning data privacy in e-commerce.

24See infra pp.24-26.

25See David A. Castor, Note: Treading Water in the Data Privacy 4ge: 4n analysis of Safe Harbor 's First Year. 12
IND. INT'L & COMP. L. REV. 265 (2002). This article contains a helpful and insightful analysis of the Safe Harbor
agreement between the U.S. Department of Commerce and the European Commission. Castor examines some of the
changes U.S. businesses have made to be in accordance with Safe Harbor as well as looking at some of the potential
difficulties in enforcing the agreement in the U.S.

26Alexander Zinser, International Data Transfer Out of the European Union: the adequate Level of Data Protection
according to article 25 of the European Data Directive. 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003).

27Id. at 549-553.

28Id. at 557.

9 Id. at 565.










In another article by Zinser, appearing in the Tulanze Journal of Technology & Intellectual

Property (Spring 2004),30 he asserted that Article 25, which requires that data transfers to third

countries occur only with "adequate levels of data protection," empowers the European

Commission and EU Member States to judge the third country's level of data protection but fails

to specify how these governments would physically or technologically intervene to restrict the

actual transfer of data to a country that does not meet the levels of adequacy.31 He posited that

perhaps "telecom operators would be asked to intervene and block any transfer.32"

Zinser also pointed out that the Directive never explicitly lays out a way that either a

Member State or the EU will even "be aware of a data transfer to an unsecure country."33 If the

EU or the Member States are not aware of non-secured data transfers to third countries, then the

Data Directive could prove ineffective in protecting trans-national transfers of European' s

private data.

In an article written shortly after the passage of the Data Directive in 1995, Paul Schwartz,

law professor at the University of Arkansas, Fayetteville, illustrated some of the important issues

raised by the language of the Directive.34 Schwartz focused mainly on how the Data Directive

could affect the United States; however, he also provided important information relevant to a

discussion of the Directive's effects on other nations.





30 Alexander Zinser; European Data Protection Directive: the Determination of the Adequacy Requirement in
International Data Transfers. 6 TUL. J. TECH. & INTELL. PROP. 171 (lr1114.
31 Id. at 175.

3 2Id

33 Id. at 178.

34 Paul Schwartz, Data Protection Law and the European Union 's Directive: the C Illl. g.- for the United States:
European Data Protection Law and Restrictions on International Data Flows. 80 IOWA L. REV. 471 (1995).










Schwartz showed that the laws of most EU member states require an "equivalent" level of

protection when transferring private data to a third country, but the Data Directive only requires

an "adequate" level of protection by third countries, thereby potentially lowering the level of

security required for this third country data transfer.35 According to Schwartz' analysis, third

countries that have received European Commission approval for data transfers could potentially

be held to lower data privacy protection standards than before the Data Directive.

Zinser had mentioned in his 2004 article that the Directive does not state whether the

standards of the EU or of an individual Member State will be used to judge adequacy in a third

country. If the EU determines adequacy using the Directive, third countries will probably be

held to one standard for adequacy; however, if the laws of the Member States determine

adequacy, there could be 25 different standards, potentially leading to a third country or a

business "bargain-shopping" for the most lenient level of adequacy amongst the Member States.

Joel Reidenberg, professor at the Fordham University School of Law, while comparing in

2001 the positions of the U. S. and the EU on data protection,36 Said that while "democratic

states" agree that information privacy "is a critical element of civil society," the United States

has left the protection of privacy to markets rather than law. In contrast, Reidenberg said,

Europe treats privacy "as a political imperative anchored in fundamental human rights."37

Reidenberg said that although the EU Privacy Directive requires businesses to report potential

violations of third countries to their own officials, studies show that few businesses were doing





35Id. at 472.

36 JOel Reidenberg, E-Conunerce and Privacy Anstitute for intellectual Property &~ Aforination Law Swinposiuin: E-
Conunerce and Trans-4tlantic Privacy. 38 Hous. L. REV. 717 (2001).
37Id. at 730-731.










so at the time of his article.38 Still, Reidenberg asserted that the European model for data privacy

protection influences other nations more than the U. S model. He noted that countries such as

Australia, Canada, and Hungary used the European model to form their own national data

privacy protection laws.39

In an article from 2000, Kevin Bloss, focusing on the battle between the U.S. and the EU,40

argued that the Directive might not hold up to scrutiny if the U. S., or another nation, were to

bring portions of the Data Directive before the World Trade Organization.41 Bloss argued that

the fact that the Data Directive unilaterally requires non-European nations to enact specific laws

at the risk of losing the ability to do business with European businesses, could constitute a

violation of fair-trade agreements.42

Bloss supported his position by arguing that one of the WTO/General Agreement on

Tariffs and Trade (GATT) rules that Europe might be breaking is called the "Most Favored

Nation" obligation.43 This obligation requires all GATT nations to give every other party to

GATT/WTO "identical privileges with respect to any given product either imported or

exported."44 Bloss posited that the U.S. could bring a challenge to the Data Directive before the

WTO on grounds of a violation of this obligation because the Data Directive requires third

countries to treat EU Member States with un-identical privileges.


38Id. at 734-735.

39 Id. at 735.

o0 Kevin Bloss, Raising or Razing the e-Curtain ?: The EU Directive on the Protection of Data Privacy, 9 MINN. J.
GLOBAL TRADE 645 (2000).
41 Id. at 654-655.

I2d. at 654.

43Id. at 655.

I4d.










In an article from 2005, Francesca Bignami discussed numerous aspects of the Data

Directive and the EC/US Passenger Name Records dispute.45 Much of Bignami's article focused

on the concept of transgovernmental organizations (such as the EU) and the difficulties in

maintaining a sense of democracy in such networks. The author argued that the PNR dispute

could serve to strengthen the unity of the EU Member States because it represents a unified effort

to protect privacy against the differing US approach.46 Bignami argued that the PNR dispute

could lead to reducing the democratic deficit that exists between the EU Member States;47

however, the author' s idea may prove overly optimistic if the ECJ annulment of the PNR

agreements reduces the scope and effectiveness of the Directive as a whole. Bignami questioned

why the European governmental organizations would choose to focus so much effort on the PNR

dispute. She argued that the PNR case appealed to a fundamental European right and that the US

PNR was perceived as a threat to Europeans.48

Bignami also focused on the challenge of enforcing the Data Directive in Europe, due to

the "dizzying array of institutional arrangements" for implementing and enforcing the Data

Directive.49 The mixed procedure form of creating laws at the European level then placing

responsibility for implementation and enforcement on the individual nations differs even from

the transnational organizations of the United Nations or the World Trade Organization. 50

Bignami pointed out that Europe has supranational organizations (European Commission,


45 Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European Information Privacy
Network, 26 MICH J. INT'L L. 807 (2005).
46 Id. at 811.

47 Id.

48 Id. at 865.

49 Id. at 819.

so Id. at 823.










European Court of Justice, European Parliament) that are charged to oversee the actions of the

Member States in regards to European policies, but that their role is somewhat inhibited by

limited resources and the autonomy of each Member State's separate legal systems."

Bignami also discussed how the Data Directive grants the EC the authority to oversee

complaints and concerns from Member States regarding the adequacy of data protection laws in

a third country.52 The challenge is whether or not the individual Member States are aware of

questionable data transfers and will report the matters to the EC. Bignami stated that the

Member States have not been active in either blocking dangerous data transfers or being specific

about the conditions for data transfers.53 The author also reported on the fact that the

Commission had openly criticized the Member States for allowing many dangerous and illegal

data transfers in their international trade.54

The points articulated by Bignami demonstrate the difficulty in actually fulfilling the

requirements of the Data Directive for third countries. The author discussed how the PNR

dispute might affect transnational governance in Europe; however, Bignami did not discuss how

the PNR dispute will affect the effectiveness of the Directive itself.

Overall, the literature on the EU Privacy Directive provides help in understanding the

document, but does not look at the texts of the EU documents that led to the approval of third

countries allowed to engage in data privacy transfers with the EU member states. An

examination of these documents should help to see what requirements the EU actually imposes

on nations to win approval as third countries. Also, the literature has yet to examine the recent


51Id. at 824.

52 Id. at 826-27.

53 Id. at 832.

54 Id. at 833.










developments of the PNR dispute and how this case might affect the enforcement and

effectiveness of the Data Directive in the future.

Research Questions

* R1: How has the EC defined adequate data protection laws for third countries and how has
it applied this definition to third countries thus far?

* R2: What does the Passenger Name Records dispute between the US and the EC show
about the Directive' s third country requirements? How might this effect the future of the
Directive with other third countries?

* R3: How might the European Court of Justice annulment of the Passenger Name Records
agreements potentially affect the Directive, especially its third country requirement?


Research Methods

This thesis is a legal analysis of both international and domestic data privacy laws. The

research for this thesis will include extensive analysis of legal documents concerning the EC

Data Directive, the data privacy laws of third countries, the use of Passenger Name Records by

the US Department of Homeland Security, and the European Court of Justice decision on the

EC/DHS PNR agreements.

Research for this thesis was conducted using LexisNexis, the websites of the European

Union, and relevant websites from the U. S. government (including the Department of Homeland

Security). All primary documents cited may be accessed from these sources.

This thesis conforms to the Bluebook style for legal writing and uses the standard legal

system of footnoting.

Conclusion

The research for this thesis is necessary for contributing to the understanding of how the

EC has applied the Directive's adequacy requirements to third countries thus far. The legal field

has yet to analyze the recent developments in the European Commission/Department of









Homeland Security dispute over the transfer of the private data included in Passenger Name

Records. An analysis of the European Court of Justice annulment of the previous PNR

agreements and an analysis of how the EC has applied the Directive to other third countries may

call into question both the validity and effectiveness of the Directive as it requires high levels of

data privacy in all European international trade.









CHAPTER 2
OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON THIRD
COUNTRIES

Purposes of the Data Directive

The Data Privacy Directive was created to protect the personal data of European citizens.

The Directive defines personal data in Article 2(a) as "any information relating to an identified

or identifiable natural person." An "identifiable person is one who can be identified, directly or

indirectly, in particular by reference to an identification number or to one or more factors

specific to his physical, physiological, mental, economic, cultural or social identity."' Due to its

broad definitions of personal data and identifiable person the Directive applies to arguably all

forms of personal data. The Directive' s stated purposes are as follows.

* Promote the common European market by unifying the Member States' laws on data privacy
protection

* Protect the right of privacy for citizens in Member StateS3 both in local and international
markets and with non-European third countries

* Remove the obstacles to the free, trans-border flow of information between Member States
that stem from differing data privacy protection laws in each nation'

* Adapt European Community laws to fit advances in technology and communication

* Ensure that individuals have access to their private data in order to confirm that it is accurate
and being protected'




i Commission Directive 95/46/EC, art. 2(a), 1995 O.J. (L 281).

2 Id. at recitals 1, 3-5.
3 Id. at recital 2.

4 Id. at recital 20

SId. at recitals 7-9.

6 Id. at recitals 6, 14, 16.

SId. at recital 25.










* Establish safeguards for data transfers to and from controllers residing in third countries
without adequate levels of data

* Provide a way for individuals or organizations to demonstrate "adequate levels" of data
protection despite residing in a "third country void of adequate protections to data privacy"9

* Create data privacy authorities to oversee data privacy in the Member States and to unify
them into a Working Party that oversees data privacy in the EU and communicates with the
European Commission on data privacy matters. 10

These purposes demonstrate the sweeping intent of the European Commission to enact

legislation governing data privacy in a broad and general way. This approach is very different

than the U. S attempts to protect privacy by enacting subj ect-specific laws. 1

Key Provisions for Third Countries in the Data Directive

The Data Directive requires that a third country provide "adequate levels of protection" in

order to transfer data with a business from the EU. Despite this requirement, the Directive never

explicitly defines adequacy. Alexander Zinser, a technology lawyer based in Lausanne,

Switzerland, has written extensively on the question of determining the definition of adequacy in

the Directive. In his 2003 article on the Directive, Zinser pointed out that the Data Directive

contains no specific definition of an "adequate level of data protection,"12 but that the Directive

does provide, in different places, at least five critical areas of data privacy that could be used as

criteria in approving data transfers to a third country.





SId. at recitals 56-57.

9 Id. at recital 59.

10 Id. at recitals 62-65.

'' See Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property &~ Information Law Symposium:
E-Commerce and Trans-Atlantic Privacy. 38 Hous. L. Rev. 717, 730-731 (2001). See also supra at note 3.

12 Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level of Data Protection
According to Article 25 of the European Data Directive. 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003).










From these critical areas of data privacy, Zinser identified five criteria used to determine

whether or not a third country provides an adequate level of protection. These five criteria are:

* The lawfulness of the processing of personal data
* The special protection of sensitive data
* The rights of the data subj ects
* The security of the actual processing of data
* The existence of control and enforcement measures. 13

The task of grouping each provision of the Data Directive into these five criteria is

complex; however, this process helps in understanding the definition of adequate levels of data

protection. Each article in the Data Directive may be classified into one or more of the five

criteria.

An example of this complexity can be found in one of the key provisions of the Directive,

Article 6. This article outlines the requirements for maintaining the quality and accuracy of

personal data. Although these requirements come from Article 6, they apply to each separate

part of the five criterial4 Article 6(a), that Member States must ensure that data be lawfully

processed, 1 is the essence of criterion 1. Article 6(b), that data must be collected for a specific

purpose,16 also deals with criterion 1, the lawfulness of data. Article 6(d), that data must be kept

as accurate and as up to date as possible," could also concern criterion 2 (special protection of

data) by requiring Member States to protect the accuracy of data, and criterion 3 (rights of data



13 Id. at 559.

14 COmmission Directive 95/46/EC, art. 6, 1995 O.J. (L 281).

Is Id. at art. 6(a).

16 Id. at art. 6(b). This article also states that furtherhr processing of data for historical, statistical or scientific
purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards."
Although the original data must be collected for a specific, legitimate purpose, the Directive does not state that there
need be a specific purpose in the "further processing of data" for these purposes.

17 Id. at art. 6(d). The Directive states that data should be kept accurate and up to date taking "every reasonable
step" but it never defines what constitutes a "reasonable" step.










subjects) by requiring that individuals have the right to have accurate data. Article 6(e), that data

be kept in a form that permits identification of data subj ects for no longer than necessary, I

concerns criterion 2 and criterion 3 as well.

A few other articles of the Directive provide insight towards understanding the EU data

privacy law' s expectations for third countries. Article 12 grants data subj ects the right to find out

how companies and agencies use their private data,19 falling under criterion 5 (existence of

control and enforcement measures). These articles also concern criterion 3 (rights of data

subj ects) because they grant rights to data subj ects.

Another article related to criterion 3 is Article 14, which allows the data subj ect to petition

the transfer of his or her personal data to the data controllers and to do so free of monetary

charge.21 Article 17 requires the data controller to "implement appropriate technical and

organizational measures to protect personal data,"22 a requirement that addresses criterion 4 on

the security of processing data.

Of greatest relevance to this thesis is Article 25, "Transfer of Personal Data to Third

Countries." This Directive article states that data cannot be transferred to a third country unless

"adequate levels of protection" are provided for in the nation' s laws.23 Article 25(2) says that in

determining the adequacy of data protection in the third country, the Member States or the EC



1s Id. at art. 6(e). The article says that Member States should regulate any long-term storage of data in cases of
"historical, statistical, or scientific use."

19 Id. at art. 12.

20 The directive defines a "controller" as the person or entity in charge of determining "the purposes and means of
the processing of personal data." Commission Directive 95/46/EC, article 2(d).
21 Id. at art. 14.

I2d. at art. 17(1).

23Id. at art. 25(1).









should pay attention to the purpose of the data transfer (criterion 1) and the duration of the

transfer (criterion 4).24 In addition to these directions, Article 25(2) also requires that the

Member State or the EC look at the third country's laws relating to the security of processing

data, a requirement that falls under criterion 4 on the security of the actual processing of data.

If the Commission finds that a third country does not provide an adequate level of personal

data protection, the Directive requires them to "prevent any transfer of data of the same type to

the third country in question," a provision that is primarily a control and enforcement measure

from the EU (criterion 5).25

Article 28 of the Directive states that each Member State must appoint a public authority to

supervise the implementation of the Data Directive into the laws of that Member State. This

article falls under criterion 5 on the existence of control and enforcement measures. A data

authority must have authority to intervene when private data might be released without consent

or when private data records need be blocked from being transferred or erased and to prosecute

when data laws are broken.26 The presence of such an official in third countries could contribute

to the ability of a third country to demonstrate an adequate level of data privacy protection.

Because the Directive fails to specifically define what constitutes an adequate level of

protection, Zinser' s five criteria help to create a picture of the criteria the EU might use in

determining if the third countries' data privacy laws maintain an adequate level of protection.

The analysis of the third countries that have been approved for data transfers will reveal how the

EC has or has not applied these criteria.



24 Id. at art. 25(2).

25 Id. at art. 25(4).

26 Id. at art. 28(1-3).










Third Countries and the Data Directive Requirement for Adequate Levels of Data Privacy
Protection

Since passage of the EU Data Privacy Directive, the European Commission has approved

several third countries as having adequate levels of data protection. The Commission has

approved Switzerland, Canada, Argentina, Guernsey, and Isle of Man. The United States,

through the Department of Commerce, has worked out the Safe Harbor, an agreement that allows

individual businesses to agree to maintain adequate levels of data privacy protection in

accordance with the Directive.

Zinser' s five criteria for judging whether a third country's laws adequately protect personal

data provide most of the guidance needed for this chronological analysis of each country deemed

adequate. In each of these cases, the European Commission found that the third country in

question provides adequate data privacy protection.

Switzerland

Switzerland was the first nation to receive the European Commission's adequacy status.

On July 26, 2000, the European Commission issued a decision stating that Switzerland's laws

provided an adequate level of protection governing the transfer of private data. 27 The Swiss

regularly engage in international commerce with the EU Member States. The Commission

report on Switzerland's data privacy protection laws stated that the Swiss Federation provides for

protection at both the federal and cantonal (or state) levels.28

At the federal level, the Commission report stated that "The [Swiss] Federal Constitution .

.. gives every person the right to have his privacy respected and, in particular, to be protected




27Commission Decision 2000/518/EC, art. 1, 2000 OJ (L 215).

28Id. at (5).









from the misuse of data concerning him."29 This right falls under criterion 3, granting data

subj ects their rights to privacy.

The EC report also stated that Switzerland's court systems at both the federal and cantonal

levels have developed binding case law that protects "the quality of the data processed, the right

of access of the persons concerned, and the right to request the correction or destruction of

data."30 These constitutional and case-law based laws meet the requirements of the criteria that

data is of a high quality, that data subj ects have rights to access and correct their personal data,

and that the data is protected (criteria 2 and 3).

The Commission report also discussed the Swiss Data Protection Act of June 1992, which

permits citizens to have access to their personal information in files and created a supervisory

authority to oversee data privacy issues in the nation.31 The presence of a data authority is

consistent with criterion 5 on the existence of control and enforcement measures. As in the EU

Member States, this supervisory authority has power to investigate, prosecute, and hear claims

from organizations about breaches of personal data protection laws.

The Commission also recognized that most of the Swiss cantons have passed their own

data privacy legislation, focusing on local issues such as regulating how private data can be

transferred (criterion 4).32 This relates the lawful protection of the processing of private data

(criterion 1) granting sensitive data special protections (criterion 2).

The Swiss approach towards the protection of personal data is very similar to the EU Data

Directive model in that it grants data privacy the status of being a fundamental right and contains


29 Id. at (6).
30 Id.

31 Id. at (7).

32 d. at (8).










protections at the federal level and the local level. The EC report granting Switzerland the status

of being an approved third country recognizes that Swiss laws and practices meet each of the five

requirements for third countries in the Directive.

Canada

After Switzerland, Canada became the next country to receive adequacy status. On

December 20, 2001, the European Commission judged Canada' s privacy laws, particularly the

Personal Information Protection and Electronic Documents Act of 2000 (hereafter "the Canadian

Act"), as adequately protecting personal data.33 Although Canada does not have a constitutional

statement that recognizes data privacy as a fundamental right as Switzerland does, the EC report

praised Canada for passing legislation that protects privacy generally and sectorally.

The Canadian Act requires businesses to protect personal data and provides that the data

protection "will extend to every organisation that collects, uses or discloses personal information

in the course of a commercial activity."34 The Canadian Act defines the lawfulness of the

processing of data and limits it to when the data subj ects has authorized the transfer (criterion 1).

This act grants data subj ects the rights to petition organizations for their private data and to

correct inaccurate data, as well as to protest the improper use of their data (criterion 3). The act

also calls for secure processing of private data (criterion 4).35 This law seemingly meets the

criteria that the data is lawfully obtained (in this case through commercial activity) and that

sensitive data is protected.






33 COmmission Decision 2002/2/EC, art. 1, 2001 O.J. (L 2/13)

34 Id. at (5).
3 5 Id.










The Canadian Act mandated the creation a Canadian Federal Privacy Commissioner to

oversee privacy issues at the national level.36 The privacy commissioner has the authority to

hear claims and complaints pertaining to personal data protection from individuals and

organizations, to summon witnesses, to audit businesses' privacy practices, to administer oaths,

and to "compel the production of evidence if voluntary co-operation is not forthcoming."37 The

authority granted to the privacy commissioner meets the requirements of criterion 5 by

implementing control and enforcement measures.

The EC decided that Canada' s laws and practices provide adequate levels of private data

protection; furthermore, Canada' s laws met each of Zinser's five criteria. The language of the

Canadian Act demonstrates a general approach to protecting personal data that is similar to the

EU Data Directive.

Argentina

Argentina became the next nation to receive an adequacy decision from the European

Commission. On June 30, 2003, the Commission decided that Argentina' s data privacy

protection laws provided adequate levels of private data protection in accordance with Article 25

of the EU Directive. 38 The Commission stated that Argentina' s legal standards for the protection

of personal data have been provided for in binding general and sector-specific rules.39

The Constitution of Argentina treats privacy as a fundamental right, just as Switzerland' s

constitution and the ECPHRR. 40 The Constitution of Argentina includes a "habeas data" rule


3 6Id

37 Information obtained from the Office of the Privacy Commissioner of Canada website available at
bli \l u\ llprivcom.gc.ca/aboutUs/index~e.asp. Last visited on April 19, 2006.
38 COmmission Decision 2003/1731/EC, 2003 OJ (L 168).
39 Id. at 3.

40 See supra 14.










that allows the data subj ect to know both the "content and purpose of all the data pertaining to

him or her contained in public records or databanks, or in private ones."41 Under the "habeas

data" rule, citizens also have the right to demand that their information be corrected, deleted, or

made confidential,42 a right that relates to criteria 3 and 5. The EC report also states "Argentine

jurisprudence has recognized 'habeas data' as a fundamental and directly applicable right."43

The EC report also cited another Argentine privacy law, the Personal Data Protection Act

of 2000.44 This law follows the Data Directive model of granting citizens access to their

personal data, mandating the protection of personal data (criterion 2), the lawful obtaining of

data through businesses and government agencies based on data subj ects' consent (criterion 1),

and the secure processing of personal data (criterion 4).45 These rights meet the criteria of the

Directive by ensuring that data subj ects have access to their personal information, that the data

transfers stay secure, and that data is collected lawfully.

The Argentine government also has a National Directorate for the Protection of Personal

Data, a body charged with ensuring the protection of data privacy and with judging adjudicating

disputes about data privacy.46 The National Directorate has authority to impose sanctions on

organizations and even to pursue criminal liabilities for individuals and organizations that breach

data privacy protection laws. This national data authority constitutes a level of control and

enforcement measures (criterion 5).



41 COnst. Arg, Art. 43.3.
4 2Id.

43 COmmission Decision 2003/1731/EC, 2003 O.J. (L 168), 3
44 The Personal Data Protection Act No. 25.326 of 4 October 2000.

45 COmmission Decision 2003/1731/EC, 2003 O.J. (L 168), 3-4.
46 Id. at 4.










As with Switzerland and Canada, Argentine law meets each of Zinser' s five criteria and

meets the EC standards for providing an adequate level of protection.

Guernsey

The Bailiwick of Guernsey, a small island nation in the English Channel, became the next

nation to receive adequacy status from the European Commission. On November 21, 2003 the

EC granted Guernsey, a British protectorate that functions as a separate legal entity from the UK,

approved status as a third country with adequate levels of data privacy protection.47 In this

report, the EC stated that the basis for EC approval of Guernsey was based on the passage of the

Data Protection Law of 2001, a law "based on the standards set out in Directive 95/46/EC."48 In

other words, the EC fully acknowledged that the Directive serves as the foundation for the data

privacy laws of Guernsey.

In the Data Privacy Law of 2001, Guernsey granted data subj ects the rights to their

personal data and the rights to change or erase this data (criterion 3).49 The law also mandates

that data transfers be protected with technological safeguards and that a supervisory privacy

authority be set up (criteria 2, 4, and 5).50 As with the other approved third countries, the data

authority in Guernsey has powers to investigate and to intervene when there has been a breach of

data privacy protection."





47Commission Decision 2003/821/EC, 2003 O.J. (L 308). 5. In its report, the EC recognizes Guernsey as a third
country because although it is a British protectorate, it maintains complete liberty from the Crown except in a few
international matters such as defense.

48Id. at (7).

49 d. at (7).
" Id.

51Id. at (8).










The EC report on Guernsey contains far less specific information on the reasons for

approving this third country for the free flow of personal data transfers with the Member States.

Although the report notes "the legal standards applicable in Guernsey cover all the basic

principles necessary for an adequate level of protection for natural persons," the EC gives almost

no specific reasoning behind their decision.52 The EC report shows that Guernsey has met

criteria 2, 3, 4, and 5. The report never specifically addressed the issue of defining lawfulness in

the processing of data.

Isle of Man

The Isle of Man, an island nation similar to Guernsey, received adequacy status from the

European Commission next. On April 28, 2004, the Commission issued a report approving Isle

of Man as a third country with adequate levels of personal data protection. 53 JUSt as with the

report on Guernsey, the EC report on Isle of Man contains few examples and few reasons for

granting the island nation approved status for data protection. The report cites the Data

Protection Act of 2002,54 the Human Rights Act 2001,5 and the Access to Health Records and

Reports Act 1993 as providing an adequate level of protection for private data. From these acts,

data subj ects in Isle of Man are guaranteed the lawful use of their private data (criterion 1), the

special protection of their private data (criterion 2), and security in the transfer of data (criterion

4).56 Data subj ects in Isle of Man also have the right to access their personal data and to correct



52 Id. at (9).

53 COmmission Decision 2004/411/EC, 2004 OJ (L 151). Like Guernsey, Isle of Man is a protectorate of the British
Crown and is in the same political arrangement as Guernsey.

54 d. at (7).

55Id. at (8).

56 See Isle of Man data privacy website available at http://www.gov.im/odps/yourrights.xml. Last visited on May 4,
2006.









errors in that data, as well as to seek compensation from a data controller who misuses the

private data of a data subj ect (criteria 3 and 5).57

Despite the lack of detail and analysis of these acts, the EC report says that the laws of

Guernsey allow for adequate levels of data privacy protection.'" The laws of Guernsey also

meet Zinser' s five criteria for determining adequacy.

United States "Safe Harbor"

Because of different approaches towards data privacy protection in the U.S. and the EU,

and because of the economic interdependence of these two economies, the EU Data Directive

has presented significant challenges for the U.S. and the EU. With little prospect of a U.S.

national law recognizing data privacy as a fundamental right and enacting broad, general privacy

legislation, the European Commission adopted the U.S. Department of Commerce' s "Safe

Harbour Privacy Principles and Frequently Asked Questions"59 (hereafter "Safe Harbor" and

"FAQs") on July 26, 2000.60 The Safe Harbor was created to allow businesses and organizations

in EU Member States to legally (under EU law) transfer personal data to businesses in the U.S.

and to protect trans-Atlantic commerce.

