Citation
The Influence of the European Commission Data Privacy Directive on Third Countries and the Passenger Name Record Controversy

Material Information

Title:
The Influence of the European Commission Data Privacy Directive on Third Countries and the Passenger Name Record Controversy
Creator:
Mason, Jonathan D
Place of Publication:
[Gainesville, Fla.]
Florida
Publisher:
University of Florida
Publication Date:
Language:
English
Physical Description:
1 online resource (88 p.)

Thesis/Dissertation Information

Degree:
Master's (M.A.M.C.)
Degree Grantor:
University of Florida
Degree Disciplines:
Mass Communication
Journalism and Communications
Committee Chair:
Chamberlin, William F.
Committee Members:
Ostroff, David H.
Chance, Sandra F.
Graduation Date:
8/11/2007

Subjects

Subjects / Keywords:
Data security ( jstor )
Home security ( jstor )
Homeland ( jstor )
Parliaments ( jstor )
Passengers ( jstor )
Personal information ( jstor )
Privacy rights ( jstor )
Recordings ( jstor )
Securities transfers ( jstor )
Terrorism ( jstor )
Journalism and Communications -- Dissertations, Academic -- UF
adequacy, airline, country, court, data, directive, ec, eu, europe, justice, law, name, passenger, personal, privacy, protection, record, third, us
Genre:
bibliography ( marcgt )
theses ( marcgt )
government publication (state, provincial, territorial, dependent) ( marcgt )
born-digital ( sobekcm )
Electronic Thesis or Dissertation
Mass Communication thesis, M.A.M.C.

Notes

Abstract:
In an age when governments and businesses transfer personal data of individuals over the Internet, the U.S. and the European Union have tried to protect such data in different ways. Whereas the U.S. has sought to protect specific types of private data (such as health records and financial data), the European Union passed the 1995 Data Privacy Directive as a way to protect all private data. In the 1995 Data Directive, the European Union sought to protect the private data of European citizens within Europe and without. The Data Directive mandates that non-European Union countries must have adequate levels of data protection if they are to transfer private data in or out of Europe. The EU has allowed a handful of nations to transfer private data because the E.U. deemed their laws adequate in protecting private data. The challenge to the E.U. has been trying to work out the protection of private data with the U.S. An important area of contention over transferring private data has been the U.S. requirement since late 2001 that all airline carriers arriving or departing from the U.S. must provide the U.S. government with Passenger Name Records, a packet of data collected by the airlines that contains private data such as contact information and financial information. The U.S. requires this information in order to screen passengers for security threats. In 2004, the U.S. and the EU had reached an agreement to transfer this data, but the European Court of Justice annulled this agreement and said that the EU could not use the 1995 Data Directive as a foundation for such an agreement. The Court of Justice gave the two sides until July 2007 to reach a new agreement. An agreement meeting the needs of both sides would protect the privacy of airline passengers while providing the U.S. with the data needed to combat terrorism and protect national security. ( en )
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Thesis:
Thesis (M.A.M.C.)--University of Florida, 2007.
Local:
Adviser: Chamberlin, William F.
Statement of Responsibility:
by Jonathan D Mason.

Record Information

Source Institution:
UFRGP
Rights Management:
Copyright Mason, Jonathan D. Permission granted to the University of Florida to digitize, archive and distribute this item for non-profit research and educational purposes. Any reuse of this item in excess of fair use or other copyright exemptions requires permission of the copyright holder.
Resource Identifier:
662635761 ( OCLC )
Classification:
LD1780 2007 ( lcc )


Full Text






Undertakings as ensuring adequate levels of protection for the private data in PNRs. 109 As in

previous agreements, the Commission and Council reserved the right to withdraw from the

agreement upon receipt of concerns from the Member States about EU citizens' privacy. 110

Finally, the Council and Commission both agreed that preventing terrorism and transnational

crime were the basis for the agreement to transfer PNR data to the U.S. Customs and Border

Protection, just as previous agreements had stated.111

The notable difference between the 2004 agreements and the October 2006 agreement was

the latter's lack of allusions to the 1995 European Commission Data Directive. The October

2006 agreement instead used Article 6(2) of the Treaty on the European Union112 as the legal

basis for respecting privacy as a fundamental right "and in particular to the related right to the

protection of personal data."113 Due to the fact that the Treaty on the European Union applies to

all areas of Europe (not just the common economic market governed by the European

Commission), the agreement appeared to satisfy the literal holding of the Court of Justice's

ruling that the PNR agreements dealt primarily with terrorism and law enforcement, not the

welfare of the common economic market. Finally, the October 2006 agreement set a date of July

2007 for creating a new, permanent PNR agreement between the Commission and the U.S.

Customs and Border Protection. 114




109 Id.

110 Id. at 28-29.

111 Id. at 29.

112 See Treaty Establishing the European Community, Article 6, at 2. 2002 O.J. (C 325) 69.

113 Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of
passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 29.
114 Id.









errors in that data, as well as to seek compensation from a data controller who misuses the

private data of a data subject (criteria 3 and 5).57

Despite the lack of detail and analysis of these acts, the EC report says that the laws of

Guernsey allow for adequate levels of data privacy protection.58 The laws of Guernsey also

meet Zinser's five criteria for determining adequacy.

United States "Safe Harbor"

Because of different approaches towards data privacy protection in the U.S. and the EU,

and because of the economic interdependence of these two economies, the EU Data Directive

has presented significant challenges for the U.S. and the EU. With little prospect of a U.S.

national law recognizing data privacy as a fundamental right and enacting broad, general privacy

legislation, the European Commission adopted the U.S. Department of Commerce's "Safe

Harbour Privacy Principles and Frequently Asked Questions"59 (hereafter "Safe Harbor" and

"FAQs") on July 26, 2000.60 The Safe Harbor was created to allow businesses and organizations

in EU Member States to legally (under EU law) transfer personal data to businesses in the U.S.

and to protect trans-Atlantic commerce.

The rules of Safe Harbor apply to businesses under the jurisdiction of the Department of

Commerce and the Federal Trade Commission. These rules allow U.S. businesses to continue

data transfers with EU businesses by opting in to data principles that mirror much of the

provisions of the Directive, including ensuring that data transfers are secure (criterion 4),

granting data subjects rights to access their data (criterion 3), providing data subjects with


57 Id.

58 Id. at (9).

59 See U.S. Dept. of Commerce website, http://www.export.gov/safeHarbor/index.html.

60 Commission Decision, 2000/520/EC, 2000 O.J. (L 215) 7.










The Working Party also noted that the Australian PNR agreements mandate "high levels"

of security when working with PNR data. 22 To protect sensitive information in PNRs, Australia

allows only a "small group"23 of individuals access to PNR data. This group of individuals must

pass through three layers of passwords and identification confirmation before accessing the PNR

records. Additionally, PNR data is stored on an electronic network separate from other networks

in the Australian Customs agency system.24

The Australian PNR law also grants individuals the right to access and correct any data in

their records. Because most PNR data may be stored for only 24-48 hours, this aspect of the law

applies only to individuals who have been charged with violating Customs or border protection

laws. These individuals, whether charged or convicted, have a legal right to access their PNR

data and to rectify errors therein.25

The Australian PNR agreement also grants the Australian Privacy Commissioner the

authority to petition the Australian legislature to change any PNR practices that may not be in

line with existing Australian privacy laws.26 The PNR arrangement also gives the Privacy

Commissioner the authority to investigate alleged abuses of PNR brought forth by either

Australian citizens or non-citizens.27

The European Commission adopted the Working Party's Opinion on the adequacy of

private data protection in Australia's PNR system in January 2004. Under the recommendation


22 Id.

23 Id. at 8.

24 Id. at 10. The Working Party also noted that Customs officials refrain from using PNR data and visa information
together in any way. Id.
25 Id. at 11.

26 Id.

27 Id.










developments of the PNR dispute and how this case might affect the enforcement and

effectiveness of the Data Directive in the future.

Research Questions

* R1: How has the EC defined adequate data protection laws for third countries and how has
it applied this definition to third countries thus far?

* R2: What does the Passenger Name Records dispute between the US and the EC show
about the Directive's third country requirements? How might this affect the future of the
Directive with other third countries?

* R3: How might the European Court of Justice annulment of the Passenger Name Records
agreements potentially affect the Directive, especially its third country requirement?


Research Methods

This thesis is a legal analysis of both international and domestic data privacy laws. The

research for this thesis will include extensive analysis of legal documents concerning the EC

Data Directive, the data privacy laws of third countries, the use of Passenger Name Records by

the US Department of Homeland Security, and the European Court of Justice decision on the

EC/DHS PNR agreements.

Research for this thesis was conducted using LexisNexis, the websites of the European

Union, and relevant websites from the U.S. government (including the Department of Homeland

Security). All primary documents cited may be accessed from these sources.

This thesis conforms to the Bluebook style for legal writing and uses the standard legal

system of footnoting.

Conclusion

The research for this thesis is necessary for contributing to the understanding of how the

EC has applied the Directive's adequacy requirements to third countries thus far. The legal field

has yet to analyze the recent developments in the European Commission/Department of










Plea: the PNR agreement represented an infringement of fundamental rights

In its case, the European Parliament alleged that the PNR agreement between the U.S. and

the E.U. failed to respect the basic human right of protecting personal data. The Parliament

alleged that the system of accessing PNRs intrudes upon privacy and is overly broad in the

information provided to the government. 116 The Advocate General emphasized that, in Europe,

privacy is a fundamental right affirmed in Article 8 of the European Convention on Human

Rights and that any law seeking to limit this right "cannot find acceptance in the [European

Community]."117 The PNR agreement, in the Advocate General's opinion, constituted an

obvious--yet justified--intrusion on the right of privacy.

In order to justify an intrusion on private life, the Advocate General pointed out that such a

law must meet three criteria: it must 1) be in accordance with existing law, 2) pursue a lawful

and legitimate aim, and 3) be necessary for a democratic society.118 Whereas the Parliament

contended that the PNR agreement was not in accordance with the law, Advocate General Leger

said that the 2004 Department of Homeland Security Undertakings on the U.S. Passenger Name

Records system ensured that the agreement was indeed in accordance with privacy law, the first

of the three criteria. 119 The Advocate General also stated his opinion that fighting terrorism is a

legitimate governmental aim, consistent with the second criterion. 120

The third and final criterion for justifying an intrusion into private life is the issue of

whether or not the interference is necessary in a democratic society. In his analysis of this


116 Id. at recital 108.

117 Id. at recital 208.

118 Id. at recital 214.

119 Id. at recital 221.

120 Id. at recital 222.










request for access to his or her PNR data has been denied an avenue for petition, whether that be

through the Chief Privacy Officer at the Department of Homeland Security or through the

European Commission. The guarantee of an avenue of redress for Europeans would help to ease

European concerns over the rights of data subjects and the existence of enforcement and control

measures under the U.S. PNR agreement.

Continuing the question of appropriate accommodations for Europe, the DHS promises in

the Undertakings that PNR transfers will occur under secure circumstances, meaning that the

DHS will use technology to protect the processing of PNR data. If followed through, this will

satisfy the adequacy component of securing the data processing.

To ensure appropriate accommodations for European interests, the Undertakings, as well

as the 2004 and 2006 PNR agreements, mandate that the U.S. and the European Commission

perform annual reviews of the PNR program. The Undertakings and PNR agreements also allow

for the agreements to be void at any moment if the Commission discovers U.S. abuses of PNR

data.

The final appropriate accommodation for European interests is a promise found in the 2004

and 2006 PNR agreements that says the U.S. will not hinder any PNR data from transfer to

Europe if the European government were to pass a PNR law as well. This guarantee of

reciprocity would help to accommodate European interests in a PNR agreement.

Components of a PNR Agreement with Appropriate Accommodations for the U.S.

For a PNR agreement to satisfy U.S. interests, there are several accommodations that

should be guaranteed. As outlined in the 2004 Undertakings and as agreed to by the

Commission, the Council, and the Advocate General, the U.S. should be allowed to keep the

PNR data of high-risk passengers for over 11 years. This will allow the U.S. to access the











CHAPTER 3
THE PASSENGER NAME RECORDS CONTROVERSY

As discussed in Chapter 2, the European Commission has granted adequacy status to

multiple nations since passage of the Data Directive in 1995. In the cases of Switzerland,

Canada, Argentina, Guernsey, and Isle of Man, the Commission stated that those nations' laws

provided adequate levels of protection for private data. In the case of the United States, the

Commission worked with the U.S. government to create the Safe Harbor program wherein

individual businesses guaranteed to provide adequate levels of protection for private data.

Although the Safe Harbor agreement represented compromise, the greatest controversy and

challenges to the Directive have come in the form of laws requiring that commercial airlines

provide governments with Passenger Name Records. As mentioned in Chapter 1, Passenger

Name Records contain large amounts of personally identifiable information including financial

information, itineraries, physical addresses, travel information, and contact information.

Australia and the United States require commercial airline carriers to pass PNR

information to their national customs agencies. The European Commission has worked with

both of these nations in an effort to protect the private data of European citizens in PNRs. The

Australian PNR agreement was met with very little controversy, but the United States PNR

agreement has been the source of one major legal challenge in the European court system. These

agreements raise important issues that affect the scope and efficacy of the 1995 Data Directive. 2







1 See supra at note 17.

2 At the time of this thesis, the Australian and United States' PNR agreements are the only such documented PNR
cases with the European Union.










security and the activities of the State in areas of criminal law."21 Under European law, the

European Commission, where the Data Directive originated, concerns the marketplace and

commerce, not criminal law or national security. The EC/DHS agreements used national

security and fighting transnational crime as the primary foundation for transferring PNRs, yet the

European Court of Justice ruled that this foundation fell out of the scope of the Data Directive

and of the Commission's authority.

The Court of Justice's opinion and its effect on the most recent agreement on the transfer

of PNRs between the EC and the DHS, raise important legal questions about the Data Directive

yet to be answered. The ECJ's decision calls into question the scope of the Data Directive22 and

may prove influential in the future enforcement of the Directive in third countries.

Purpose of Thesis

The purposes of this thesis are to 1) analyze Data Directive 95/46/EC and its requirements

for data protection in third countries; 2) analyze how the European Commission has actually

applied the adequacy requirement to third countries; 3) analyze the ongoing dispute between the

United States Department of Homeland Security and the European Commission concerning the

transfer of Passenger Name Records from airline carriers to the DHS, including an analysis of

the annulment by the European Court of Justice of previous EC/DHS agreements; and, 4) to

examine how the European Court of Justice decision, and the Passenger Name Record

agreements, might affect the scope and the enforcement of the Data Directive in the future.

Review of Literature

Most of the legal research surrounding the Data Directive 95/46/EC has focused on the

potential effects of the Directive on business with the U.S., on comparisons between the U.S.

21 Joined Cases C-317/04 and C-318/04, Eur. Parl. v. Eur. Comm'n and Council on Eur. Union, 2006 OJ (C 178) 2.

22 See infra at page 46.










The EC report on Guernsey contains far less specific information on the reasons for

approving this third country for the free flow of personal data transfers with the Member States.

Although the report notes "the legal standards applicable in Guernsey cover all the basic

principles necessary for an adequate level of protection for natural persons," the EC gives almost

no specific reasoning behind their decision.52 The EC report shows that Guernsey has met

criteria 2, 3, 4, and 5. The report never specifically addressed the issue of defining lawfulness in

the processing of data.

Isle of Man

The Isle of Man, an island nation similar to Guernsey, received adequacy status from the

European Commission next. On April 28, 2004, the Commission issued a report approving Isle

of Man as a third country with adequate levels of personal data protection.53 Just as with the

report on Guernsey, the EC report on Isle of Man contains few examples and few reasons for

granting the island nation approved status for data protection. The report cites the Data

Protection Act of 2002,54 the Human Rights Act 2001,55 and the Access to Health Records and

Reports Act 1993 as providing an adequate level of protection for private data. From these acts,

data subjects in Isle of Man are guaranteed the lawful use of their private data (criterion 1), the

special protection of their private data (criterion 2), and security in the transfer of data (criterion

4).56 Data subjects in Isle of Man also have the right to access their personal data and to correct



52 Id. at (9).

53 Commission Decision 2004/411/EC, 2004 OJ (L 151). Like Guernsey, Isle of Man is a protectorate of the British
Crown and is in the same political arrangement as Guernsey.