The rules of Safe Harbor apply to businesses under the jurisdiction of the Department of

Commerce and the Federal Trade Commission. These rules allow U. S. businesses to continue

data transfers with EU businesses by opting in to data principles that mirror much of the

provisions of the Directive, including ensuring that data transfers are secure (criterion 4),

granting data subj ects rights to access their data (criterion 3), providing data subjects with


57Id.

58Id. at (9).

59 See U.S. Dept. of Conunerce website, http ://www.export.gov/safeHarbor/index.html.

61) COmmission Decision, 2000/520/EC, 2000 0.J. (L 215) 7.










notification when their personal data will be used (criteria 3 and 5), keeping data accurate and up

to date (criterion 2), and creating governmental sanctions for violations of Safe Harbor principles

(criterion 5).61

In exchange for opting in to the Safe Harbor, U.S. businesses involved in disputes over

Safe Harbor principles would keep legal actions in U.S. courts, not in European courts.62 Each

business choosing to opt in must write the Department of Commerce, make its privacy policy

available on-line and with the Department of Commerce, and have its name published on a list of

Safe Harbor businesses.63

Through Safe Harbor, the U.S. has received partial approval from the EC on providing

adequate levels of data protection; however, because Safe Harbor only applies to businesses

under the Department of Commerce and the Federal Trade Commission, the assurance that the

U. S., as a third country, will follow the provisions of the Directive is limited. As of June 2007,

1,196 U.S. businesses had opted in to the Safe Harbor, through the U.S. Department of

Commerce.64 The Safe Harbor principles have accounted for meeting criteria 2, 3, 4, and 5, but

the agreement is different than approval for other nations. Other approved third countries have

received approval for data transfers as a nation, but the Safe Harbor does not represent a full

approval for the U. S. as providing adequate levels of private data.

Conclusion

Since its passage in 1995, the European Data Privacy Directive has had an influence on

other nations, an effect resulting from the requirements of Chapter IV of the Directive that

61 See "Safe Harbor Overview" on Department of Conunerce website for a complete list of the Safe Harbor
principles, available at http://www.export.gov/safeHarbor/sh overiewhtl Last visited on April 20, 2006.
62 Id. at "Safe Harbor Benefits."

63 Id. at "How does an organization join?".

64 Safe Harbor List, available at httpl w\ il \t .export.gov/safeharbor/doc_safeharbor~indexap










requires any non-EU nation to have adequate levels of data privacy protection as a precursor to

conducting personal data transfers. Because the free flow of personal data has become such an

important commodity in recent years, nations all over the world must consider adopting laws that

protect personal data.

The Directive provides third countries an opportunity to demonstrate an adequate level of

protection and gain approval from the Commission to ensure a free flow of information and a

continuation of business with EU Member States. In determining adequacy, the EC has applied

fiye criteria:

* The lawfulness of the processing of personal data.
* The special protection of sensitive data.
* The rights of the data subj ects.
* The security of the actual processing of data.
* The existence of control and enforcement measures.

Using these criteria the European Commission has given approval for Member States to

transfer personal data to Switzerland, Canada, Argentina, Guernsey, Isle of Man, and to the U. S.

(in limited scope). Despite the EC's consistent application of adequacy standards with other

nations, the case of the Safe Harbor for the U. S. demonstrates that the Commission shows some

flexibility in working with third countries. The PNR case may shed further light on how far the

EC will go to arrange an agreement with a third country (in this case, the U.S.).

Zinser' s fiye criteria proved accurate and helpful in analyzing the reports on each nation's

approval. A comparison of the official EC decisions granting these third countries approved

status reveals some interesting similarities and differences.

The EC reports on Switzerland, Canada, and Argentina contained detailed analysis of the

laws of those nations that protect private data. Each of these countries granted the concept of

data privacy the status of a general law, with Switzerland and Argentina declaring data privacy










as a fundamental human right. Each of these reports also contained examples of how these

nations protect privacy at both the general and the sectoral level, just as the EU protects privacy.

As stated in the analysis above, the reports on Guernsey and Isle of Man are brief and lack

the detail of the others. This may be a result of the fact that these nations are protectorates of the

United Kingdom and opted into the privacy protection laws of the United Kingdom. These two

island nations benefit greatly from a free flow of personal data as their economies are based

mainly on offshore banking and insurance, which might explain the reason that they sought

approval status from the EC.

As previously stated, the EC decision to work with the U.S. to create the Safe Harbor

differs greatly from its approval of other third countries. Despite the fact that the U.S. has no

general protection for personal data, the EU showed it was willing to work out compromises on

data protection in order to allow for international trade even when a nation was not in full

compliance with the EU Data Directive.

One question that arises is why so few nations have sought to gain the status of full

approval for personal data transfers with the EU. It is possible that some nations are skeptical

about the enforcement of the Directive as it pertains to adequacy in third countries. Zinser, in an

article previously discussed, pointed out that the Directive never specifies whether the EU or the

Member States will enforce the Directive or what methods they might use to enforce it.65

Without specific sanctions for noncompliance (which may prove difficult to craft and avoid








65 See Alexander Zinser: European Data Protection Directive: the Determination of the adequacy Requirement in
International Data Transfers. 6 TUL. J. TECH. & INTELL. PROP. 171 (lr1114.










WTO/GATT problems)66, many third countries might not make the efforts to enact adequate

privacy legislation or to encourage businesses to conform to Safe Harbor type principles.

Countries with general laws protecting data privacy might be those that stand to benefit the

most from EC approvals. For nations such as the U.S. where there is less chance of enacting

general privacy protections, the fact that the Directive allows individual businesses to have

adequate levels of protection makes the Safe Harbor (or potentially another plan with other third

countries) the best option for now for businesses. As stated previously, the Safe Harbor,

however, applies only to businesses and not to the transfer of private data by and to the United

States government; therefore, the debate between the United States and the European

Commission over Passenger Name Records falls outside the scope of the Safe Harbor and

necessitates a separate agreement.



























66 See Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN.
J. GLOBAL TRADE 645 (2000).











CHAPTER 3
THE PAS SENGER NAME RECORDS CONTROVERSY

As discussed in Chapter 2, the European Commission has granted adequacy status to

multiple nations since passage of the Data Directive in 1995. In the cases of Switzerland,

Canada, Argentina, Guernsey, and Isle of Man, the Commission stated that those nations' laws

provided adequate levels of protection for private data. In the case of the United States, the

Commission worked with the U.S. government to create the Safe Harbor program wherein

individual businesses guaranteed to provide adequate levels of protection for private data.

Although the Safe Harbor agreement represented compromise, the greatest controversy and

challenges to the Directive have come in the form of laws requiring that commercial airlines

provide governments with Passenger Name Records. As mentioned in Chapter 1, Passenger

Name Records contain large amounts of personally identifiable information including financial

information, itineraries, physical addresses, travel information, and contact information.

Australia and the United States require commercial airline carriers to pass PNR

information to their national customs agencies. The European Commission has worked with

both of these nations in an effort to protect the private data of European citizens in PNRs. The

Australian PNR agreement was met with very little controversy, but the United States PNR

agreement has been the source of one maj or legal challenge in the European court system. These

agreements raise important issues that affect the scope and efficacy of the 1995 Data Directive. 2







SSee supra at note 17.

2 At the time of this thesis, the Australian and United States' PNR agreements are the only such documented PNR
cases with the European Union.










The Australian Passenger Name Record Agreement

Following the terrorist attacks of September 11, 2001 on the United States, the Australian

government implemented new security policies that included a requirement that commercial

airlines provide the government with Passenger Name Record data.3 Upon introduction of these

new requirements in the Border Security Legislation Amendment (Terrorism) Act 2002

(hereafter "Border Security Act"), the Government of Australia requested that the European

Commission officially determine the adequacy of Australia' s data protection laws for the transfer

of PNR data. In accordance with the legal framework laid out in the Data Directive, the

Commission assigned the task of determining adequacy to the Article 29 Working Party.4

As created in Article 29 of the Data Directive, the data protection commissioners of each

Member State and the EC data commissioner comprise the "Working Party on the Protection of

Individuals with regard to the Processing of Personal Data" (hereinafter referred to as the

"Working Party").s Under Article 30, the Working Party is charged with addressing concerns

(such as the PNR concerns) over data protection in third countries and informing the

Commission about any issue concerning data privacy for EU citizens.' In January 2004, the

Commission adopted the Article 29 Working Party's opinion that Australia provided an adequate







3 Border Security Legislation Amendment (Terrorism) Act, 2002, c. 64 (Austl.).

4 See Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of24 October 1995
on the protection of individuals with regard to the processing ofpersonal data and on the fr~ee movement of such
data, 1995 O.J. (L 281).
SId. at art. 29(1).

6 Id. at art. 30(b).

SId. at art. 30(c).










level of protection of private data in its transfers of PNR data to the Australian Customs and

Border Protections agencies.8

The Border Security Act amended a number of laws governing the activities of Customs

and the Border Protection agencies in Australia. As mentioned above, one requirement of this

2002 act is that commercial airlines must transfer PNR data to the Australian government for use

in terrorist risk assessment. In its opinion on adequacy, the Working Party noted that the PNR

requirement in the Border Security Act had to comply with Australian privacy laws

guaranteeing the privacy of personal information. 10 The Working Party noted that Australia has

a strong legal foundation of protecting the collection, use, transfer, and retention of private data

in the public and private sectors.l

Keeping with the tradition of favoring the privacy of personal data, the Australian

government required specific procedures to ensure what the Australian government considered to

be highest possible levels of protection for the private data transferred in PNRs. The Borders

Security Act (hereafter "BSA"), seeks to ensure the protection of the private data in PNRs in the

following ways.

* Passenger Name Records accessed contain only current flight data and not historical PNR
datal12

* Computer software weeds out the data of 95% 97% of all passengers on an average flight
because they are determined to be of no risk to the security of the countryl13



SOpinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data
from airlines (10031/03/WP 85).

9 See Commonwealth Privacy Act, 1988, c. 118 (Austl.).

'0 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record
data from airlines (10031/03/WP 85) at 3.
11 Id. at 3-5.

I2d. at 5.










* The first human eyes to see any of the data are those of a Customs officer who reviews the
3% 5% of passengers flagged by the software screening and determines whether or not
the government should detain the passenger upon arrival in the country

* Computer software automatically deletes the PNR data of the 95% 97% of passengers
who clear the initial software screening"

* A Customs officer deletes all PNR data for every individual eventually cleared of any
concerns by the Customs and Border Patrols agencieS16

* Computer software automatically deletes flight information from Customs databases 24-48
hours after the flight"

* Computer software filters out "sensitive" information including racial or ethnic origin,
political opinions, religious or philosophical beliefs, or data on health problems

* The BSA limits the third parties authorized to receive the PNR data (namely Australian
law enforcement agencies)19

* The B SA limits the use of PNR data by law enforcement agencies to law enforcement
activities guided by judicially authorized warrants20

* The B SA bans the use of PNR data for a secondary purpose except where authorized by
the individual identified in the data or mandated by Australia federal law.21

As understood by the Article 29 Working Party, the above regulations governing the

collection and use of PNR data serve to protect the privacy of personal data at an adequate level

as defined in the EC Data Directive.



13Id~

1 Id~

1 Id. at 6.

1 6Id~

17 Id. at 7.

Is Id. at 8.

'19 d. at 9.

20 Id. at 9. The Working Party noted that in order to receive credit card and telephone records from Customs' PNR
data, law enforcement agencies must provide Customs proof of having obtained a warrant. Id.

21 Id. at 10.










The Working Party also noted that the Australian PNR agreements mandate "high levels"

of security when working with PNR data. 22 To protect sensitive information in PNRs, Australia

allows only a "small group"23 Of individuals access to PNR data. This group of individuals must

pass through three layers of passwords and identification confirmation before accessing the PNR

records. Additionally, PNR data is stored on an electronic network separate from other networks

in the Australian Customs agency system.24

The Australian PNR law also grants individuals the right to access and correct any data in

their records. Because most PNR data may be stored for only 24-48 hours, this aspect of the law

applies only to individuals who have been charged with violating Customs or border protection

laws. These individuals, whether charged or convicted, have a legal right to access their PNR

data and to rectify errors therein.25

The Australian PNR agreement also grants the Australian Privacy Commissioner the

authority to petition the Australian legislature to change any PNR practices that may not be in

line with existing Australian privacy laws.26 The PNR arrangement also gives the Privacy

Commissioner the authority to investigate alleged abuses of PNR brought forth by either

Australian citizens or non-citizens.27

The European Commission adopted the Working Party's Opinion on the adequacy of

private data protection in Australia's PNR system in January 2004. Under the recommendation


2 2Id

23 Id. at 8.

24 Id. at 10. The Working Party also noted that Customs officials refrain from using PNR data and visa information
together in any way. Id.
25 Id. at 11.

2 6Id

27 Id










of the Working Party, the Commission set a three-year time period on the present agreement with

a required review of the PNR system set for mid 2007.28 Since the European-Australian PNR

agreement in 2004, neither side has formally challenged the legality of the agreement or the

expressed concerns over the protection of individuals' private data when transferred to the

Australian government.

Although this agreement has not met legal challenges, the European-United States

Passenger Name Records has raised controversy from the European government and its citizens.

The United States Passenger Name Records Agreement

Despite the agreement between the United States and the European Union to create the

Safe Harbor, the trans-Atlantic battle over the protection of private data was renewed in late

2003. In post 9/11 legislation aimed at combating terrorism the United States Congress passed

the Aviation and Transportation Security Act (ATSA) that required airlines to transfer all

Passenger Name Records (PNRs) to the U.S. Customs and Border Protection (CBP).29 ATSA

required airlines flying in and out of the United States to provide this information to the CBP or

risk penalties.

This new law quickly raised concerns in Europe over the uses and transfers of European

citizens' private data in PNRs. The controversy between the EU and the U.S. over the PNRs

sheds additional light on how the EU might apply the Data Directive to third countries.

From the European perspective, the concerns about the transfer of PNRs to the U.S.

government are founded in Chapter IV, Article 25(1) of the Directive. This article states that


28 Id. at 12. At the time of the present study in June 2007, neither the European Commission nor the Australian
government has publicly announced an end to, or a renewal of, the PNR agreement.
29 Aviation and Transportation Security Act of 2001, Pub. L. No. 107--71, 115 Stat. 597. The Customs and Border
Protection is a U. S. governmental agency under the Department of Homeland Security (DHS). In this light, much of
the EU/U.S. debate over PNRs is directed towards the DHS.










The Member States shall provide that the transfer to a third country30 Of personal data
which are undergoing processing or are intended for processing after transfer may take
place only if .. the third country in question ensures an adequate level of protection. 31

This particular portion of the Data Directive has caused tension between the U. S. and the

EU because of the United States' sectoral, case-by-case approach to data privacy legislation. If

EU businesses and Member States follow the legal frameworks of the Directive regarding third

country adequacy of protecting private data, the trans-Atlantic flow of personal data could be

limited and business would be greatly disrupted between the world's two top economies. In the

case of the PNRs, airlines that refuse to provide this data to the CBP would be subj ect to fines

and potential loss of privileges to land in the U. S., resulting in a maj or loss of business due to

differences in privacy laws.

After the passage of ASTA, the European Commission notified the U. S. government that

the requirement to provide the CBP with PNRs violated provisions of the Data Privacy Directive

of 1995.32 The EC said it had learned that the PNRs of EU citizens were being transferred to the

United States Department of Homeland Security (DHS) for access by the CBP. In 2002, the EC

officially issued a report denouncing this practice as an invasion of the privacy of EU citizens.33

Because the ASTA failed to provide the data subj ect the authority to access his or her personal

data held by the DHS and to correct errors in that data, the Commission said the sharing of this

information violated the Data Directive. The Directive requires that personal data held by any




30A "third country" refers to a nation or state that does not belong to the European Union.

31 Directive 95/46/EC, Art. 25(1).

32See Conununication from the Conunission to the Council and the Parliament, December 16, 2003, on PNRs.
Accessed from EC website, available at http://europa.eu.int/comm/justice_home/fs/rvcdo/aeuyap-
communication/apis_en. pdf.

33 Opinion of the European Commission, Opinion 2/2004. available at
http://europa.eu.int/comm/justice_home/fsjpiaydc \\pdioes lai-'' n' pNl7_en.pdf.










government or business be accessible by data subj ects, that the data not be kept on record for

longer than necessary, and that a supervisory authority oversee the uses of the personal data. 34

In response, the U. S. Customs and Border Protection argued that the transfers of this data

are allowable under Article 13 of the Directive because the data is used in national and public

security, specifically to combat terrorism.35 Article 13 grants the EU and its Member States

room to restrict the scope of the Data Directive obligations on data protections if the government

deems such restrictions as a necessary safeguard in certain key areas.36 The key areas for

exemptions to the Directive's data protection guidelines include lifting data privacy restrictions

to aid in national security,37 defense,38 public security,39 fighting crime (including white collar

crime),40 maintaining economic interests,41 monitoring or inspecting crimes,42 and the protection

of the rights and freedoms of the data subj ect and others.43




3Id

35See Council Decision of 17 May 2004 on the conclusion of an agreement between the European Community and
the United States of America on the processing and transfer of PNR data by Air Carriers to the United States
Department of Homeland Security, Bureau of Customs and Border Protection (lIs1 4 ~~96/EC).

36 COmmission Directive 95/46/EC, art. 13(1), 1995 O.J. (L 281).

37Id. at art. 13(1)(a).

38Id. at art. 13(1)(b).

39 Id. at art. 13(1)(c).

40 Id. at art. 13(1)(d). In addition to granting exemptions for data protection in the act of preventing, discovering,
investigating, and prosecuting criminal offences, the Directive explicitly mentions that this exemption applies to
investigations and prosecutions of "breaches of ethics for regulated professions." Id. The Directive does not define
regulated professions.

41 Id. at art. 13(1)(e). The Directive states that economic interests include "monetary, budgetary, and taxation
matters." Id.

I2d. at art. 13(1)(f).

43Id. at art. 13(1)(g).










Acting under its authority, the Article 29 Working Party44 issued an opinion in January

2004 that highlighted many of the legal issues of the PNR debate. 45 In its opinion, the Working

Party acknowledged that the fight against terrorism is necessary but emphasized the necessity to

balance fighting terrorism the need to ensure human rights,46 including the fundamental human

right of privacy.47 The Working Party also expressed concern about the amount of personally

identifiable information contained in the PNRs passed to the U. S. government.48 Despite the fact

that the Commission had recently reached its agreement to transfer PNR data to the Australian

government,49 the Working Party stated that the Commission had no legal precedence to follow

in this case and could not issue a solid decision on what to do.'

In response to the Working Party's concerns over the level of protection of Passenger

Name Record data when transferred to Customs and Border Protection, the Department of

Homeland Security issued further explanations of the CBP PNR system in May 2004.51 The

document, titled the Undertakings, outlined the framework that the CBP would follow in its use

of the PNR data.

In the Undertakings, the Department of Homeland Security said that the Customs and

Border Protection only uses Passenger Name Record data in terrorist and law enforcement


44See supra at note 123.

45Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be
Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87). available at
http://europa.eu.int/comm/justice_home/fs/racdo/poc 21**14 u ps7_en.pdf.
I6d. at 3.

47Id.

48Id. at 4.

4 9Id.

"0Id. at 5. The Working Party did not provide any explanation as to why there was no legal precedence_for the PNR
case even though they had recently reached a PNR agreement with the Australian government.

51Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection Regarding the
Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543 (July 9, 2004).









activities.52 The DHS stated that it "believes that it will be rare than an individual PNR will

include a full set of data." 53 For those individuals flagged as "high risk," the DHS said that its

employees would manually search through the PNR data; otherwise, PNR data would be

analyzed by automated software.54 Finally, the DHS assured that it would follow legal channels

to obtain credit card transactions, e-mail communications, and phone records information on

high risk individuals."

In the Undertakings, the Department of Homeland Security also stated that PNR data

would be transferred to the Transportation Security Administration (TSA) for analysis56 and to

other government agencies, both domestic and foreign, on a case-by-case basis." In providing

PNR data to the TSA and other governments, the DHS stated that the PNR data would be filtered

for "sensitive" data (including race and ethnicity, religious beliefs, and union memberships) and

that the data would be used solely for terrorist screening purposes." The DHS promised that any

transfers and storage would be secured by the latest technologies.59

The Undertakings mentioned that neither U. S. citizens nor non-U. S. citizens would have

access to PNR data because the data would be exempt from disclosure as confidential

commercial information.60 The Undertakings mentioned that through a Freedom of Information


5Id

53Id. at 41,544.
5Id

55Id

5 6Id

57Id. at 41,545.

58Id. at 41,544.
5 9Id

601)d. at 41,545.










Act request, the data subj ect would be allowed to see his or her PNR data unless Customs and

Border Protection determined that providing the data would interfere with a law enforcement or

security activity.61 The DHS stated that denying an FOIA request because of concerns that data

disclosure would interfere with law enforcement would represent an "exceptional case."62

Finally, the DHS said that the PNR agreement would be subj ect to yearly j oint review by the

European Commission and the U.S. Department of Homeland Security in an effort to ensure that

privacy remain a priority in the U.S. PNR data searches.63 The European Commission, despite

its concerns over the U. S. government' s PNR uses, used the Undertakings as a guide for reaching

a May 2004 agreement to continue sharing PNR data between the U.S. and the EU.

The European Commission, in its report on the European-United States PNR agreement,

stated that the European Parliament had been given the chance to review the agreement but had

not acted within the time limits provided by European Community law.64 The Council stated

that, under Article 300(3) of the Treaty Establishing the European Union,65 Parliament must

deliver its opinion on the Commission's actions within a time limit chosen by the Council.66 In

this case, Parliament failed to act in time and provided no reason for the delay.






61 Id. at 41,546.

I2d.

63Id. at 41,547.

I4d. at 2.

65Treaty Establishing the European Union, 1997 O.J. (L 340) at 298. available at http://eur-
lex.europa.eu/smartapi/cgi/sga_doc?smartapi celexapi iprod!iCELEXnumdoc&numdoc= 11997E3 00&model=guichet
t&1g-en.

66Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be
Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87) at 2. available at
http://europa.eu.int/comm/justice_home/fs/racdo/poc 21**14 u ps7_en.pdf.










The European Commission, the Council of the European Union, and the European

Parliament comprise "the decision-making triangle"67 Of European governance. Understanding

the roles of these separate European governmental bodies is important to the present study

because of their involvement in the PNR controversy. In the European Union governmental

structure, the European Commission acts as the executive arm of the government for all matters

concerning the internal market. Its members are appointed by the Member States and approved

by the European Parliament.

The European Parliament, its members elected by EU citizens, is charged with supervising

the EU' s activities. In its supervisory responsibilities, Parliament can require the Commission to

include parliamentary proposals in Commission directives and must give approval to any

international agreement negotiated by the Commission.

The third EU governmental body, the Council of the European Union, shares legislative

power with the Parliament. Through a co-decision procedure, both the Council and the

Parliament must approve legislation on any matter dealing with the EU common economic

market. The Council is comprised of ministers from each EU Member State.68 In addition to

sharing authority with the Parliament, the Council also directs the European Commission when

to open negotiations with non-European Union nations.69

Because the Parliament failed to approve or disapprove the European Commission

Department of Homeland Security agreement on Passenger Name Records within its time limits,





67 How does the EU work? The decision-making triangle, http://europa.eu/abc/121essons/lesson_4ide4n/t
(last visited Apr. 17, 2006).
6 8 Id

6 9Id










on May 14, 2004 the Commission and Homeland Security went ahead with an agreement to

continue to allow airlines to transfer PNRs to Customs and Border Protection.70

The Commission agreed that the CBP provided adequate levels of data protection for the

PNRs and that the practice of allowing the U.S. government to access PNR data from the

airlines' databases could continue "only until there is a satisfactory system in place allowing for

transmission of [PNRs] by the air carriers"" to the CBP. Nowhere in the document did the

European Commission mention when such a system would appear or how the system would

differ from the current one.

To punctuate the strenuous relationship between the EU and the U. S. in the matter of the

Passenger Name Records, the EC also added that the present agreement would in no way serve

as a precedent for future agreements between the U.S. and the EC in matters of protecting

personal privacy.72 Although this agreement allowed the transfer of personal data in the name of

public safety, the Commission made it clear that this was not to become a common practice and

that the rules of the Directive applying to third countries were going to be enforced in the

future. 73

The U. S. also conceded to limit its use of "sensitive" information in PNRs.74 In

negotiations, the U. S. agreed to limit its use of PNR information to "the passenger' s name,


"0 Agreement between the European Community and the United States of America on the processing and transfer of
PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border
Protection, signed in Washington on 28.5.2004 at 4. 2004 O.J. (L 183) 83. 4vailab le at http://europaeeu int/eur-
lex/lex/LexUriServ/LexUriSery.do?uri= CELEX304O9:EN:HTML.

71 Id. at 5.

I2d. at 4.

73Id

74See Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights between the
European Union and the United States of America (Sep. 30, 2004). available at
http://europa. eu. int/comm/justice_home/fsj /privacy/docs/wpdoc s/2004/wp97_e.pdf










contact details, details of the travel itinerary,. details of the reservation. [and] other

information," such as frequent flyer data.7 "Sensitive" information that the U.S. agreed not to

use includes information on religious and political affiliations, health records, sexual preferences,

and race. 76 The fact that the U. S. agreed to limit its use of this information showed, at least, a

willingness to adjust on its end. This could be a factor for other countries that wish to conduct

business with the EU but do not have such sweeping privacy protections written into national

law.

On May 17, 2004, three days after the European Commission issued its decision to allow

Customs and Border Protection to continue to transfer Passenger Name Record data, the Council

of the European Union issued its own decision on the matter. 77The Council stated that the

Parliament had failed to act on its authority to approve or disapprove the Commission agreement

and that the issue needed to be resolved quickly because of the pressure placed on the airlines to

comply with competing European and U.S. standards.' The Council also decided that the

agreement between the Commission and the Department of Homeland Security provided an

adequate level of protection for personal data. 79 Due to the urgent nature of the issue, the

Council approved the EC-DHS agreement. so



75 Id. at 5.

76Id.

77Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the
United States of America on the processing and transfer of PNR data by Air Carriers to the United States
Department of Homeland Security, Bureau of Customs and Border Protection, 2004/496/EC. 2004 O.J. (L 183) 83.
available at http://eur-
lex.europa.eu/smartapi/cgi/sga_doc?smartapi celexapi iprod!i CELEXnumdoc&1g= en&numdoc= 32004DO496&model
= guichett.
78Id.

9 Id.

O Id.










The Opinion of the Advocate General and the European Court of Justice Decision on the
PNR Case

Despite the agreement between the European Commission and the U.S., the European

Parliament was not satisfied with the decisions of the Commission and the Council. Parliament

brought suit to the European Court of Justice in July 2004, asking the ECJ to annul the European

Commission and Council of the European Union decisions permitting the transfer of the PNRs.s

In the European Union system, the European Court of Justice (ECJ) takes cases from Member

States that require a clarification of European law and from Parliament when challenging an

action of the European Commission. The ECJ consists of a judge from each Member State and

eight Advocates General. Upon receiving a case, the ECJ passes it on to one Advocate General

who then issues a non-binding opinion on the case. The ECJ traditionally adopts the opinions of

the Advocate General.82

The Court of Justice referred this case to Advocate General Philippe Leger, who issued an

opinion on the case on November 22, 2005. In his opinion on the combined cases of the 2004

Commission and Council decisions on PNR agreements, Leger sided with the European

Parliament and suggested that the Court of Justice annul the agreements issued by the EC and the

Council concerning the transfer of PNRs.8s3

The Advocate General argued that the Commission's ruling that the U.S. provides

adequate protection of private data was faulty. According to the Advocate General, "the

[European Commission Data Directive] does not apply to the processing of personal data


st Opinion ofAd'vocate General [English translation], delivered to the European Court of Justice on 22 November
200 5. Available at http://curia. eu. int/jurisp/cgi-bin/form.pl?lang=en& Submit= Submit...f=C-
3 17%2FO4&datefs= &datefe= &nomusuel= &domaie&mt=rsax 100.