54 Id. at (7).

55 Id. at (8).

56 See Isle of Man data privacy website available at http://www.gov.im/odps/yourrights.xml. Last visited on May 4,
2006.










Third Countries and the Data Directive Requirement for Adequate Levels of Data Privacy
Protection

Since passage of the EU Data Privacy Directive, the European Commission has approved

several third countries as having adequate levels of data protection. The Commission has

approved Switzerland, Canada, Argentina, Guernsey, and Isle of Man. The United States,

through the Department of Commerce, has worked out the Safe Harbor, an agreement that allows

individual businesses to agree to maintain adequate levels of data privacy protection in

accordance with the Directive.

Zinser's five criteria for judging whether a third country's laws adequately protect personal

data provide most of the guidance needed for this chronological analysis of each country deemed

adequate. In each of these cases, the European Commission found that the third country in

question provides adequate data privacy protection.

Switzerland

Switzerland was the first nation to receive the European Commission's adequacy status.

On July 26, 2000, the European Commission issued a decision stating that Switzerland's laws

provided an adequate level of protection governing the transfer of private data. 27 The Swiss

regularly engage in international commerce with the EU Member States. The Commission

report on Switzerland's data privacy protection laws stated that the Swiss Federation provides for

protection at both the federal and cantonal (or state) levels.28

At the federal level, the Commission report stated that "The [Swiss] Federal Constitution

. . . gives every person the right to have his privacy respected and, in particular, to be protected




27 Commission Decision 2000/518/EC, art. 1, 2000 OJ (L 215).

28 Id. at (5).










European Court of Justice, European Parliament) that are charged to oversee the actions of the

Member States in regards to European policies, but that their role is somewhat inhibited by

limited resources and the autonomy of each Member State's separate legal systems.51

Bignami also discussed how the Data Directive grants the EC the authority to oversee

complaints and concerns from Member States regarding the adequacy of data protection laws in

a third country.52 The challenge is whether or not the individual Member States are aware of

questionable data transfers and will report the matters to the EC. Bignami stated that the

Member States have not been active in either blocking dangerous data transfers or being specific

about the conditions for data transfers.53 The author also reported on the fact that the

Commission had openly criticized the Member States for allowing many dangerous and illegal

data transfers in their international trade.54

The points articulated by Bignami demonstrate the difficulty in actually fulfilling the

requirements of the Data Directive for third countries. The author discussed how the PNR

dispute might affect transnational governance in Europe; however, Bignami did not discuss how

the PNR dispute will affect the effectiveness of the Directive itself.

Overall, the literature on the EU Privacy Directive provides help in understanding the

document, but does not look at the texts of the EU documents that led to the approval of third

countries allowed to engage in data privacy transfers with the EU member states. An

examination of these documents should help to see what requirements the EU actually imposes

on nations to win approval as third countries. Also, the literature has yet to examine the recent


51 Id. at 824.

52 Id. at 826-27.

53 Id. at 832.

54 Id. at 833.










contact details, details of the travel itinerary,. details of the reservation. [and] other

information," such as frequent flyer data.75 "Sensitive" information that the U.S. agreed not to

use includes information on religious and political affiliations, health records, sexual preferences,

and race. 76 The fact that the U.S. agreed to limit its use of this information showed, at least, a

willingness to adjust on its end. This could be a factor for other countries that wish to conduct

business with the EU but do not have such sweeping privacy protections written into national

law.

On May 17, 2004, three days after the European Commission issued its decision to allow

Customs and Border Protection to continue to transfer Passenger Name Record data, the Council

of the European Union issued its own decision on the matter.77 The Council stated that the

Parliament had failed to act on its authority to approve or disapprove the Commission agreement

and that the issue needed to be resolved quickly because of the pressure placed on the airlines to

comply with competing European and U.S. standards.78 The Council also decided that the

agreement between the Commission and the Department of Homeland Security provided an

adequate level of protection for personal data. 79 Due to the urgent nature of the issue, the

Council approved the EC-DHS agreement.80



75 Id. at 5.

76 Id.

77 Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the
United States of America on the processing and transfer of PNR data by Air Carriers to the United States
Department of Homeland Security, Bureau of Customs and Border Protection, 2004/496/EC. 2004 O.J. (L 183) 83.
available at http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32004D0496&model=guichett.
78 Id.

79 Id.

80 Id.









The result of the PNR dispute is that only those agreements with the fundamental purpose

of protecting privacy in the common economic market can use the 1995 Data Privacy Directive

as a legal foundation. For matters such as the continuation of trans-Atlantic business covered by

the U.S.-EU Safe Harbor agreement, the Data Privacy Directive stands in full force, strengthened

through the adequacy decisions with multiple countries.

How Might the European Court of Justice Annulment of the Passenger Name Records
Agreements Potentially Affect the Directive, Especially Its Third Country Requirement?

The question remains as to how the PNR case may affect the use of the 1995 Data

Directive and how the European Union will seek to protect private data that falls outside the

scope of the Data Directive.

An analysis of the Advocate General's Opinion on the European Commission-U.S.

government, as well as a look at a 2004 Passenger Name Record agreement between the

Commission and Australia, provide important indicators as to how the Passenger Name Records

cases might affect the efficacy of the Data Directive to require third countries to provide

adequate levels of protection for private data.

The Advocate General's Opinion versus the European Court of Justice's Ruling

As discussed in Chapter 3, the European Court of Justice followed the opinion issued by

Advocate General Leger and annulled both the European Commission's decision on adequacy

and the Council of the European Union's decision to form the Passenger Name Record

agreement with the U.S. government. The ECJ based its decision solely on the fact that the 1995

Data Directive was an inappropriate legal foundation for a law dealing with national security and

law enforcement. The Court failed to rule on the European Parliament's other concerns, the

issues that the Advocate General addressed in his opinion. As discussed in Chapter 3, the

Parliament alleged that the 2004 PNR agreement infringed upon fundamental rights; that the










question, Advocate General Leger stated that the European Court of Human Rights has defined

the term "necessary" as a "pressing social need" that "should be proportionate to the legitimate

aim pursued."121 The Advocate General stated that the European courts have sought to balance

the general interest and the interest of the individual in an effort to limit laws from being broadly

infringing on fundamental rights,122 but that the courts have traditionally allowed European

Member States "a wide margin of appreciation," or a great deal of latitude, in laws seeking to

maintain national security and combat terrorism. 123 The PNR case, he said, is an area where the

courts should allow the Commission and the Council "a wide margin of appreciation" because

the case is focused mainly on maintaining national security and combating terrorism. 124

Plea: the Commission and Council went beyond their authority in creating the U.S. PNR
agreement.

Advocate General Leger then sought to determine whether or not the Commission and the

Council exceeded the scope of their wide margin in the Passenger Name Record agreement with

the U.S. 125 He then systematically addressed Parliament's arguments aimed at proving this plea.

The Parliament argued that the list of 34 personal data items in the PNRs126 transferred to

the Department of Homeland Security, overstepped the "margin of appreciation" granted to the

Commission and Council. However, Advocate General Leger said that the amount of data







121 Id. at recital 226.

122 Id. at recital 228.

123 Id. at recital 230.

124 Id. at recital 231.

125 Id. at recital 234.

126 See supra at 17.










temporary PNR agreement' will likely use the 2004 Undertakings as a foundation for

determining adequate levels of data privacy protection just as the previous PNR agreements have

done.

The Passenger Name Record controversy began as a question of determining the adequacy

of data privacy protection based on the 1995 Data Directive but the European Court of Justice's

2004 ruling effectively changed the legal foundation for such agreements. Although the

European Commission is still the body charged with determining whether the laws of third

countries (the U.S. in this case) provide adequate protection for private data, the Commission can

only require that a third country meets the Data Privacy Directive's definition of adequacy in

cases based on promoting the common economic market. Without the legal framework of the

Data Directive in determining adequacy in the special cases of Passenger Name Records, the

question remains how the Commission will determine adequacy and if there will be consistent

application of such determinations in future PNR deals. If the Commission sticks to an

economic rationale for agreements with third countries, the Commission can base the agreement

on the Data Privacy Directive and apply its definition of adequacy to the third country in the

agreement. If the Commission tries again to form a PNR agreement based on the Data Directive,

it is likely to fail because the fundamental purposes for obtaining Passenger Name Records are to

combat terrorism and fight crime.

Although the Passenger Name Record agreement between the EU and the U.S. has sparked

controversy since its inception, this PNR agreement is not the only one reached between Europe

and a third country. As discussed in Chapter 3, the European Commission also formed an





SSee supra at page 53.









The fundamental purpose of the Data Privacy Directive was to unify the data privacy protection

laws of the individual European Union Member States.9

Third Countries and the Data Directive

Among the most debated and the most controversial portions of the Directive in non-

European nations is Chapter IV, Article 25(1), which requires that

The Member States shall provide that the transfer to a third country 10 of personal data
which are undergoing processing or are intended for processing after transfer may take
place only if ... the third country in question ensures an adequate level of protection.11

In other words, as a condition to transferring private data, the Data Privacy Directive

indirectly requires non-European Union nations, or third countries, to protect private data

according to the levels of protection outlined for the Union's own Member States in the

Directive. Any business transferring private data between an organization in a EU Member State

and an organization in a third country may only do so if the third country provides adequate

protections governing the transfers of private data. Because of the great amounts of data

transfers required for international business and because of Europe's economic importance in the

world economy, this section of the Directive could potentially impact the laws of every nation.

In order to determine if a nation meets the adequate level of protection requirement, the

Directive empowers the EC to officially approve the free flow of data between a EU Member

State and a third country. Article 25(6) of the Directive authorizes the EC to consider a








9 The term "Member States" refers to the individual nations comprising the European Union.

10 The term "third country" refers to a nation or state that does not belong to the European Union.

11 Commission Directive 95/46/EC, art. 25(1), 1995 O.J. (L 281)










requested is necessary for combating terrorism and therefore was within the "margin of

appreciation" in this case. 127

The Parliament also contended that the PNR agreement overstepped the "margin of

appreciation" because the U.S. authorities would hold the PNR data for a long period, up to three

years and six months for most records and up to eleven years and six months for data on

passengers deemed as posing a high risk to U.S. national security. 128 Addressing this concern,

Advocate General Leger stated that the length of time for the data storage did not necessarily

infringe on the right to respect of privacy. He said that "although it is in principle desirable that

personal data should be kept for a short period, it is necessary, in this case, to consider the period

of storage of data from PNR in light of their usefulness, not only for purposes of preventing

terrorism but, more widely, for law-enforcement purposes."129 In other words, the Advocate

General felt that the long period of data storage in the PNR agreement did not overstep the

considerable latitude granted to laws aimed at combating terrorism and crime. 130

The Parliament also argued that the PNR agreements did not allow for any judicial review

of the PNR program by U.S. authorities, meaning that the U.S. court system could not impose

safeguards on the U.S. government's use of PNR data. 131 Advocate General Leger stated that the

safeguards for protecting the PNR data from abuse in the U.S. government were adequate in

protecting personal privacy while using the data to combat terrorism. 132 The Advocate General


127 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at
recital 238.

128 Id. at recital 240.

129 Id. at recital 242.

130 Id. at recital 243.

131 Id. at recital 244.

132 Id. at recital 246.










laws and EU data privacy protection laws,23 and analyses of the "Safe Harbor"24 agreement

between the U.S. Department of Commerce and the EU.25 The literature does an excellent job of

discussing some of the issues and problems raised by the EU Data Directive. The extant

literature lays an important groundwork for the purposes of this thesis.

Alexander Zinser, a technology lawyer in Switzerland,26 discussed the Directive's five

critical aspects of data privacy protection that could be used as criteria in approving data

transfers to third countries in his 2003 article in the John Marshall Journal of Computer and

Information Law.27 Zinser argued that the Directive does not specifically say whether the level

of protection in the EU laws28 or in the Member State laws29 is most applicable. This question of

which level of protection to use (the EU or the Member States) arises from the nature of

directives and how Member States could conceivably adopt stricter standards for data protection

than the EC did for Europe as a whole.









23 See 23 COMP. LAB. L. & POL'Y J. 251 (2002). This issue contained comparative articles focusing on some of the
issues surrounding U.S. and EU data protection law, including a focus on how the Directive and U.S. laws vary
concerning data privacy in e-commerce.

24 See infra pp. 24-26.

25 See David A. Castor, Note: Treading Water in the Data Privacy Age: An analysis of Safe Harbor's First Year. 12
IND. INT'L & COMP. L. REV. 265 (2002). This article contains a helpful and insightful analysis of the Safe Harbor
agreement between the U.S. Department of Commerce and the European Commission. Castor examines some of the
changes U.S. businesses have made to be in accordance with Safe Harbor as well as looking at some of the potential
difficulties in enforcing the agreement in the U.S.

26 Alexander Zinser, International Data Transfer Out of the European Union: the adequate Level of Data Protection
according to article 25 of the European Data Directive. 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003).

27 Id. at 549-553.

28 Id. at 557.

29 Id. at 565.










The Directive has been criticized for failing to specify the definition of an "adequate level

of protection" and the exact process a third country needs to receive approval from the European

Commission. Scholars have attempted to define "adequacy" and to document the requirements

for EC approval, but none have focused on analyzing the laws of nations that have already been

approved and comparing them to the Directive's language. Such an analysis is important in

understanding how the Commission itself has used the Directive to ensure data privacy when

transferring data to third countries. Since 1995, the Commission has used the third country

adequacy requirement from the Directive as a tool in negotiating with third countries for

protecting the transfer and use of private data; however, the Commission's efforts to enforce the

Directive's requirements for adequate levels of protection of private data have met some

challenges along the way.

Passenger Name Records

A key challenge to the enforcement of the Data Directive involves the United States and its

use of the private information found in airline passengers' Passenger Name Records (PNRs).

PNRs contain passenger information collected by commercial airlines including names,

addresses, phone numbers, travel itineraries, numbers of luggage items used in travel, travel

agency or reservation data, credit card information, dietary information, passport numbers, and

social security card information.17 Air carriers collect this data and are required to pass it along



17 The categories of information contained in PNRs include: PNR record locator code, date of reservation, date of
intended travel, name, other names on PNR, address, forms of payment information, billing address, contact
telephone numbers, travel itinerary for the specific PNR, frequent flyer information, travel agency information,
travel agent name, code share PNR information, travel status of passenger, split/divided PNR information, e-mail
address, ticketing field information, general remarks, seat number, ticket number, date of ticket issuance, "no show"
history, bag tag numbers, no show information, other supplementary information, special service information,
received from information, historical changes to the PNR, other travelers on PNR, seat information, one-way ticket
information, advance passenger information, and any other field of information the airline might include. See
Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger Name Record Data,
69 Fed. Reg. 41,543, 41,547 (July 9, 2004).










The Canadian Act mandated the creation of a Canadian Federal Privacy Commissioner to

oversee privacy issues at the national level.36 The privacy commissioner has the authority to

hear claims and complaints pertaining to personal data protection from individuals and

organizations, to summon witnesses, to audit businesses' privacy practices, to administer oaths,

and to "compel the production of evidence if voluntary co-operation is not forthcoming."37 The

authority granted to the privacy commissioner meets the requirements of criterion 5 by

implementing control and enforcement measures.

The EC decided that Canada's laws and practices provide adequate levels of private data

protection; furthermore, Canada's laws met each of Zinser's five criteria. The language of the

Canadian Act demonstrates a general approach to protecting personal data that is similar to the

EU Data Directive.