82 See European Court of Justice website for further information at
http://curia. eu. int/en/instit/pre sentationf r/index~cj e.htm.
8 3 Id.










undertaken in pursuance of activities that do not fall within the scope of Community law,

particularly the processing of such data for such matters as public security and the activities of

the State in relation to areas of criminal law."84 In Other words, the Directive cannot regulate the

transfer of private data for security or law enforcement purposes. The Directive comes from, and

applies to, the European Commission. The sole mission of the European Commission is to

promote the common economic market in the European Union and the EC is not involved in law

enforcement or investigations into criminal activity."

Regarding the decision of the Council to allow the PNR transfers, the Advocate General

advised the Court of Justice to annul this decision as well.86 He used the same reasoning, that

the Data Directive, or any other European Commission directive, cannot be employed in the

realm of national security, defense, or law enforcement because they fall outside the

Commission' s authority to promote the European common market."'

Following the opinion of Advocate General Leger, the European Court of Justice annulled

both the Commission' s agreement to permit the transfer of PNRs to the U. S. Department of

Homeland Security and the Council decision affirming the agreement on the Passenger Name

Records. ss As expected by tradition, the ECJ followed the reasoning and the conclusion of the

Advocate General in its ruling.



84 d. at 17.

85For more information about the structure of the EU government, visit
http://europa. eu.int/abc/euroj argon/index~en. htm

86 Opinion ofAd'vocate General [English translation], delivered to the European Court of Justice on 22 November
200 5, 3 6. A vailab le at http://curia.eu. int/jurisp/cgi-bin/form. pl?lang=en& Submit= Submit...f=C-
3 17%2FO4&datefs= &datefe= &nomusuel= &domaie&mt=rsax 100.

87Id.

""Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30.
Available at http://ec.europa.eu/justice_home/fsj/privaydc/dqayprjdeetej3_50_n npf










The Court' s analysis of how the PNR case relates to Directive 95/45/EC provides

important insight into the Directive. In its decision, the Court addressed Parliament' s arguments

against the agreement in a systematic fashion. First, the Court considered Case C-318/04,

Parliament' s suit to annul the Council decision on adequacy from May 17, 2004 that had

legalized the continuing program of PNR transfers to Homeland Security. In its suit, the

European Parliament argued that because Article 3(2) of the Directive specifically excludes the

Directive from applying to issues that fall outside the scope of European Community law, the

Directive could not serve as a legal foundation for a Passenger Name Record deal with the U.S.

Department of Homeland Security.89

Parliament contended that the PNR agreement was aimed primarily at providing the U.S.

with personal data for the sake of fighting terrorism and organized crime.90 The Commission

argued that although the U.S. was seeking this data for those purposes, the Commission made the

agreement in order to protect the personal data of citizens' and to protect airlines from fines and

other penalties that could affect the common market.91 The ECJ, however, disagreed with the

EC on this issue.

The Court reasoned that the text of the Council's decision on adequacy clearly states that

the purpose of the agreement was to support the United States' efforts to combat terrorism and

international crime and to provide data to a third country solely for this purpose.92 The ECJ

reasoned that despite the fact that the PNR data is initially collected as a commercial activity by




89 Id. at recital 51.

901)d. at recital 52.

91 Id. at recital 53.

92 Id. at recital 55.










the airlines, the PNR agreement focused on the completely different use of the data for security

and crime Eighting.93

The Advocate General expounded on this point in his Opinion, pointing out that despite the

Council's argument that the agreement existed to protect the common market, the decision on

adequacy proved the opposite.94 The primary purpose of the agreement, he said, was to provide

the United States with data that would be used in fighting terrorism.95 The Advocate General

pointed out that both the EC-DHS agreement and the Council's decision contained a paragraph

that mandated that the U. S. would actively promote the cooperation of U. S. airline companies in

providing PNR data to the EU in the future if either the European Union or one of its Member

States desired PNR data for Eighting terrorism in Europe.96 The Advocate General stated the

European Commission could not claim that the purpose of the PNR agreement was to protect

European citizens' private data in international economic activities such as air travel when the

Commission had explicitly based its decision to continue PNR transfers in order to aid the U.S.

in Fighting terrorism and crime.97

The European Court of Justice, in its decision, ruled in favor of Parliament' s concern that

the PNR agreement infringed on Article 3(2)98 Of the Directive and that the Council decision on




93 Id. at recital 57.

94 Opinion of advocate General [English translation], delivered to the European Court of Justice on 22 November
200 5, 20. 4 vailab le at http://curia.eu. int/jurisp/cgi-bin/form. pl?lang=en& Submit= Submit...f=C-
3 17%2FO4&datefs=&datefe= &nomusuel= &domaie&mt=rsax 100.

95 Id.

9 6Id.

97 Id.

98 See Commission Directive 95/46/EC, 1995 O.J. (L 281) article 3(2). "This Directive shall not apply to the
processing of personal data in the course of an activity which falls outside the scope of Community law, such as
.. operations concerning public security, defence, State security, .. and areas of criminal law."










adequacy must be annulled.99 Having followed the opinion of Advocate General Leger in the

first part of the case, the Court then turned to its analysis of Case C-3 17/04, Parliament' s suit

over the EC-DHS PNR agreement. 100

In its suit, the European Parliament argued that as with the Council's decision on

adequacy, the 1995 Data Directive did not constitute the appropriate legal foundation for the

PNR agreement because it fell outside the Commission' s purpose of protecting the common

market. 101 The Commission asserted that under the auspices of Article 95 of the Treaty

Establishing the European thrion, the Commission and the Council had authority to seek the

harmonization of law where there is a clear conflict in international law between the EC and a

third country that would affect the common market. 102 Under this authority, the Commission

claimed the right to use the 1995 Data Privacy Directive as the foundation for the PNR

agreements .

The Court of Justice, however, ruled that Article 95 granted the Commission and Council

the authority to harmonize international laws relating to the European common market and not to

matters of national security. 103 Because the EC-DHS agreement relied on the authority to

regulate the common market from Article 95 of the Treaty Establishing the European thrion and

the authority to protect the common market from data privacy concerns in third countries from




99 JOined Cases C-3 17/04 & C-3 18/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at
recital 60. available at
http://ec. europa. eu/j ustice_home/fsj /privacy/docs/adequacy/pnr/j udgement~ecj _3 0_05_06_pnren.pdf.
'oold. at recital 62.

101 Id. at recital 63.

102 See Treaty Establishing the European Community, Article 95, 2002 O.J. L (C 325) 69. available at http://eur-
lex.europa.eu/LexUriServ/LexUriSery.do?uri CLX12002EO95:EN:HTML.

103 Id. at 67.










the 1995 European Commission Data Directive as its legal basis, the agreement had to be

annulled. 104

The Court said that the both Article 95 and the 1995 Data Directive concern the

functioning of the European common economic market, but that the Commission' s decision on

adequacy "does not have as its obj ective and subject-matter the establishment and functioning of

the internal market." tos In its decision to annul the 2004 agreements, the European Court of

Justice held that because the PNR transfers were for the purpose of combating terrorism and

crime, activities outside the scope of the European Commission' s mandate to promote the

common economic market, the Data Directive did not constitute an appropriate legal basis for

the PNR agreement. 106

Despite the Court of Justice' s annulment of the both the EC-DHS agreement and the

Council decision on adequacy, the ECJ held that the PNR agreement should remain applicable

for a period of 90 days so that the governments could work on a new agreement in that time.

The Court said that the agreement would not be preserved past September 30, 2006. 107

In October 2006, the Council of the European Union issued a decision to sign a new

temporary agreement between the European Union and the U.S. government on the transfer of

PNR data. 10s This new agreement resembled the 2004 agreements in the Commission's

adequacy decision and the Council's decision on adequacy that were annulled by the European

Court of Justice. As with the 2004 agreements, the Council and Commission cited the 2004

1o Id. at 67-70.

'05 Id. at 63.

106 See supra at note 218.

107 Id. at 74.

10s Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of
passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 27.










Undertakings as ensuring adequate levels of protection for the private data in PNRS. 109 As in

previous agreements, the Commission and Council reserved the right to withdraw from the

agreement upon receipt of concerns from the Member States about EU citizens' privacy. 110

Finally, the Council and Commission both agreed that preventing terrorism and transnational

crime were the basis for the agreement to transfer PNR data to the U.S. Customs and Border

Protection, just as previous agreements had stated. "1

The notable difference between the 2004 agreements and the October 2006 agreement was

the latter' s lack of allusions to the 1995 European Commission Data Directive. The October

2006 agreement instead used Article 6(2) of the Treaty on the European Union112 as the legal

basis for respecting privacy as a fundamental right "and in particular to the related right to the

protection of personal data."113 Due to the fact that the Treaty on the European Union applies to

all areas of Europe (not just the common economic market governed by the European

Commission), the agreement appeared to satisfy the literal holding of the Court of Justice' s

ruling that the PNR agreements dealt primarily with terrorism and law enforcement, not the

welfare of the common economic market. Finally, the October 2006 agreement set a date of July

2007 for creating a new, permanent PNR agreement between the Commission and the U.S.

Customs and Border Protection. 114




109Id.

"O0 d. at 28-29.

111 Id. at 29.

112 See Treaty Establishing the European Community, Article 6, at 2. 2002 O.J. (C 325) 69.

113 Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of
passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 29.
11 Id~










The Opinion of the Advocate General versus the Court of Justice's Holding in the
Passenger Name Record Case

In its decision to annul the European Commission-U. S. Department of Homeland Security

agreement, the European Court of Justice only addressed one of the European Parliament' s

concerns over the Passenger Name Record agreement. The ECJ held that the PNR agreement

infringed upon Article 3(2) of the 1995 Data Directive, namely that the Directive only applies to

protecting personal data in economic activities and not security and law enforcement activities.

Having found that the Directive was not an appropriate legal basis for the PNR agreement, the

ECJ annulled the agreement solely on these grounds.

The Court of Justice refrained from even addressing Parliament' s other arguments saying,

"it is not necessary to consider the other pleas relied upon by Parliament"" in order to annul the

agreement. By basing its ruling solely on one argument in the case, the Court failed to address

these other important concerns over the agreement, concerns that may prove problematic for

future PNR agreements. The Advocate General examined each of these pleas in his Opinion on

the case, siding with the European Commission and the Council of the European Union on every

count. The other pleas set forth by Parliament against the PNR agreements are that the PNR

agreement infringed on fundamental rights, that the PNR agreement was overbroad, and that the

Commission and Council overstepped their authority in the creation of the PNR agreement.

The Parliament' s pleas will be discussed in separate sections. An examination of the

Advocate General's response to these pleas provides valuable insight into potential problems

with future PNR agreements.




"5 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at
recital 70. available at
http://ec. europa. eu/j ustice_home/fsj /privacy/docs/adequacy/pnr/j udgement~ecj _3 0_05_06_pnr en~pdf.










Plea: the PNR agreement represented an infringement of fundamental rights

In its case, the European Parliament alleged that the PNR agreement between the U.S. and

the E.U. failed to respect the basic human right of protecting personal data. The Parliament

alleged that the system of accessing PNRs intrudes upon privacy and is overly broad in the

information provided to the government. 116 The Advocate General emphasized that, in Europe,

privacy is a fundamental right affirmed in Article 8 of the European Convention on Human

Rights and that any law seeking to limit this right "cannot Eind acceptance in the [European

Community]."ll The PNR agreement, in the Advocate General's opinion, constituted an

obvious--yet justified-intrusion on the right of privacy.

In order to justify an intrusion on private life, the Advocate General pointed out that such a

law must meet three criteria: it must 1) be in accordance with existing law, 2) pursue a lawful

and legitimate aim, 3) and be necessary for a democratic society.ll Whereas the Parliament

contended that the PNR agreement was not in accordance to the law, Advocate General Leger

said that the 2004 Department of Homeland Security Undertakings on the U. S. Passenger Name

Records system ensured that the agreement was indeed in accordance with privacy law, the first

of the three criteria. 119 The Advocate General also stated his opinion that fighting terrorism is a

legitimate governmental aim, consistent with the second criterion. 120

The third and final criterion for justifying an intrusion into private life is the issue of

whether or not the interference is necessary in a democratic society. In his analysis of this


"1Id. at recital 108.

"7 Id. at recital 208.

"8 Id. at recital 214.

"1Id. at recital 221.

12 Id. at recital 222.










question, Advocate General Leger stated that the European Court of Human Rights has defined

the term "necessary" as a "pressing social need" that "should be proportionate to the legitimate

aim pursued."12 The Advocate General stated that the European courts have sought to balance

the general interest and the interest of the individual in an effort to limit laws from being broadly

infringing on fundamental rights,122 but that the courts have traditionally allowed European

Member States "a wide margin of appreciation," or a great deal of latitude, in laws seeking to

maintain national security and combat terrorism. 123 The PNR case, he said, is an area where the

courts should allow the Commission and the Council "a wide margin of appreciation" because

the case is focused mainly on maintaining national security and combating terrorism. 124

Plea: the Commission and Council went beyond their authority in creating the U.S. PNR
agreement.

Advocate General Leger then sought to determine whether or not the Commission and the

Council exceeded the scope of their wide margin in the Passenger Name Record agreement with

the U.S. 125 He then systematically addressed Parliament' s arguments aimed at proving this plea.

The Parliament argued that the list of 34 personal data items in the PNRsl126 transferred to

the Department of Homeland Security, overstepped the "margin of appreciation" granted to the

Commission and Council. However, Advocate General Leger said that the amount of data







' Id. at recital 226.

I22d. at recital 228.

1 Id. at recital 230.

' Id. at recital 231.

'2 Id. at recital 234.

126 See supra at 17.










requested is necessary for combating terrorism and therefore was within the "margin of

appreciation" in this case. 2

The Parliament also contended that the PNR agreement overstepped the "margin of

appreciation" because the U.S. authorities would hold the PNR data for a long period, up to three

years and six months for most records and up to eleven years and six months for data on

passengers deemed as posing a high risk to U.S. national security. 128 Addressing this concern,

Advocate General Leger stated that the length of time for the data storage did not necessarily

infringe on the right to respect of privacy. He said that "although it is in principle desirable that

personal data should be kept for a short period, it is necessary, in this case, to consider the period

of storage of data from PNR in light of their usefulness, not only for purposes of preventing

terrorism but, more widely, for law-enforcement purposes."129 111 Other words, the Advocate

General felt that the long period of data storage in the PNR agreement did not overstep the

considerable latitude granted to laws aimed at combating terrorism and crime. 130

The Parliament also argued that the PNR agreements did not allow for any judicial review

of the PNR program by U. S. authorities, meaning that the U. S. court system could not impose

safeguards on the U. S. government' s use of PNR data. 131 Advocate General Leger stated that the

safeguards for protecting the PNR data from abuse in the U.S. government were adequate in

protecting personal privacy while using the data to combat terrorism. 132 The Advocate General


'27 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Conun'n and Council of the Eur. Union, 2006 May 30, at
recital 238.

12s Id. at recital 240.

129 Id. at recital 242.

'30 Id. at recital 243.

'31 Id. at recital 244.

'32 Id. at recital 246.










said that the PNR agreement allowed for an individual to access his or her PNR data and to

correct any errors contained therein, 133 and guaranteed that the Chief Privacy Officer at the

Department of Homeland Security would pursue any complaints about the misuse of PNR data

from the EU Member States on an expedited basis. 134 In his opinion, the safeguards for the PNR

program kept the agreement within the "wide margin of appreciation" in this case. 135

Plea: the U.S. PNR agreement was overbroad

Finally, the Parliament also argued that the PNR agreement was overbroad in that it

permitted the U.S. Customs and Border Protection to transfer PNR data to other U.S. government

agencies and to foreign governments. 136 Again, Advocate General Leger disagreed with the

Parliament on this issue. He stated that safeguards in the DHS Undertakings were sufficient to

protect PNR data from abuse in transfers to other governmental bodies. 137 The Advocate

General said that the Customs and Border Protection would only transfer PNR data to other

government bodies if the data was needed to pursue law enforcement activities and that the

governmental body receiving the PNR data would have to have written permission from the CBP

to use the PN\R data. 138

Summary of the Advocate General's Opinion on the PNR case

Following his reasoning in each of the issues mentioned above, Advocate General Leger

dismissed the Parliament' s plea alleging that the Passenger Name Record agreement infringed



1 Id. at recital 249.

I34d. at recital 251.

' Id. at recital 254.

136 Id. at recital 255.

1 Id. at recital 258.

1 Id. at recitals 259-260.










upon the right of protection of personal data. 139 The Advocate General recommended that the

Court of Justice annul the PNR case because the Commission had inappropriately based the

agreement on the 1995 Data Privacy Directive; however, the Advocate General disagreed with

the Parliament on every other plea. The fact that the Advocate General sided with the European

Commission and the Council of the European Union on all but one of the Parliament' s pleas is

potentially important for future PNR agreements. The potential significance of the Advocate

General's Opinion will be addressed in Chapter 4.

Conclusion

The Passenger Name Records disputes between the European Union and the U.S.

government provide a revealing look at how Europe has attempted to enforce the third country

adequate levels of protection for private data requirements in the 1995 Data Directive. Despite

substantially different approaches to privacy law, the U.S. and Europe have worked to try and

find a balance between sharing data to combat terrorism and protecting individual privacy.

The questions remain as to how Europe will apply its Directive to continued PNR

agreements with the U.S. and Australia, as well as how these PNR agreement might affect the

future of how the European Commission enforces the Data Directive to enforce data privacy

protection in non-PNR cases.














139 Id. at recital 262.









CHAPTER 4
CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE

The study conducted in this thesis seeks to answer three fundamental questions about the

1995 European Commission Data Privacy Directive. These questions are:

* R1: How has the EC defined adequate data protection laws for third countries and how has
it applied this definition to third countries thus far?
* R2: What does the Passenger Name Records dispute between the US and the EC show
about the Directive's third country requirements?
* R3: How might the European Court of Justice annulment of the Passenger Name Records
agreements potentially affect the Directive, especially its third country requirement?
This concluding chapter will constitute a summary of the issues, systematic answers to

these research questions, and some concluding remarks.

Summary of the Issues

Since passage of the 1995 European Commission Directive on the protection of personal

data, the European Union has required that governments and businesses of its Member States

may only transfer private data to a third country if that country assures an adequate level of data

privacy protection. As of the time of writing, the European Commission has granted national

adequacy rulings to Switzerland, Canada, Argentina, Guernsey, and Isle of Man. The

Commission has also worked with the United States to ensure that businesses can provide

adequate levels of protection for private data through the Safe Harbor program. Through these

agreements, the European Commission has consistently analyzed the laws of these nations in

order to determine if that nation provides an adequate level of protection.

A recent and controversial effect of the European Commission' s requirements that third

countries provide adequate levels of protection for private data has been the challenges to the

United States' post-9/11 laws requiring that commercial airlines provide U.S. Customs and

Border Protection with Passenger Name Record data. Although the Commission reached a PNR

See supra at note 112.










agreement with Australia in January 2004, that agreement met no controversy in Europe. In the

United States however, the amount of personal data in each PNR, obtained in an effort to combat

terrorism and aid law enforcement measures, has caused European concerns over both the uses

of the data and the security of transferring such data to the U. S. government.

At the time of the 2004 PNR agreement, the Commission and the U. S. government seemed

to have reached a satisfactory agreement to share this data, but the European Parliament

challenged this PNR agreement in the European Court of Justice. The ECJ then proceeded to

annul the agreement, stating that the Commission could not base its PNR agreements on the 1995

Data Directive because the Commission does not oversee national security and terrorism

activities. The European Commission, whose mission is to oversee the European common

economic market, had inappropriately used a directive focused on ensuring the protection of

private data in commercial activities to an agreement aimed at protecting private data used for

security purposes.

How Has the EC Defined Adequate Data Protection Laws for Third Countries and How
Has the EC Applied This Definition to Third Countries Thus Far?

Although the Data Directive never specifically defines "adequacy," an analysis of the

Directive provides a list of five elements of data protection that the European Commission

examines in determining adequacy:

* The lawfulness of the processing of personal data
* The special protection of sensitive data
* The rights of the data subj ects
* The security of the actual processing of data
* The existence of control and enforcement measures.2




2 See Alexander Zinser, International Data Transfer Out of the European Union: the adequate Level of Data
Protection according to article 25 of the European Data Directive. 21 J. MARSHALL J. COMPUTER & INFO. L. 547,
559 (2003).










Using this definition of adequacy, the European Commission has been fairly consistent in

determining whether or not a third country provides adequate levels of data privacy protection.

As discussed in Chapter 2, the Commission systematically studied the privacy laws of

Switzerland, Canada, Argentina, Guernsey, and Isle of Man. In each decision, the Commission

found that the laws of these nations adequately protect data privacy according to the Hyve-part

definition from the 1995 Data Privacy Directive.

In the case of the United States, the European Commission has sought to compromise in

order to continue trans-Atlantic commerce while protecting private data. In negotiating a Safe

Harbor agreement, the Commission found a way for U.S. businesses to meet the definition of

adequacy from the 1995 Data Directive and thereby to continue the practice of transferring data.

Apart from the Safe Harbor agreement, the European Commission has worked to negotiate an

agreement with the United States government to transfer the Passenger Name Records of all

travelers on flights landing in or leaving from the U.S. As with the Safe Harbor agreement, the

Commission has sought to apply the principles of adequacy in the 1995 Data Privacy Directive

and protect the transfer of data to a specific destination, the U. S. Department of Homeland

Security.

Overall, the European Commission has consistently used the 1995 Data Privacy Directive

as a legal framework for determining the adequacy of the handful of countries that have sought

adequacy determinations from the Commission. The consistent use of the adequacy definition

has created precedence for future adequacy determinations concerning the transfer of private data

to a third country government or business.









What Does the Passenger Name Records Dispute Between the US and the EC Show about
the Directive's Third Country Requirements?

The Court of Justice' s opinion in the PNR agreement seemed to refocus, for the European

Commission, the scope of the 1995 Data Directive to purely economic matters. In agreements

based on securing the protection of private data in business matters, the Commission has

consistently applied its definition of adequacy. With the PNR dispute, the European

Commission was forced to negotiate with the United States to provide "adequate" levels of data

privacy protection for the PNR data of European citizens. But, the Court of Justice ruled in the

PNR case, the Directive could not serve as a legal foundation for an agreement whose primary

focus is national security and combating terrorism.

Through the PNR cases, the Court of Justice that the Data Privacy Directive can only serve

as a legal foundation for protecting privacy in the common economic market. Although this

concept seemed clear from the Directive's creation in 1995 because it originated in the European

Commission-overseers of the European common economic market--the PNR case has served

as a tool for judging when an agreement falls outside of the common market. As discussed in

Chapter 3, the PNR agreements concerned the transfer of data from commercial airlines to the

Australian and U.S. governments. Because the agreements dealt with the commercial airlines,

the European Commission claimed that the underlying purpose of the PNR agreement with the

U.S. was to protect European citizens' private data in an economic setting (the commercial

airlines). Both the Advocate General of the Court of Justice and the European Court of Justice

itself disagreed with the Commission' s claim and instead found that the language of the

agreements clearly indicated that the primary purpose behind the PNR agreements was fighting

terrorism and crime.3


3 See supra at note 218.









The result of the PNR dispute is that only those agreements with the fundamental purpose

of protecting privacy in the common economic market can use the 1995 Data Privacy Directive

as a legal foundation. For matters such as the continuation of trans-Atlantic business covered by

the U.S.-EU Safe Harbor agreement, the Data Privacy Directive stands in full force, strengthened

through the adequacy decisions with multiple countries.

How Might the European Court of Justice Annulment of the Passenger Name Records
Agreements Potentially Affect the Directive, Especially Its Third Country Requirement?

The question remains as to how the PNR case may affect the use of the 1995 Data

Directive and how the European Union will seek to protect private data that falls outside the

scope of the Data Directive.

An analysis of the Advocate General's Opinion on the European Commission- U. S.

government, as well as a look at a 2004 Passenger Name Record agreement between the

Commission and Australia, provide important indicators as to how the Passenger Name Records

cases might affect the efficacy of the Data Directive to require third countries to provide

adequate levels of protection for private data.

The Advocate General's Opinion versus the European Court of Justice's Ruling

As discussed in Chapter 3, the European Court of Justice followed the opinion issued by

Advocate General Leger and annulled both the European Commission's decision on adequacy

and the Council of the European Union' s decision to form the Passenger Name Record

agreement with the U.S. government. The ECJ based its decision solely on the fact that the 1995

Data Directive was an inappropriate legal foundation for a law dealing with national security and

law enforcement. The Court failed to rule on the European Parliament' s other concerns, the

issues that the Advocate General addressed in his opinion. As discussed in Chapter 3, the

Parliament alleged that the 2004 PNR agreement infringed upon fundamental rights; that the










Council and Commission overstepped their legal authority in the agreement; and, that the PNR

agreement was overbroad.4 The Court' s failure to specifically address these issues leaves the

possibility that the Parliament could dispute future PNR agreements with these same unanswered

pleas.

The temporary Passenger Name Record Agreement between Europe and the U.S. from

October 2006 did not use the 1995 European Commission Data Directive as its legal foundation,

but instead based its foundation in the European Convention on Human Rights (ECHR) and its

requirement to protect private data as a human right.' The ECHR applies to all aspects of

European government including security and the economic market. If the European Parliament

challenged the 2006 or future PNR agreements, it would not be able to challenge the use of the

ECHR as the legal foundation for the new agreement because the ECHR covers privacy rights in

both the economic and national security domains.

In the October 2006 PNR agreement, the Commission and the Council held that the U.S.

provided adequate levels of data protection for the PNR data based on the 2004 Undertakings by

the Department of Homeland Security.6 In the Advocate General's Opinion on the 2004 PNR

agreements, he relied upon these same Undertakings to dismiss each of the Parliament' s pleas

related to infringement of the human right of privacy. According to precedence, the Court of

Justice would likely follow the Advocate General's reasoning and rule in favor of a PNR

agreement based on the legal foundation of the ECHR and the PNR system designed in the 2004

Undertakings. The expected July 2007 PNR agreement mandated by the October 2006



4 See supra at page 54.

SSee supra at note 236.

6 For an overview of the Undertakings, see supra at page 41.










temporary PNR agreement' will likely use the 2004 Undertakings as a foundation for

determining adequate levels of data privacy protection just as the previous PNR agreements have

done.

The Passenger Name Record controversy began as a question of determining the adequacy

of data privacy protection based on the 1995 Data Directive but the European Court of Justice' s

2004 ruling effectively changed the legal foundation for such agreements. Although the

European Commission is still the body charged with determining whether the laws of third

countries (the U.S. in this case) provide adequate protection for private data, the Commission can

only require that a third country meets the Data Privacy Directive's definition of adequacy in

cases based on promoting the common economic market. Without the legal framework of the

Data Directive in determining adequacy in the special cases of Passenger Name Records, the

question remains how the Commission will determine adequacy and if there will be consistent

application of such determinations in future PNR deals. If the Commission sticks to an

economic rational for agreements with third countries, the Commission can base the agreement

on the Data Privacy Directive and apply its definition of adequacy to the third country in the

agreement. If the Commission tries again to form a PNR agreement based on the Data Directive,

it is likely to fail because the fundamental purposes for obtaining Passenger Name Records are to

combat terrorism and fight crime.

Although the Passenger Name Record agreement between the EU and the U.S. has sparked

controversy since its inception, this PNR agreement is not the only one reached between Europe

and a third country. As discussed in Chapter 3, the European Commission also formed an





SSee supra at page 53.










agreement with the Australian government in 2004 to transfer PNR data to Australian Customs.