Argentina

Argentina became the next nation to receive an adequacy decision from the European

Commission. On June 30, 2003, the Commission decided that Argentina's data privacy

protection laws provided adequate levels of private data protection in accordance with Article 25

of the EU Directive. 38 The Commission stated that Argentina's legal standards for the protection

of personal data have been provided for in binding general and sector-specific rules.39

The Constitution of Argentina treats privacy as a fundamental right, just as Switzerland's

constitution and the ECPHRR. 40 The Constitution of Argentina includes a "habeas data" rule


36 Id.

37 Information obtained from the Office of the Privacy Commissioner of Canada website available at
http://www.privcom.gc.ca/aboutUs/index_e.asp. Last visited on April 19, 2006.
38 Commission Decision 2003/1731/EC, 2003 OJ (L 168).
39 Id. at 3.

40 See supra 14.










on May 14, 2004 the Commission and Homeland Security went ahead with an agreement to

continue to allow airlines to transfer PNRs to Customs and Border Protection.70

The Commission agreed that the CBP provided adequate levels of data protection for the

PNRs and that the practice of allowing the U.S. government to access PNR data from the

airlines' databases could continue "only until there is a satisfactory system in place allowing for

transmission of [PNRs] by the air carriers"71 to the CBP. Nowhere in the document did the

European Commission mention when such a system would appear or how the system would

differ from the current one.

To punctuate the strenuous relationship between the EU and the U.S. in the matter of the

Passenger Name Records, the EC also added that the present agreement would in no way serve

as a precedent for future agreements between the U.S. and the EC in matters of protecting

personal privacy.72 Although this agreement allowed the transfer of personal data in the name of

public safety, the Commission made it clear that this was not to become a common practice and

that the rules of the Directive applying to third countries were going to be enforced in the

future. 73

The U.S. also conceded to limit its use of "sensitive" information in PNRs.74 In

negotiations, the U.S. agreed to limit its use of PNR information to "the passenger's name,


70 Agreement between the European Community and the United States of America on the processing and transfer of
PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border
Protection, signed in Washington on 28.5.2004 at 4. 2004 O.J. (L 183) 83. Available at http://europa.eu.int/eur-
lex/lex/LexUriServ/LexUriServ.do?uri= CELEX304O9:EN:HTML.

71 Id. at 5.

72 Id. at 4.

73 Id.

74 See Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights between the
European Union and the United States of America (Sep. 30, 2004). Available at
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2004/wp97_e.pdf










Schwartz showed that the laws of most EU member states require an "equivalent" level of

protection when transferring private data to a third country, but the Data Directive only requires

an "adequate" level of protection by third countries, thereby potentially lowering the level of

security required for this third country data transfer.35 According to Schwartz' analysis, third

countries that have received European Commission approval for data transfers could potentially

be held to lower data privacy protection standards than before the Data Directive.

Zinser had mentioned in his 2004 article that the Directive does not state whether the

standards of the EU or of an individual Member State will be used to judge adequacy in a third

country. If the EU determines adequacy using the Directive, third countries will probably be

held to one standard for adequacy; however, if the laws of the Member States determine

adequacy, there could be 25 different standards, potentially leading to a third country or a

business "bargain-shopping" for the most lenient level of adequacy amongst the Member States.

Joel Reidenberg, professor at the Fordham University School of Law, while comparing in

2001 the positions of the U.S. and the EU on data protection,36 said that while "democratic

states" agree that information privacy "is a critical element of civil society," the United States

has left the protection of privacy to markets rather than law. In contrast, Reidenberg said,

Europe treats privacy "as a political imperative anchored in fundamental human rights."37

Reidenberg said that although the EU Privacy Directive requires businesses to report potential

violations of third countries to their own officials, studies show that few businesses were doing





35 Id. at 472.

36 Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law Symposium: E-
Commerce and Trans-Atlantic Privacy. 38 HOUS. L. REV. 717 (2001).
37 Id. at 730-731.










requires this information in order to screen passengers for security threats. In 2004, the U.S. and

the EU had reached an agreement to transfer this data, but the European Court of Justice

annulled this agreement and said that the EU could not use the 1995 Data Directive as a

foundation for such an agreement. The Court of Justice gave the two sides until July 2007 to

reach a new agreement. An agreement meeting the needs of both sides would protect the privacy

of airline passengers while providing the U.S. with the data needed to combat terrorism and

protect national security.










agreement with Australia in January 2004, that agreement met no controversy in Europe. In the

United States however, the amount of personal data in each PNR, obtained in an effort to combat

terrorism and aid law enforcement measures, has caused European concerns over both the uses

of the data and the security of transferring such data to the U.S. government.

At the time of the 2004 PNR agreement, the Commission and the U.S. government seemed

to have reached a satisfactory agreement to share this data, but the European Parliament

challenged this PNR agreement in the European Court of Justice. The ECJ then proceeded to

annul the agreement, stating that the Commission could not base its PNR agreements on the 1995

Data Directive because the Commission does not oversee national security and terrorism

activities. The European Commission, whose mission is to oversee the European common

economic market, had inappropriately used a directive focused on ensuring the protection of

private data in commercial activities to an agreement aimed at protecting private data used for

security purposes.

How Has the EC Defined Adequate Data Protection Laws for Third Countries and How
Has the EC Applied This Definition to Third Countries Thus Far?

Although the Data Directive never specifically defines "adequacy," an analysis of the

Directive provides a list of five elements of data protection that the European Commission

examines in determining adequacy:

* The lawfulness of the processing of personal data
* The special protection of sensitive data
* The rights of the data subjects
* The security of the actual processing of data
* The existence of control and enforcement measures.2




2 See Alexander Zinser, International Data Transfer Out of the European Union: the adequate Level of Data
Protection according to article 25 of the European Data Directive. 21 J. MARSHALL J. COMPUTER & INFO. L. 547,
559 (2003).










In an article from 2005, Francesca Bignami discussed numerous aspects of the Data

Directive and the EC/US Passenger Name Records dispute.45 Much of Bignami's article focused

on the concept of transgovernmental organizations (such as the EU) and the difficulties in

maintaining a sense of democracy in such networks. The author argued that the PNR dispute

could serve to strengthen the unity of the EU Member States because it represents a unified effort

to protect privacy against the differing US approach.46 Bignami argued that the PNR dispute

could lead to reducing the democratic deficit that exists between the EU Member States;47

however, the author's idea may prove overly optimistic if the ECJ annulment of the PNR

agreements reduces the scope and effectiveness of the Directive as a whole. Bignami questioned

why the European governmental organizations would choose to focus so much effort on the PNR

dispute. She argued that the PNR case appealed to a fundamental European right and that the US

PNR was perceived as a threat to Europeans.48

Bignami also focused on the challenge of enforcing the Data Directive in Europe, due to

the "dizzying array of institutional arrangements" for implementing and enforcing the Data

Directive.49 The mixed procedure form of creating laws at the European level then placing

responsibility for implementation and enforcement on the individual nations differs even from

the transnational organizations of the United Nations or the World Trade Organization. 50

Bignami pointed out that Europe has supranational organizations (European Commission,


45 Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European Information Privacy
Network, 26 MICH J. INT'L L. 807 (2005).
46 Id. at 811.

47 Id.

48 Id. at 865.

49 Id. at 819.

50 Id. at 823.









What Does the Passenger Name Records Dispute Between the US and the EC Show about
the Directive's Third Country Requirements?

The Court of Justice's opinion in the PNR agreement seemed to refocus, for the European

Commission, the scope of the 1995 Data Directive to purely economic matters. In agreements

based on securing the protection of private data in business matters, the Commission has

consistently applied its definition of adequacy. With the PNR dispute, the European

Commission was forced to negotiate with the United States to provide "adequate" levels of data

privacy protection for the PNR data of European citizens. But, the Court of Justice ruled in the

PNR case, the Directive could not serve as a legal foundation for an agreement whose primary

focus is national security and combating terrorism.

Through the PNR cases, the Court of Justice established that the Data Privacy Directive can only serve

as a legal foundation for protecting privacy in the common economic market. Although this

concept seemed clear from the Directive's creation in 1995 because it originated in the European

Commission--overseers of the European common economic market--the PNR case has served

as a tool for judging when an agreement falls outside of the common market. As discussed in

Chapter 3, the PNR agreements concerned the transfer of data from commercial airlines to the

Australian and U.S. governments. Because the agreements dealt with the commercial airlines,

the European Commission claimed that the underlying purpose of the PNR agreement with the

U.S. was to protect European citizens' private data in an economic setting (the commercial

airlines). Both the Advocate General of the Court of Justice and the European Court of Justice

itself disagreed with the Commission's claim and instead found that the language of the

agreements clearly indicated that the primary purpose behind the PNR agreements was fighting

terrorism and crime.3


3 See supra at note 218.










government or business be accessible by data subjects, that the data not be kept on record for

longer than necessary, and that a supervisory authority oversee the uses of the personal data. 34

In response, the U.S. Customs and Border Protection argued that the transfers of this data

are allowable under Article 13 of the Directive because the data is used in national and public

security, specifically to combat terrorism.35 Article 13 grants the EU and its Member States

room to restrict the scope of the Data Directive obligations on data protections if the government

deems such restrictions as a necessary safeguard in certain key areas.36 The key areas for

exemptions to the Directive's data protection guidelines include lifting data privacy restrictions

to aid in national security,37 defense,38 public security,39 fighting crime (including white collar

crime),40 maintaining economic interests,41 monitoring or inspecting crimes,42 and the protection

of the rights and freedoms of the data subject and others.43




34 Id.

35 See Council Decision of 17 May 2004 on the conclusion of an agreement between the European Community and
the United States of America on the processing and transfer of PNR data by Air Carriers to the United States
Department of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC).

36 Commission Directive 95/46/EC, art. 13(1), 1995 O.J. (L 281).

37 Id. at art. 13(1)(a).

38 Id. at art. 13(1)(b).

39 Id. at art. 13(1)(c).

40 Id. at art. 13(1)(d). In addition to granting exemptions for data protection in the act of preventing, discovering,
investigating, and prosecuting criminal offences, the Directive explicitly mentions that this exemption applies to
investigations and prosecutions of "breaches of ethics for regulated professions." Id. The Directive does not define
regulated professions.

41 Id. at art. 13(1)(e). The Directive states that economic interests include "monetary, budgetary, and taxation
matters." Id.

42 Id. at art. 13(1)(f).

43 Id. at art. 13(1)(g).










European Commission's Status of implementation of Directive 95/46 at Freedom, Security, and
Justice website, accessed March 14, 2006, available at
http://ec.europa.eu/justice_home/fsj/privacy/awipentioenhm

Griswold v. Connecticut 381 U.S. 479, 483 (1965).

How does the EU work? The decision-making triangle, accessed June 12, 2007, available at
http://europa.eu/abc/12lessons/lesson_4/index_en.htm.

Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union,
2006 May 30, accessed July 31, 2007 available at
http://ec.europa.eu/justice_home/fsj/privacy.

Letter from Frits Bolkestein, Member of European Commission, to Tom Ridge, Director of
Homeland Security (Dec. 18, 2003), March 14, 2006, available at
http://ec.europa.eu/justice_home/fsj/privacy.

Office of the Privacy Commissioner of Canada website accessed March 14, 2006, available at
http://www.privcom.gc.ca/aboutUs/index_e.asp.

Opinion of Advocate General [English translation], delivered to the European Court of Justice on
22 November 2005, July 31, 2007, available at http://curia.eu.int.

Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger
Name Record data from airlines (10031/03/WP 85).

Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air
Passengers to Be Transferred to the United States' Bureau of Customs and Border
Protection (10019/04/WP 87).

Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights
between the European Union and the United States of America (Sep. 30, 2004).

Privacy Act of 1974, 5 U.S.C. § 552a.

Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law
Symposium: E-Commerce and Trans-Atlantic Privacy. 38 HOUS. L. REV. 717 (2001).

Paul Schwartz, Data Protection Law and the European Union's Directive: the Challenge for the
United States: European Data Protection Law and Restrictions on International Data
Flows. 80 IOWA L. REV. 471 (1995).

The 2005 CIA World Factbook, accessed March 14, 2006, available at http://www.cia.gov.

The Personal Data Protection Act No. 25.326 of 4 October 2000 (Arg.).

Treaty Establishing the European Community, art. 249, accessed March 14, 2006, available at
http://eur-lex.europa.eu/en/index.htm.










so at the time of his article.38 Still, Reidenberg asserted that the European model for data privacy

protection influences other nations more than the U.S. model. He noted that countries such as

Australia, Canada, and Hungary used the European model to form their own national data

privacy protection laws.39

In an article from 2000, Kevin Bloss, focusing on the battle between the U.S. and the EU,40

argued that the Directive might not hold up to scrutiny if the U.S., or another nation, were to

bring portions of the Data Directive before the World Trade Organization.41 Bloss argued that

the fact that the Data Directive unilaterally requires non-European nations to enact specific laws

at the risk of losing the ability to do business with European businesses, could constitute a

violation of fair-trade agreements.42

Bloss supported his position by arguing that one of the WTO/General Agreement on

Tariffs and Trade (GATT) rules that Europe might be breaking is called the "Most Favored

Nation" obligation.43 This obligation requires all GATT nations to give every other party to

GATT/WTO "identical privileges with respect to any given product either imported or

exported."44 Bloss posited that the U.S. could bring a challenge to the Data Directive before the

WTO on grounds of a violation of this obligation because the Data Directive requires third

countries to treat EU Member States with un-identical privileges.


38 Id. at 734-735.

39 Id. at 735.

40 Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN. J.
GLOBAL TRADE 645 (2000).
41 Id. at 654-655.

42 Id. at 654.

43 Id. at 655.

44 Id.










requires any non-EU nation to have adequate levels of data privacy protection as a precursor to

conducting personal data transfers. Because the free flow of personal data has become such an

important commodity in recent years, nations all over the world must consider adopting laws that

protect personal data.

The Directive provides third countries an opportunity to demonstrate an adequate level of

protection and gain approval from the Commission to ensure a free flow of information and a

continuation of business with EU Member States. In determining adequacy, the EC has applied

five criteria:

* The lawfulness of the processing of personal data.
* The special protection of sensitive data.
* The rights of the data subjects.
* The security of the actual processing of data.
* The existence of control and enforcement measures.

Using these criteria the European Commission has given approval for Member States to

transfer personal data to Switzerland, Canada, Argentina, Guernsey, Isle of Man, and to the U.S.

(in limited scope). Despite the EC's consistent application of adequacy standards with other

nations, the case of the Safe Harbor for the U.S. demonstrates that the Commission shows some

flexibility in working with third countries. The PNR case may shed further light on how far the

EC will go to arrange an agreement with a third country (in this case, the U.S.).

Zinser's five criteria proved accurate and helpful in analyzing the reports on each nation's

approval. A comparison of the official EC decisions granting these third countries approved

status reveals some interesting similarities and differences.

The EC reports on Switzerland, Canada, and Argentina contained detailed analysis of the

laws of those nations that protect private data. Each of these countries granted the concept of

data privacy the status of a general law, with Switzerland and Argentina declaring data privacy










retained for only 24-48 hours after the flight, except in the cases of travelers accused or

convicted of breaking Australian customs laws. Even though the Advocate General ruled in the

U.S. case that these practices were legal, lengthy periods of data retention and an open book to

transfer the personal data in Passenger Name Records have caused concern among European

citizens.

Another difference between the two agreements is the question of transferring PNR data to

other foreign governments. The U.S. PNR system specifically permits Customs and Border

Protection to transfer PNR data to other U.S. government agencies, or to foreign countries, in

order to combat terrorism and fight international crime. The Australian agreement permits

Customs to transfer a small amount of PNR data to other Australian government agencies, but

there is no provision for passing this data to foreign governments. 13

The fact that the Australian PNR system contains a higher level of data privacy protection than

the U.S. system might explain why the U.S. PNR agreement has drawn controversy while the

Australian PNR agreement has met no documented opposition. Following the Advocate

General's 2004 Opinion though, both the U.S. and Australian agreements would likely stand as

long as they choose a different legal framework from the Data Directive.