The details of the PNR system in Australia differ significantly from the U. S. system.

The Australian PNR Agreement versus the U.S. PNR agreement

Unlike the situation between the U.S. and the EU, neither governments nor private

organizations have challenged the European Commission's opinion on the adequacy of

Australia's PNR system. Being consistent to a national legal precedence of protecting the

privacy of personal data, the Australian government required specific procedures to ensure, in

the Commission's opinion, high levels of protection for the private data transferred in PNRs.

In the Article 29 Working Party'ss Opinion on the transfer of PNRs to Australia, the

Working Party noted that the Australian system of PNR retention "presents an important and

fundamental difference" compared to the US approach.9 For example, where the U.S.

Department of Homeland Security requires all PNR data to be processed and stored in separate

databases for a long amount of time, the Australian laws only require that the PNR data of .05%-

.1% of passengers be processed and stored in one database for a case specific very short period

of time. 1

Even though the EU-U. S. agreement and the EU-Australian are different in some ways, the

two documents are similar in two important ways. First, the scope of these agreements is

narrowly focused on the question of Passenger Name Records. Whereas Switzerland, Canada,

and the few other countries mentioned in Chapter 2 have received full status for providing



SAs explained in Chapter 2, the Article 29 Working Party consists of privacy commissioners from the Member
States. Among other responsibilities, the Working Party is charged with analyzing the laws of third countries and
reporting its findings to the European Commission. See supra at note 123.

9 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data
from airlines (10031/03/WP 85) at 7.
l Id.










adequate levels of protection for personal data at a national level, the PNR agreements focus only

on the question of adequacy in protecting PNR data.

The second, and perhaps most important, similarity between the Australian and U.S. PNR

agreements with the Commission is that both agreements cite national security and law

enforcement as the reasons for requiring the airlines to provide governments with the Passenger

Name Record information. Citing security and law enforcement as the reasons for the

agreements, both agreements use the 1995 European Commission Data Directive as their legal

foundation. As explained in Chapter 3, the European Court of Justice annulled the U.S.-

European PNR agreements of 2004 on grounds that the 1995 Data Directive cannot apply to

national security and law enforcement because those activities fall outside of the scope of

European Commission law. The annulment of the PNR agreement has forced the Commission

and the United States to base the new PNR agreement on the European Convention on Human

Rights. As Australia and the Commission review their 2004 agreement to transfer PNR data, in

mid 2007, the Commission might need to follow the lead of the October 2006 EU-U. S.

agreement and change the legal foundation for the agreement.

Just as there are similarities between the U.S. and Australian Passenger Name Records

agreements, there are also notable differences between them that help to understand why the U.S.

deal has drawn criticism from Europeans. One major difference is the issue of PNR data

retention. As discussed in Chapter 3, the U.S. system requires the retention of PNR data for a

minimum of three years and six months and grants the U. S. government the right to extend that

retention period by eight years. 12 The Australian PNR system mandates that PNR data be



"1 See supra at note 118.

12 See supra at page 56.










retained for only 24-48 hours after the flight, except in the cases of travelers accused or

convicted of breaking Australian customs laws. Even though the Advocate General ruled in the

U.S. case that these practices were legal, lengthy periods of data retention and an open book to

transfer the personal data in Passenger Name Records has caused concern among European

citizens.

Another difference between the two agreements is the question of transferring PNR data to

other foreign governments. The U.S. PNR system specifically permits Customs and Border

Protection to transfer PNR data to other U.S. government agencies, or to foreign countries, in

order to combat terrorism and fight international crime. The Australian agreement permits

Customs to transfer a small amount of PNR data to other Australian government agencies, but

there is no provision for passing this data to foreign governments. 13

The fact that Australian PNR system contains a higher level of data privacy protection than

the U.S. system might explain why the U.S. PNR agreement has drawn controversy while the

Australian PNR agreement has met no documented opposition. Following the Advocate

General's 2004 Opinion though, both the U.S. and Australian agreements would likely stand as

long as they choose a different legal framework from the Data Directive.

Resolving the Current PNR Agreement

The October 2006 temporary Passenger Name Records agreement between the U.S. and

the European Commission set a July 2007 date for forging a new PNR agreement. As previously

discussed, this agreement will likely use the 2004 Department of Homeland Security

Undertakings analyzed in Chapter 3 and Article 8(2) of the European Convention on Human





13 See supra at note 138.










Rights as legal framework for the deal.14 Taking into consideration the competing needs of

Fighting international crime and protecting private data, the following discussion lays a

framework for a deal that, in the opinion of this author, what would constitute the appropriate

accommodations between U.S. and European interests in the PNR agreement.

Components of a PNR Agreement with Appropriate Accommodations for Europe

For the Europeans, appropriate accommodations would include the guarantees in place

from the 2004 Undertakings that the U.S. PNR system meet Data Privacy Directive's definition

of adequacy. 1 The European Commission, the Council of the European Union, and the

Advocate General of the Court of Justice have all judged the Undertakings to provide an

adequate level of private data protection.

Through the Undertakings, the Department of Homeland Security promises that the data

will be used only for combating terrorism and for law enforcement purposes. The DHS also

promises that "sensitive" data, such as racial background and religious/philosophical

background, will not be transferred from the airlines to the Customs and Border Protection. The

DHS Undertakings also permit individuals, whether U. S. citizen or not, to request their own PNR

Hiles and to correct any wrong information therein. As discussed in Chapter 3, the Undertakings

contain a provision wherein the DHS can deny an individual's request to access his or her PNR

file; 16 however, the DHS said that such a denial would be rare. To appropriately accommodate

European interests, a PNR agreement with the U.S. would also grant the individual whose



14 See supra at note 236.

1s As discussed throughout this thesis, the Data Privacy Directive focuses on five key elements in determining
adequacy: the lawfulness of the processing of data; special protection of sensitive data; rights of the data subject;
security of the actual processing of data; and, the existence of control and enforcement measures. See supra at note
260.

16 See supra at note 180.










request for access to his or her PNR data has been denied an avenue for petition, whether that be

through the Chief Privacy Officer at the Department of Homeland Security or through the

European Commission. The guarantee of an avenue of redress for Europeans would help to ease

European concerns over the rights of data subj ects and the existence of enforcement and control

measures under the U.S. PNR agreement.

Continuing the question of appropriate accommodations for Europe, the DHS promises in

the Undertakings that PNR transfers will occur under secure circumstances, meaning that the

DHS will use technology to protect the processing of PNR data. If followed through, this will

this satisfy the adequacy component of securing the data processing.

To ensure appropriate accommodations for European interests, the Undertakings, as well

as the 2004 and 2006 PNR agreements, mandate that the U.S. and the European Commission

perform annual reviews of the PNR program. The Undertakings and PNR agreements also allow

for the agreements to be void at any moment if the Commission discovers U. S. abuses of PNR

data.

The final appropriate accommodation for European interests is a promise found in the 2004

and 2006 PNR agreements that says the U.S. will not hinder any PNR data from transfer to

Europe if the European government were to pass a PNR law as well. This guarantee of

reciprocity would help to accommodate European interests in a PNR agreement.

Components of a PNR Agreement with Appropriate Accommodations for the U.S.

For a PNR agreement to satisfy U.S. interests, there are several accommodations that

should be guaranteed. As outlined in the 2004 Undertakings and as agreed to by the

Commission, the Council, and the Advocate General, the U.S. should be allowed to keep the

PNR data of high-risk passengers for over 1 1 years. This will allow the U.S. to access the









valuable private data in PNRs throughout the course of potentially lengthy terrorism and crime

investigations.

To appropriately accommodate U.S. interests, a PNR agreement should also continue to

allow the Customs and Border Protection the authority to transfer PNR data to both domestic and

foreign government agencies, as outlined in the 2004 Undertakings. This accommodation should

enable the U.S. to enlist the aid of other governments in combating terrorism and international

crime. In addition to the authority to transfer PNR data to other areas of government, the PNR

agreement should also grant the U.S. the accommodations of continued European participation in

PNR sharing and the right of the DHS to deny a request for an individual's PNR data if granting

the request would hinder a law enforcement operation, accommodations already part of the 2004

Undertakings.

This proposed list of appropriate accommodations for both European and U.S. interests

would create a PNR deal that could satisfy both sides of the Atlantic.

Resolving Future PNR Agreements and Decisions on Adequacy

In the Advocate General's Opinion on the 2004 PNR agreement, he reasoned that although

the Passenger Name Record agreements infringe upon the right to personal data privacy, the

need to use the PNR data to combat terrorism made the infringement legal. Following the

Opinion of the Advocate General, it is likely that the European Court of Justice would rule in

favor of the Commission and the Council of the European Union if the European Parliament

were to allege that the PNR agreement infringes on the right to personal privacy.

The Commission will continue to use the 1995 European Commission Data Directive as a

legal framework for adequacy determinations focused on a third country's privacy protections.

If more countries follow the European model for protecting privacy and seek to have an

adequacy determination from the Commission, as Canada and Argentina have done,










precedence" shows that the Commission will examine that country's privacy laws in comparison

to the definition of adequacy in the Data Directive. What remains to be seen is a case where the

European Commission determines that a country or business does not provide adequate

protection for private data and is unable to reach a compromise as it has done with the United

States.

As discussed previously, scholar Kevin Bloss noted that if the European Commission were

unable to reach a deal with a third country on the transfer of private data, a third country could

bring a challenge to the Data Directive before the World Trade Organization. I Under the

General Agreement on Tariffs and Trade (GATT) rules, a third country could ask the WTO to

mediate between the third country and the European Union. 19 This scenario is plausible and

would likely hinge on how much the European Union and the third country in the dispute would

have demonstrated a willingness to work with governments and businesses to ensure both

continued data transfers and the protection of private data.

Conclusion

With the creation of the 1995 Data Privacy Directive, the European Union sought to unify

the data protection laws of its Member States and to ensure an adequate level of data privacy

protection in all European data transfers. Since its passage, a handful of nations have followed

Europe's lead and have been granted the status of countries that adequately protect private data.

The European Commission has been consistent in applying the Data Privacy Directive's

definition of adequacy to deal with third countries so far. The Commission has also shown its


'7 In this case, the precedence being that the European Commission has consistently applied the definition of
adequacy in its third country assessments thus far. See Chapter 2.
18Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN. J.
GLOBAL TRADE 645 (2000).
19 Id. at 655.









willingness to work with the Australian government on a PNR agreement and the U.S.

government on the Safe Harbor and PNR agreements.

Thus far, the biggest challenges to the European Data Privacy Directive have come from

negotiating the protection of private data with the United States government and U.S. businesses.

The cases of the Safe Harbor and the Passenger Name Records have shown how the scope of the

Directive is limited to protecting private data in matters concerning the European common

economic market. The PNR cases have also revealed how the European Commission is willing

to balance the protection of Europeans' individual privacy with the Australian and U. S. needs to

combat terrorism and fight international crime. Although the controversy over the European-

U.S. PNR case continues and Europeans citizens continue to feel threatened by the U.S.

government' s use of their private data in Passenger Name Records,20 the PNR dispute has shown

that Europe is willing to negotiate with third countries in an effort to protect the uses and

transfers of European citizens' private data in PNR programs designed to combat terrorism. The

challenge for Europe is how it is going to balance its commitment to privacy with the fight

against terrorism.

It is possible that in the current situation where terrorism is a global concern, more third

countries will enact legislation requiring the transfer of Passenger Name Records to that

country's government. If this is the case, it is likely that the European Commission will seek to

negotiate a PNR agreement with that nation in an effort to protect the privacy of Europeans'

private data. It is also probable that, with time, more nations will enact other legislation

protecting the distribution of personal information between businesses and governments that will

require negotiations with the European Commission due to the Data Privacy Directive's third


20 See supra at note 47.










country requirement. As of the time of this thesis in June 2007, the European Commission has

not announced any inquiries into either the Passenger Name Records or national privacy laws of

any third countries.

Despite the continued development of international agreements and European case law

surrounding the 1995 Data Directive, another challenge to the effectiveness of the Directive is

perhaps its enforcement inside Europe. The Directive only functions as it should when the

individual EU Member States, and the businesses in them, discover that a third country or a

business in a third country does not maintain adequate levels of data privacy protection and then

lodges a complaint. Unless a Member State or European business goes through this process, or a

third country voluntarily seeks a Commission study on that country's level of protection for

private data, the Directive fails to ensure that the private data of European citizens is adequately

protected by third country governments and businesses. The challenge of trying to ensure that all

data transfers are secure from a EU Member State to a third country is daunting.

A dual challenge to the effectiveness of the Data Privacy Directive is the practical question

of whether or not the governments and businesses of the Member States themselves protect the

data of European citizens. The European Commission has previously studied the

implementation of the Data Privacy Directive into the individual Member States in an effort to

see how they were doing at protecting Europeans' private data.21 As explained in Chapter 1,

Directives are enacted at the European Union level, then adapted into the laws of the individual

Member States by a given date. 22 The subj ect of how each Member State has specifically

implemented the provisions of the Data Privacy Directive merits a comprehensive study of its


21 See European Commission's Status of implementation of Directive 95 46 at Freedom, Security, and Justice
web site, available at http://ec.europa. eu/justice_home/fsj /privacy/law/implementation~en. htm.
22See supra at note 7.









own and should be the subj ect of future research. Understanding how the Member States are

protecting data privacy within may shed light on the practicality of enforcing the Data Directive

in third countries as well.

Further research should focus on several important questions surrounding the 1995 Data

Privacy Directive. As mentioned above, research should explore the issue of the implementation

of the Data Privacy Directive into the individual Member States. Further research should also

address the difficult question of why so few of Europe' s trade partners have sought an adequacy

ruling or been the subj ect of a privacy concern by European citizens. Further research should

also focus on how the U.S. is actually using the PNR data and if it is following the principles set

forth in the 2004 Undertakings of the PNR system. Additionally, further research should attempt

to find out what nations other than the United States and Australia are doing with Passenger

Name Records. These important research subj ects fell outside of the scope of this thesis, yet

they must be addressed in order to continue to understand the effectiveness of the 1995 Data

Privacy Directive.









REFERENCE LIST


Agreement between the European Community and the United States of America on the
processing and transfer of PNR data by air carriers to the United States Department of
Homeland Security, Bureau of Customs and Border Protection, signed in Washington on
28.5.2004 at 4. 2004 O.J. (L 183) 83.

Agreement between the European Union and the United States of America on the processing and
transfer of passenger name record (PNR) data by air carriers to the United States
Department of Homeland Security, 2006 O.J. (L 298) 29.

Aviation and Transportation Security Act of 2001, Pub. L. No. 107--71, 115 Stat. 597.

Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European
Information Privacy Network, 26 MICH J. INT'L L. 807 (2005).

Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data
Privacy, 9 MINN. J. GLOBAL, TRADE 645 (2000).

Border Security Legislation Amendment (Terrorism) Act, 2002, c. 64 (Austl.).

David A. Castor, Note: Tread'ing Water in the Data Privacy Age: An Analysis of Safe H~arbor 's
First Year. 12 IND. INT'L & CO1VP. L. REV. 265; 2002.

Commission Decision, 2000/520/EC, 2000 0.J. (L 215) 7.

Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3.

Commission Decision 2003/821/EC, 2003 O.J. (L 308). 5

Commission Decision 2004/411/EC, 2004 OJ (L 151).

Commission Directive 95/46/EC, Directive of the European Parliament~~PPP~~~PP~~~PP and' of the Council of 24
October 1995 on the protection of individuals nI ithr regard' to the processing of personal
data and' on the fr~ee movement of such data, 1995 O.J. (L 28 1).

Commonwealth Privacy Act, 1988, c. 118 (Austl.).

Council Decision of 17 May 2004 on the conclusion of an agreement between the European
Community and the United States of America on the processing and transfer of PNR data
by Air Carriers to the United States Department of Homeland Security, Bureau of
Customs and Border Protection (2004/496/EC).

Council Decision on the signing of an Agreement between the EU and the US on the processing
and transfer of passenger name record (PNR) data by air carriers to the US Dept. of
Homeland Security, 2006 O.J. (L 298) 27.










European Commission's Status ofimplementation of Directive 95/46 at Freedom, Security, and
Justice website, accessed March 14, 2006, available at
http ://ec.europa.eu/justice~home/fsj/privacy/awipentioenhm

Griswold v. Connecticut 381 U. S. 479, 483 (1965).

How does the EU work? The decision-making triangle, accessed June 12, 2007, available at
http:.//europa.eu/abc/1 21essons/lesson_4/index_en.htm.

Joined Cases C-3 17/04 & C-3 18/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union,
2006 May 30, accessed July 31, 2007 available at
http://ec. europa.eu/justice~home/fsj/privacy .

Letter from Frits Bolkenstein, Member of European Commission, to Tom Ridge, Director of
Homeland Security (Dec. 18, 2003), March 14, 2006, available at
http://ec. europa.eu/justice~home/fsj/privacy .

Office of the Privacy Commissioner of Canada website accessed March 14, 2006, available at
http:.//www.privcom.gc. ca/aboutUs/index_e.asp.

Opinion of Advocate General [English translation], delivered to the European Court of Justice on
22 November 2005, July 31, 2007, available at http://curia.eu.int.

Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger
Name Record data from airlines (10031/03/WP 85).

Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air
Passengers to Be Transferred to the United States' Bureau of Customs and Border
Protection (10019/04/WP 87).

Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights
between the European Union and the United States of America (Sep. 30, 2004).

Privacy Act of 1974, 5 U.S.C. ( 552a.

Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law/
Symposium: E-Commerce and Trans-Atlt~lt~ltlanltltict~ Privacy. 38 HOUS. L. REV. 717 (2001).

Paul Schwartz, Data Protection Law/ and the European Union 's Directive: the Challenge for the
United States: European Data Protection Law/ and Restrictions on International Data
Flows. 80 IOWAL. REV. 471 (1995).

The 2005 CIA World Factbook, accessed March 14, 2006, available at http://ww.cia.gov.

The Personal Data Protection Act No. 25.326 of 4 October 2000 (Arg.).

Treaty Establishing the European Community, art. 249, accessed March 14, 2006, available at
http:.//eur-lex.europa. eu/en/index.htm.










Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger
Name Record Data, 69 Fed. Reg. 41,543, 41,547 (July 9, 2004).

U.S. CONST. amend. IV.

U.S. Dept. of Commerce website, accessed March 14, 2006,
http://www.export.gov/safeHarbor/index.ht.

Alexander Zinser; European Data Protection Directive: the Determination of the Adequacy
Requirement in International Data Transfers. 6 TUL. J. TECH. & INTELL. PROP. 171
(2004).

Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level
ofData Protection According to Article 25 of the European Data Directive. 21 J.
MARSHALL J. COMPUTER & INFO. L. 547, (2003).









BIOGRAPHICAL SKETCH

Jonathan Mason received a Bachelor of Arts in communications from Brigham Young

University in 2005. Following his undergraduate education, he entered the College of

Journalism and Communications at the University of Florida in the media law program, studying

with Dr. Bill Chamberlin. During his undergraduate studies, Jonathan spent 2 years in France

and western Switzerland as missionary, where he gained great interest in European culture,

history, and politics.





PAGE 1

1 THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PR IVACY DIRECTIVE ON THIRD COUNTRIES AND THE PASSENGE R NAME RECORD CONTROVERSY By JONATHAN D. MASON A THESIS PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLOR IDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF ARTS IN MASS COMMUNICATION UNIVERSITY OF FLORIDA 2007

PAGE 2

2 2007 Jonathan D. Mason

PAGE 3

3 To my wife, Erin; and to my son, Sam. They make all of this worth doing.

PAGE 4

4 ACKNOWLEDGMENTS I would like to thank my committee members fo r their contributions. Special thanks goes to Dr. Bill Chamberlin for his time and mentoring. I would especially like to thank my wife, Erin, for her incredible patience and love.

PAGE 5

5 TABLE OF CONTENTS page ACKNOWLEDGMENTS...............................................................................................................4 ABSTRACT....................................................................................................................... ..............7 CHAPTER 1 INTRODUCTION................................................................................................................... .9 Private Data in the Digital Age................................................................................................ .9 Third Countries and the Data Directive...........................................................................11 Passenger Name Records................................................................................................13 Purpose of Thesis.............................................................................................................. ......15 Review of Literature........................................................................................................... ....15 Research Questions............................................................................................................. ....22 Research Methods............................................................................................................... ....22 Conclusion..................................................................................................................... .........22 2 OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON THIRD COUNTRIES.............................................................................................................24 Purposes of the Data Directive...............................................................................................24 Key Provisions for Third Countri es in the Data Directive.....................................................25 Third Countries and the Data Directive Re quirement for Adequate Levels of Data Privacy Protection............................................................................................................. ..29 Switzerland.................................................................................................................... ..29 Canada......................................................................................................................... ....31 Argentina...................................................................................................................... ...32 Guernsey....................................................................................................................... ...34 Isle of Man.................................................................................................................... ...35 United States Safe Harbor............................................................................................36 Conclusion..................................................................................................................... .........37 3 THE PASSENGER NAME RE CORDS CONTROVERSY..................................................41 The Australian Passenger Name Record Agreement..............................................................42 The United States Passenger Name Records Agreement.......................................................46 The Opinion of the Advocate General and the European Court of Justice Decision on the PNR Case..........................................................................................................55 The Opinion of the Advocate General versus the Court of Justices Holding in the Passenger Name Record Case......................................................................................62 Plea: the PNR agreement represented an infringement of fundamental rights........63 Plea: the Commission and Council went be yond their authority in creating the U.S. PNR agreement.............................................................................................64 Plea: the U.S. PNR agreement was overbroad.........................................................66

PAGE 6

6 Summary of the Advocate Genera ls Opinion on the PNR case.....................................66 Conclusion..................................................................................................................... .........67 4 CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE.................68 Summary of the Issues.......................................................................................................... ..68 How Has the EC Defined Adequate Data Protection Laws for Third Countries and How Has the EC Applied This Defin ition to Third Countries Thus Far?...................69 What Does the Passenger Name Records Dispute Between the US and the EC Show about the Directives Third Country Requirements?.........................................71 How Might the European Court of Jus tice Annulment of the Passenger Name Records Agreements Potentially Affect the Directive, Especially Its Third Country Requirement?.................................................................................................72 The Advocate Generals Opinion versus th e European Court of Justices Ruling.........72 The Australian PNR Agreement versus the U.S. PNR agreement..................................75 Resolving the Current PNR Agreement.................................................................................77 Components of a PNR Agreement with A ppropriate Accommodations for Europe......78 Components of a PNR Agreement with A ppropriate Accommodations for the U.S......79 Resolving Future PNR Agreements and Decisions on Adequacy..........................................80 Conclusion..................................................................................................................... .........81 REFERENCE LIST................................................................................................................. ......85 BIOGRAPHICAL SKETCH.........................................................................................................88

PAGE 7

7 Abstract of Thesis Presen ted to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Master of Arts in Mass Communication THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PR IVACY DIRECTIVE ON THIRD COUNTRIES AND THE PASSENGE R NAME RECORD CONTROVERSY By Jonathan D. Mason August 2007 Chair: William F. Chamberlin Major: Mass Communication In an age when governments and businesses transf er personal data of individuals over the Internet, the U.S. and the European Union have tr ied to protect such data in different ways. Whereas the U.S. has sought to protect specific ty pes of private data (such as health records and financial data), the European Union passed the 1 995 Data Privacy Directive as a way to protect all private data. In the 1995 Data Directive, the European Un ion sought to protect the private data of European citizens within Europe and without. The Data Directive mandates that non-European Union countries must have adequate levels of data protection if th ey are to transfer private data in or out of Europe. The EU has allowed a handful of nations to transfer private data because the E.U. deemed their laws adequate in protecting private data. The challenge to the E.U. has been trying to work out the protection of private data with the U.S. An important area of contention over tran sferring private data has been the U.S. requirement since late 2001 that all airline carriers arriving or departing from the U.S. must provide the U.S. government with Passenger Name Records, a packet of data collected by the airlines that contains private da ta such contact information and financial information. The U.S.

PAGE 8

8 requires this information in order to screen passengers for security threats. In 2004, the U.S. and the EU had reached an agreement to transfer this data, but the European Court of Justice annulled this agreement and said that the EU could not use the 1995 Data Directive as a foundation for such an agreement. The Court of Justice gave the two sides until July 2007 to reach a new agreement. An agreement meeting th e needs of both sides would protect the privacy of airline passengers while providing the U.S. w ith the data needed to combat terrorism and protect national security.

PAGE 9

9 CHAPTER 1 INTRODUCTION Private Data in the Digital Age With the arrival of the digital age, more a nd more consumers across the world rely on the Internet for day-to-day services and business transactions. As increasing numbers of consumers follow this trend, more and more commercial es tablishments conduct bus iness on-line. When customers do business either on-lin e or by traditional means, they usually must provide personal information such as addresses, phone numbers, So cial Security numbers, health records, birth dates, and financial information that is then used by the business to complete the transaction requested by the costumer. The use of the info rmation increasingly includ es the transferring of data over the Internet betw een businesses, government bodi es, and other organizations.1 With growing amounts of internationa l business and law enforcement conducted on-line, private data often crosses national borders in the transfer process. This cross-border data flow creates a significant challenge in part because countries have adopted different laws and regulations for the protection of personal data. Specifically, the United States and the European Union, th e two largest economies in the world,2 differ significantly in their resp ective approaches to data privacy pr otection. The United States tends to address privacy concerns by enacting narrow, sect oral laws protecting on ly specific types of 1 An example of data transferred across borders and between organizations occurs when an individual flies on an airline and provides his or her personal information as part of the ticketing process (including, but not limited to name, address, phone number, birth date, Social Security number, passport info rmation, etc.), that information is then transferred to the Bureau of Customs and Border Pa trol through the U.S. Department of Homeland Security. This is the case in the U.S. since the post-9/11 passage of the Aviation and Transportation Security Act of 2001 Pub. L. No. 107--71, 115 Stat. 597. Under this law, airlines landing in the U.S. are required to provide the private information of their passengers to the U.S. customs as part of the ongoing war on terror. See also the Electronic Privacy Information Center website at http ://www.epic.org/privacy/intl/passenger_data.html 2 The European Unions 2005 GDP was $11,650,000,000, second only to the United States whos 2005 GDP was $11,750,000,000. 2005 CIA World Factbook, available at http://ww.cia.gov. Last visited on April 20, 2006.

PAGE 10

10 private data.3 The Fourth Amendment of the U.S. Constitu tion grants a right of the people to be secure in their persons, houses, papers, and e ffects against unreasonable searches and seizures.4 This amendment directly applies to physical intrus ions of privacy, but only indirectly ensures the intangible aspects of privacy such as the right to keep personal information private.5 On the other hand, the European Union (EU) and its Member States6 consider the concept of data privacy as a fundamental human right and enact broad, gene ral legislation aimed at ensuring the legal protection of citizens personal data in government and in business. Due to technology that allows organizations to transfer massive amounts of private data via the Internet, the European Commission (EC) issued, in 1995, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, commonly referred to as the European Union Protection of Data Privacy Directive7 (hereafter referred to as the Data Pr ivacy Directive or the Directive).8 3 An example is the Privacy Act of 197 4, 5 U.S.C. 552a that set laws limiting how the U.S. federal government can use personal data such as tax information. The Privacy Act did not, however, provide general privacy laws for businesses. 4 U.S. CONST. amend. IV. 5 The U.S. Supreme Court has also recognized that the First Amendment has a penumbra where privacy is protected from governmental intrusion. Griswold v. Connecticut 381 U.S. 479, 483(1965). 6 At the time of this thesis composition in early 2007, 25 nations belong to the European Union: Austria, Belgium, Cyprus, Czech Republic, Denmark, Esto nia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia Slovenia, Spain, Sweden, the Netherlands, and the United Kingdom. Candidate nations vying to join the EU include the nations of Bulgaria, Croatia, Former Yugoslav Republic of Macedonia, Romania, and Turkey. See European Union Member States website at http://europa.eu.int/abc/governments/index_en.htm#members 7 In European Union law, a directive issued by the European Commission is binding on the individual Member States, requiring that each nation in the union must implem ent the policies in the directive into its respective laws. See Treaty Establishing the European Community art. 249, available at http://europa.eu.int/eurlex/en/treaties/dat/ecconstreaty&us. 8 Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1995 O.J. (L 281).