Resolving the Current PNR Agreement

The October 2006 temporary Passenger Name Records agreement between the U.S. and

the European Commission set a July 2007 date for forging a new PNR agreement. As previously

discussed, this agreement will likely use the 2004 Department of Homeland Security

Undertakings analyzed in Chapter 3 and Article 8(2) of the European Convention on Human





13 See supra at note 138.











Summary of the Advocate General's Opinion on the PNR case
Conclusion

4 CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE

Summary of the Issues
How Has the EC Defined Adequate Data Protection Laws for Third Countries and How Has the EC Applied This Definition to Third Countries Thus Far?
What Does the Passenger Name Records Dispute Between the US and the EC Show about the Directive's Third Country Requirements?
How Might the European Court of Justice Annulment of the Passenger Name Records Agreements Potentially Affect the Directive, Especially Its Third Country Requirement?
The Advocate General's Opinion versus the European Court of Justice's Ruling
The Australian PNR Agreement versus the U.S. PNR agreement
Resolving the Current PNR Agreement
Components of a PNR Agreement with Appropriate Accommodations for Europe
Components of a PNR Agreement with Appropriate Accommodations for the U.S.
Resolving Future PNR Agreements and Decisions on Adequacy
Conclusion

REFERENCE LIST

BIOGRAPHICAL SKETCH









BIOGRAPHICAL SKETCH

Jonathan Mason received a Bachelor of Arts in communications from Brigham Young

University in 2005. Following his undergraduate education, he entered the College of

Journalism and Communications at the University of Florida in the media law program, studying

with Dr. Bill Chamberlin. During his undergraduate studies, Jonathan spent 2 years in France

and western Switzerland as a missionary, where he gained great interest in European culture,

history, and politics.










precedence" shows that the Commission will examine that country's privacy laws in comparison

to the definition of adequacy in the Data Directive. What remains to be seen is a case where the

European Commission determines that a country or business does not provide adequate

protection for private data and is unable to reach a compromise as it has done with the United

States.

As discussed previously, scholar Kevin Bloss noted that if the European Commission were

unable to reach a deal with a third country on the transfer of private data, a third country could

bring a challenge to the Data Directive before the World Trade Organization. 18 Under the

General Agreement on Tariffs and Trade (GATT) rules, a third country could ask the WTO to

mediate between the third country and the European Union. 19 This scenario is plausible and

would likely hinge on how much the European Union and the third country in the dispute would

have demonstrated a willingness to work with governments and businesses to ensure both

continued data transfers and the protection of private data.

Conclusion

With the creation of the 1995 Data Privacy Directive, the European Union sought to unify

the data protection laws of its Member States and to ensure an adequate level of data privacy

protection in all European data transfers. Since its passage, a handful of nations have followed

Europe's lead and have been granted the status of countries that adequately protect private data.

The European Commission has been consistent in applying the Data Privacy Directive's

definition of adequacy to deal with third countries so far. The Commission has also shown its


17 In this case, the precedence being that the European Commission has consistently applied the definition of
adequacy in its third country assessments thus far. See Chapter 2.
18 Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN. J.
GLOBAL TRADE 645 (2000).
19 Id. at 655.









should pay attention to the purpose of the data transfer (criterion 1) and the duration of the

transfer (criterion 4).24 In addition to these directions, Article 25(2) also requires that the

Member State or the EC look at the third country's laws relating to the security of processing

data, a requirement that falls under criterion 4 on the security of the actual processing of data.

If the Commission finds that a third country does not provide an adequate level of personal

data protection, the Directive requires them to "prevent any transfer of data of the same type to

the third country in question," a provision that is primarily a control and enforcement measure

from the EU (criterion 5).25

Article 28 of the Directive states that each Member State must appoint a public authority to

supervise the implementation of the Data Directive into the laws of that Member State. This

article falls under criterion 5 on the existence of control and enforcement measures. A data

authority must have authority to intervene when private data might be released without consent

or when private data records need to be blocked from being transferred or erased and to prosecute

when data laws are broken.26 The presence of such an official in third countries could contribute

to the ability of a third country to demonstrate an adequate level of data privacy protection.

Because the Directive fails to specifically define what constitutes an adequate level of

protection, Zinser's five criteria help to create a picture of the criteria the EU might use in

determining if the third countries' data privacy laws maintain an adequate level of protection.

The analysis of the third countries that have been approved for data transfers will reveal how the

EC has or has not applied these criteria.



24 Id. at art. 25(2).

25 Id. at art. 25(4).

26 Id. at art. 28(1-3).









own and should be the subject of future research. Understanding how the Member States are

protecting data privacy within may shed light on the practicality of enforcing the Data Directive

in third countries as well.

Further research should focus on several important questions surrounding the 1995 Data

Privacy Directive. As mentioned above, research should explore the issue of the implementation

of the Data Privacy Directive into the individual Member States. Further research should also

address the difficult question of why so few of Europe's trade partners have sought an adequacy

ruling or been the subject of a privacy concern by European citizens. Further research should

also focus on how the U.S. is actually using the PNR data and if it is following the principles set

forth in the 2004 Undertakings of the PNR system. Additionally, further research should attempt

to find out what nations other than the United States and Australia are doing with Passenger

Name Records. These important research subjects fell outside of the scope of this thesis, yet

they must be addressed in order to continue to understand the effectiveness of the 1995 Data

Privacy Directive.










The Opinion of the Advocate General versus the Court of Justice's Holding in the
Passenger Name Record Case

In its decision to annul the European Commission-U.S. Department of Homeland Security

agreement, the European Court of Justice only addressed one of the European Parliament's

concerns over the Passenger Name Record agreement. The ECJ held that the PNR agreement

infringed upon Article 3(2) of the 1995 Data Directive, namely that the Directive only applies to

protecting personal data in economic activities and not security and law enforcement activities.

Having found that the Directive was not an appropriate legal basis for the PNR agreement, the

ECJ annulled the agreement solely on these grounds.

The Court of Justice refrained from even addressing Parliament's other arguments saying,

"it is not necessary to consider the other pleas relied upon by Parliament"" in order to annul the

agreement. By basing its ruling solely on one argument in the case, the Court failed to address

these other important concerns over the agreement, concerns that may prove problematic for

future PNR agreements. The Advocate General examined each of these pleas in his Opinion on

the case, siding with the European Commission and the Council of the European Union on every

count. The other pleas set forth by Parliament against the PNR agreements are that the PNR

agreement infringed on fundamental rights, that the PNR agreement was overbroad, and that the

Commission and Council overstepped their authority in the creation of the PNR agreement.

The Parliament's pleas will be discussed in separate sections. An examination of the

Advocate General's response to these pleas provides valuable insight into potential problems

with future PNR agreements.




"5 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at
recital 70, available at
http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf.










to the Department of Homeland Security (DHS) for all passengers on transnational flights. 18 The

DHS collects this information as a way of combating transnational crimes and terrorism, but in

2003 19 the EC took issue with the use of European citizens' PNRs. The EC based its concerns

on the third country adequacy requirements in the Data Directive.

Since 2003, the European Commission's Directorate for Justice, Freedom, and Security

and the U.S. government have negotiated the use of Passenger Name Records by the U.S.

Department of Homeland Security and the program's legality under European law. During this

period, the two sides have made a number of agreements to allow the use of PNRs under certain

conditions, and the latest agreement was reached in October 2006.20 The multi-year discourse

between the EU and the US provides excellent insight into the enforcement process that the EC

will use to ensure that the principles of the Data Directive are followed domestically and in third

countries.

Despite the numerous agreements on the use of PNRs, on May 30, 2006, the European

Court of Justice (ECJ) annulled two 2004 agreements reached between the European

Commission, the Council of the European Union and the U.S. government on the transfer of

PNRs to the Department of Homeland Security. In its ruling, the ECJ annulled these agreements

on the grounds that the enforcement of the use of PNRs falls outside the scope of the Data

Directive because it involves "processing operations concerning public security, defence, State




18 For basic information on PNRs, visit the Department of Homeland Security website, "Frequently Asked
Questions" section, available at http://www.dhs.gov/xlibrary/assets/privacy/privacyfaq_pn cb.pdf.
19 See Letter from Frits Bolkestein, Member of European Commission, to Tom Ridge, Director of Homeland
Security (Dec. 18, 2003), available at http://ec.europa.eu/justice_home/fsj/privc/osaeuypn2031-8
letter-bolkestein~en. pdf.

20 See Agreement between the European Union and the United States of America on the processing and transfer of
passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, 2006 O.J.
(L 298/29).










said that the PNR agreement allowed for an individual to access his or her PNR data and to

correct any errors contained therein, 133 and guaranteed that the Chief Privacy Officer at the

Department of Homeland Security would pursue any complaints about the misuse of PNR data

from the EU Member States on an expedited basis. 134 In his opinion, the safeguards for the PNR

program kept the agreement within the "wide margin of appreciation" in this case. 135

Plea: the U.S. PNR agreement was overbroad

Finally, the Parliament also argued that the PNR agreement was overbroad in that it

permitted the U.S. Customs and Border Protection to transfer PNR data to other U.S. government

agencies and to foreign governments. 136 Again, Advocate General Leger disagreed with the

Parliament on this issue. He stated that safeguards in the DHS Undertakings were sufficient to

protect PNR data from abuse in transfers to other governmental bodies. 137 The Advocate

General said that the Customs and Border Protection would only transfer PNR data to other

government bodies if the data was needed to pursue law enforcement activities and that the

governmental body receiving the PNR data would have to have written permission from the CBP

to use the PNR data. 138

Summary of the Advocate General's Opinion on the PNR case

Following his reasoning in each of the issues mentioned above, Advocate General Leger

dismissed the Parliament's plea alleging that the Passenger Name Record agreement infringed



133 Id. at recital 249.

134 Id. at recital 251.

135 Id. at recital 254.

136 Id. at recital 255.

137 Id. at recital 258.

138 Id. at recitals 259-260.









from the misuse of data concerning him."29 This right falls under criterion 3, granting data

subjects their rights to privacy.

The EC report also stated that Switzerland's court systems at both the federal and cantonal

levels have developed binding case law that protects "the quality of the data processed, the right

of access of the persons concerned, and the right to request the correction or destruction of

data."30 These constitutional and case-law based laws meet the requirements of the criteria that

data is of a high quality, that data subjects have rights to access and correct their personal data,

and that the data is protected (criteria 2 and 3).

The Commission report also discussed the Swiss Data Protection Act of June 1992, which

permits citizens to have access to their personal information in files and created a supervisory

authority to oversee data privacy issues in the nation.31 The presence of a data authority is

consistent with criterion 5 on the existence of control and enforcement measures. As in the EU

Member States, this supervisory authority has power to investigate, prosecute, and hear claims

from organizations about breaches of personal data protection laws.

The Commission also recognized that most of the Swiss cantons have passed their own

data privacy legislation, focusing on local issues such as regulating how private data can be

transferred (criterion 4).32 This relates to the lawful protection of the processing of private data

(criterion 1) and to granting sensitive data special protections (criterion 2).

The Swiss approach towards the protection of personal data is very similar to the EU Data

Directive model in that it grants data privacy the status of being a fundamental right and contains


29 Id. at (6).
30 Id.

31 Id. at (7).

32 Id. at (8).










Acting under its authority, the Article 29 Working Party44 issued an opinion in January

2004 that highlighted many of the legal issues of the PNR debate. 45 In its opinion, the Working

Party acknowledged that the fight against terrorism is necessary but emphasized the necessity to

balance fighting terrorism with the need to ensure human rights,46 including the fundamental human

right of privacy.47 The Working Party also expressed concern about the amount of personally

identifiable information contained in the PNRs passed to the U.S. government.48 Despite the fact

that the Commission had recently reached its agreement to transfer PNR data to the Australian

government,49 the Working Party stated that the Commission had no legal precedence to follow

in this case and could not issue a solid decision on what to do.50

In response to the Working Party's concerns over the level of protection of Passenger

Name Record data when transferred to Customs and Border Protection, the Department of

Homeland Security issued further explanations of the CBP PNR system in May 2004.51 The

document, titled the Undertakings, outlined the framework that the CBP would follow in its use

of the PNR data.

In the Undertakings, the Department of Homeland Security said that the Customs and

Border Protection only uses Passenger Name Record data in terrorist and law enforcement


44 See supra at note 123.

45 Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be
Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87), available at
http://europa.eu.int/comm/justice_home/fs/racdo/poc 21**14 u ps7_en.pdf.

46 Id. at 3.

47 Id.

48 Id. at 4.

49 Id.

50 Id. at 5. The Working Party did not provide any explanation as to why there was no legal precedence for the PNR
case even though they had recently reached a PNR agreement with the Australian government.

51 Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection Regarding the
Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543 (July 9, 2004).










the airlines, the PNR agreement focused on the completely different use of the data for security

and crime fighting.93

The Advocate General expounded on this point in his Opinion, pointing out that despite the

Council's argument that the agreement existed to protect the common market, the decision on

adequacy proved the opposite.94 The primary purpose of the agreement, he said, was to provide

the United States with data that would be used in fighting terrorism.95 The Advocate General

pointed out that both the EC-DHS agreement and the Council's decision contained a paragraph

that mandated that the U.S. would actively promote the cooperation of U.S. airline companies in

providing PNR data to the EU in the future if either the European Union or one of its Member

States desired PNR data for fighting terrorism in Europe.96 The Advocate General stated the

European Commission could not claim that the purpose of the PNR agreement was to protect

European citizens' private data in international economic activities such as air travel when the

Commission had explicitly based its decision to continue PNR transfers in order to aid the U.S.

in fighting terrorism and crime.97

The European Court of Justice, in its decision, ruled in favor of Parliament's concern that

the PNR agreement infringed on Article 3(2)98 of the Directive and that the Council decision on




93 Id. at recital 57.

94 Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November
2005, 20. Available at http://curia.eu.int/jurisp/cgi-bin/form.pl?lang=en&Submit=Submit...f=C-
3 17%2FO4&datefs=&datefe= &nomusuel= &domaie&mt=rsax 100.

95 Id.

96 Id.

97 Id.

98 See Commission Directive 95/46/EC, 1995 O.J. (L 281) article 3(2). "This Directive shall not apply to the
processing of personal data in the course of an activity which falls outside the scope of Community law, such as
.. operations concerning public security, defence, State security, .. and areas of criminal law."









ACKNOWLEDGMENTS

I would like to thank my committee members for their contributions. Special thanks goes

to Dr. Bill Chamberlin for his time and mentoring. I would especially like to thank my wife,

Erin, for her incredible patience and love.










as a fundamental human right. Each of these reports also contained examples of how these

nations protect privacy at both the general and the sectoral level, just as the EU protects privacy.

As stated in the analysis above, the reports on Guernsey and Isle of Man are brief and lack

the detail of the others. This may be a result of the fact that these nations are protectorates of the

United Kingdom and opted into the privacy protection laws of the United Kingdom. These two

island nations benefit greatly from a free flow of personal data as their economies are based

mainly on offshore banking and insurance, which might explain the reason that they sought

approval status from the EC.

As previously stated, the EC decision to work with the U.S. to create the Safe Harbor

differs greatly from its approval of other third countries. Despite the fact that the U.S. has no

general protection for personal data, the EU showed it was willing to work out compromises on

data protection in order to allow for international trade even when a nation was not in full

compliance with the EU Data Directive.

One question that arises is why so few nations have sought to gain the status of full

approval for personal data transfers with the EU. It is possible that some nations are skeptical

about the enforcement of the Directive as it pertains to adequacy in third countries. Zinser, in an

article previously discussed, pointed out that the Directive never specifies whether the EU or the

Member States will enforce the Directive or what methods they might use to enforce it.65

Without specific sanctions for noncompliance (which may prove difficult to craft and avoid








65 See Alexander Zinser: European Data Protection Directive: the Determination of the adequacy Requirement in
International Data Transfers. 6 TUL. J. TECH. & INTELL. PROP. 171 (lr1114.










protections at the federal level and the local level. The EC report granting Switzerland the status

of being an approved third country recognizes that Swiss laws and practices meet each of the five

requirements for third countries in the Directive.

Canada

After Switzerland, Canada became the next country to receive adequacy status. On

December 20, 2001, the European Commission judged Canada's privacy laws, particularly the

Personal Information Protection and Electronic Documents Act of 2000 (hereafter "the Canadian

Act"), as adequately protecting personal data.33 Although Canada does not have a constitutional

statement that recognizes data privacy as a fundamental right as Switzerland does, the EC report

praised Canada for passing legislation that protects privacy generally and sectorally.

The Canadian Act requires businesses to protect personal data and provides that the data

protection "will extend to every organisation that collects, uses or discloses personal information

in the course of a commercial activity."34 The Canadian Act defines the lawfulness of the

processing of data and limits it to when the data subject has authorized the transfer (criterion 1).

This act grants data subjects the rights to petition organizations for their private data and to

correct inaccurate data, as well as to protest the improper use of their data (criterion 3). The act

also calls for secure processing of private data (criterion 4).35 This law seemingly meets the

criteria that the data is lawfully obtained (in this case through commercial activity) and that

sensitive data is protected.






33 Commission Decision 2002/2/EC, art. 1, 2001 O.J. (L 2/13)

34 Id. at (5).
35 Id.










Using this definition of adequacy, the European Commission has been fairly consistent in

determining whether or not a third country provides adequate levels of data privacy protection.

As discussed in Chapter 2, the Commission systematically studied the privacy laws of

Switzerland, Canada, Argentina, Guernsey, and Isle of Man. In each decision, the Commission

found that the laws of these nations adequately protect data privacy according to the five-part

definition from the 1995 Data Privacy Directive.

In the case of the United States, the European Commission has sought to compromise in

order to continue trans-Atlantic commerce while protecting private data. In negotiating a Safe

Harbor agreement, the Commission found a way for U.S. businesses to meet the definition of

adequacy from the 1995 Data Directive and thereby to continue the practice of transferring data.

Apart from the Safe Harbor agreement, the European Commission has worked to negotiate an

agreement with the United States government to transfer the Passenger Name Records of all

travelers on flights landing in or leaving from the U.S. As with the Safe Harbor agreement, the

Commission has sought to apply the principles of adequacy in the 1995 Data Privacy Directive

and protect the transfer of data to a specific destination, the U.S. Department of Homeland

Security.

Overall, the European Commission has consistently used the 1995 Data Privacy Directive

as a legal framework for determining the adequacy of the handful of countries that have sought

adequacy determinations from the Commission. The consistent use of the adequacy definition

has created precedence for future adequacy determinations concerning the transfer of private data

to a third country government or business.






































© 2007 Jonathan D. Mason









valuable private data in PNRs throughout the course of potentially lengthy terrorism and crime

investigations.

To appropriately accommodate U.S. interests, a PNR agreement should also continue to

allow the Customs and Border Protection the authority to transfer PNR data to both domestic and

foreign government agencies, as outlined in the 2004 Undertakings. This accommodation should

enable the U.S. to enlist the aid of other governments in combating terrorism and international

crime. In addition to the authority to transfer PNR data to other areas of government, the PNR

agreement should also grant the U.S. the accommodations of continued European participation in

PNR sharing and the right of the DHS to deny a request for an individual's PNR data if granting

the request would hinder a law enforcement operation, accommodations already part of the 2004

Undertakings.

This proposed list of appropriate accommodations for both European and U.S. interests

would create a PNR deal that could satisfy both sides of the Atlantic.

Resolving Future PNR Agreements and Decisions on Adequacy

In the Advocate General's Opinion on the 2004 PNR agreement, he reasoned that although

the Passenger Name Record agreements infringe upon the right to personal data privacy, the

need to use the PNR data to combat terrorism made the infringement legal. Following the

Opinion of the Advocate General, it is likely that the European Court of Justice would rule in

favor of the Commission and the Council of the European Union if the European Parliament

were to allege that the PNR agreement infringes on the right to personal privacy.

The Commission will continue to use the 1995 European Commission Data Directive as a

legal framework for adequacy determinations focused on a third country's privacy protections.

If more countries follow the European model for protecting privacy and seek to have an

adequacy determination from the Commission, as Canada and Argentina have done,










that allows the data subject to know both the "content and purpose of all the data pertaining to

him or her contained in public records or databanks, or in private ones."41 Under the "habeas

data" rule, citizens also have the right to demand that their information be corrected, deleted, or

made confidential,42 a right that relates to criteria 3 and 5. The EC report also states "Argentine

jurisprudence has recognized 'habeas data' as a fundamental and directly applicable right."43

The EC report also cited another Argentine privacy law, the Personal Data Protection Act

of 2000.44 This law follows the Data Directive model of granting citizens access to their

personal data, mandating the protection of personal data (criterion 2), the lawful obtaining of

data through businesses and government agencies based on data subjects' consent (criterion 1),

and the secure processing of personal data (criterion 4).45 These rights meet the criteria of the

Directive by ensuring that data subjects have access to their personal information, that the data

transfers stay secure, and that data is collected lawfully.

The Argentine government also has a National Directorate for the Protection of Personal

Data, a body charged with ensuring the protection of data privacy and with adjudicating

disputes about data privacy.46 The National Directorate has authority to impose sanctions on

organizations and even to pursue criminal liabilities for individuals and organizations that breach

data privacy protection laws. This national data authority constitutes a level of control and

enforcement measures (criterion 5).



41 Const. Arg, Art. 43.3.
42 Id.

43 Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3
44 The Personal Data Protection Act No. 25.326 of 4 October 2000.

45 Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3-4.
46 Id. at 4.









CHAPTER 2
OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON THIRD
COUNTRIES

Purposes of the Data Directive

The Data Privacy Directive was created to protect the personal data of European citizens.

The Directive defines personal data in Article 2(a) as "any information relating to an identified

or identifiable natural person." An "identifiable person is one who can be identified, directly or

indirectly, in particular by reference to an identification number or to one or more factors

specific to his physical, physiological, mental, economic, cultural or social identity."1 Due to its

broad definitions of personal data and identifiable person, the Directive applies to arguably all

forms of personal data. The Directive's stated purposes are as follows.

* Promote the common European market by unifying the Member States' laws on data privacy
protection

* Protect the right of privacy for citizens in Member States3 both in local and international
markets and with non-European third countries

* Remove the obstacles to the free, trans-border flow of information between Member States
that stem from differing data privacy protection laws in each nation'

* Adapt European Community laws to fit advances in technology and communication

* Ensure that individuals have access to their private data in order to confirm that it is accurate
and being protected'




1 Commission Directive 95/46/EC, art. 2(a), 1995 O.J. (L 281).

2 Id. at recitals 1, 3-5.
3 Id. at recital 2.

4 Id. at recital 20.

5 Id. at recitals 7-9.

6 Id. at recitals 6, 14, 16.

7 Id. at recital 25.










Council and Commission overstepped their legal authority in the agreement; and, that the PNR

agreement was overbroad.4 The Court's failure to specifically address these issues leaves the

possibility that the Parliament could dispute future PNR agreements with these same unanswered

pleas.

The temporary Passenger Name Record Agreement between Europe and the U.S. from

October 2006 did not use the 1995 European Commission Data Directive as its legal foundation,

but instead based its foundation in the European Convention on Human Rights (ECHR) and its

requirement to protect private data as a human right.5 The ECHR applies to all aspects of

European government including security and the economic market. If the European Parliament

challenged the 2006 or future PNR agreements, it would not be able to challenge the use of the

ECHR as the legal foundation for the new agreement because the ECHR covers privacy rights in

both the economic and national security domains.

In the October 2006 PNR agreement, the Commission and the Council held that the U.S.

provided adequate levels of data protection for the PNR data based on the 2004 Undertakings by

the Department of Homeland Security.6 In the Advocate General's Opinion on the 2004 PNR

agreements, he relied upon these same Undertakings to dismiss each of the Parliament's pleas

related to infringement of the human right of privacy. According to precedent, the Court of

Justice would likely follow the Advocate General's reasoning and rule in favor of a PNR

agreement based on the legal foundation of the ECHR and the PNR system designed in the 2004

Undertakings. The expected July 2007 PNR agreement mandated by the October 2006



4 See supra at page 54.

5 See supra at note 236.

6 For an overview of the Undertakings, see supra at page 41.










The Opinion of the Advocate General and the European Court of Justice Decision on the
PNR Case

Despite the agreement between the European Commission and the U.S., the European

Parliament was not satisfied with the decisions of the Commission and the Council. Parliament

brought suit to the European Court of Justice in July 2004, asking the ECJ to annul the European

Commission and Council of the European Union decisions permitting the transfer of the PNRs.81

In the European Union system, the European Court of Justice (ECJ) takes cases from Member

States that require a clarification of European law and from Parliament when challenging an

action of the European Commission. The ECJ consists of a judge from each Member State and

eight Advocates General. Upon receiving a case, the ECJ passes it on to one Advocate General

who then issues a non-binding opinion on the case. The ECJ traditionally adopts the opinions of

the Advocate General.82

The Court of Justice referred this case to Advocate General Philippe Leger, who issued an

opinion on the case on November 22, 2005. In his opinion on the combined cases of the 2004

Commission and Council decisions on PNR agreements, Leger sided with the European

Parliament and suggested that the Court of Justice annul the agreements issued by the EC and the

Council concerning the transfer of PNRs.83

The Advocate General argued that the Commission's ruling that the U.S. provides

adequate protection of private data was faulty. According to the Advocate General, "the

[European Commission Data Directive] does not apply to the processing of personal data


81 Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November
2005. Available at http://curia. eu. int/jurisp/cgi-bin/form.pl?lang=en& Submit= Submit...f=C-
3 17%2FO4&datefs= &datefe= &nomusuel= &domaie&mt=rsax 100.

82 See European Court of Justice website for further information at
http://curia. eu. int/en/instit/pre sentationf r/index~cj e.htm.
83 Id.










undertaken in pursuance of activities that do not fall within the scope of Community law,

particularly the processing of such data for such matters as public security and the activities of

the State in relation to areas of criminal law."84 In other words, the Directive cannot regulate the

transfer of private data for security or law enforcement purposes. The Directive comes from, and

applies to, the European Commission. The sole mission of the European Commission is to

promote the common economic market in the European Union and the EC is not involved in law

enforcement or investigations into criminal activity.85

Regarding the decision of the Council to allow the PNR transfers, the Advocate General

advised the Court of Justice to annul this decision as well.86 He used the same reasoning, that

the Data Directive, or any other European Commission directive, cannot be employed in the

realm of national security, defense, or law enforcement because they fall outside the

Commission's authority to promote the European common market.87

Following the opinion of Advocate General Leger, the European Court of Justice annulled

both the Commission's agreement to permit the transfer of PNRs to the U.S. Department of

Homeland Security and the Council decision affirming the agreement on the Passenger Name

Records.88 As expected by tradition, the ECJ followed the reasoning and the conclusion of the

Advocate General in its ruling.



84 Id. at 17.

85 For more information about the structure of the EU government, visit
http://europa. eu.int/abc/euroj argon/index~en. htm

86 Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November
2005, 36. Available at http://curia.eu. int/jurisp/cgi-bin/form. pl?lang=en& Submit= Submit...f=C-
3 17%2FO4&datefs= &datefe= &nomusuel= &domaie&mt=rsax 100.

87 Id.

88 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30.
Available at http://ec.europa.eu/justice_home/fsj/privaydc/dqayprjdeetej3_50_n npf










In another article by Zinser, appearing in the Tulane Journal of Technology & Intellectual

Property (Spring 2004),30 he asserted that Article 25, which requires that data transfers to third

countries occur only with "adequate levels of data protection," empowers the European

Commission and EU Member States to judge the third country's level of data protection but fails

to specify how these governments would physically or technologically intervene to restrict the

actual transfer of data to a country that does not meet the levels of adequacy.31 He posited that

perhaps "telecom operators would be asked to intervene and block any transfer."32

Zinser also pointed out that the Directive never explicitly lays out a way that either a

Member State or the EU will even "be aware of a data transfer to an unsecure country."33 If the

EU or the Member States are not aware of non-secured data transfers to third countries, then the

Data Directive could prove ineffective in protecting trans-national transfers of Europeans'

private data.

In an article written shortly after the passage of the Data Directive in 1995, Paul Schwartz,

law professor at the University of Arkansas, Fayetteville, illustrated some of the important issues

raised by the language of the Directive.34 Schwartz focused mainly on how the Data Directive

could affect the United States; however, he also provided important information relevant to a

discussion of the Directive's effects on other nations.





30 Alexander Zinser, European Data Protection Directive: the Determination of the Adequacy Requirement in
International Data Transfers. 6 TUL. J. TECH. & INTELL. PROP. 171 (2004).

31 Id. at 175.

32 Id.

33 Id. at 178.

34 Paul Schwartz, Data Protection Law and the European Union's Directive: the Challenge for the United States:
European Data Protection Law and Restrictions on International Data Flows. 80 IOWA L. REV. 471 (1995).










adequate levels of protection for personal data at a national level, the PNR agreements focus only

on the question of adequacy in protecting PNR data.

The second, and perhaps most important, similarity between the Australian and U.S. PNR

agreements with the Commission is that both agreements cite national security and law

enforcement as the reasons for requiring the airlines to provide governments with the Passenger

Name Record information. Citing security and law enforcement as the reasons for the

agreements, both agreements use the 1995 European Commission Data Directive as their legal

foundation. As explained in Chapter 3, the European Court of Justice annulled the U.S.-

European PNR agreements of 2004 on grounds that the 1995 Data Directive cannot apply to

national security and law enforcement because those activities fall outside of the scope of

European Commission law. The annulment of the PNR agreement has forced the Commission

and the United States to base the new PNR agreement on the European Convention on Human

Rights. As Australia and the Commission review their 2004 agreement to transfer PNR data, in

mid 2007, the Commission might need to follow the lead of the October 2006 EU-U.S.

agreement and change the legal foundation for the agreement.

Just as there are similarities between the U.S. and Australian Passenger Name Records

agreements, there are also notable differences between them that help to understand why the U.S.

deal has drawn criticism from Europeans. One major difference is the issue of PNR data

retention. As discussed in Chapter 3, the U.S. system requires the retention of PNR data for a

minimum of three years and six months and grants the U.S. government the right to extend that

retention period by eight years.12 The Australian PNR system mandates that PNR data be



11 See supra at note 118.

12 See supra at page 56.










The European Commission, the Council of the European Union, and the European

Parliament comprise "the decision-making triangle"67 of European governance. Understanding

the roles of these separate European governmental bodies is important to the present study

because of their involvement in the PNR controversy. In the European Union governmental

structure, the European Commission acts as the executive arm of the government for all matters

concerning the internal market. Its members are appointed by the Member States and approved

by the European Parliament.

The European Parliament, its members elected by EU citizens, is charged with supervising

the EU's activities. In its supervisory responsibilities, Parliament can require the Commission to

include parliamentary proposals in Commission directives and must give approval to any

international agreement negotiated by the Commission.

The third EU governmental body, the Council of the European Union, shares legislative

power with the Parliament. Through a co-decision procedure, both the Council and the

Parliament must approve legislation on any matter dealing with the EU common economic

market. The Council is comprised of ministers from each EU Member State.68 In addition to

sharing authority with the Parliament, the Council also directs the European Commission when

to open negotiations with non-European Union nations.69

Because the Parliament failed to approve or disapprove the European

Commission-Department of Homeland Security agreement on Passenger Name Records within its time limits,





67 How does the EU work? The decision-making triangle, http://europa.eu/abc/121essons/lesson_4ide4n/t
(last visited Apr. 17, 2006).
68 Id.

69 Id.










country requirement. As of the time of this thesis in June 2007, the European Commission has

not announced any inquiries into either the Passenger Name Records or national privacy laws of

any third countries.