PAGE 11

11 The fundamental purpose of the Data Privacy Dir ective was to unify the data privacy protection laws of the individual Eur opean Union Member States.9 Third Countries and the Data Directive Among the most debated and the most contr oversial portions of the Directive in nonEuropean nations is Chapter IV, Ar ticle 25(1), which requires that The Member States shall provide th at the transfer to a third country10 of personal data which are undergoing processing or are intended for processi ng after transfer may take place only if the third country in ques tion ensures an adequate level of protection.11 In other words, as a condition to transferri ng private data, the Data Privacy Directive indirectly requires non-European Union nations, or third countries, to protect private data according to the levels of protection outlined for the Unions own Member States in the Directive. Any business transferring private data between an organization in a EU Member State and an organization in a third country may only do so if the third country provides adequate protections governing the transfers of private data. Because of the great amounts of data transfers required for international business and b ecause of Europes economic importance in the world economy, this section of the Directive coul d potentially impact the laws of every nation. In order to determine if a nation meets the adequate level of protection requirement, the Directive empowers the EC to officially approv e the free flow of data between a EU Member State and a third country. Artic le 25(6) of the Directive authorizes the EC to consider a 9 The term Member States refers to the individual nations comprising the European Union. 10 The term third country refers to a nation or state that does not belong to the European Union. 11 Commission Directive 95/46/EC, art. 25(1), 1995 O.J. (L 281)

PAGE 12

12 recommendation made by the data authorities of the Member States and to act on such a recommendation or not.12 Since the implementation of Directive 95/ 46/EC, the European Commission (EC) has judged the data privacy laws of several nations as adequate in protectin g private data and has officially reported that EU busines ses may transfer private data w ith businesses in these nations. The nations thus far approved include Sw itzerland, Canada, Argentina, Guernsey,13 Isle of Man.14 To a certain extent, the EC has granted th e U.S. approved status through what is called the Safe Harbor agreement15 and through the agreement to al low the transfer of airline passenger data.16 In the case of each of these nati ons, the European Commission studied the laws of the nation applying for approval and judged that the nation provided adequate levels of protection for private data, there by enabling the EC to give Eur opean businesses the green light to deal with busine sses in these nations. 12 Id. at art. 25(6). Upon a recommendation of the Working Party (Article 29), comprised of data authorities from the Member States, the Article 31 Management Team deliver s the opinion of the majority of the authorities and the EC report goes to the European Parliament. The Parliament then has 30 days to judge whether or not the EC has acted within its authority and to make recommendations if needed. After this period, the third country can gain approved status. See Commission decisions on the adequacy of the protection of personal data in third countries, available at http://europa.eu.int/comm/justice_home/fsj/privacy/thridcountries/index_en.htm. 13 The Bailiwick of Guernsey, located in the Channel Isla nds (population 61,000), is a protectorate of the United Kingdom. This island gleans roughly 55% of its income from banking and insurance, providing motivation to gain approval status from the EC on transferring private data. Information obtained from Guernsey government website. available at http://www.gov.gg. 14 The Isle of Man is a small (population 73,600) protectorate of the UK located in the Irish Sea. Forty-five percent of the Isles economy comes from offshore banking. The Isle also boasts offering incentives to high-technology companies and financial institutions to locate on the island has paid off. The nature of the Isles economy meant that the Isle could benefit from an approval on data tr ansfers from the EC and the Is le now enjoys free access to European Union markets. Information obtained from an Isle of Man website available at http://www.isleofman.com/ and http://www.gov.im. 15 Information obtained from European Union website. Last visited March 14, 2006. http://europa.eu.int/comm/justice_home/fs j/privacy/thridcount ries/index_en.htm. 16 Id.

PAGE 13

13 The Directive has been criticized for failing to specify the definition of an adequate level of protection and the exact process a third coun try needs to receive approval from the European Commission. Scholars have attempted to define adequacy and to document the requirements for EC approval, but none have focused on analyzi ng the laws of nations that have already been approved and comparing them to the Directives language. Such an analysis is important in understanding how the Commission itself has used the Directive to ensure data privacy when transferring data to third countries. Since 1995, the Commission has used the third country adequacy requirement from the Directive as a tool in negotiating with third countries for protecting the transfer an d use of private data; however, the Commissions efforts to enforce the Directives requirements for adequate levels of protection of privat e data has met some challenges along the way. Passenger Name Records A key challenge to the enforcement of the Data Directive involves the United States and its use of the private information found in airline passengers Passenger Name Records (PNRs). PNRs contain passenger information collected by commercial airlines including names, addresses, phone numbers, travel itineraries, numbers of luggage items used in travel, travel agency or reservation data, cr edit card information, dietary information, passport numbers, and social security card information.17 Air carriers collect this data and are required to pass it along 17 The categories of informati on contained in PNRs include: PNR record locator code, date of reservation, date of intended travel, name, other names on PNR, address, forms of payment information, billing address, contact telephone numbers, travel itinerary for the specific PNR, frequent flyer information, travel agency information, travel agent name, code share PNR information, travel st atus of passenger, split/divided PNR information, e-mail address, ticketing field information, general remarks, seat number, ticket number, date of ticket issuance, no show history, bag tag numbers, no show information, other supplementary information, special service information, received from information, historical ch anges to the PNR, other travelers on PNR, seat information, one-way ticket information, advance passenger information, and any other field of information the airline might include. See Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543, 41,547 (July 9, 2004).

PAGE 14

14 to the Department of Homeland Security (DHS ) for all passengers on transnational flights.18 The DHS collects this information as a way of comba ting transnational crimes and terrorism, but in 200319 the EC took issue with the us e of European citizens PNRs. The EC based its concerns on the third country ade quacy requirements in the Data Directive. Since 2003, the European Commi ssions Directorate for Justic e, Freedom, and Security and the U.S. government have negotiated the use of Passenger Name Records by the U.S. Department Homeland Security and the programs legality under European law. During this period, the two sides have made a number of agreem ents to allow the use of PNRs under certain conditions, and the latest agreem ent was reached in October 2006.20 The multi-year discourse between the EU and the US provide s excellent insight into the enforcement process that the EC will use to ensure that the principles of the Data Directive are followed domestically and in third countries. Despite the numerous agreements on the use of PNRs, on May 30, 2006, the European Court of Justice (ECJ) annu lled two 2004 agreements reached between the European Commission, the Council of the European Union and the U.S. government on the transfer of PNRs to the Department of Homeland Security. In its ruling, the ECJ annulled these agreements on the grounds that the enforcement of the use of PNRs falls outside the scope of the Data Directive because it involves processing operati ons concerning public security, defence, State 18 For basic information on PNRs, visit the Department of Homeland Security website, Frequently Asked Questions section, available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_faq_pnr_cbp.pdf. 19 See Letter from Frits Bolkenstein, Member of European Commission, to Tom Ridge, Director of Homeland Security (Dec. 18, 2003), available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/2003-12-18letter-bolkestein_en.pdf. 20 See Agreement between the Euro pean Union and the United States of Amer ica on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, 2006 O.J. (L 298/29).

PAGE 15

15 security and the activities of the State in areas of criminal law.21 Under European law, the European Commission, where the Data Directiv e originated, concerns the marketplace and commerce, not criminal law or national security. The EC/DHS agreements used national security and fighting transnational crime as the primary foundation for transferring PNRs, yet the European Court of Justice ruled that this founda tion fell out of the scope of the Data Directive and of the Commissions authority. The Court of Justices opinion and its effect on the most recent agreement on the transfer of PNRs between the EC and the DHS, raise impo rtant legal questions ab out the Data Directive yet to be answered. The ECJs decision calls into question the scope of the Data Directive22 and may prove influential in the future enfor cement of the Directive in third countries. Purpose of Thesis The purposes of this thesis are to 1) analyze Data Directive 95/46/EC and its requirements for data protection in third c ountries; 2) analyze how the Eur opean Commission has actually applied the adequacy requirement to third countr ies; 3) analyze the ongoing dispute between the United States Department of Homeland Security and the European Commission concerning the transfer of Passenger Name Reco rds from airline carriers to th e DHS, including an analysis of the annulment by the European Court of Justice of previous EC/DHS agreements; and, 4) to examine how the European Court of Justic e decision, and the Passenger Name Record agreements, might affect the scope and the enfo rcement of the Data Directive in the future. Review of Literature Most of the legal research surrounding the Data Directive 95/46/EC has focused on the potential effects of the Directive on business wi th the U.S., on comparisons between the U.S. 21 Joined Cases C-317/04 and C-318/04, Eur. Parl. v. Eur. Commn and Council on Eur. Union, 2006 OJ (C 178) 2. 22 See infra at page 46.

PAGE 16

16 laws and EU data privacy protection laws,23 and analyses of the Safe Harbor24 agreement between the U.S. Department of Commerce and the EU.25 The literature does an excellent job of discussing some of the issues and problems rais ed by the EU Data Directive. The extant literature lays an important groundwork for the purposes of this thesis. Alexander Zinser, a technol ogy lawyer in Switzerland,26 discussed the Directives five critical aspects of data privacy protection that could be used as criteria in approving data transfers to third countries in his 2003 article in the John Marshall Journal of Computer and Information Law .27 Zinser argued that the Directive does not specifica lly say whether the level of protection in the EU laws28 or in the Member State laws29 is most applicable. This question of which level of protection to us e (the EU or the Member States) arises from the nature of directives and how Member States could conceiva bly adopt stricter standa rds for data protection than the EC did for Europe as a whole. 23 See 23 COMP. LAB. L. & POL'Y J. 251 (2002). This issue contained comp arative articles focusing on some of the issues surrounding U.S. and EU data protection law, incl uding a focus on how the Dire ctive and U.S. laws vary concerning data privacy in e-commerce. 24 See infra pp.24-26. 25 See David A. Castor, Note: Treading Water in the Data Privacy Age: An Analysis of Safe Harbors First Year 12 IND. INT'L & COMP. L. REV. 265 (2002). This article contains a helpful and insightful analysis of the Safe Harbor agreement between the U.S. Department of Commerce and the Euro pean Commission. Castor examines some of the changes U.S. businesses have made to be in accordance with Safe Harbor as well as looking at some of the potential difficulties in enforcing the agreement in the U.S. 26 Alexander Zinser, International Data Transfer Out of the European Union: the Ad equate Level of Data Protection According to Article 25 of the European Data Directive 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003). 27 Id. at 549-553. 28 Id. at 557. 29 Id. at 565.

PAGE 17

17 In another article by Zi nser, appearing in the Tulane Journal of Tec hnology & Intellectual Property (Spring 2004),30 he asserted that Article 25, which re quires that data transfers to third countries occur only with adequate levels of data protection, empowers the European Commission and EU Member States to judge the third countrys leve l of data protection but fails to specify how these government s would physically or technologica lly intervene to restrict the actual transfer of data to a country that does not meet the levels of adequacy.31 He posited that perhaps telecom operators would be aske d to intervene and block any transfer.32 Zinser also pointed out that the Directive ne ver explicitly lays out a way that either a Member State or the EU will even be aware of a data transfer to an unsecure country.33 If the EU or the Member States are not aware of non-secu red data transfers to th ird countries, then the Data Directive could prove ineffective in prot ecting trans-national transfers of Europeans private data. In an article written shortly af ter the passage of the Data Di rective in 1995, Paul Schwartz, law professor at the University of Arkansas, Fayetteville, illustrate d some of the important issues raised by the language of the Directive.34 Schwartz focused mainly on how the Data Directive could affect the United States; however, he also provided important information relevant to a discussion of the Directive s effects on other nations. 30 Alexander Zinser; European Data Protection Directive: the De termination of the Adequacy Requirement in International Data Transfers 6 TUL. J. TECH. & INTELL. PROP. 171 (2004). 31 Id. at 175. 32 Id. 33 Id. at 178. 34 Paul Schwartz, Data Protection Law and the European Unions Directive: the Challenge for the United States: European Data Protection Law and Restrictions on International Data Flows 80 IOWA L. REV. 471 (1995).

PAGE 18

18 Schwartz showed that the laws of most EU member states re quire an equivalent level of protection when transferring privat e data to a third country, but the Data Directive only requires an adequate level of protecti on by third countries, thereby pote ntially lowering the level of security required for this third country data transfer.35 According to Schwartz analysis, third countries that have received Eu ropean Commission approval for da ta transfers could potentially be held to lower data privacy protection stan dards than before the Data Directive. Zinser had mentioned in his 2004 article that the Directive does not state whether the standards of the EU or of an individual Member State will be used to judge adequacy in a third country. If the EU determines adequacy using the Directive, third count ries will probably be held to one standard for adequacy; however, if the laws of the Member States determine adequacy, there could be 25 different standards, potentially leading to a third country or a business bargain-shopping for the most lenient le vel of adequacy amongst the Member States. Joel Reidenberg, professor at the Fordham University School of Law, while comparing in 2001 the positions of the U.S. and the EU on data protection,36 said that while democratic states agree that information priv acy is a critical element of ci vil society, the United States has left the protection of privacy to markets rather than law. In contrast, Reidenberg said, Europe treats privacy as a pol itical imperative anchored in fundamental human rights.37 Reidenberg said that although the EU Privacy Directive requires businesses to report potential violations of third countries to their own officials, studies sh ow that few businesses were doing 35 Id. at 472. 36 Joel Reidenberg, E-Commerce and Privacy Institute for Intellect ual Property & Information Law Symposium: ECommerce and Trans-Atlantic Privacy 38 HOUS. L. REV. 717 (2001). 37 Id. at 730-731.

PAGE 19

19 so at the time of his article.38 Still, Reidenberg asserted that the European model for data privacy protection influences other nations more than the U.S model. He noted that countries such as Australia, Canada, and Hungary used the Eur opean model to form their own national data privacy protection laws.39 In an article from 2000, Kevin Bloss, focusing on the battle between the U.S. and the EU,40 argued that the Directive might not hold up to sc rutiny if the U.S., or another nation, were to bring portions of the Data Directive before the World Trade Organization.41 Bloss argued that the fact that the Data Directive unilaterally requ ires non-European nations to enact specific laws at the risk of losing the ability to do business with European businesses, could constitute a violation of fair-trade agreements.42 Bloss supported his position by arguing that one of the WTO/General Agreement on Tariffs and Trade (GATT) rules that Europe might be breaking is called the Most Favored Nation obligation.43 This obligation requires all GATT na tions to give every other party to GATT/WTO identical privileges with respect to any give n product either imported or exported.44 Bloss posited that the U.S. could bring a challenge to the Data Directive before the WTO on grounds of a violation of this obligatio n because the Data Directive requires third countries to treat EU Member Stat es with un-identic al privileges. 38 Id. at 734-735. 39 Id. at 735. 40 Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy 9 MINN. J. GLOBAL TRADE 645 (2000). 41 Id. at 654-655. 42 Id. at 654. 43 Id. at 655. 44 Id.

PAGE 20

20 In an article from 2005, Francesca Bignami discussed numerous aspects of the Data Directive and the EC/US Passenger Name Records dispute.45 Much of Bignamis article focused on the concept of transgovernmental organizatio ns (such as the EU) a nd the difficulties in maintaining a sense of democracy in such netw orks. The author argued that the PNR dispute could serve to strengthen the unity of the EU Memb er States because it represents a unified effort to protect privacy against the differing US approach.46 Bignami argued that the PNR dispute could lead to reducing the democratic deficit that exists between the EU Member States;47 however, the authors idea may prove overly op timistic if the ECJ annulment of the PNR agreements reduces the scope and effectiveness of the Directive as a whole. Bignami questioned why the European governmental organizations woul d choose to focus so much effort on the PNR dispute. She argued that the PNR case appealed to a fundamental European right a nd that the US PNR was perceived as a threat to Europeans.48 Bignami also focused on the challenge of enfo rcing the Data Directive in Europe, due to the dizzying array of institutional arrangement s for implementing and enforcing the Data Directive.49 The mixed procedure form of creating la ws at the European level then placing responsibility for implementation and enforcemen t on the individual nations differs even from the transnational organizations of the Unite d Nations or the World Trade Organization.50 Bignami pointed out that Europe has supran ational organizations (European Commission, 45 Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European Information Privacy Network 26 MICH J. INTL L. 807 (2005). 46 Id. at 811. 47 Id. 48 Id. at 865. 49 Id. at 819. 50 Id. at 823.

PAGE 21

21 European Court of Justice, European Parliament) that are charged to oversee the actions of the Member States in regards to European policies, but that their role is somewhat inhibited by limited resources and the autonomy of each Member States separate legal systems.51 Bignami also discussed how the Data Directiv e grants the EC the authority to oversee complaints and concerns from Member States rega rding the adequacy of data protection laws in a third country.52 The challenge is whether or not the individual Member States are aware of questionable data transfers and will report the matters to the EC. Bignami stated that the Member States have not been active in either bl ocking dangerous data tran sfers or being specific about the conditions for data transfers.53 The author also reported on the fact that the Commission had openly criticized the Member States for allo wing many dangerous and illegal data transfers in their international trade.54 The points articulated by Bignami demonstrat e the difficulty in actually fulfilling the requirements of the Data Directive for third countries. The author discussed how the PNR dispute might affect transnatio nal governance in Europe; howeve r, Bignami did not discuss how the PNR dispute will affect the eff ectiveness of the Directive itself. Overall, the literature on th e EU Privacy Directive provi des help in understanding the document, but does not look at the texts of the EU documents that led to the approval of third countries allowed to engage in data privacy transfers with the EU member states. An examination of these documents should help to se e what requirements the EU actually imposes on nations to win approval as th ird countries. Also, the literature has yet to examine the recent 51 Id. at 824. 52 Id. at 826-27. 53 Id. at 832. 54 Id. at 833.

PAGE 22

22 developments of the PNR dispute and how th is case might affect the enforcement and effectiveness of the Data Directive in the future. Research Questions R1 : How has the EC defined adequate data prot ection laws for third countries and how has it applied this definition to third countries thus far? R2 : What does the Passenger Name Records di spute between the US and the EC show about the Directives third country requirements? How might this effect the future of the Directive with other third countries? R3 : How might the European Court of Justi ce annulment of the Passenger Name Records agreements potentially affect the Directive, especially its third country requirement? Research Methods This thesis is a legal analysis of both inte rnational and domestic data privacy laws. The research for this thesis will include extensive analysis of legal documents concerning the EC Data Directive, the data privacy laws of thir d countries, the use of Passenger Name Records by the US Department of Homeland Security, and th e European Court of Justice decision on the EC/DHS PNR agreements. Research for this thesis was conducted usi ng LexisNexis, the websites of the European Union, and relevant websites from the U.S. gove rnment (including the Department of Homeland Security). All primary documents c ited may be accessed from these sources. This thesis conforms to the Bluebook style fo r legal writing and uses the standard legal system of footnoting. Conclusion The research for this thesis is necessary for contributing to the understanding of how the EC has applied the Directives adequacy requirements to third countries thus far. The legal field has yet to analyze the recent developments in the European Commission/Department of

PAGE 23

23 Homeland Security dispute over th e transfer of the private da ta included in Passenger Name Records. An analysis of the European Cour t of Justice annulment of the previous PNR agreements and an analysis of how the EC has a pplied the Directive to other third countries may call into question both the validity and effectiveness of the Directive as it re quires high levels of data privacy in all European international trade.

PAGE 24

24 CHAPTER 2 OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON THIRD COUNTRIES Purposes of the Data Directive The Data Privacy Directive was created to protect the personal data of European citizens. The Directive defines personal data in Article 2(a) as any information relating to an identified or identifiable natural person. An identifiable person is one w ho can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental economic, cultural or social identity.1 Due to its broad definitions of personal data and identifiab le person the Directive applies to arguably all forms of personal data. The Directiv es stated purposes are as follows. Promote the common European market by unifyin g the Member States laws on data privacy protection2 Protect the right of privacy fo r citizens in Member States3 both in local and international markets and with non-European third countries4 Remove the obstacles to the free, trans-border flow of information between Member States that stem from differing data priv acy protection laws in each nation5 Adapt European Community laws to fit advances in technology and communication6 Ensure that individuals have access to their privat e data in order to confirm that it is accurate and being protected7 1 Commission Directive 95/46/EC, art. 2(a), 1995 O.J. (L 281). 2 Id. at recitals 1, 3-5. 3 Id. at recital 2. 4 Id. at recital 20 5 Id. at recitals 7-9. 6 Id. at recitals 6, 14, 16. 7 Id. at recital 25.

PAGE 25

25 Establish safeguards for data transfers to and from controllers residi ng in third countries without adequate levels of data8 Provide a way for individuals or organizations to demonstrate adequate levels of data protection despite residing in a third country vo id of adequate protections to data privacy9 Create data privacy authorities to oversee data privacy in the Member States and to unify them into a Working Party that oversees data privacy in the EU and communicates with the European Commission on data privacy matters.10 These purposes demonstrate the sweeping inte nt of the European Commission to enact legislation governing data privac y in a broad and general way. This approach is very different than the U.S attempts to protect pr ivacy by enacting subject-specific laws.11 Key Provisions for Third Countries in the Data Directive The Data Directive requires that a third country provide adequate leve ls of protection in order to transfer data with a bus iness from the EU. Despite this requirement, the Directive never explicitly defines adequacy. Alexander Zi nser, a technology lawyer based in Lausanne, Switzerland, has written extensivel y on the question of determining the definition of adequacy in the Directive. In his 2003 article on the Direc tive, Zinser pointed out that the Data Directive contains no specific definition of an adequate level of data protection,12 but that the Directive does provide, in different places, at least five critical areas of data privacy that could be used as criteria in approving data tr ansfers to a third country. 8 Id. at recitals 56-57. 9 Id. at recital 59. 10 Id. at recitals 62-65. 11 See Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law Symposium: E-Commerce and Trans-Atlantic Privacy 38 Hous. L. Rev. 717, 730-731 (2001). See also supra at note 3. 12 Alexander Zinser, International Data Transfer Out of the European Union: the Ad equate Level of Data Protection According to Article 25 of the European Data Directive 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003).

PAGE 26

26 From these critical areas of data privacy, Zins er identified five criteria used to determine whether or not a third country prov ides an adequate level of prot ection. These five criteria are: The lawfulness of the processing of personal data The special protection of sensitive data The rights of the data subjects The security of the act ual processing of data The existence of control and enforcement measures.13 The task of grouping each provision of the Da ta Directive into thes e five criteria is complex; however, this process helps in understandi ng the definition of adequate levels of data protection. Each article in the Da ta Directive may be classified into one or more of the five criteria. An example of this complexity can be found in one of the key provisions of the Directive, Article 6. This article outlines the requirements for maintaining the quality and accuracy of personal data. Although these requirements come from Article 6, they ap ply to each separate part of the five criteria14 Article 6(a), that Member States mu st ensure that data be lawfully processed,15 is the essence of criterion 1. Article 6(b) that data must be collected for a specific purpose,16 also deals with criterion 1, th e lawfulness of data. Article 6(d), that data must be kept as accurate and as up to date as possible,17 could also concern criteri on 2 (special protection of data) by requiring Member States to protect the accu racy of data, and criterion 3 (rights of data 13 Id. at 559. 14 Commission Directive 95/46/EC, art. 6, 1995 O.J. (L 281). 15 Id. at art. 6(a). 16 Id. at art. 6(b). This article also stat es that [f]urther processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provid e appropriate safeguards. Although the original data must be coll ected for a specific, legitimate purpose, the Directive does not state that there need be a specific purpose in the further processing of data for these purposes. 17 Id. at art. 6(d). The Directive states that data should be kept accurate and up to date taking every reasonable step but it never defines what constitutes a reasonable step.

PAGE 27

27 subjects) by requiring that individuals have the right to have accurate data. Article 6(e), that data be kept in a form that permits identificati on of data subjects for no longer than necessary,18 concerns criterion 2 a nd criterion 3 as well. A few other articles of the Directive provide insight towa rds understanding the EU data privacy laws expectations for th ird countries. Article 12 grants da ta subjects the right to find out how companies and agencies use their private data,19 falling under criterion 5 (existence of control and enforcement measures). These artic les also concern criteri on 3 (rights of data subjects) because they gran t rights to data subjects. Another article related to criterion 3 is Articl e 14, which allows the data subject to petition the transfer of his or her pers onal data to the data controller20 and to do so free of monetary charge.21 Article 17 requires the data controller to implement appropr iate technical and organizational measures to protect personal data,22 a requirement that addresses criterion 4 on the security of processing data. Of greatest relevance to this thesis is Article 25, Transfe r of Personal Data to Third Countries. This Directive articl e states that data cannot be tran sferred to a third country unless adequate levels of protection ar e provided for in the nations laws.23 Article 25(2) says that in determining the adequacy of data protection in the third country, the Member States or the EC 18 Id. at art. 6(e). The article says that Member States sh ould regulate any long-term storage of data in cases of historical, statistical, or scientific use. 19 Id. at art. 12. 20 The directive defines a controller as the person or en tity in charge of determining the purposes and means of the processing of personal data. Commission Directive 95/46/EC, article 2(d). 21 Id. at art. 14. 22 Id. at art. 17(1). 23 Id. at art. 25(1).

PAGE 28

28 should pay attention to the purpos e of the data transfer (crite rion 1) and the duration of the transfer (criterion 4).24 In addition to these directions, Ar ticle 25(2) also requires that the Member State or the EC look at the third countrys laws relating to the security of processing data, a requirement that falls und er criterion 4 on the s ecurity of the actual processing of data. If the Commission finds that a third country doe s not provide an adequa te level of personal data protection, the Directive require s them to prevent any transfer of data of the same type to the third country in question, a provision that is primarily a control and enforcement measure from the EU (criterion 5).25 Article 28 of the Directive states that each Memb er State must appoint a public authority to supervise the implementation of the Data Directive into the laws of that Member State. This article falls under criterion 5 on the existence of control and enforcement measures. A data authority must have authority to intervene when private data mi ght be released without consent or when private data records need be blocked from being transfe rred or erased and to prosecute when data laws are broken.26 The presence of such an official in third countries could contribute to the ability of a thir d country to demonstrate an adequate level of data privacy protection. Because the Directive fails to specifically de fine what constitutes an adequate level of protection, Zinsers five criteria help to create a picture of th e criteria the EU might use in determining if the third countries data privacy laws maintain an adequate level of protection. The analysis of the third countries that have been approved for data transfers will reveal how the EC has or has not applied these criteria. 24 Id. at art. 25(2). 25 Id. at art. 25(4). 26 Id. at art. 28(1-3).

PAGE 29

29 Third Countries and the Data Directive Requirem ent for Adequate Levels of Data Privacy Protection Since passage of the EU Data Privacy Direct ive, the European Commission has approved several third countries as having adequate levels of data protection. The Commission has approved Switzerland, Canada, Argentina, Guerns ey, and Isle of Man. The United States, through the Department of Commerce, has worked out the Safe Harbor, an agreement that allows individual businesses to agree to maintain ad equate levels of data privacy protection in accordance with the Directive. Zinsers five criteria for judging whether a th ird countrys laws ade quately protect personal data provide most of the guidance needed for this chronological analysis of each country deemed adequate. In each of these cases, the Europ ean Commission found that the third country in question provides adequate data privacy protection. Switzerland Switzerland was the first nation to receive th e European Commissions adequacy status. On July 26, 2000, the European Commission issued a decision stating that Switzerlands laws provided an adequate level of protection governing the tr ansfer of private data.27 The Swiss regularly engage in international commerce w ith the EU Member States. The Commission report on Switzerlands data privacy protection laws stated that th e Swiss Federation provides for protection at both the federal a nd cantonal (or state) levels.28 At the federal level, the Commission report stat ed that The [Swiss] Federal Constitution gives every person the right to have his privacy respected and, in partic ular, to be protected 27 Commission Decision 2000/518/EC, art. 1, 2000 OJ (L 215). 28 Id. at (5).