Despite the continued development of international agreements and European case law

surrounding the 1995 Data Directive, another challenge to the effectiveness of the Directive is

perhaps its enforcement inside Europe. The Directive only functions as it should when the

individual EU Member States, and the businesses in them, discover that a third country or a

business in a third country does not maintain adequate levels of data privacy protection and then

lodge a complaint. Unless a Member State or European business goes through this process, or a

third country voluntarily seeks a Commission study on that country's level of protection for

private data, the Directive fails to ensure that the private data of European citizens is adequately

protected by third country governments and businesses. The challenge of trying to ensure that all

data transfers are secure from an EU Member State to a third country is daunting.

A dual challenge to the effectiveness of the Data Privacy Directive is the practical question

of whether or not the governments and businesses of the Member States themselves protect the

data of European citizens. The European Commission has previously studied the

implementation of the Data Privacy Directive into the individual Member States in an effort to

see how they were doing at protecting Europeans' private data.21 As explained in Chapter 1,

Directives are enacted at the European Union level, then adapted into the laws of the individual

Member States by a given date.22 The subject of how each Member State has specifically

implemented the provisions of the Data Privacy Directive merits a comprehensive study of its


21 See European Commission's Status of implementation of Directive 95/46 at Freedom, Security, and Justice
web site, available at http://ec.europa. eu/justice_home/fsj /privacy/law/implementation~en. htm.
22 See supra at note 7.










* The first human eyes to see any of the data are those of a Customs officer who reviews the
3%-5% of passengers flagged by the software screening and determines whether or not
the government should detain the passenger upon arrival in the country

* Computer software automatically deletes the PNR data of the 95%-97% of passengers
who clear the initial software screening"

* A Customs officer deletes all PNR data for every individual eventually cleared of any
concerns by the Customs and Border Patrols agencies16

* Computer software automatically deletes flight information from Customs databases 24-48
hours after the flight"

* Computer software filters out "sensitive" information including racial or ethnic origin,
political opinions, religious or philosophical beliefs, or data on health problems

* The BSA limits the third parties authorized to receive the PNR data (namely Australian
law enforcement agencies)19

* The BSA limits the use of PNR data by law enforcement agencies to law enforcement
activities guided by judicially authorized warrants20

* The BSA bans the use of PNR data for a secondary purpose except where authorized by
the individual identified in the data or mandated by Australia federal law.21

As understood by the Article 29 Working Party, the above regulations governing the

collection and use of PNR data serve to protect the privacy of personal data at an adequate level

as defined in the EC Data Directive.



13 Id.

14 Id.

15 Id. at 6.

16 Id.

17 Id. at 7.

18 Id. at 8.

19 Id. at 9.

20 Id. at 9. The Working Party noted that in order to receive credit card and telephone records from Customs' PNR
data, law enforcement agencies must provide Customs proof of having obtained a warrant. Id.

21 Id. at 10.









THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PRIVACY DIRECTIVE ON
THIRD COUNTRIES AND THE PASSENGER NAME RECORD CONTROVERSY




















By

JONATHAN D. MASON


A THESIS PRESENTED TO THE GRADUATE SCHOOL
OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF
MASTER OF ARTS IN MASS COMMUNICATION

UNIVERSITY OF FLORIDA

2007










The Member States shall provide that the transfer to a third country30 of personal data
which are undergoing processing or are intended for processing after transfer may take
place only if ... the third country in question ensures an adequate level of protection.31

This particular portion of the Data Directive has caused tension between the U.S. and the

EU because of the United States' sectoral, case-by-case approach to data privacy legislation. If

EU businesses and Member States follow the legal frameworks of the Directive regarding third

country adequacy of protecting private data, the trans-Atlantic flow of personal data could be

limited and business would be greatly disrupted between the world's two top economies. In the

case of the PNRs, airlines that refuse to provide this data to the CBP would be subject to fines

and potential loss of privileges to land in the U.S., resulting in a major loss of business due to

differences in privacy laws.

After the passage of ASTA, the European Commission notified the U.S. government that

the requirement to provide the CBP with PNRs violated provisions of the Data Privacy Directive

of 1995.32 The EC said it had learned that the PNRs of EU citizens were being transferred to the

United States Department of Homeland Security (DHS) for access by the CBP. In 2002, the EC

officially issued a report denouncing this practice as an invasion of the privacy of EU citizens.33

Because the ASTA failed to provide the data subject the authority to access his or her personal

data held by the DHS and to correct errors in that data, the Commission said the sharing of this

information violated the Data Directive. The Directive requires that personal data held by any




30 A "third country" refers to a nation or state that does not belong to the European Union.

31 Directive 95/46/EC, Art. 25(1).

32 See Communication from the Commission to the Council and the Parliament, December 16, 2003, on PNRs.
Accessed from EC website, available at http://europa.eu.int/comm/justice_home/fs/rvcdo/aeuyap-
communication/apis_en. pdf.

33 Opinion of the European Commission, Opinion 2/2004. available at
http://europa.eu.int/comm/justice_home/fsjpiaydc \\pdioes lai-'' n' pNl7_en.pdf.










* Establish safeguards for data transfers to and from controllers residing in third countries
without adequate levels of data

* Provide a way for individuals or organizations to demonstrate "adequate levels" of data
protection despite residing in a "third country void of adequate protections to data privacy"9

* Create data privacy authorities to oversee data privacy in the Member States and to unify
them into a Working Party that oversees data privacy in the EU and communicates with the
European Commission on data privacy matters.10

These purposes demonstrate the sweeping intent of the European Commission to enact

legislation governing data privacy in a broad and general way. This approach is very different

than the U.S. attempts to protect privacy by enacting subject-specific laws.11

Key Provisions for Third Countries in the Data Directive

The Data Directive requires that a third country provide "adequate levels of protection" in

order to transfer data with a business from the EU. Despite this requirement, the Directive never

explicitly defines adequacy. Alexander Zinser, a technology lawyer based in Lausanne,

Switzerland, has written extensively on the question of determining the definition of adequacy in

the Directive. In his 2003 article on the Directive, Zinser pointed out that the Data Directive

contains no specific definition of an "adequate level of data protection,"12 but that the Directive

does provide, in different places, at least five critical areas of data privacy that could be used as

criteria in approving data transfers to a third country.





8 Id. at recitals 56-57.

9 Id. at recital 59.

10 Id. at recitals 62-65.

11 See Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law Symposium:
E-Commerce and Trans-Atlantic Privacy. 38 Hous. L. Rev. 717, 730-731 (2001). See also supra at note 3.

12 Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level of Data Protection
According to Article 25 of the European Data Directive. 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003).










From these critical areas of data privacy, Zinser identified five criteria used to determine

whether or not a third country provides an adequate level of protection. These five criteria are:

* The lawfulness of the processing of personal data
* The special protection of sensitive data
* The rights of the data subjects
* The security of the actual processing of data
* The existence of control and enforcement measures.13

The task of grouping each provision of the Data Directive into these five criteria is

complex; however, this process helps in understanding the definition of adequate levels of data

protection. Each article in the Data Directive may be classified into one or more of the five

criteria.

An example of this complexity can be found in one of the key provisions of the Directive,

Article 6. This article outlines the requirements for maintaining the quality and accuracy of

personal data. Although these requirements come from Article 6, they apply to each separate

part of the five criteria.14 Article 6(a), that Member States must ensure that data be lawfully

processed,15 is the essence of criterion 1. Article 6(b), that data must be collected for a specific

purpose,16 also deals with criterion 1, the lawfulness of data. Article 6(d), that data must be kept

as accurate and as up to date as possible,17 could also concern criterion 2 (special protection of

data) by requiring Member States to protect the accuracy of data, and criterion 3 (rights of data



13 Id. at 559.

14 Commission Directive 95/46/EC, art. 6, 1995 O.J. (L 281).

15 Id. at art. 6(a).

16 Id. at art. 6(b). This article also states that "further processing of data for historical, statistical or scientific
purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards."
Although the original data must be collected for a specific, legitimate purpose, the Directive does not state that there
need be a specific purpose in the "further processing of data" for these purposes.

17 Id. at art. 6(d). The Directive states that data should be kept accurate and up to date taking "every reasonable
step" but it never defines what constitutes a "reasonable" step.










CHAPTER 1
INTRODUCTION

Private Data in the Digital Age

With the arrival of the digital age, more and more consumers across the world rely on the

Internet for day-to-day services and business transactions. As increasing numbers of consumers

follow this trend, more and more commercial establishments conduct business on-line. When

customers do business either on-line or by traditional means, they usually must provide personal

information such as addresses, phone numbers, Social Security numbers, health records, birth

dates, and financial information that is then used by the business to complete the transaction

requested by the customer. The use of the information increasingly includes the transferring of

data over the Internet between businesses, government bodies, and other organizations. With

growing amounts of international business and law enforcement conducted on-line, private data

often crosses national borders in the transfer process.

This cross-border data flow creates a significant challenge in part because countries have

adopted different laws and regulations for the protection of personal data. Specifically, the

United States and the European Union, the two largest economies in the world,2 differ

significantly in their respective approaches to data privacy protection. The United States tends to

address privacy concerns by enacting narrow, sectoral laws protecting only specific types of




1 An example of data transferred across borders and between organizations occurs when an individual flies on an
airline and provides his or her personal information as part of the ticketing process (including, but not limited to
name, address, phone number, birth date, Social Security number, passport information, etc.), that information is
then transferred to the Bureau of Customs and Border Patrol through the U.S. Department of Homeland Security.
This is the case in the U.S. since the post-9/11 passage of the Aviation and Transportation Security Act of 2001, Pub.
L. No. 107-71, 115 Stat. 597. Under this law, airlines landing in the U.S. are required to provide the private
information of their passengers to the U.S. customs as part of the ongoing war on terror. See also the Electronic
Privacy Information Center website at httpl w\ \\ \\ .epic .org/privacy/intl/passenger~data. html

2 The European Union's 2005 GDP was $11,650,000,000, second only to the United States, whose 2005 GDP was
$11,750,000,000. 2005 CIA World Factbook, available atll! htt w i .cia.gov. Last visited on April 20, 2006.










adequacy must be annulled.99 Having followed the opinion of Advocate General Leger in the

first part of the case, the Court then turned to its analysis of Case C-317/04, Parliament's suit

over the EC-DHS PNR agreement.100

In its suit, the European Parliament argued that as with the Council's decision on

adequacy, the 1995 Data Directive did not constitute the appropriate legal foundation for the

PNR agreement because it fell outside the Commission's purpose of protecting the common

market.101 The Commission asserted that under the auspices of Article 95 of the Treaty

Establishing the European Union, the Commission and the Council had authority to seek the

harmonization of law where there is a clear conflict in international law between the EC and a

third country that would affect the common market.102 Under this authority, the Commission

claimed the right to use the 1995 Data Privacy Directive as the foundation for the PNR

agreements.

The Court of Justice, however, ruled that Article 95 granted the Commission and Council

the authority to harmonize international laws relating to the European common market and not to

matters of national security.103 Because the EC-DHS agreement relied on the authority to

regulate the common market from Article 95 of the Treaty Establishing the European Union and

the authority to protect the common market from data privacy concerns in third countries from




99 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at
recital 60. available at
http://ec. europa. eu/j ustice_home/fsj /privacy/docs/adequacy/pnr/j udgement~ecj _3 0_05_06_pnren.pdf.
100 Id. at recital 62.

101 Id. at recital 63.

102 See Treaty Establishing the European Community, Article 95, 2002 O.J. L (C 325) 69. available at http://eur-
lex.europa.eu/LexUriServ/LexUriSery.do?uri CLX12002EO95:EN:HTML.

103 Id. at 67.









activities.52 The DHS stated that it "believes that it will be rare that an individual PNR will

include a full set of data."53 For those individuals flagged as "high risk," the DHS said that its

employees would manually search through the PNR data; otherwise, PNR data would be

analyzed by automated software.54 Finally, the DHS assured that it would follow legal channels

to obtain credit card transactions, e-mail communications, and phone records information on

high risk individuals.55

In the Undertakings, the Department of Homeland Security also stated that PNR data

would be transferred to the Transportation Security Administration (TSA) for analysis56 and to

other government agencies, both domestic and foreign, on a case-by-case basis.57 In providing

PNR data to the TSA and other governments, the DHS stated that the PNR data would be filtered

for "sensitive" data (including race and ethnicity, religious beliefs, and union memberships) and

that the data would be used solely for terrorist screening purposes.58 The DHS promised that any

transfers and storage would be secured by the latest technologies.59

The Undertakings mentioned that neither U.S. citizens nor non-U.S. citizens would have

access to PNR data because the data would be exempt from disclosure as confidential

commercial information.60 The Undertakings mentioned that through a Freedom of Information


52 Id.

53 Id. at 41,544.

54 Id.

55 Id.

56 Id.

57 Id. at 41,545.

58 Id. at 41,544.

59 Id.

60 Id. at 41,545.










WTO/GATT problems)66, many third countries might not make the efforts to enact adequate

privacy legislation or to encourage businesses to conform to Safe Harbor type principles.

Countries with general laws protecting data privacy might be those that stand to benefit the

most from EC approvals. For nations such as the U.S. where there is less chance of enacting

general privacy protections, the fact that the Directive allows individual businesses to have

adequate levels of protection makes the Safe Harbor (or potentially another plan with other third

countries) the best option for now for businesses. As stated previously, the Safe Harbor,

however, applies only to businesses and not to the transfer of private data by and to the United

States government; therefore, the debate between the United States and the European

Commission over Passenger Name Records falls outside the scope of the Safe Harbor and

necessitates a separate agreement.



























66 See Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN.
J. GLOBAL TRADE 645 (2000).










upon the right of protection of personal data.139 The Advocate General recommended that the

Court of Justice annul the PNR case because the Commission had inappropriately based the

agreement on the 1995 Data Privacy Directive; however, the Advocate General disagreed with

the Parliament on every other plea. The fact that the Advocate General sided with the European

Commission and the Council of the European Union on all but one of the Parliament's pleas is

potentially important for future PNR agreements. The potential significance of the Advocate

General's Opinion will be addressed in Chapter 4.

Conclusion

The Passenger Name Records disputes between the European Union and the U.S.

government provide a revealing look at how Europe has attempted to enforce the third country

adequate levels of protection for private data requirements in the 1995 Data Directive. Despite

substantially different approaches to privacy law, the U.S. and Europe have worked to try and

find a balance between sharing data to combat terrorism and protecting individual privacy.

The questions remain as to how Europe will apply its Directive to continued PNR

agreements with the U.S. and Australia, as well as how these PNR agreements might affect the

future of how the European Commission enforces the Data Directive to enforce data privacy

protection in non-PNR cases.














139 Id. at recital 262.










the 1995 European Commission Data Directive as its legal basis, the agreement had to be

annulled.104

The Court said that both Article 95 and the 1995 Data Directive concern the

functioning of the European common economic market, but that the Commission's decision on

adequacy "does not have as its objective and subject-matter the establishment and functioning of

the internal market."105 In its decision to annul the 2004 agreements, the European Court of

Justice held that because the PNR transfers were for the purpose of combating terrorism and

crime, activities outside the scope of the European Commission's mandate to promote the

common economic market, the Data Directive did not constitute an appropriate legal basis for

the PNR agreement.106

Despite the Court of Justice's annulment of both the EC-DHS agreement and the

Council decision on adequacy, the ECJ held that the PNR agreement should remain applicable

for a period of 90 days so that the governments could work on a new agreement in that time.

The Court said that the agreement would not be preserved past September 30, 2006.107

In October 2006, the Council of the European Union issued a decision to sign a new

temporary agreement between the European Union and the U.S. government on the transfer of

PNR data.108 This new agreement resembled the 2004 agreements in the Commission's

adequacy decision and the Council's decision on adequacy that were annulled by the European

Court of Justice. As with the 2004 agreements, the Council and Commission cited the 2004

104 Id. at 67-70.

105 Id. at 63.

106 See supra at note 218.

107 Id. at 74.

108 Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of
passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 27.










agreement with the Australian government in 2004 to transfer PNR data to Australian Customs.

The details of the PNR system in Australia differ significantly from the U.S. system.