PAGE 30

30 from the misuse of data concerning him.29 This right falls under criterion 3, granting data subjects their rights to privacy. The EC report also stated that Switzerlands court systems at both the federal and cantonal levels have developed binding case law that protects the quality of the data processed, the right of access of the persons concerned, and the right to request the correcti on or destruction of data.30 These constitutional and case-law based laws meet the requirements of the criteria that data is of a high quality, that data subjects have rights to access and correct their personal data, and that the data is prot ected (criteria 2 and 3). The Commission report also di scussed the Swiss Data Protection Act of June 1992, which permits citizens to have access to their personal information in files and created a supervisory authority to oversee data pr ivacy issues in the nation.31 The presence of a data authority is consistent with criterion 5 on the existence of co ntrol and enforcement measures. As in the EU Member States, this supervisory authority has po wer to investigate, prosecute, and hear claims from organizations about breaches of personal data protection laws. The Commission also recognized that most of the Swiss cantons have passed their own data privacy legislation, focusi ng on local issues such as regu lating how private data can be transferred (criterion 4).32 This relates the lawful protecti on of the processing of private data (criterion 1) granting sensitive data special protections (criterion 2). The Swiss approach towards the protection of pe rsonal data is very similar to the EU Data Directive model in that it grants data privacy the status of bei ng a fundamental right and contains 29 Id. at (6). 30 Id. 31 Id. at (7). 32 Id. at (8).

PAGE 31

31 protections at the federa l level and the local level. The EC report granting Swit zerland the status of being an approved third country recognizes that Swiss laws and practices meet each of the five requirements for third countries in the Directive. Canada After Switzerland, Canada became the next country to receive adequacy status. On December 20, 2001, the European Commission judged Canadas privacy laws, particularly the Personal Information Protection an d Electronic Documents Act of 2000 (hereafter "the Canadian Act), as adequately protecting personal data.33 Although Canada does not have a constitutional statement that recognizes data pr ivacy as a fundamental right as Switzerland does, the EC report praised Canada for passing legislation that protects privacy gene rally and sectorally. The Canadian Act requires businesses to protect personal data and provides that the data protection will extend to every organisation that collects, uses or discloses personal information in the course of a commercial activity.34 The Canadian Act defines the lawfulness of the processing of data and limits it to when the data subjects has authorized the transfer (criterion 1). This act grants data subjects the rights to peti tion organizations for thei r private data and to correct inaccurate data, as well as to protest the improper use of their data (criterion 3). The act also calls for secure processing of private data (criterion 4).35 This law seemingly meets the criteria that the data is lawfully obtained (i n this case through comme rcial activity) and that sensitive data is protected. 33 Commission Decision 2002/2/EC, art. 1, 2001 O.J. (L 2/13) 34 Id. at (5). 35 Id.

PAGE 32

32 The Canadian Act mandated the creation a Ca nadian Federal Privacy Commissioner to oversee privacy issues at the national level.36 The privacy commissioner has the authority to hear claims and complaints pertaining to personal data protection from individuals and organizations, to summon witnesses, to audit busin esses privacy practices, to administer oaths, and to compel the production of evidence if voluntary co-operation is not forthcoming.37 The authority granted to the privacy commissioner meets the requirements of criterion 5 by implementing control and enforcement measures. The EC decided that Canadas laws and practi ces provide adequate le vels of private data protection; furthermore, Canadas laws met each of Zinsers five criteria. The language of the Canadian Act demonstrates a general approach to protecting personal data that is similar to the EU Data Directive. Argentina Argentina became the next nation to receive an adequacy decision from the European Commission. On June 30, 2003, th e Commission decided that Argentinas data privacy protection laws provided adequate levels of private data protec tion in accordance with Article 25 of the EU Directive.38 The Commission stated that Argentin as legal standards for the protection of personal data have been provided for in binding general and sector-specific rules.39 The Constitution of Argentina treats privacy as a fundamental right, ju st as Switzerlands constitution and the ECPHRR.40 The Constitution of Argentina includes a habeas data rule 36 Id. 37 Information obtained from the Office of the Privacy Commissioner of Canada website available at http://www.privcom.gc.ca/aboutUs/index_e.asp. Last visited on April 19, 2006. 38 Commission Decision 2003/1731/EC, 2003 OJ (L 168). 39 Id. at 3. 40 See supra 14.

PAGE 33

33 that allows the data subject to know both the con tent and purpose of all the data pertaining to him or her contained in public record s or databanks, or in private ones.41 Under the habeas data rule, citizens also have the right to demand that their information be corrected, deleted, or made confidential,42 a right that relates to criteria 3 and 5. The EC report also states Argentine jurisprudence has recognised h abeas data as a fundamental a nd directly applicable right.43 The EC report also cited another Argentine pr ivacy law, the Personal Data Protection Act of 2000.44 This law follows the Data Directive model of granting citi zens access to their personal data, mandating the protection of personal data (criterion 2), th e lawful obtaining of data through businesses and govern ment agencies based on data su bjects consent (criterion 1), and the secure processing of personal data (criterion 4).45 These rights meet the criteria of the Directive by ensuring that data subjects have access to their pe rsonal information, that the data transfers stay secure, and that data is collected lawfully. The Argentine government also has a National Directorate for the Protection of Personal Data, a body charged with ensuring the protection of data privacy and with judging adjudicating disputes about data privacy.46 The National Directorate has authority to impose sanctions on organizations and even to pursue criminal liabilitie s for individuals and orga nizations that breach data privacy protection laws. This national da ta authority constitutes a level of control and enforcement measures (criterion 5). 41 Const. Arg, Art. 43.3. 42 Id. 43 Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3 44 The Personal Data Protection Act No. 25.326 of 4 October 2000. 45 Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3-4. 46 Id. at 4.

PAGE 34

34 As with Switzerland and Canada, Argentine la w meets each of Zinse rs five criteria and meets the EC standards for providing an adequate level of protection. Guernsey The Bailiwick of Guernsey, a small island nation in the English Channel, became the next nation to receive adequacy status from th e European Commission. On November 21, 2003 the EC granted Guernsey, a British protectorate that f unctions as a separate legal entity from the UK, approved status as a third country with ad equate levels of data privacy protection.47 In this report, the EC stated that the basis for EC appr oval of Guernsey was based on the passage of the Data Protection Law of 2001, a law based on th e standards set out in Directive 95/46/EC.48 In other words, the EC fully acknowledged that the Directive serves as th e foundation for the data privacy laws of Guernsey. In the Data Privacy Law of 2001, Guernsey gr anted data subjects th e rights to their personal data and the rights to change or erase this data (criterion 3).49 The law also mandates that data transfers be protected with technological safeguards and that a supervisory privacy authority be set up (criteria 2, 4, and 5).50 As with the other approved third countries, the data authority in Guernsey has powers to investigate and to intervene when there has been a breach of data privacy protection.51 47 Commission Decision 2003/821/EC, 2003 O.J. (L 308). 5. In its report, the EC recognizes Guernsey as a third country because although it is a British protectorate, it ma intains complete liberty from the Crown except in a few international matters such as defense. 48 Id. at (7). 49 Id. at (7). 50 Id. 51 Id. at (8).

PAGE 35

35 The EC report on Guernsey contains far less specific information on the reasons for approving this third country for th e free flow of personal data tran sfers with the Member States. Although the report notes the le gal standards applicable in Guernsey cover all the basic principles necessary for an adequate level of pr otection for natural person s, the EC gives almost no specific reasoning behind their decision.52 The EC report shows that Guernsey has met criteria 2, 3, 4, and 5. The report never specifical ly addressed the issue of defining lawfulness in the processing of data. Isle of Man The Isle of Man, an island nation similar to Guernsey, received adequacy status from the European Commission next. On April 28, 2004, th e Commission issued a report approving Isle of Man as a third country with adequa te levels of personal data protection.53 Just as with the report on Guernsey, the EC report on Isle of Man contains few examples and few reasons for granting the island nation approved status for da ta protection. The report cites the Data Protection Act of 2002,54 the Human Rights Act 2001,55 and the Access to Health Records and Reports Act 1993 as providing an ad equate level of protection for pr ivate data. From these acts, data subjects in Isle of Man are guaranteed the lawful use of thei r private data (criterion 1), the special protection of their private data (criterion 2), and security in the transfer of data (criterion 4).56 Data subjects in Isle of Man also have the right to access thei r personal data and to correct 52 Id. at (9). 53 Commission Decision 2004/411/EC, 2004 OJ (L 151). Like Guernsey, Isle of Man is a protectorate of the British Crown and is in the same political arrangement as Guernsey. 54 Id. at (7). 55 Id. at (8). 56 See Isle of Man data privacy website available at http://www.gov.im/odps /yourrights.xml. Last visited on May 4, 2006.

PAGE 36

36 errors in that data, as well as to seek co mpensation from a data controller who misuses the private data of a data su bject (criteria 3 and 5).57 Despite the lack of detail and analysis of thes e acts, the EC report sa ys that the laws of Guernsey allow for adequate leve ls of data privacy protection.58 The laws of Guernsey also meet Zinsers five criteria for determining adequacy. United States Safe Harbor Because of different approaches towards data privacy protection in the U.S. and the EU, and because of the economic interdependence of these two economies, the EU Data Directive has presented significant challenges for the U.S. and the EU. With little prospect of a U.S. national law recognizing data pr ivacy as a fundamental right a nd enacting broad, general privacy legislation, the European Comm ission adopted the U.S. Depa rtment of Commerces Safe Harbour Privacy Principles a nd Frequently Asked Questions59 (hereafter Safe Harbor and FAQs) on July 26, 2000.60 The Safe Harbor was created to allow businesses and organizations in EU Member States to legally (under EU law) transfer personal data to businesses in the U.S. and to protect trans-Atlantic commerce. The rules of Safe Harbor apply to businesses under the jurisdiction of the Department of Commerce and the Federal Trade Commission. Thes e rules allow U.S. businesses to continue data transfers with EU businesses by opting in to data principles that mirror much of the provisions of the Directive, incl uding ensuring that da ta transfers are secure (criterion 4), granting data subjects rights to access their da ta (criterion 3), providi ng data subjects with 57 Id. 58 Id. at (9). 59 See U.S. Dept. of Commerce website, http ://www.export.gov/safeHarbor/index.html. 60 Commission Decision, 2000/520/EC, 2000 O.J. (L 215) 7.

PAGE 37

37 notification when their personal data will be used (criteria 3 and 5), keeping data accurate and up to date (criterion 2), and creating governmental sanctions for violati ons of Safe Harbor principles (criterion 5).61 In exchange for opting in to the Safe Harbor U.S. businesses involved in disputes over Safe Harbor principles would keep legal acti ons in U.S. courts, not in European courts.62 Each business choosing to opt in must write the Depa rtment of Commerce, make its privacy policy available on-line and with the De partment of Commerce, and have its name published on a list of Safe Harbor businesses.63 Through Safe Harbor, the U.S. has received pa rtial approval from the EC on providing adequate levels of data protec tion; however, because Safe Ha rbor only applies to businesses under the Department of Commerce and the Fede ral Trade Commission, the assurance that the U.S., as a third country, will follow the provisions of the Directive is limited. As of June 2007, 1,196 U.S. businesses had opted in to the Safe Harbor, through the U.S. Department of Commerce.64 The Safe Harbor principles have acc ounted for meeting criteria 2, 3, 4, and 5, but the agreement is different than approval for othe r nations. Other approved third countries have received approval for data transfers as a nati on, but the Safe Harbor does not represent a full approval for the U.S. as providing ad equate levels of private data. Conclusion Since its passage in 1995, the European Data Privacy Directive has had an influence on other nations, an effect resulting from the requi rements of Chapter IV of the Directive that 61 See Safe Harbor Overview on Department of Commerce website for a complete list of the Safe Harbor principles, available at http://www.export.gov/safeHa rbor/sh_overview.html. Last visited on April 20, 2006. 62 Id. at Safe Harbor Benefits. 63 Id. at How does an organization join?. 64 Safe Harbor List, available at http://www.export.gov /safeharbor/doc_safeharbor_index.asp.

PAGE 38

38 requires any non-EU nation to have adequate levels of data privacy protection as a precursor to conducting personal data transfers. Because the fr ee flow of personal data has become such an important commodity in recent years, nations all over the world must consider adopting laws that protect personal data. The Directive provides third countries an opport unity to demonstrate an adequate level of protection and gain approval from the Commission to ensure a free flow of information and a continuation of business with EU Member States. In determining adequacy, the EC has applied five criteria: The lawfulness of the processing of personal data. The special protection of sensitive data. The rights of the data subjects. The security of the act ual processing of data. The existence of control and enforcement measures. Using these criteria the European Commissi on has given approval for Member States to transfer personal data to Switzer land, Canada, Argentina, Guernsey, Isle of Man, and to the U.S. (in limited scope). Despite the ECs consistent application of adequacy standards with other nations, the case of the Safe Harbor for the U. S. demonstrates that the Commission shows some flexibility in working with third countries. Th e PNR case may shed further light on how far the EC will go to arrange an agreement with a third country (in this case, the U.S.). Zinsers five criteria proved accurate and he lpful in analyzing the reports on each nations approval. A comparison of the official EC d ecisions granting these third countries approved status reveals some interesti ng similarities and differences. The EC reports on Switzerland, Canada, and Arge ntina contained detailed analysis of the laws of those nations that protect private data. Each of these countries granted the concept of data privacy the status of a ge neral law, with Switzerland and Ar gentina declaring data privacy

PAGE 39

39 as a fundamental human right. Each of these reports also contained examples of how these nations protect privacy at both the general and the sectoral level, just as the EU protects privacy. As stated in the analysis above the reports on Guernsey and Is le of Man are brief and lack the detail of the others. This may be a result of the fact that these nations are protectorates of the United Kingdom and opted into the privacy prot ection laws of the United Kingdom. These two island nations benefit greatly from a free flow of personal data as their economies are based mainly on offshore banking and insurance, which might explain the reas on that they sought approval status from the EC. As previously stated, the EC decision to work with the U.S. to create the Safe Harbor differs greatly from its approval of other third co untries. Despite the fact that the U.S. has no general protection for personal data, the EU s howed it was willing to work out compromises on data protection in order to allow for internati onal trade even when a nation was not in full compliance with the EU Data Directive. One question that arises is why so few nati ons have sought to gain the status of full approval for personal data transfers with the EU. It is possible that some nations are skeptical about the enforcement of the Directive as it pertains to adequacy in third c ountries. Zinser, in an article previously discussed, point ed out that the Directive never specifies whether the EU or the Member States will enforce the Directive or what methods they might use to enforce it.65 Without specific sanctions for noncompliance (whi ch may prove difficult to craft and avoid 65 See Alexander Zinser; European Data Protection Directive: the De termination of the Adequacy Requirement in International Data Transfers 6 TUL. J. TECH. & INTELL. PROP. 171 (2004).

PAGE 40

40 WTO/GATT problems)66, many third countries might not make the efforts to enact adequate privacy legislation or to enc ourage businesses to conform to Safe Harbor type principles. Countries with general laws prot ecting data privacy might be t hose that stand to benefit the most from EC approvals. For nations such as the U.S. where there is less chance of enacting general privacy protections, the f act that the Directive allows individual businesses to have adequate levels of protection makes the Safe Har bor (or potentially anothe r plan with other third countries) the best option for now for businesse s. As stated previous ly, the Safe Harbor, however, applies only to businesse s and not to the transfer of pr ivate data by and to the United States government; therefore, the debate be tween the United States and the European Commission over Passenger Name Records falls outside the scope of the Safe Harbor and necessitates a separate agreement. 66 See Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy 9 MINN. J. GLOBAL TRADE 645 (2000).

PAGE 41

41 CHAPTER 3 THE PASSENGER NAME RECORDS CONTROVERSY As discussed in Chapter 2, the European Co mmission has granted ad equacy status to multiple nations since passage of the Data Di rective in 1995. In the cases of Switzerland, Canada, Argentina, Guernsey, and Isle of Man, the Commission stated that those nations laws provided adequate levels of prot ection for private data. In th e case of the United States, the Commission worked with the U.S. government to create the Safe Ha rbor program wherein individual businesses guaranteed to provide adequate levels of protection for private data. Although the Safe Harbor agreem ent represented compromise, the greatest controversy and challenges to the Directive have come in the fo rm of laws requiring that commercial airlines provide governments with Passenger Name Reco rds. As mentioned in Chapter 1, Passenger Name Records contain large amounts of personally identifiable information including financial information, itineraries, physical addresses, travel information, and contact information.1 Australia and the United States require co mmercial airline carriers to pass PNR information to their national customs agencies The European Commission has worked with both of these nations in an effort to protect the private data of European citizens in PNRs. The Australian PNR agreement was met with very little controversy, but the United States PNR agreement has been the source of one major legal challenge in the European court system. These agreements raise important issues that affect the scope and efficacy of the 1995 Data Directive.2 1 See supra at note 17. 2 At the time of this thesis, the Australian and United States PNR agreements are th e only such documented PNR cases with the European Union.

PAGE 42

42 The Australian Passenger Name Record Agreement Following the terrorist attacks of Septembe r 11, 2001 on the United States, the Australian government implemented new security policies th at included a requirement that commercial airlines provide the government w ith Passenger Name Record data.3 Upon introduction of these new requirements in the Border Security Legislation Amendment (Terrorism) Act 2002 (hereafter Border Security Act), the Governme nt of Australia request ed that the European Commission officially determine the adequacy of Au stralias data protection laws for the transfer of PNR data. In accordance with the legal framework laid out in the Data Directive, the Commission assigned the task of determining adequacy to the Article 29 Working Party.4 As created in Article 29 of th e Data Directive, the data pr otection commissioners of each Member State and the EC data commissioner co mprise the Working Party on the Protection of Individuals with regard to th e Processing of Personal Data (h ereinafter referred to as the Working Party).5 Under Article 30, the Working Party is charged with addressing concerns (such as the PNR concerns) over da ta protection in third countries6 and informing the Commission about any issue concerni ng data privacy for EU citizens.7 In January 2004, the Commission adopted the Article 29 Working Partys opinion that Australia provided an adequate 3 Border Security Legislation Amendment (Terrorism) Act, 2002, c. 64 (Austl.). 4 See Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1995 O.J. (L 281). 5 Id. at art. 29(1). 6 Id. at art. 30(b). 7 Id. at art. 30(c).

PAGE 43

43 level of protection of private da ta in its transfers of PNR data to the Australian Customs and Border Protections agencies.8 The Border Security Act amended a number of laws governing the activities of Customs and the Border Protection agencies in Australia. As mentioned above, one requirement of this 2002 act is that commercial airlin es must transfer PNR data to the Australian government for use in terrorist risk assessment. In its opinion on adequacy, the Working Party noted that the PNR requirement in the Border Security Act had to comply with Australian privacy laws9 guaranteeing the privacy of personal information.10 The Working Party noted that Australia has a strong legal foundation of protecting the collection, use, transf er, and retention of private data in the public and private sectors.11 Keeping with the tradition of favoring th e privacy of personal data, the Australian government required specific procedures to ensure what the Australian government considered to be highest possible levels of pr otection for the private data tran sferred in PNRs. The Borders Security Act (hereafter BSA), seeks to ensure th e protection of the private data in PNRs in the following ways. Passenger Name Records accessed contain only cu rrent flight data and not historical PNR data12 Computer software weeds out the data of 95% 97% of all passengers on an average flight because they are determined to be of no risk to the security of the country13 8 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85). 9 See Commonwealth Privacy Act, 1988, c. 118 (Austl.). 10 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85) at 3. 11 Id. at 3-5. 12 Id. at 5.

PAGE 44

44 The first human eyes to see any of the data are those of a Customs officer who reviews the 3% 5% of passengers flagged by the software screening and determines whether or not the government should detain the pa ssenger upon arrival in the country14 Computer software automatically deletes th e PNR data of the 95% 97% of passengers who clear the initial software screening15 A Customs officer deletes all PNR data for ev ery individual eventually cleared of any concerns by the Customs and Border Patrols agencies16 Computer software automatically deletes fli ght information from Customs databases 24-48 hours after the flight17 Computer software filters out sensitive info rmation including racial or ethnic origin, political opinions, religious or philosophical beliefs, or data on health problems18 The BSA limits the third parties authorized to receive the PNR data (namely Australian law enforcement agencies)19 The BSA limits the use of PNR data by law enforcement agencies to law enforcement activities guided by judicially authorized warrants20 The BSA bans the use of PNR data for a secondary purpose except where authorized by the individual identified in the data or mandated by Australia federal law.21 As understood by the Article 29 Working Pa rty, the above regulations governing the collection and use of PNR data serv e to protect the privacy of pers onal data at an adequate level as defined in the EC Data Directive. 13 Id. 14 Id. 15 Id. at 6. 16 Id. 17 Id. at 7. 18 Id. at 8. 19 Id. at 9. 20 Id. at 9. The Working Party noted that in order to receive credit card and telephone records from Customs PNR data, law enforcement agencies must provide Customs proof of having obtained a warrant. Id. 21 Id. at 10.

PAGE 45

45 The Working Party also noted that the Austra lian PNR agreements mandate high levels of security when working with PNR data.22 To protect sensitive info rmation in PNRs, Australia allows only a small group23 of individuals access to PNR data. This group of individuals must pass through three layers of passwords and identification c onfirmation before accessing the PNR records. Additionally, PNR data is stored on an electronic network separate from other networks in the Australian Customs agency system.24 The Australian PNR law also gran ts individuals the right to a ccess and correct any data in their records. Because most PNR data may be st ored for only 24-48 hours, this aspect of the law applies only to individuals who have been char ged with violating Customs or border protection laws. These individuals, whether charged or convicted, have a legal right to access their PNR data and to rectify errors therein.25 The Australian PNR agreement also grants the Australian Privacy Commissioner the authority to petition the Australi an legislature to change any PN R practices that may not be in line with existing Australian privacy laws.26 The PNR arrangement also gives the Privacy Commissioner the authority to investigate alleged abuses of PNR brought forth by either Australian citizens or non-citizens.27 The European Commission adopted the Work ing Partys Opinion on the adequacy of private data protection in Aust ralias PNR system in January 2004. Under the recommendation 22 Id. 23 Id. at 8. 24 Id. at 10. The Working Party also noted that Customs officials refrain from using PNR data and visa information together in any way. Id. 25 Id. at 11. 26 Id. 27 Id.

PAGE 46

46 of the Working Party, the Commi ssion set a three-year time period on the present agreement with a required review of the PNR system set for mid 2007.28 Since the European-Australian PNR agreement in 2004, neither side has formally cha llenged the legality of the agreement or the expressed concerns over the prot ection of individuals private da ta when transferred to the Australian government. Although this agreement has not met legal challenges, the European-United States Passenger Name Records has raised controversy fr om the European government and its citizens. The United States Passenger Name Records Agreement Despite the agreement between the United Stat es and the European Union to create the Safe Harbor, the trans-Atlantic battle over the protection of priv ate data was renewed in late 2003. In post 9/11 legislation aimed at combati ng terrorism the United States Congress passed the Aviation and Transporta tion Security Act (ATSA) that required airlines to transfer all Passenger Name Records (PNRs) to the U. S. Customs and Border Protection (CBP).29 ATSA required airlines flying in and out of the United St ates to provide this information to the CBP or risk penalties. This new law quickly raised concerns in Eur ope over the uses and tr ansfers of European citizens private data in PNRs The controversy between the EU and the U.S. over the PNRs sheds additional light on how the EU might apply the Data Directive to third countries. From the European perspective, the concerns about the transfer of PNRs to the U.S. government are founded in Chapter IV, Article 25(1) of the Directive. This article states that 28 Id. at 12. At the time of the present study in June 2007, neither the European Commission nor the Australian government has publicly announced an end to, or a renewal of, the PNR agreement. 29 Aviation and Transportation Security Act of 2001, Pub. L. No. 107--71, 115 Stat. 597. The Customs and Border Protection is a U.S. governmental agency under the Department of Homeland Security (DHS). In this light, much of the EU/U.S. debate over PNRs is directed towards the DHS.

PAGE 47

47 The Member States shall provide th at the transfer to a third country30 of personal data which are undergoing processing or are intended for processi ng after transfer may take place only if the third country in ques tion ensures an adequate level of protection.31 This particular portion of the Data Directive has caused tension betw een the U.S. and the EU because of the United States sectoral, case-bycase approach to data pr ivacy legislation. If EU businesses and Member States follow the lega l frameworks of the Directive regarding third country adequacy of protecting private data, the trans-Atlantic flow of personal data could be limited and business would be greatly disrupted be tween the worlds two top economies. In the case of the PNRs, airlines that re fuse to provide this data to th e CBP would be subject to fines and potential loss of privileges to land in the U. S., resulting in a major loss of business due to differences in privacy laws. After the passage of ASTA, the European Commission notified the U.S. government that the requirement to provide the CBP with PNRs vi olated provisions of the Data Privacy Directive of 1995.32 The EC said it had learned that the PNRs of EU citizens were being transferred to the United States Department of Homeland Security (DHS) for access by the CBP. In 2002, the EC officially issued a report denouncing this practi ce as an invasion of the privacy of EU citizens.33 Because the ASTA failed to provide the data subj ect the authority to acc ess his or her personal data held by the DHS and to correct errors in that data, the Commission said the sharing of this information violated the Data Directive. The Di rective requires that pe rsonal data held by any 30 A third country refers to a nation or state that does not belong to the European Union. 31 Directive 95/46/EC, Art. 25(1). 32 See Communication from the Commission to the Council and the Parliament December 16, 2003, on PNRs. Accessed from EC website, available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/adequacy/apiscommunication/apis_en.pdf. 33 Opinion of the European Commission, Opinion 2/2004. Available at http://europa.eu.int/comm/justice_home/fsj/ privacy/docs/wpdocs /2004/wp87_en.pdf.

PAGE 48

48 government or business be accessible by data subject s, that the data not be kept on record for longer than necessary, and that a supervisory authority oversee the uses of the personal data.34 In response, the U.S. Customs and Border Prot ection argued that the tr ansfers of this data are allowable under Article 13 of the Directive b ecause the data is used in national and public security, specifically to combat terrorism.35 Article 13 grants the EU and its Member States room to restrict the scope of the Data Directiv e obligations on data prot ections if the government deems such restrictions as a necessary safeguard in certain key areas.36 The key areas for exemptions to the Directives data protection gui delines include lifting data privacy restrictions to aid in national security,37 defense,38 public security,39 fighting crime (including white collar crime),40 maintaining economic interests,41 monitoring or inspecting crimes,42 and the protection of the rights and freedoms of the data subject and others.43 34 Id. 35 See Council Decision of 17 May 2004 on the conclusion of an agreement between the European Community and the United States of America on the processing and tran sfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC). 36 Commission Directive 95/46/EC, art. 13(1), 1995 O.J. (L 281). 37 Id. at art. 13(1)(a). 38 Id. at art. 13(1)(b). 39 Id. at art. 13(1)(c). 40 Id. at art. 13(1)(d). In addition to granting exemptions fo r data protection in the act of preventing, discovering, investigating, and prosecuting criminal offences, the Direct ive explicitly mentions that this exemption applies to investigations and prosecutions of breaches of ethics for regulated professions. Id. The Directive does not define regulated professions. 41 Id. at art. 13(1)(e). The Directive states that econo mic interests include monetary, budgetary, and taxation matters. Id. 42 Id. at art. 13(1)(f). 43 Id. at art. 13(1)(g).

PAGE 49

49 Acting under its authority, the Article 29 Working Party44 issued an opinion in January 2004 that highlighted many of the le gal issues of the PNR debate.45 In its opinion, the Working Party acknowledged that the fight against terrorism is necessary but emphasized the necessity to balance fighting terrorism the need to ensure human rights,46 including the fundamental human right of privacy.47 The Working Party also expressed concern about the amount of personally identifiable information contained in the PNRs passed to the U.S. government.48 Despite the fact that the Commission had recently reached its agreem ent to transfer PNR da ta to the Australian government,49 the Working Party stated that the Co mmission had no legal precedence to follow in this case and could not issue a solid decision on what to do.50 In response to the Working Partys concerns over the level of protection of Passenger Name Record data when transferred to Cust oms and Border Protection, the Department of Homeland Security issued further explanat ions of the CBP PNR system in May 2004.51 The document, titled the Undertakings, outlined the fr amework that the CBP would follow in its use of the PNR data. In the Undertakings, the Depa rtment of Homeland Security said that the Customs and Border Protection only uses Passenger Name R ecord data in terrorist and law enforcement 44 See supra at note 123. 45 Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87). Available at http://europa.eu.int/comm/justice_home/fsj/ privacy/docs/wpdocs /2004/wp87_en.pdf. 46 Id. at 3. 47 Id. 48 Id. at 4. 49 Id. 50 Id. at 5. The Working Party did not provide any explanation as to why there was no legal precedence for the PNR case even though they had rece ntly reached a PNR agreement with the Australian government. 51 Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection Regarding the Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543 (July 9, 2004).

PAGE 50

50 activities.52 The DHS stated that it believes that it will be rare than an individual PNR will include a full set of data.53 For those individuals flagged as high risk, the DHS said that its employees would manually search through the PNR data; otherwise, PNR data would be analyzed by automated software.54 Finally, the DHS assured that it would follow legal channels to obtain credit card transactions, e-mail co mmunications, and phone records information on high risk individuals.55 In the Undertakings, the Depart ment of Homeland Security also stated that PNR data would be transferred to the Transportation Security Administration (TSA) for analysis56 and to other government agencies, both domestic and foreign, on a case-by-case basis.57 In providing PNR data to the TSA and other governments, the DHS stated that the PNR data would be filtered for sensitive data (including ra ce and ethnicity, religious belie fs, and union memberships) and that the data would be used sole ly for terrorist screening purposes.58 The DHS promised that any transfers and storage would be s ecured by the latest technologies.59 The Undertakings mentioned that neither U.S. citizens nor non-U.S. citizens would have access to PNR data because the data would be exempt from disclosure as confidential commercial information.60 The Undertakings mentioned that through a Freedom of Information 52 Id. 53 Id. at 41,544. 54 Id. 55 Id. 56 Id. 57 Id. at 41,545. 58 Id. at 41,544. 59 Id. 60 Id. at 41,545.

PAGE 51

51 Act request, the data subject would be allowed to see his or her PNR data unless Customs and Border Protection determined that providing the data would interf ere with a law enforcement or security activity.61 The DHS stated that denying an FOIA request because of concerns that data disclosure would interfere with law enfor cement would represent an exceptional case.62 Finally, the DHS said that the PNR agreement w ould be subject to year ly joint review by the European Commission and the U.S. Department of Ho meland Security in an effort to ensure that privacy remain a priority in the U.S. PNR data searches.63 The European Commission, despite its concerns over the U.S. governments PNR uses, used the Undertakings as a guide for reaching a May 2004 agreement to continue sharing PNR data between the U.S. and the EU. The European Commission, in its report on th e European-United States PNR agreement, stated that the European Parliament had been given the chance to review the agreement but had not acted within the time limits provided by European Community law.64 The Council stated that, under Article 300(3) of the Trea ty Establishing the European Union,65 Parliament must deliver its opinion on the Commissions acti ons within a time limit chosen by the Council.66 In this case, Parliament failed to act in time and provided no reason for the delay. 61 Id. at 41,546. 62 Id. 63 Id. at 41,547. 64 Id. at 2. 65 Treaty Establishing the European Union, 1997 O.J. (L 340) at 298. Available at http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&numdoc=11997E300&model=guichet t&lg=en. 66 Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bu reau of Customs and Border Protection (10019/04/WP 87) at 2. Available at http://europa.eu.int/comm/justice_home/fsj/ privacy/docs/wpdocs /2004/wp87_en.pdf.

PAGE 52

52 The European Commission, the Council of the European Union, and the European Parliament comprise the decision-making triangle67 of European governance. Understanding the roles of these separate European governme ntal bodies is important to the present study because of their involvement in the PNR cont roversy. In the European Union governmental structure, the European Commi ssion acts as the executive arm of the government for all matters concerning the internal market. Its members ar e appointed by the Member States and approved by the European Parliament. The European Parliament, its members elected by EU citizens, is charged with supervising the EUs activities. In its supervisory responsib ilities, Parliament can require the Commission to include parliamentary proposals in Commission directives and must give approval to any international agreement negotiated by the Commission. The third EU governmental body, the Council of the European Union, shares legislative power with the Parliament. Through a co-d ecision procedure, bot h the Council and the Parliament must approve legislation on any matter dealing with the EU common economic market. The Council is comprised of ministers from each EU Member State.68 In addition to sharing authority with the Parl iament, the Council also direct s the European Commission when to open negotiations with non-European Union nations.69 Because the Parliament failed to approve or disapprove the European Commission Department of Homeland Security agreement on Passenger Name Records within its time limits, 67 How does the EU work? The decision-making triangle, http://europa.eu/abc/12lessons/lesson_4/index_en.htm ( last visited Apr. 17, 2006). 68 Id. 69 Id.

PAGE 53

53 on May 14, 2004 the Commission and Homeland Security went ahead with an agreement to continue to allow airlines to transfer PNRs to Customs and Border Protection.70 The Commission agreed that the CBP provided ad equate levels of da ta protection for the PNRs and that the practice of allowing the U.S. government to access PNR data from the airlines databases could continue only until th ere is a satisfactory system in place allowing for transmission of [PNRs] by the air carriers71 to the CBP. Nowhere in the document did the European Commission mention when such a syst em would appear or how the system would differ from the current one. To punctuate the strenuous relationship between the EU and the U.S. in the matter of the Passenger Name Records, the EC also added that the present agreement would in no way serve as a precedent for future agreements between the U.S. and the EC in matters of protecting personal privacy.72 Although this agreement a llowed the transfer of pers onal data in the name of public safety, the Commission made it clear that this was not to become a common practice and that the rules of the Di rective applying to third countries were going to be enforced in the future.73 The U.S. also conceded to limit its use of sensitive information in PNRs.74 In negotiations, the U.S. agreed to limit its use of PNR information to the passengers name, 70 Agreement between the Europ ean Community and the United States of Am erica on the processing and transfer of PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, signed in Washington on 28.5.2004 at 4. 2004 O.J. (L 183) 83. Available at http://europa.eu.int/eurlex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32004D0496:EN:HTML. 71 Id. at 5. 72 Id. at 4. 73 Id. 74 See Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights between the European Union and the United States of America (Sep. 30, 2004). Available at http://europa.eu.int/comm/justice_home/fsj/ privacy/docs/wpdocs /2004/wp97_en.pdf.

PAGE 54

54 contact details, details of the travel itinerar y,. details of the rese rvation. [and] other information, such as frequent flyer data.75 Sensitive information that the U.S. agreed not to use includes information on religious and political affiliations, health records, sexual preferences, and race.76 The fact that the U.S. agreed to limit it s use of this information showed, at least, a willingness to adjust on its end. This could be a factor for other countries that wish to conduct business with the EU but do not have such sweep ing privacy protections written into national law. On May 17, 2004, three days after the European Commission issued it s decision to allow Customs and Border Protection to continue to tr ansfer Passenger Name Record data, the Council of the European Union issued its own decision on the matter.77 The Council stated that the Parliament had failed to act on its authority to approve or di sapprove the Commission agreement and that the issue needed to be resolved quickly because of the pressure placed on the airlines to comply with competing European and U.S. standards.78 The Council also decided that the agreement between the Commission and the Depa rtment of Homeland Security provided an adequate level of protection for personal data.79 Due to the urgent nature of the issue, the Council approved the EC-DHS agreement.80 75 Id. at 5. 76 Id. 77 Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the pro cessing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 2004/496/EC. 2004 O.J. (L 183) 83. Available at http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32004D0496&model =guichett. 78 Id. 79 Id. 80 Id.

PAGE 55

55 The Opinion of the Advocate General and the Eu ropean Court of Justice Decision on the PNR Case Despite the agreement between the European Commission and the U.S., the European Parliament was not satisfied with the decisions of the Commission and the Council. Parliament brought suit to the European Cour t of Justice in July 2004, asking the ECJ to annul the European Commission and Council of the European Union decisions permitting the transfer of the PNRs.81 In the European Union system, the European C ourt of Justice (ECJ) takes cases from Member States that require a clarificat ion of European law and from Parliament when challenging an action of the European Commission. The ECJ cons ists of a judge from each Member State and eight Advocates General. Upon receiving a case the ECJ passes it on to one Advocate General who then issues a non-binding opinion on the case. The ECJ traditionally adopts the opinions of the Advocate General.82 The Court of Justice referred this case to Advocate General Philippe Lger, who issued an opinion on the case on November 22, 2005. In his opinion on the combined cases of the 2004 Commission and Council decisions on PNR ag reements, Lger sided with the European Parliament and suggested that the Court of Justi ce annul the agreements issued by the EC and the Council concerning the transfer of PNRs.83 The Advocate General argued that the Comm issions ruling that the U.S. provides adequate protection of private data was fault y. According to the Advocate General, the [European Commission Data Directive] does not apply to the proces sing of personal data 81 Opinion of Advocate General [English translation], delivered to the Eu ropean Court of Justice on 22 November 2005. Available at http://curia.eu.int/jur isp/cgi-bin/form.pl?la ng=en&Submit=Submit...f=C317%2F04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100. 82 See European Court of Justice website for further information at http://curia.eu.int/en/instit/presentationfr/index_cje.htm. 83 Id.

PAGE 56

56 undertaken in pursuance of activ ities that do not fall within the scope of Community law, particularly the processing of such data for such matters as public security and the activities of the State in relation to areas of criminal law.84 In other words, the Di rective cannot regulate the transfer of private data for security or law en forcement purposes. The Directive comes from, and applies to, the European Commission. The sole mission of the European Commission is to promote the common economic market in the Europ ean Union and the EC is not involved in law enforcement or investigations into criminal activity.85 Regarding the decision of the Council to allo w the PNR transfers, the Advocate General advised the Court of Justice to annul this decision as well.86 He used the same reasoning, that the Data Directive, or any ot her European Commission directiv e, cannot be employed in the realm of national security, defense, or law enforcement because they fall outside the Commissions authority to promot e the European common market.87 Following the opinion of Advocate General Lger, the European Court of Justice annulled both the Commissions agreement to permit the tran sfer of PNRs to the U.S. Department of Homeland Security and the Council decision a ffirming the agreement on the Passenger Name Records.88 As expected by tradition, the ECJ followe d the reasoning and the conclusion of the Advocate General in its ruling. 84 Id. at 17. 85 For more information about the structure of the EU government, visit http://europa.eu.int/abc/eurojargon/index_en.htm 86 Opinion of Advocate General [English translation], delivered to the Eu ropean Court of Justice on 22 November 2005, 36. Available at http://curia.eu.int/jurisp/cgi-bin/ form.pl?lang=en&Submit=Submit...f=C317%2F04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100. 87 Id. 88 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Commn and Council of the Eur. Union, 2006 May 30. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf.

PAGE 57

57 The Courts analysis of how the PNR case relates to Directive 95/45/EC provides important insight into the Direc tive. In its decision, the Court addressed Parliaments arguments against the agreement in a systematic fashi on. First, the Court considered Case C-318/04, Parliaments suit to annul the Council d ecision on adequacy from May 17, 2004 that had legalized the continuing program of PNR transfers to Homeland Security. In its suit, the European Parliament argued that because Article 3(2) of the Directive specifically excludes the Directive from applying to issues that fall outs ide the scope of Europ ean Community law, the Directive could not serve as a legal foundation fo r a Passenger Name Record deal with the U.S. Department of Homeland Security.89 Parliament contended that the PNR agreemen t was aimed primarily at providing the U.S. with personal data for the sake of fighting terrorism and organized crime.90 The Commission argued that although the U.S. was seeking this data for those pur poses, the Commission made the agreement in order to protect the personal data of citizens and to protect airlines from fines and other penalties that could affect the common market.91 The ECJ, however, disagreed with the EC on this issue. The Court reasoned that the text of the Counc ils decision on adequacy clearly states that the purpose of the agreement was to support the Un ited States efforts to combat terrorism and international crime and to provide data to a third country solely for this purpose.92 The ECJ reasoned that despite the fact th at the PNR data is initially co llected as a commercial activity by 89 Id. at recital 51. 90 Id. at recital 52. 91 Id. at recital 53. 92 Id. at recital 55.

PAGE 58

58 the airlines, the PNR agreement focused on the comp letely different use of the data for security and crime fighting.93 The Advocate General expounded on this point in his Opinion, pointing out that despite the Councils argument that the ag reement existed to protect th e common market, the decision on adequacy proved the opposite.94 The primary purpose of the agreement, he said, was to provide the United States with data that w ould be used in fighting terrorism.95 The Advocate General pointed out that both the EC-DHS agreement and the Councils decision contained a paragraph that mandated that the U.S. woul d actively promote the cooperation of U.S. airline companies in providing PNR data to the EU in the future if ei ther the European Union or one of its Member States desired PNR data for fighting terrorism in Europe.96 The Advocate General stated the European Commission could not claim that the purpose of the PNR agreement was to protect European citizens private data in international economic activities such as air travel when the Commission had explicitly based its decision to continue PNR transf ers in order to aid the U.S. in fighting terrorism and crime.97 The European Court of Justice, in its decision, ruled in favor of Parliaments concern that the PNR agreement infringed on Article 3(2)98 of the Directive and that the Council decision on 93 Id. at recital 57. 94 Opinion of Advocate General [English translation], delivered to the Eu ropean Court of Justice on 22 November 2005, 20. Available at http://curia.eu.int/jurisp/cgi-bin/ form.pl?lang=en&Submit=Submit...f=C317%2F04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100. 95 Id. 96 Id. 97 Id. 98 See Commission Directive 95/46/EC, 1995 O.J. (L 281) artic le 3(2). This Directive shall not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as operations concerning public security, defence, State security, and areas of criminal law.

PAGE 59

59 adequacy must be annulled.99 Having followed the opinion of Advocate General Lger in the first part of the case, the Court then turned to its analysis of Case C-317/04, Parliaments suit over the EC-DHS PNR agreement.100 In its suit, the European Parliament argue d that as with the Councils decision on adequacy, the 1995 Data Directive did not consti tute the appropriate legal foundation for the PNR agreement because it fell outside the Commissions purpose of protecting the common market.101 The Commission asserted that under the auspices of Article 95 of the Treaty Establishing the European Union the Commission and the Council had authority to seek the harmonization of law where there is a clear conf lict in international law between the EC and a third country that would affect the common market.102 Under this authority, the Commission claimed the right to use the 1995 Data Priv acy Directive as the foundation for the PNR agreements. The Court of Justice, however, ruled that Article 95 granted th e Commission and Council the authority to harmonize international laws rela ting to the European common market and not to matters of national security.103 Because the EC-DHS agreem ent relied on the authority to regulate the common market from Article 95 of the Treaty Establishing the European Union and the authority to protect the common market from data privacy concerns in third countries from 99 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Commn and Council of the Eur. Union, 2006 May 30, at recital 60. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf. 100 Id. at recital 62. 101 Id. at recital 63. 102 See Treaty Establishing the European Community, Article 95, 2002 O.J. L (C 325) 69. Available at http://eurlex.europa.eu/LexUriServ/LexUriSer v.do?uri=CELEX:12002E095:EN:HTML. 103 Id. at 67.

PAGE 60

60 the 1995 European Commission Data Directive as its legal basis, the agreement had to be annulled.104 The Court said that the both Article 95 and the 1995 Data Directive concern the functioning of the European common economic market, but that the Commissions decision on adequacy does not have as its objective and su bject-matter the establis hment and functioning of the internal market.105 In its decision to annul the 2004 agreements, the European Court of Justice held that because the PNR transfers we re for the purpose of combating terrorism and crime, activities outside the scope of the Eu ropean Commissions mandate to promote the common economic market, the Data Directive did not constitute an appropriate legal basis for the PNR agreement.106 Despite the Court of Justices annulment of the both the EC-DHS agreement and the Council decision on adequacy, the ECJ held that the PNR agreement should remain applicable for a period of 90 days so that the governments could work on a new agreement in that time. The Court said that the agreement would not be preserved past September 30, 2006.107 In October 2006, the Council of the European Union issued a decision to sign a new temporary agreement between the European Uni on and the U.S. government on the transfer of PNR data.108 This new agreement resembled the 2004 agreements in the Commissions adequacy decision and the Counc ils decision on adequacy that were annulled by the European Court of Justice. As with the 2004 agreements, the Council and Commission cited the 2004 104 Id. at 67-70. 105 Id. at 63. 106 See supra at note 218. 107 Id. at 74. 108 Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 27.

PAGE 61

61 Undertakings as ensuring adequate levels of protection for the pr ivate data in PNRs.109 As in previous agreements, the Commission and Council reserved the right to withdraw from the agreement upon receipt of concerns from the Member States about EU citizens privacy.110 Finally, the Council and Commissi on both agreed that preventing terrorism and transnational crime were the basis for the agreement to transf er PNR data to the U.S. Customs and Border Protection, just as previous agreements had stated.111 The notable difference between the 2004 agr eements and the October 2006 agreement was the latters lack of allusions to the 1995 European Commission Data Directive. The October 2006 agreement instead used Article 6(2) of the Treaty on the European Union112 as the legal basis for respecting privacy as a fundamental right and in particular to the related right to the protection of personal data.113 Due to the fact that the Treaty on the European Union applies to all areas of Europe (not just the common economic market governed by the European Commission), the agreement appeared to satisfy the literal holding of the Court of Justices ruling that the PNR agreements dealt primarily with terrorism and law enforcement, not the welfare of the common economic market. Finally, the October 2006 agreement set a date of July 2007 for creating a new, permanent PNR agreem ent between the Commission and the U.S. Customs and Border Protection.114 109 Id. 110 Id. at 28-29. 111 Id. at 29. 112 See Treaty Establishing the European Community, Article 6, at 2. 2002 O.J. (C 325) 69. 113 Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 29. 114 Id.

PAGE 62

62 The Opinion of the Advocate General versus the Court of Justices Holding in the Passenger Name Record Case In its decision to annul the European Commission-U.S. Depa rtment of Homeland Security agreement, the European Court of Justice only addressed one of the European Parliaments concerns over the Passenger Name Record agre ement. The ECJ held that the PNR agreement infringed upon Article 3(2) of the 1995 Data Directiv e, namely that the Dire ctive only applies to protecting personal data in economic activities an d not security and law enforcement activities. Having found that the Directive wa s not an appropriate legal basi s for the PNR agreement, the ECJ annulled the agreement solely on these grounds. The Court of Justice refrained from even a ddressing Parliaments other arguments saying, it is not necessary to consider th e other pleas relied upon by Parliament115 in order to annul the agreement. By basing its ruling solely on one argu ment in the case, the Court failed to address these other important concerns over the agreement, concerns that may prove problematic for future PNR agreements. The Advocate General ex amined each of these pleas in his Opinion on the case, siding with the European Commission and the Council of the European Union on every count. The other pleas set forth by Parliament against the PNR agreements are that the PNR agreement infringed on fundamental rights, that the PNR agreement was overbroad, and that the Commission and Council overstepped their auth ority in the creation of the PNR agreement. The Parliaments pleas will be discussed in separate sections. An examination of the Advocate Generals response to th ese pleas provides valuable insi ght into potential problems with future PNR agreements. 115 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Commn and Council of the Eur. Union, 2006 May 30, at recital 70. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf.

PAGE 63

63 Plea: the PNR agreement represented an in fringement of fundamental rights In its case, the European Parliament alleged that the PNR agreement between the U.S. and the E.U. failed to respect the basic human right of protecting personal data. The Parliament alleged that the system of accessing PNRs intr udes upon privacy and is overly broad in the information provided to the government.116 The Advocate General emphasized that, in Europe, privacy is a fundamental right affirmed in Article 8 of the European Convention on Human Rights and that any law seeking to limit this right cannot find acceptance in the [European Community].117 The PNR agreement, in the Advo cate Generals opinion, constituted an obviousyet justifiedintrusion on the right of privacy. In order to justify an intrusion on private life the Advocate General pointed out that such a law must meet three criteria: it must 1) be in accordance with existing law, 2) pursue a lawful and legitimate aim, 3) and be necessary for a democratic society.118 Whereas the Parliament contended that the PNR agreement was not in a ccordance to the law, Advocate General Lger said that the 2004 Department of Homeland Security Undertakings on the U.S. Passenger Name Records system ensured that the agreement was i ndeed in accordance with privacy law, the first of the three criteria.119 The Advocate General also stated hi s opinion that fighting terrorism is a legitimate governmental aim, cons istent with the second criterion.120 The third and final criterion for justifying an intrusion into private life is the issue of whether or not the interference is necessary in a democratic soci ety. In his analysis of this 116 Id. at recital 108. 117 Id. at recital 208. 118 Id. at recital 214. 119 Id. at recital 221. 120 Id. at recital 222.

PAGE 64

64 question, Advocate General Lger stated that th e European Court of Hu man Rights has defined the term necessary as a pressi ng social need that should be proportionate to the legitimate aim pursued.121 The Advocate General stated that the European courts have sought to balance the general interest and the interest of the individual in an effort to limit laws from being broadly infringing on fundamental rights,122 but that the courts have traditionally allowed European Member States a wide margin of appreciation, or a great deal of latitude, in laws seeking to maintain national security and combat terrorism.123 The PNR case, he said, is an area where the courts should allow the Commi ssion and the Council a wide ma rgin of appreciation because the case is focused mainly on maintaining national security and combating terrorism.124 Plea: the Commission and Council went beyond their authority in creating the U.S. PNR agreement. Advocate General Lger then sought to dete rmine whether or not the Commission and the Council exceeded the scope of thei r wide margin in the Passenge r Name Record agreement with the U.S.125 He then systematically addressed Parliament s arguments aimed at proving this plea. The Parliament argued that the list of 34 personal data items in the PNRs126 transferred to the Department of Homeland Security, overstepped the margin of appreciation granted to the Commission and Council. However, Advocate Ge neral Lger said that the amount of data 121 Id. at recital 226. 122 Id. at recital 228. 123 Id. at recital 230. 124 Id. at recital 231. 125 Id. at recital 234. 126 See supra at 17.

PAGE 65

65 requested is necessary for combating terrorism and therefore was within the margin of appreciation in this case.127 The Parliament also contended that the PNR agreement overstepped the margin of appreciation because the U.S. authorities woul d hold the PNR data for a long period, up to three years and six months for most records and up to eleven years and six months for data on passengers deemed as posing a high risk to U.S. national security.128 Addressing this concern, Advocate General Lger stated that the length of time for the data storage did not necessarily infringe on the right to respect of privacy. He sa id that although it is in principle desirable that personal data should be kept for a short period, it is necessary, in this case, to consider the period of storage of data from PNR in light of thei r usefulness, not only for purposes of preventing terrorism but, more widely, for law-enforcement purposes.129 In other words, the Advocate General felt that the long pe riod of data storage in the PN R agreement did not overstep the considerable latitude granted to laws aimed at combating terrorism and crime.130 The Parliament also argued that the PNR agr eements did not allow for any judicial review of the PNR program by U.S. authorities, meanin g that the U.S. court system could not impose safeguards on the U.S. governments use of PNR data.131 Advocate General Lger stated that the safeguards for protecting the PNR data from abuse in the U.S. government were adequate in protecting personal privacy while usi ng the data to combat terrorism.132 The Advocate General 127 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Commn and Council of the Eur. Union, 2006 May 30, at recital 238. 128 Id. at recital 240. 129 Id. at recital 242. 130 Id. at recital 243. 131 Id. at recital 244. 132 Id. at recital 246.

PAGE 66

66 said that the PNR agreement allowed for an i ndividual to access his or her PNR data and to correct any errors contained therein,133 and guaranteed that the Chief Privacy Officer at the Department of Homeland Security would pursue any complaints about the misuse of PNR data from the EU Member States on an expedited basis.134 In his opinion, the safeguards for the PNR program kept the agreement within the wid e margin of appreciation in this case.135 Plea: the U.S. PNR agreement was overbroad Finally, the Parliament also argued that th e PNR agreement was overbroad in that it permitted the U.S. Customs and Border Protection to transfer PNR data to other U.S. government agencies and to foreign governments.136 Again, Advocate General Lger disagreed with the Parliament on this issue. He st ated that safeguards in the DHS Undertakings were sufficient to protect PNR data from abuse in tr ansfers to other governmental bodies.137 The Advocate General said that the Customs and Border Protection would only transfer PNR data to other government bodies if the data was needed to pursue law enforcement ac tivities and that the governmental body receiving the PNR data would ha ve to have written permission from the CBP to use the PNR data.138 Summary of the Advocate Genera ls Opinion on the PNR case Following his reasoning in each of the issues mentioned above, Advocate General Lger dismissed the Parliaments plea alleging that the Passenger Name Record agreement infringed 133 Id. at recital 249. 134 Id. at recital 251. 135 Id. at recital 254. 136 Id. at recital 255. 137 Id. at recital 258. 138 Id. at recitals 259-260.

PAGE 67

67 upon the right of protection of personal data.139 The Advocate General recommended that the Court of Justice annul the PNR case because the Commission had ina ppropriately based the agreement on the 1995 Data Privacy Directive; however, the Advocate Ge neral disagreed with the Parliament on every other plea. The fact th at the Advocate General sided with the European Commission and the Council of the European Uni on on all but one of the Parliaments pleas is potentially important for future PNR agreemen ts. The potential significance of the Advocate Generals Opinion will be addressed in Chapter 4. Conclusion The Passenger Name Records disputes be tween the European Union and the U.S. government provide a revealing l ook at how Europe has attempte d to enforce the third country adequate levels of protection fo r private data requirements in the 1995 Data Directive. Despite substantially different approaches to privacy law, the U.S. and Europe have worked to try and find a balance between sharing data to combat terrorism and protecting individual privacy. The questions remain as to how Europe will apply its Directive to continued PNR agreements with the U.S. and Australia, as we ll as how these PNR agreement might affect the future of how the European Commission enforces the Data Directive to enforce data privacy protection in non-PNR cases. 139 Id. at recital 262.

PAGE 68

68 CHAPTER 4 CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE The study conducted in this thes is seeks to answer three f undamental questions about the 1995 European Commission Data Privacy Di rective. These questions are: R1: How has the EC defined adequate data pr otection laws for third countries and how has it applied this definition to third countries thus far? R2: What does the Passenger Name Records dispute between the US and the EC show about the Directives third country requirements? R3: How might the European Court of Justi ce annulment of the Pa ssenger Name Records agreements potentially affect the Directive, especially its third country requirement? This concluding chapter will constitute a summary of the issues, systematic answers to these research questions, and some concluding remarks. Summary of the Issues Since passage of the 1995 European Commissi on Directive on the protection of personal data, the European Union has required that gover nments and businesses of its Member States may only transfer private data to a third country if that country a ssures an adequate level of data privacy protection. As of the time of writing, the European Commissi on has granted national adequacy rulings to Switzerland, Canada, Arge ntina, Guernsey, and Isle of Man. The Commission has also worked with the United St ates to ensure that businesses can provide adequate levels of protection for privat e data through the Safe Harbor program.1 Through these agreements, the European Commission has consiste ntly analyzed the laws of these nations in order to determine if that nation provi des an adequate level of protection. A recent and controversial effect of the Eur opean Commissions requirements that third countries provide adequate levels of protection for private data has been the challenges to the United States post-9/11 laws requiring that co mmercial airlines provide U.S. Customs and Border Protection with Passenger Name Record data. Although the Commission reached a PNR 1 See supra at note 112.