The Australian PNR Agreement versus the U.S. PNR agreement

Unlike the situation between the U.S. and the EU, neither governments nor private

organizations have challenged the European Commission's opinion on the adequacy of

Australia's PNR system. Consistent with a national legal precedent of protecting the

privacy of personal data, the Australian government required specific procedures to ensure, in

the Commission's opinion, high levels of protection for the private data transferred in PNRs.

In the Article 29 Working Party's 8 Opinion on the transfer of PNRs to Australia, the

Working Party noted that the Australian system of PNR retention "presents an important and

fundamental difference" compared to the US approach.9 For example, where the U.S.

Department of Homeland Security requires all PNR data to be processed and stored in separate

databases for a long amount of time, the Australian laws only require that the PNR data of .05%-

.1% of passengers be processed and stored in one database for a case-specific, very short period

of time. 10

Even though the EU-U.S. agreement and the EU-Australian agreement are different in some ways, the

two documents are similar in two important ways. First, the scope of these agreements is

narrowly focused on the question of Passenger Name Records. Whereas Switzerland, Canada,

and the few other countries mentioned in Chapter 2 have received full status for providing



8 As explained in Chapter 2, the Article 29 Working Party consists of privacy commissioners from the Member
States. Among other responsibilities, the Working Party is charged with analyzing the laws of third countries and
reporting its findings to the European Commission. See supra at note 123.

9 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data
from airlines (10031/03/WP 85) at 7.
10 Id.










Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger
Name Record Data, 69 Fed. Reg. 41,543, 41,547 (July 9, 2004).

U.S. CONST. amend. IV.

U.S. Dept. of Commerce website, accessed March 14, 2006,
http://www.export.gov/safeHarbor/index.ht.

Alexander Zinser, European Data Protection Directive: the Determination of the Adequacy
Requirement in International Data Transfers, 6 TUL. J. TECH. & INTELL. PROP. 171
(2004).

Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level
of Data Protection According to Article 25 of the European Data Directive, 21 J.
MARSHALL J. COMPUTER & INFO. L. 547 (2003).









Homeland Security dispute over the transfer of the private data included in Passenger Name

Records. An analysis of the European Court of Justice annulment of the previous PNR

agreements and an analysis of how the EC has applied the Directive to other third countries may

call into question both the validity and effectiveness of the Directive as it requires high levels of

data privacy in all European international trade.










recommendation made by the data authorities of the Member States and to act on such a

recommendation or not. 12

Since the implementation of Directive 95/46/EC, the European Commission (EC) has

judged the data privacy laws of several nations as "adequate" in protecting private data and has

officially reported that EU businesses may transfer private data with businesses in these nations.

The nations thus far approved include Switzerland, Canada, Argentina, Guernsey, 13 and Isle of

Man. 14 To a certain extent, the EC has granted the U.S. approved status through what is called

the "Safe Harbor" agreement and through the agreement to allow the transfer of airline

passenger data. 16 In the case of each of these nations, the European Commission studied the

laws of the nation applying for approval and judged that the nation provided adequate levels of

protection for private data, thereby enabling the EC to give European businesses the green light

to deal with businesses in these nations.





12 Id. at art. 25(6). Upon a recommendation of the Working Party (Article 29), comprised of data authorities from
the Member States, the Article 31 Management Team delivers the opinion of the majority of the authorities and the
EC report goes to the European Parliament. The Parliament then has 30 days to judge whether or not the EC has
acted within its authority and to make recommendations if needed. After this period, the third country can gain
approved status. See Commission decisions on the adequacy of the protection of personal data in third countries,
available at http://europa.eu.int/comm/justice_home/fsj/privacy/thridcountries/index_en.htm.

13 The Bailiwick of Guernsey, located in the Channel Islands (population 61,000), is a protectorate of the United
Kingdom. This island gleans roughly 55% of its income from banking and insurance, providing motivation to gain
approval status from the EC on transferring private data. Information obtained from Guernsey government website.
available at ht tp u sal .gov.gg.

14 The Isle of Man is a small (population 73,600) protectorate of the UK located in the Irish Sea. Forty-five percent
of the Isle's economy comes from offshore banking. The Isle also boasts "offering incentives to high-technology
companies and financial institutions to locate on the island has paid off." The nature of the Isle's economy meant
that the Isle could benefit from an approval on data transfers from the EC and the Isle now enjoys "free access to
European Union markets." Information obtained from an Isle of Man website available at
http://www.isleofman.com/ and http://www.gov.im.

15 Information obtained from European Union website. Last visited March 14, 2006.
http://europa.eu.int/comm/justice_home/fsj/privacy/thridcountries/index_en.htm.

16 Id.










subjects) by requiring that individuals have the right to have accurate data. Article 6(e), that data

be kept in a form that permits identification of data subjects for no longer than necessary,18

concerns criterion 2 and criterion 3 as well.

A few other articles of the Directive provide insight towards understanding the EU data

privacy law's expectations for third countries. Article 12 grants data subjects the right to find out

how companies and agencies use their private data,19 falling under criterion 5 (existence of

control and enforcement measures). These articles also concern criterion 3 (rights of data

subjects) because they grant rights to data subjects.

Another article related to criterion 3 is Article 14, which allows the data subject to petition

the transfer of his or her personal data to the data controllers and to do so free of monetary

charge.21 Article 17 requires the data controller to "implement appropriate technical and

organizational measures to protect personal data,"22 a requirement that addresses criterion 4 on

the security of processing data.

Of greatest relevance to this thesis is Article 25, "Transfer of Personal Data to Third

Countries." This Directive article states that data cannot be transferred to a third country unless

"adequate levels of protection" are provided for in the nation's laws.23 Article 25(2) says that in

determining the adequacy of data protection in the third country, the Member States or the EC



18 Id. at art. 6(e). The article says that Member States should regulate any long-term storage of data in cases of
"historical, statistical, or scientific use."

19 Id. at art. 12.

20 The directive defines a "controller" as the person or entity in charge of determining "the purposes and means of
the processing of personal data." Commission Directive 95/46/EC, article 2(d).
21 Id. at art. 14.

22 Id. at art. 17(1).

23 Id. at art. 25(1).










The Australian Passenger Name Record Agreement

Following the terrorist attacks of September 11, 2001 on the United States, the Australian

government implemented new security policies that included a requirement that commercial

airlines provide the government with Passenger Name Record data.3 Upon introduction of these

new requirements in the Border Security Legislation Amendment (Terrorism) Act 2002

(hereafter "Border Security Act"), the Government of Australia requested that the European

Commission officially determine the adequacy of Australia's data protection laws for the transfer

of PNR data. In accordance with the legal framework laid out in the Data Directive, the

Commission assigned the task of determining adequacy to the Article 29 Working Party.4

As created in Article 29 of the Data Directive, the data protection commissioners of each

Member State and the EC data commissioner comprise the "Working Party on the Protection of

Individuals with regard to the Processing of Personal Data" (hereinafter referred to as the

"Working Party").5 Under Article 30, the Working Party is charged with addressing concerns

(such as the PNR concerns) over data protection in third countries and informing the

Commission about any issue concerning data privacy for EU citizens.7 In January 2004, the

Commission adopted the Article 29 Working Party's opinion that Australia provided an adequate







3 Border Security Legislation Amendment (Terrorism) Act, 2002, c. 64 (Austl.).

4 See Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24 October 1995
on the protection of individuals with regard to the processing of personal data and on the free movement of such
data, 1995 O.J. (L 281).

5 Id. at art. 29(1).

6 Id. at art. 30(b).

7 Id. at art. 30(c).










notification when their personal data will be used (criteria 3 and 5), keeping data accurate and up

to date (criterion 2), and creating governmental sanctions for violations of Safe Harbor principles

(criterion 5).61

In exchange for opting in to the Safe Harbor, U.S. businesses involved in disputes over

Safe Harbor principles would keep legal actions in U.S. courts, not in European courts.62 Each

business choosing to opt in must write the Department of Commerce, make its privacy policy

available on-line and with the Department of Commerce, and have its name published on a list of

Safe Harbor businesses.63

Through Safe Harbor, the U.S. has received partial approval from the EC on providing

adequate levels of data protection; however, because Safe Harbor only applies to businesses

under the Department of Commerce and the Federal Trade Commission, the assurance that the

U.S., as a third country, will follow the provisions of the Directive is limited. As of June 2007,

1,196 U.S. businesses had opted in to the Safe Harbor, through the U.S. Department of

Commerce.64 The Safe Harbor principles have accounted for meeting criteria 2, 3, 4, and 5, but

the agreement is different than approval for other nations. Other approved third countries have

received approval for data transfers as a nation, but the Safe Harbor does not represent a full

approval for the U.S. as providing adequate levels of private data.

Conclusion

Since its passage in 1995, the European Data Privacy Directive has had an influence on

other nations, an effect resulting from the requirements of Chapter IV of the Directive that

61 See "Safe Harbor Overview" on Department of Commerce website for a complete list of the Safe Harbor
principles, available at http://www.export.gov/safeHarbor/sh_overview.html. Last visited on April 20, 2006.

62 Id. at "Safe Harbor Benefits."

63 Id. at "How does an organization join?".

64 Safe Harbor List, available at http://www.export.gov/safeharbor/doc_safeharbor_index.asp









REFERENCE LIST


Agreement between the European Community and the United States of America on the
processing and transfer of PNR data by air carriers to the United States Department of
Homeland Security, Bureau of Customs and Border Protection, signed in Washington on
28.5.2004 at 4. 2004 O.J. (L 183) 83.

Agreement between the European Union and the United States of America on the processing and
transfer of passenger name record (PNR) data by air carriers to the United States
Department of Homeland Security, 2006 O.J. (L 298) 29.

Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71, 115 Stat. 597.

Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European
Information Privacy Network, 26 MICH. J. INT'L L. 807 (2005).

Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data
Privacy, 9 MINN. J. GLOBAL TRADE 645 (2000).

Border Security Legislation Amendment (Terrorism) Act, 2002, c. 64 (Austl.).

David A. Castor, Note: Treading Water in the Data Privacy Age: An Analysis of Safe Harbor's
First Year, 12 IND. INT'L & COMP. L. REV. 265 (2002).

Commission Decision, 2000/520/EC, 2000 O.J. (L 215) 7.

Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3.

Commission Decision 2003/821/EC, 2003 O.J. (L 308) 5.

Commission Decision 2004/411/EC, 2004 O.J. (L 151).

Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24
October 1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data, 1995 O.J. (L 281).

Commonwealth Privacy Act, 1988, c. 118 (Austl.).

Council Decision of 17 May 2004 on the conclusion of an agreement between the European
Community and the United States of America on the processing and transfer of PNR data
by Air Carriers to the United States Department of Homeland Security, Bureau of
Customs and Border Protection (2004/496/EC).

Council Decision on the signing of an Agreement between the EU and the US on the processing
and transfer of passenger name record (PNR) data by air carriers to the US Dept. of
Homeland Security, 2006 O.J. (L 298) 27.









CHAPTER 4
CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE

The study conducted in this thesis seeks to answer three fundamental questions about the

1995 European Commission Data Privacy Directive. These questions are:

* R1: How has the EC defined adequate data protection laws for third countries and how has
it applied this definition to third countries thus far?
* R2: What does the Passenger Name Records dispute between the US and the EC show
about the Directive's third country requirements?
* R3: How might the European Court of Justice annulment of the Passenger Name Records
agreements potentially affect the Directive, especially its third country requirement?
This concluding chapter will constitute a summary of the issues, systematic answers to

these research questions, and some concluding remarks.

Summary of the Issues

Since passage of the 1995 European Commission Directive on the protection of personal

data, the European Union has required that governments and businesses of its Member States

may only transfer private data to a third country if that country assures an adequate level of data

privacy protection. As of the time of writing, the European Commission has granted national

adequacy rulings to Switzerland, Canada, Argentina, Guernsey, and Isle of Man. The

Commission has also worked with the United States to ensure that businesses can provide

adequate levels of protection for private data through the Safe Harbor program. Through these

agreements, the European Commission has consistently analyzed the laws of these nations in

order to determine if that nation provides an adequate level of protection.

A recent and controversial effect of the European Commission's requirements that third

countries provide adequate levels of protection for private data has been the challenges to the

United States' post-9/11 laws requiring that commercial airlines provide U.S. Customs and

Border Protection with Passenger Name Record data. Although the Commission reached a PNR

See supra at note 112.












TABLE OF CONTENTS

ACKNOWLEDGMENTS

ABSTRACT

CHAPTER

1 INTRODUCTION

Private Data in the Digital Age
Third Countries and the Data Directive
Passenger Name Records
Purpose of Thesis
Review of Literature
Research Questions
Research Methods
Conclusion

2 OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON THIRD COUNTRIES

Purposes of the Data Directive
Key Provisions for Third Countries in the Data Directive
Third Countries and the Data Directive Requirement for Adequate Levels of Data Privacy Protection
Switzerland
Canada
Argentina
Guernsey
Isle of Man
United States "Safe Harbor"
Conclusion

3 THE PASSENGER NAME RECORDS CONTROVERSY

The Australian Passenger Name Record Agreement
The United States Passenger Name Records Agreement
The Opinion of the Advocate General and the European Court of Justice Decision on the PNR Case
The Opinion of the Advocate General versus the Court of Justice's Holding in the Passenger Name Record Case
Plea: the PNR agreement represented an infringement of fundamental rights
Plea: the Commission and Council went beyond their authority in creating the U.S. PNR agreement
Plea: the U.S. PNR agreement was overbroad










private data.3 The Fourth Amendment of the U.S. Constitution grants a "right of the people to be

secure in their persons, houses, papers, and effects against unreasonable searches and seizures."4

This amendment directly applies to physical intrusions of privacy, but only indirectly ensures the

intangible aspects of privacy such as the right to keep personal information private. On the other

hand, the European Union (EU) and its Member States6 consider the concept of data privacy as a

fundamental human right and enact broad, general legislation aimed at ensuring the legal

protection of citizens' personal data in government and in business.

Due to technology that allows organizations to transfer massive amounts of private data via

the Internet, the European Commission (EC) issued, in 1995, Directive 95/46/EC "on the

protection of individuals with regard to the processing of personal data and on the free

movement of such data," commonly referred to as the European Union Protection of Data

Privacy Directive7 (hereafter referred to as the "Data Privacy Directive" or "the Directive").8




3 An example is the Privacy Act of 1974, 5 U.S.C. § 552a that set laws limiting how the U.S. federal government
can use personal data such as tax information. The Privacy Act did not, however, provide general privacy laws for
businesses.

4 U.S. CONST. amend. IV.

5 The U.S. Supreme Court has also recognized that "the First Amendment has a penumbra where privacy is
protected from governmental intrusion." Griswold v. Connecticut 381 U.S. 479, 483 (1965).

6 At the time of this thesis' composition in early 2007, 25 nations belong to the European Union: Austria, Belgium,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the
United Kingdom. Candidate nations vying to join the EU include the nations of Bulgaria, Croatia, Former Yugoslav
Republic of Macedonia, Romania, and Turkey. See European Union Member States website at
http://europa.eu.int/abc/governments/index_en.htm#members

7 In European Union law, a directive issued by the European Commission is binding on the individual Member
States, requiring that each nation in the union must implement the policies in the directive into its respective laws.
See Treaty Establishing the European Community, art. 249, available at
http://europa.eu.int/eur-lex/en/treaties/dat/ecconstreaty&us .

8 Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free movement of such data,
1995 O.J. (L 281).









Abstract of Thesis Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of
Master of Arts in Mass Communication

THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PRIVACY DIRECTIVE ON
THIRD COUNTRIES AND THE PASSENGER NAME RECORD CONTROVERSY

By

Jonathan D. Mason

August 2007

Chair: William F. Chamberlin
Major: Mass Communication

In an age when governments and businesses transfer personal data of individuals over the

Internet, the U.S. and the European Union have tried to protect such data in different ways.

Whereas the U.S. has sought to protect specific types of private data (such as health records and

financial data), the European Union passed the 1995 Data Privacy Directive as a way to protect

all private data.