PAGE 69

69 agreement with Australia in January 2004, that ag reement met no controversy in Europe. In the United States however, the amount of personal data in each PNR, obtained in an effort to combat terrorism and aid law enforcement measures, ha s caused European concerns over both the uses of the data and the security of transferring such data to the U.S. government. At the time of the 2004 PNR agreement, the Commission and the U.S. government seemed to have reached a satisfactory agreement to share this data, but the European Parliament challenged this PNR agreement in the European C ourt of Justice. The ECJ then proceeded to annul the agreement, stating th at the Commission could not base its PNR agreements on the 1995 Data Directive because the Commission does not oversee national security and terrorism activities. The European Commission, whose mission is to oversee the European common economic market, had inappropriately used a di rective focused on ensuring the protection of private data in commercial activities to an agr eement aimed at protecting private data used for security purposes. How Has the EC Defined Adequate Data Protection Laws for Third Countries and How Has the EC Applied This Definition to Third Countries Thus Far? Although the Data Directive neve r specifically defines adequ acy, an analysis of the Directive provides a list of five elements of data prot ection that the European Commission examines in determining adequacy: The lawfulness of the processing of personal data The special protection of sensitive data The rights of the data subjects The security of the act ual processing of data The existence of control and enforcement measures.2 2 See Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level of Data Protection According to Article 25 of the European Data Directive 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 559 (2003).

PAGE 70

70 Using this definition of adequacy, the European Commission has been fa irly consistent in determining whether or not a thir d country provides ade quate levels of data privacy protection. As discussed in Chapter 2, the Commission systematically studied the privacy laws of Switzerland, Canada, Argentina, Guernsey, and Isle of Man. In each decision, the Commission found that the laws of these nations adequately protect data privacy acco rding to the five-part definition from the 1995 Data Privacy Directive. In the case of the United States, the Eur opean Commission has sought to compromise in order to continue trans-Atlantic commerce while protecting private data. In negotiating a Safe Harbor agreement, the Commission found a way fo r U.S. businesses to meet the definition of adequacy from the 1995 Data Directive and thereby to continue the practice of transferring data. Apart from the Safe Harbor agreement, the Eu ropean Commission has worked to negotiate an agreement with the United States government to transfer the Passenge r Name Records of all travelers on flights landing in or l eaving from the U.S. As with the Safe Harbor agreement, the Commission has sought to apply th e principles of adequacy in the 1995 Data Privacy Directive and protect the transfer of data to a specifi c destination, the U.S. Department of Homeland Security. Overall, the European Commission has consis tently used the 1995 Data Privacy Directive as a legal framework for determining the adequacy of the handful of countries that have sought adequacy determinations from the Commission. The consistent use of the adequacy definition has created precedence for future adequacy determin ations concerning the transfer of private data to a third country government or business.

PAGE 71

71 What Does the Passenger Name Records Dis pute Between the US and the EC Show about the Directives Third Country Requirements? The Court of Justices opinion in the PNR agr eement seemed to refocus, for the European Commission, the scope of the 1995 Data Directive to purely economic matters. In agreements based on securing the protection of private da ta in business matters, the Commission has consistently applied its definition of adequ acy. With the PNR dispute, the European Commission was forced to negotiate with the United States to provide ade quate levels of data privacy protection for the PNR data of European ci tizens. But, the Court of Justice ruled in the PNR case, the Directive could not serve as a legal foundation for an agreement whose primary focus is national security and combating terrorism. Through the PNR cases, the Court of Justice that the Data Privacy Directive can only serve as a legal foundation for protecting privacy in the common economic market. Although this concept seemed clear from the Directives creati on in 1995 because it originated in the European Commissionoverseers of the European common economic marketthe PNR case has served as a tool for judging when an agreement falls ou tside of the common mark et. As discussed in Chapter 3, the PNR agreements concerned the transf er of data from commercial airlines to the Australian and U.S. governments. Because the agreements dealt with the commercial airlines, the European Commission claimed that the underlying purpose of the PNR agreement with the U.S. was to protect European citizens private data in an economic setting (the commercial airlines). Both the Advocate General of the Cour t of Justice and the Eur opean Court of Justice itself disagreed with the Comm issions claim and instead f ound that the language of the agreements clearly indicated that the primar y purpose behind the PNR agreements was fighting terrorism and crime.3 3 See supra at note 218.

PAGE 72

72 The result of the PNR dispute is that only those agreements with the fundamental purpose of protecting privacy in the common economic ma rket can use the 1995 Data Privacy Directive as a legal foundation. For matters such as the c ontinuation of trans-Atlan tic business covered by the U.S.-EU Safe Harbor agreement, the Data Priv acy Directive stands in full force, strengthened through the adequacy decisions with multiple countries. How Might the European Court of Justice Annulment of the Passenger Name Records Agreements Potentially Affect the Directive, Especially Its Third Country Requirement? The question remains as to how the PNR case may affect the use of the 1995 Data Directive and how the European Union will seek to protect private data that falls outside the scope of the Data Directive. An analysis of the Advocate Generals Op inion on the European CommissionU.S. government, as well as a look at a 2004 Passe nger Name Record agreement between the Commission and Australia, provide important in dicators as to how the Passenger Name Records cases might affect the efficacy of the Data Di rective to require third countries to provide adequate levels of prot ection for private data. The Advocate Generals Opinion versus th e European Court of Justices Ruling As discussed in Chapter 3, the European Cour t of Justice followed the opinion issued by Advocate General Lger and annulled both the European Commissions decision on adequacy and the Council of the European Unions decision to form the Passenger Name Record agreement with the U.S. government. The ECJ base d its decision solely on the fact that the 1995 Data Directive was an inappropria te legal foundation for a law dea ling with national security and law enforcement. The Court failed to rule on the European Parliaments other concerns, the issues that the Advocate Genera l addressed in his opinion. As discussed in Chapter 3, the Parliament alleged that the 2004 PNR agreement infringed upon fundament al rights; that the

PAGE 73

73 Council and Commission overstepped their legal authority in th e agreement; and, that the PNR agreement was overbroad.4 The Courts failure to specifical ly address these issues leaves the possibility that the Parliament could dispute fu ture PNR agreements with these same unanswered pleas. The temporary Passenger Name Record Agreem ent between Europe and the U.S. from October 2006 did not use the 1995 European Commi ssion Data Directive as its legal foundation, but instead based its foundation in the European Convention on Human Rights (ECHR) and its requirement to protect private data as a human right.5 The ECHR applies to all aspects of European government including s ecurity and the economic market. If the European Parliament challenged the 2006 or future PNR agreements, it w ould not be able to ch allenge the use of the ECHR as the legal foundation for the new agreemen t because the ECHR covers privacy rights in both the economic and national security domains. In the October 2006 PNR agreement, the Commission and the Council held that the U.S. provided adequate levels of da ta protection for the PNR data based on the 2004 Undertakings by the Department of Homeland Security.6 In the Advocate Genera ls Opinion on the 2004 PNR agreements, he relied upon these same Undertaki ngs to dismiss each of the Parliaments pleas related to infringement of the human right of privacy. According to pr ecedence, the Court of Justice would likely follow the Advocate Genera ls reasoning and rule in favor of a PNR agreement based on the legal foundation of the ECHR and the PNR system designed in the 2004 Undertakings. The expected July 2007 PN R agreement mandated by the October 2006 4 See supra at page 54. 5 See supra at note 236 6 For an overview of the Undertakings, see supra at page 41.

PAGE 74

74 temporary PNR agreement7 will likely use the 2004 Undertakings as a foundation for determining adequate levels of data privacy prot ection just as the previ ous PNR agreements have done. The Passenger Name Record controversy began as a question of determining the adequacy of data privacy protection based on the 1995 Data Directive but the Europ ean Court of Justices 2004 ruling effectively changed the legal f oundation for such agreements. Although the European Commission is still the body charged with determining whether the laws of third countries (the U.S. in this case) provide adequa te protection for private data, the Commission can only require that a third country meets the Data Privacy Directives definition of adequacy in cases based on promoting the common economic market. Without the legal framework of the Data Directive in determining adequacy in th e special cases of Passenger Name Records, the question remains how the Commission will determine adequacy and if there will be consistent application of such determinations in future PNR deals. If the Commission sticks to an economic rational for agreements with third c ountries, the Commission can base the agreement on the Data Privacy Directive and apply its definition of adequacy to the third country in the agreement. If the Commission tries again to fo rm a PNR agreement based on the Data Directive, it is likely to fail because the fundamental purpos es for obtaining Passenger Name Records are to combat terrorism and fight crime. Although the Passenger Name Record agreement between the EU and the U.S. has sparked controversy since its inception, this PNR agreem ent is not the only one reached between Europe and a third country. As discu ssed in Chapter 3, the European Commission also formed an 7 See supra at page 53.

PAGE 75

75 agreement with the Australian government in 2004 to transfer PNR data to Australian Customs. The details of the PNR system in Australia differ significantly from the U.S. system. The Australian PNR Agreement versus the U.S. PNR agreement Unlike the situation between the U.S. and the EU, neither governments nor private organizations have challenged the Europ ean Commissions opinion on the adequacy of Australias PNR system. Being consistent to a national legal precedence of protecting the privacy of personal data, the Australian government required specific proc edures to ensure, in the Commissions opinion, high levels of protecti on for the private data transferred in PNRs. In the Article 29 Working Partys8 Opinion on the transfer of PNRs to Australia, the Working Party noted that the Australian system of PNR retention presents an important and fundamental difference compared to the US approach.9 For example, where the U.S. Department of Homeland Security requires all PNR data to be processed a nd stored in separate databases for a long amount of time, the Australian laws only require that the PNR data of .05%.1% of passengers be processed and stored in one database for a case specific very short period of time.10 Even though the EU-U.S. agreement and the EU-A ustralian are different in some ways, the two documents are similar in two important ways First, the scope of these agreements is narrowly focused on the question of Passenger Na me Records. Whereas Switzerland, Canada, and the few other countries mentioned in Chap ter 2 have received full status for providing 8 As explained in Chapter 2, the Article 29 Working Party consists of privacy commissioners from the Member States. Among other responsibilities, the Working Party is charged with analyzing the la ws of third countries and reporting its findings to the European Commission. See supra at note 123. 9 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85) at 7. 10 Id.

PAGE 76

76 adequate levels of protection for personal data at a national level, the PNR agreements focus only on the question of adequacy in protecting PNR data. The second, and perhaps most important, simila rity between the Australian and U.S. PNR agreements with the Commission is that both agreements cite national security and law enforcement as the reasons for requiring the air lines to provide governme nts with the Passenger Name Record information. Citing security and law enforcement as the reasons for the agreements, both agreements use the 1995 Europ ean Commission Data Directive as their legal foundation. As explained in Chapter 3, the Eu ropean Court of Jus tice annulled the U.S.European PNR agreements of 2004 on grounds that the 1995 Data Directive cannot apply to national security and law enforcement because those activities fall outside of the scope of European Commission law.11 The annulment of the PNR agreement has forced the Commission and the United States to base the new PNR agreement on the European Convention on Human Rights. As Australia and the Commission review their 2004 agreement to transfer PNR data, in mid 2007, the Commission might need to follo w the lead of the October 2006 EU-U.S. agreement and change the lega l foundation for the agreement. Just as there are similarities between the U.S. and Australian Passenger Name Records agreements, there are also notable differences betw een them that help to understand why the U.S. deal has drawn criticism from Europeans. On e major difference is the issue of PNR data retention. As discussed in Chapter 3, the U.S. system requires the retention of PNR data for a minimum of three years and six months and grants the U.S. government the right to extend that retention period by eight years.12 The Australian PNR system mandates that PNR data be 11 See supra at note 118. 12 See supra at page 56.

PAGE 77

77 retained for only 24-48 hours afte r the flight, except in the ca ses of travelers accused or convicted of breaking Australian customs laws. Even though the Advocate General ruled in the U.S. case that these practices were legal, leng thy periods of data rete ntion and an open book to transfer the personal data in Passenger Na me Records has caused concern among European citizens. Another difference between the two agreements is the question of tran sferring PNR data to other foreign governments. The U.S. PNR syst em specifically permits Customs and Border Protection to transfer PNR data to other U.S. gove rnment agencies, or to foreign countries, in order to combat terrorism and fight international crime. The Australian agreement permits Customs to transfer a small amount of PNR data to other Australian government agencies, but there is no provision for passing th is data to foreign governments.13 The fact that Australian PNR system contains a higher level of data privacy protection than the U.S. system might explain why the U.S. PNR agreement has drawn controversy while the Australian PNR agreement has met no documented opposition. Following the Advocate Generals 2004 Opinion though, both the U.S. and Au stralian agreements would likely stand as long as they choose a different legal framework from the Data Directive. Resolving the Current PNR Agreement The October 2006 temporary Passenger Name Records agreement between the U.S. and the European Commission set a July 2007 date for forging a new PNR agreement. As previously discussed, this agreement will likely use the 2004 Department of Homeland Security Undertakings analyzed in Chapter 3 and Artic le 8(2) of the European Convention on Human 13 See supra at note 138.

PAGE 78

78 Rights as legal framework for the deal.14 Taking into considerati on the competing needs of fighting international crime and protecting pr ivate data, the following discussion lays a framework for a deal that, in the opinion of this author, what would constitute the appropriate accommodations between U.S. and European interests in the PNR agreement. Components of a PNR Agreement with Ap propriate Accommodations for Europe For the Europeans, appropriate accommodations would include the guarantees in place from the 2004 Undertakings that the U.S. PNR sy stem meet Data Privacy Directives definition of adequacy.15 The European Commission, the Counc il of the European Union, and the Advocate General of the Court of Justice have all judged the Undertakings to provide an adequate level of priv ate data protection. Through the Undertakings, the Department of Homeland Security promises that the data will be used only for combating terrorism and for law enforcement purposes. The DHS also promises that sensitive data, such as racial background and re ligious/philosophical background, will not be transferred from the airlines to the Customs and Border Protection. The DHS Undertakings also permit indi viduals, whether U.S. citizen or not, to request their own PNR files and to correct any wrong information therein. As discussed in Chap ter 3, the Undertakings contain a provision wherein the DHS can deny an individuals request to access his or her PNR file;16 however, the DHS said that such a denial w ould be rare. To appr opriately accommodate European interests, a PNR agreement with th e U.S. would also gran t the individual whose 14 See supra at note 236. 15 As discussed throughout this thesis the Data Privacy Directive focuses on five key elements in determining adequacy: the lawfulness of the processing of data; speci al protection of sensitive data; rights of the data subject; security of the actual processing of data; and, th e existence of control and enforcement measures. See supra at note 260. 16 See supra at note 180.

PAGE 79

79 request for access to his or her PN R data has been denied an ave nue for petition, whether that be through the Chief Privacy Officer at the Department of Home land Security or through the European Commission. The guarantee of an avenue of redress for Europeans would help to ease European concerns over the rights of data subjects and the existence of enforcement and control measures under the U.S. PNR agreement. Continuing the question of appropriate accommod ations for Europe, the DHS promises in the Undertakings that PNR transfers will occur under secure circumstances, meaning that the DHS will use technology to protect the processi ng of PNR data. If followed through, this will this satisfy the adequacy component of securing the data processing. To ensure appropriate accommodations for Eur opean interests, the Undertakings, as well as the 2004 and 2006 PNR agreements, mandate th at the U.S. and the European Commission perform annual reviews of the PNR program. Th e Undertakings and PNR agreements also allow for the agreements to be void at any moment if the Commission discovers U.S. abuses of PNR data. The final appropriate accommodation for Europ ean interests is a promise found in the 2004 and 2006 PNR agreements that says the U.S. will not hinder any PNR data from transfer to Europe if the European government were to pass a PNR law as well. This guarantee of reciprocity would help to accommodate Eu ropean interests in a PNR agreement. Components of a PNR Agreement with Ap propriate Accommodations for the U.S. For a PNR agreement to satisfy U.S. intere sts, there are severa l accommodations that should be guaranteed. As outlined in the 2004 Undertakings and as agreed to by the Commission, the Council, and the Advocate General, the U.S. should be allowed to keep the PNR data of high-risk passengers for over 11 year s. This will allow the U.S. to access the

PAGE 80

80 valuable private data in PNRs throughout the co urse of potentially lengthy terrorism and crime investigations. To appropriately accommodate U.S. interests, a PNR agreement should also continue to allow the Customs and Border Protection the author ity to transfer PNR data to both domestic and foreign government agencies, as outlined in th e 2004 Undertakings. This accommodation should enable the U.S. to enlist the aid of other gove rnments in combating terrorism and international crime. In addition to the aut hority to transfer PNR data to other areas of government, the PNR agreement should also grant the U.S. the accommoda tions of continued Eur opean participation in PNR sharing and the right of the DHS to deny a re quest for an individuals PNR data if granting the request would hinder a law enforcement operation, accommodations already part of the 2004 Undertakings. This proposed list of appropriate accommodati ons for both European and U.S. interests would create a PNR deal that could satisfy both sides of the Atlantic. Resolving Future PNR Agreements and Decisions on Adequacy In the Advocate Generals Opinion on the 2004 PNR agreement, he reasoned that although the Passenger Name Record agreements infringe upon the right to personal data privacy, the need to use the PNR data to combat terrorism made the infringement legal. Following the Opinion of the Advocate General, it is likely that the European Court of Justice would rule in favor of the Commission and the Council of the European Union if the European Parliament were to allege that the PNR agreement infringes on the right to personal privacy. The Commission will continue to use the 1995 European Commission Data Directive as a legal framework for adequacy determinations fo cused on a third countrys privacy protections. If more countries follow the European model for protecting privacy and seek to have an adequacy determination from the Commissi on, as Canada and Argentina have done,

PAGE 81

81 precedence17 shows that the Commission will examine th at countrys privacy laws in comparison to the definition of adequacy in the Data Directiv e. What remains to be seen is a case where the European Commission determines that a coun try or business does not provide adequate protection for private data and is unable to reach a compromise as it has done with the United States. As discussed previously, scholar Kevin Bloss noted that if the Eur opean Commission were unable to reach a deal with a th ird country on the transf er of private data, a third country could bring a challenge to the Data Directiv e before the World Trade Organization.18 Under the General Agreement on Tariffs and Trade (GATT) rules, a third country could ask the WTO to mediate between the third count ry and the European Union.19 This scenario is plausible and would likely hinge on how much the European Uni on and the third country in the dispute would have demonstrated a willingness to work w ith governments and businesses to ensure both continued data transfers and th e protection of private data. Conclusion With the creation of the 1995 Data Privacy Dire ctive, the European Union sought to unify the data protection laws of its Me mber States and to ensure an adequate level of data privacy protection in all European data transfers. Sin ce its passage, a handful of nations have followed Europes lead and have been granted the status of countries that adequately protect private data. The European Commission has been consistent in applying the Data Privacy Directives definition of adequacy to deal with third countries so far. The Commission has also shown its 17 In this case, the precedence being that the European Commission has cons istently applied the definition of adequacy in its third country assessments thus far. See Chapter 2. 18 Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN. J. GLOBAL TRADE 645 (2000). 19 Id. at 655.

PAGE 82

82 willingness to work with the Australian government on a PNR agreement and the U.S. government on the Safe Harbor and PNR agreements. Thus far, the biggest challenges to the Europ ean Data Privacy Directive have come from negotiating the protection of privat e data with the United States gove rnment and U.S. businesses. The cases of the Safe Harbor and the Passenger Name Records have shown how the scope of the Directive is limited to protecting private data in matters concerning the European common economic market. The PNR cases have also re vealed how the European Commission is willing to balance the protection of Eur opeans individual privacy with the Australian and U.S. needs to combat terrorism and fight inte rnational crime. Although the controversy over the EuropeanU.S. PNR case continues and Europeans citizens continue to feel threatened by the U.S. governments use of their private data in Passenger Name Records,20 the PNR dispute has shown that Europe is willing to negotiate with third countries in an effort to protect the uses and transfers of European citizens private data in PNR programs desi gned to combat terrorism. The challenge for Europe is how it is going to bala nce its commitment to privacy with the fight against terrorism. It is possible that in the current situation where terrorism is a global concern, more third countries will enact legislation requiring the transfer of Passenger Name Records to that countrys government. If this is the case, it is likely that the European Commission will seek to negotiate a PNR agreement with that nation in an effort to protect the privacy of Europeans private data. It is also probable that, with time, more nations will enact other legislation protecting the distri bution of personal information between businesses and governments that will require negotiations with the European Commissi on due to the Data Privacy Directives third 20 See supra at note 47.

PAGE 83

83 country requirement. As of the time of this thesis in June 2007, the European Commission has not announced any inquiries into e ither the Passenger Name Record s or national privacy laws of any third countries. Despite the continued development of intern ational agreements and European case law surrounding the 1995 Data Directive, another challenge to the effec tiveness of the Directive is perhaps its enforcement inside Europe. The Di rective only functions as it should when the individual EU Member States, and the businesse s in them, discover that a third country or a business in a third country does not maintain adequa te levels of data privacy protection and then lodges a complaint. Unless a Member State or Eu ropean business goes through this process, or a third country voluntarily seeks a Commission study on that country s level of protection for private data, the Directive fails to ensure that th e private data of European citizens is adequately protected by third country governments and businesses. The challenge of tryi ng to ensure that all data transfers are secure from a EU Memb er State to a third country is daunting. A dual challenge to the effectiveness of the Da ta Privacy Directive is the practical question of whether or not the governments and businesses of the Member States themselves protect the data of European citizens. The Europ ean Commission has previously studied the implementation of the Data Privacy Directive into the individual Member States in an effort to see how they were doing at prot ecting Europeans private data.21 As explained in Chapter 1, Directives are enacted at the European Union leve l, then adapted into the laws of the individual Member States by a given date.22 The subject of how each Me mber State has specifically implemented the provisions of the Data Privacy Directive merits a co mprehensive study of its 21 See European Commissions Status of implementation of Directive 95/46 at Freedom, Security, and Justice website, available at http://ec.europa.eu/justice_home/fsj/privacy/law/implementation_en.htm. 22 See supra at note 7.

PAGE 84

84 own and should be the subject of future research. Understandi ng how the Member States are protecting data privacy within may shed light on the practicality of enforcing the Data Directive in third countries as well. Further research should focus on several important questions surrounding the 1995 Data Privacy Directive. As mentioned above, research should explore the issue of the implementation of the Data Privacy Directive into the individual Member States. Further research should also address the difficult question of w hy so few of Europes trade part ners have sought an adequacy ruling or been the subject of a privacy concern by European citizens. Further research should also focus on how the U.S. is actually using the PNR data and if it is following the principles set forth in the 2004 Undertakings of the PNR system. Additionally, further research should attempt to find out what nations other than the United States and Australia are doing with Passenger Name Records. These important research subjects fell outside of the scope of this thesis, yet they must be addressed in order to continue to understand the effec tiveness of the 1995 Data Privacy Directive.

PAGE 85

85 REFERENCE LIST Agreement between the European Community and the United States of America on the processing and transfer of PNR data by air carr iers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, si gned in Washington on 28.5.2004 at 4. 2004 O.J. (L 183) 83. Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) da ta by air carriers to the United States Department of Homeland Security, 2006 O.J. (L 298) 29. Aviation and Transportation Security Ac t of 2001, Pub. L. No. 107--71, 115 Stat. 597. Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European Information Privacy Network 26 MICH J. INTL L. 807 (2005). Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy 9 MINN. J. GLOBAL TRADE 645 (2000). Border Security Legislation Amendmen t (Terrorism) Act, 2002, c. 64 (Austl.). David A. Castor, Note: Treading Water in the Data Privacy Age: An Analysis of Safe Harbors First Year 12 IND. INT'L & COMP. L. REV. 265; 2002. Commission Decision, 2000/520/EC, 2000 O.J. (L 215) 7. Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3. Commission Decision 2003/821/EC, 2003 O.J. (L 308). 5 Commission Decision 2004/ 411/EC, 2004 OJ (L 151). Commission Directive 95/46/EC, Directive of the European Par liament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1995 O.J. (L 281). Commonwealth Privacy Act, 1988, c. 118 (Austl.). Council Decision of 17 May 2004 on the conclusion of an agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Depart ment of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC). Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of passenger name record (PNR ) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 27.

PAGE 86

86 European Commissions Status of implementati on of Directive 95/46 at Freedom, Security, and Justice website, accessed March 14, 2006, available at http://ec.europa.eu/justice_home/ fsj/privacy/law/implementation_en.htm Griswold v. Connecticut 381 U.S. 479, 483 (1965). How does the EU work? The decision-m aking triangle, accessed June 12, 2007, available at http://europa.eu/abc/12less ons/lesson_4/index_en.htm. Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Commn and Council of the Eur. Union, 2006 May 30, accessed July 31, 2007 available at http://ec.europa.eu/ju stice_home/fsj/privacy. Letter from Frits Bolkenstein, Member of European Commissi on, to Tom Ridge, Director of Homeland Security (Dec. 18, 2003), March 14, 2006, available at http://ec.europa.eu/ju stice_home/fsj/privacy. Office of the Privacy Commissioner of Canada website accessed March 14, 2006, available at http://www.privcom.gc.ca/aboutUs/index_e.asp. Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November 2005, July 31, 2007, available at http://curia.eu.int. Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85). Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the Unite d States' Bureau of Customs and Border Protection (10019/04/WP 87). Opinion 8/2004 on the information for passengers c oncerning the transfer of PNR data on flights between the European Union and the Un ited States of America (Sep. 30, 2004). Privacy Act of 1974, 5 U.S.C. 552a. Joel Reidenberg, E-Commerce and Privacy Institute for Inte llectual Property & Information Law Symposium: E-Commerce and Trans-Atlantic Privacy 38 HOUS. L. REV. 717 (2001). Paul Schwartz, Data Protection Law and the European Uni ons Directive: the Challenge for the United States: European Data Protection La w and Restrictions on International Data Flows 80 IOWA L. REV. 471 (1995). The 2005 CIA World Factbook, accessed March 14, 2006, available at http://ww.cia.gov. The Personal Data Protection Act No. 25.326 of 4 October 2000 (Arg.). Treaty Establishing the European Community art. 249, accessed March 14, 2006, available at http://eur-lex.europa.eu/en/index.htm.

PAGE 87

87 Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543, 41,547 (July 9, 2004). U.S. CONST. amend. IV. U.S. Dept. of Commerce website, accessed March 14, 2006, http://www.export.gov/s afeHarbor/index.html. Alexander Zinser; European Data Protection Directive: the Determination of the Adequacy Requirement in International Data Transfers 6 TUL. J. TECH. & INTELL. PROP. 171 (2004). Alexander Zinser, International Data Transfer Out of th e European Union: the Adequate Level of Data Protection According to Arti cle 25 of the European Data Directive 21 J. MARSHALL J. COMPUTER & INFO. L. 547, (2003).

PAGE 88

88 BIOGRAPHICAL SKETCH Jonathan Mason received a Bachelor of Ar ts in communications from Brigham Young University in 2005. Following his undergradu ate education, he entered the College of Journalism and Communications at the University of Florida in the media law program, studying with Dr. Bill Chamberlin. During his undergradu ate studies, Jonathan spent 2 years in France and western Switzerland as missiona ry, where he gained great inte rest in European culture, history, and politics.