In the 1995 Data Directive, the European Union sought to protect the private data of

European citizens within Europe and without. The Data Directive mandates that non-European

Union countries must have adequate levels of data protection if they are to transfer private data

in or out of Europe. The EU has allowed a handful of nations to transfer private data because the

E.U. deemed their laws adequate in protecting private data. The challenge to the E.U. has been

trying to work out the protection of private data with the U.S.

An important area of contention over transferring private data has been the U.S.

requirement since late 2001 that all airline carriers arriving or departing from the U.S. must

provide the U.S. government with Passenger Name Records, a packet of data collected by the

airlines that contains private data such as contact information and financial information. The U.S.










As with Switzerland and Canada, Argentine law meets each of Zinser's five criteria and

meets the EC standards for providing an adequate level of protection.

Guernsey

The Bailiwick of Guernsey, a small island nation in the English Channel, became the next

nation to receive adequacy status from the European Commission. On November 21, 2003 the

EC granted Guernsey, a British protectorate that functions as a separate legal entity from the UK,

approved status as a third country with adequate levels of data privacy protection.47 In this

report, the EC stated that its approval of Guernsey was based on the passage of the

Data Protection Law of 2001, a law "based on the standards set out in Directive 95/46/EC."48 In

other words, the EC fully acknowledged that the Directive serves as the foundation for the data

privacy laws of Guernsey.

In the Data Privacy Law of 2001, Guernsey granted data subjects the rights to their

personal data and the rights to change or erase this data (criterion 3).49 The law also mandates

that data transfers be protected with technological safeguards and that a supervisory privacy

authority be set up (criteria 2, 4, and 5).50 As with the other approved third countries, the data

authority in Guernsey has powers to investigate and to intervene when there has been a breach of

data privacy protection.51





47 Commission Decision 2003/821/EC, 2003 O.J. (L 308). 5. In its report, the EC recognizes Guernsey as a third
country because although it is a British protectorate, it maintains complete liberty from the Crown except in a few
international matters such as defense.

48 Id. at (7).

49 Id. at (7).

50 Id.

51 Id. at (8).










of the Working Party, the Commission set a three-year time period on the present agreement with

a required review of the PNR system set for mid 2007.28 Since the European-Australian PNR

agreement in 2004, neither side has formally challenged the legality of the agreement or

expressed concerns over the protection of individuals' private data when transferred to the

Australian government.

Although this agreement has not met legal challenges, the European-United States

Passenger Name Records agreement has raised controversy from the European government and its citizens.

The United States Passenger Name Records Agreement

Despite the agreement between the United States and the European Union to create the

Safe Harbor, the trans-Atlantic battle over the protection of private data was renewed in late

2003. In post-9/11 legislation aimed at combating terrorism, the United States Congress passed

the Aviation and Transportation Security Act (ATSA) that required airlines to transfer all

Passenger Name Records (PNRs) to the U.S. Customs and Border Protection (CBP).29 ATSA

required airlines flying in and out of the United States to provide this information to the CBP or

risk penalties.

This new law quickly raised concerns in Europe over the uses and transfers of European

citizens' private data in PNRs. The controversy between the EU and the U.S. over the PNRs

sheds additional light on how the EU might apply the Data Directive to third countries.

From the European perspective, the concerns about the transfer of PNRs to the U.S.

government are founded in Chapter IV, Article 25(1) of the Directive. This article states that


28 Id. at 12. At the time of the present study in June 2007, neither the European Commission nor the Australian
government has publicly announced an end to, or a renewal of, the PNR agreement.
29 Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71, 115 Stat. 597. The Customs and Border
Protection is a U.S. governmental agency under the Department of Homeland Security (DHS). In this light, much of
the EU/U.S. debate over PNRs is directed towards the DHS.










The Court's analysis of how the PNR case relates to Directive 95/46/EC provides

important insight into the Directive. In its decision, the Court addressed Parliament's arguments

against the agreement in a systematic fashion. First, the Court considered Case C-318/04,

Parliament's suit to annul the Council decision on adequacy from May 17, 2004 that had

legalized the continuing program of PNR transfers to Homeland Security. In its suit, the

European Parliament argued that because Article 3(2) of the Directive specifically excludes the

Directive from applying to issues that fall outside the scope of European Community law, the

Directive could not serve as a legal foundation for a Passenger Name Record deal with the U.S.

Department of Homeland Security.89

Parliament contended that the PNR agreement was aimed primarily at providing the U.S.

with personal data for the sake of fighting terrorism and organized crime.90 The Commission

argued that although the U.S. was seeking this data for those purposes, the Commission made the

agreement in order to protect the personal data of citizens and to protect airlines from fines and

other penalties that could affect the common market.91 The ECJ, however, disagreed with the

EC on this issue.

The Court reasoned that the text of the Council's decision on adequacy clearly states that

the purpose of the agreement was to support the United States' efforts to combat terrorism and

international crime and to provide data to a third country solely for this purpose.92 The ECJ

reasoned that despite the fact that the PNR data is initially collected as a commercial activity by




89 Id. at recital 51.

90 Id. at recital 52.

91 Id. at recital 53.

92 Id. at recital 55.










Rights as legal framework for the deal.14 Taking into consideration the competing needs of

fighting international crime and protecting private data, the following discussion lays a

framework for a deal that, in the opinion of this author, would constitute the appropriate

accommodations between U.S. and European interests in the PNR agreement.

Components of a PNR Agreement with Appropriate Accommodations for Europe

For the Europeans, appropriate accommodations would include the guarantees in place

from the 2004 Undertakings that the U.S. PNR system meet the Data Privacy Directive's definition

of adequacy. 15 The European Commission, the Council of the European Union, and the

Advocate General of the Court of Justice have all judged the Undertakings to provide an

adequate level of private data protection.

Through the Undertakings, the Department of Homeland Security promises that the data

will be used only for combating terrorism and for law enforcement purposes. The DHS also

promises that "sensitive" data, such as racial background and religious/philosophical

background, will not be transferred from the airlines to the Customs and Border Protection. The

DHS Undertakings also permit individuals, whether U.S. citizen or not, to request their own PNR

files and to correct any wrong information therein. As discussed in Chapter 3, the Undertakings

contain a provision wherein the DHS can deny an individual's request to access his or her PNR

file; 16 however, the DHS said that such a denial would be rare. To appropriately accommodate

European interests, a PNR agreement with the U.S. would also grant the individual whose



14 See supra at note 236.

15 As discussed throughout this thesis, the Data Privacy Directive focuses on five key elements in determining
adequacy: the lawfulness of the processing of data; special protection of sensitive data; rights of the data subject;
security of the actual processing of data; and, the existence of control and enforcement measures. See supra at note
260.

16 See supra at note 180.









willingness to work with the Australian government on a PNR agreement and the U.S.

government on the Safe Harbor and PNR agreements.

Thus far, the biggest challenges to the European Data Privacy Directive have come from

negotiating the protection of private data with the United States government and U.S. businesses.

The cases of the Safe Harbor and the Passenger Name Records have shown how the scope of the

Directive is limited to protecting private data in matters concerning the European common

economic market. The PNR cases have also revealed how the European Commission is willing

to balance the protection of Europeans' individual privacy with the Australian and U.S. needs to

combat terrorism and fight international crime. Although the controversy over the European-

U.S. PNR case continues and European citizens continue to feel threatened by the U.S.

government's use of their private data in Passenger Name Records,20 the PNR dispute has shown

that Europe is willing to negotiate with third countries in an effort to protect the uses and

transfers of European citizens' private data in PNR programs designed to combat terrorism. The

challenge for Europe is how it is going to balance its commitment to privacy with the fight

against terrorism.

It is possible that in the current situation where terrorism is a global concern, more third

countries will enact legislation requiring the transfer of Passenger Name Records to that

country's government. If this is the case, it is likely that the European Commission will seek to

negotiate a PNR agreement with that nation in an effort to protect the privacy of Europeans'

private data. It is also probable that, with time, more nations will enact other legislation

protecting the distribution of personal information between businesses and governments that will

require negotiations with the European Commission due to the Data Privacy Directive's third


20 See supra at note 47.

To my wife, Erin; and to my son, Sam. They make all of this worth doing.










Act request, the data subject would be allowed to see his or her PNR data unless Customs and Border Protection determined that providing the data would interfere with a law enforcement or security activity.61 The DHS stated that denying an FOIA request because of concerns that data disclosure would interfere with law enforcement would represent an "exceptional case."62 Finally, the DHS said that the PNR agreement would be subject to yearly joint review by the European Commission and the U.S. Department of Homeland Security in an effort to ensure that privacy remain a priority in the U.S. PNR data searches.63 The European Commission, despite its concerns over the U.S. government's PNR uses, used the Undertakings as a guide for reaching a May 2004 agreement to continue sharing PNR data between the U.S. and the EU.

The European Commission, in its report on the European-United States PNR agreement, stated that the European Parliament had been given the chance to review the agreement but had not acted within the time limits provided by European Community law.64 The Council stated that, under Article 300(3) of the Treaty Establishing the European Union,65 Parliament must deliver its opinion on the Commission's actions within a time limit chosen by the Council.66 In this case, Parliament failed to act in time and provided no reason for the delay.






61 Id. at 41,546.

62 Id.

63 Id. at 41,547.

64 Id. at 2.

65Treaty Establishing the European Union, 1997 O.J. (L 340) at 298. available at http://eur-
lex.europa.eu/smartapi/cgi/sga_doc?smartapi celexapi iprod!iCELEXnumdoc&numdoc= 11997E3 00&model=guichet
t&1g-en.

66Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be
Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87) at 2. available at
http://europa.eu.int/comm/justice_home/fs/racdo/poc 21**14 u ps7_en.pdf.










level of protection of private data in its transfers of PNR data to the Australian Customs and Border Protections agencies.8

The Border Security Act amended a number of laws governing the activities of Customs and the Border Protection agencies in Australia. As mentioned above, one requirement of this 2002 act is that commercial airlines must transfer PNR data to the Australian government for use in terrorist risk assessment. In its opinion on adequacy, the Working Party noted that the PNR requirement in the Border Security Act had to comply with Australian privacy laws guaranteeing the privacy of personal information.10 The Working Party noted that Australia has a strong legal foundation of protecting the collection, use, transfer, and retention of private data in the public and private sectors.11

Keeping with the tradition of favoring the privacy of personal data, the Australian government required specific procedures to ensure what the Australian government considered to be the highest possible levels of protection for the private data transferred in PNRs. The Border Security Act (hereafter "BSA") seeks to ensure the protection of the private data in PNRs in the following ways.

* Passenger Name Records accessed contain only current flight data and not historical PNR data12

* Computer software weeds out the data of 95%-97% of all passengers on an average flight because they are determined to be of no risk to the security of the country13



8 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85).

9 See Commonwealth Privacy Act, 1988, c. 118 (Austl.).

10 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85) at 3.

11 Id. at 3-5.

12 Id. at 5.




Full Text

PAGE 1

THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PRIVACY DIRECTIVE ON THIRD COUNTRIES AND THE PASSENGER NAME RECORD CONTROVERSY

By
JONATHAN D. MASON

A THESIS PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF ARTS IN MASS COMMUNICATION

UNIVERSITY OF FLORIDA
2007

PAGE 2

© 2007 Jonathan D. Mason

PAGE 3

To my wife, Erin; and to my son, Sam. They make all of this worth doing.

PAGE 4

ACKNOWLEDGMENTS

I would like to thank my committee members for their contributions. Special thanks goes to Dr. Bill Chamberlin for his time and mentoring. I would especially like to thank my wife, Erin, for her incredible patience and love.

PAGE 5

TABLE OF CONTENTS

page

ACKNOWLEDGMENTS ... 4
ABSTRACT ... 7

CHAPTER

1 INTRODUCTION ... 9
   Private Data in the Digital Age ... 9
      Third Countries and the Data Directive ... 11
      Passenger Name Records ... 13
   Purpose of Thesis ... 15
   Review of Literature ... 15
   Research Questions ... 22
   Research Methods ... 22
   Conclusion ... 22

2 OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON THIRD COUNTRIES ... 24
   Purposes of the Data Directive ... 24
   Key Provisions for Third Countries in the Data Directive ... 25
   Third Countries and the Data Directive Requirement for Adequate Levels of Data Privacy Protection ... 29
      Switzerland ... 29
      Canada ... 31
      Argentina ... 32
      Guernsey ... 34
      Isle of Man ... 35
      United States Safe Harbor ... 36
   Conclusion ... 37

3 THE PASSENGER NAME RECORDS CONTROVERSY ... 41
   The Australian Passenger Name Record Agreement ... 42
   The United States Passenger Name Records Agreement ... 46
      The Opinion of the Advocate General and the European Court of Justice Decision on the PNR Case ... 55
      The Opinion of the Advocate General versus the Court of Justice's Holding in the Passenger Name Record Case ... 62
         Plea: the PNR agreement represented an infringement of fundamental rights ... 63
         Plea: the Commission and Council went beyond their authority in creating the U.S. PNR agreement ... 64
         Plea: the U.S. PNR agreement was overbroad ... 66

PAGE 6

      Summary of the Advocate General's Opinion on the PNR case ... 66
   Conclusion ... 67

4 CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE ... 68
   Summary of the Issues ... 68
      How Has the EC Defined Adequate Data Protection Laws for Third Countries and How Has the EC Applied This Definition to Third Countries Thus Far? ... 69
      What Does the Passenger Name Records Dispute Between the US and the EC Show about the Directive's Third Country Requirements? ... 71
      How Might the European Court of Justice Annulment of the Passenger Name Records Agreements Potentially Affect the Directive, Especially Its Third Country Requirement? ... 72
      The Advocate General's Opinion versus the European Court of Justice's Ruling ... 72
      The Australian PNR Agreement versus the U.S. PNR agreement ... 75
   Resolving the Current PNR Agreement ... 77
      Components of a PNR Agreement with Appropriate Accommodations for Europe ... 78
      Components of a PNR Agreement with Appropriate Accommodations for the U.S. ... 79
   Resolving Future PNR Agreements and Decisions on Adequacy ... 80
   Conclusion ... 81

REFERENCE LIST ... 85
BIOGRAPHICAL SKETCH ... 88

PAGE 7

Abstract of Thesis Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Master of Arts in Mass Communication

THE INFLUENCE OF THE EUROPEAN COMMISSION DATA PRIVACY DIRECTIVE ON THIRD COUNTRIES AND THE PASSENGER NAME RECORD CONTROVERSY

By
Jonathan D. Mason
August 2007

Chair: William F. Chamberlin
Major: Mass Communication

In an age when governments and businesses transfer personal data of individuals over the Internet, the U.S. and the European Union have tried to protect such data in different ways. Whereas the U.S. has sought to protect specific types of private data (such as health records and financial data), the European Union passed the 1995 Data Privacy Directive as a way to protect all private data. In the 1995 Data Directive, the European Union sought to protect the private data of European citizens within Europe and without. The Data Directive mandates that non-European Union countries must have adequate levels of data protection if they are to transfer private data in or out of Europe. The EU has allowed a handful of nations to transfer private data because the E.U. deemed their laws adequate in protecting private data. The challenge to the E.U. has been trying to work out the protection of private data with the U.S. An important area of contention over transferring private data has been the U.S. requirement since late 2001 that all airline carriers arriving or departing from the U.S. must provide the U.S. government with Passenger Name Records, a packet of data collected by the airlines that contains private data such as contact information and financial information. The U.S.

PAGE 8

requires this information in order to screen passengers for security threats. In 2004, the U.S. and the EU had reached an agreement to transfer this data, but the European Court of Justice annulled this agreement and said that the EU could not use the 1995 Data Directive as a foundation for such an agreement. The Court of Justice gave the two sides until July 2007 to reach a new agreement. An agreement meeting the needs of both sides would protect the privacy of airline passengers while providing the U.S. with the data needed to combat terrorism and protect national security.

PAGE 9

CHAPTER 1
INTRODUCTION

Private Data in the Digital Age

With the arrival of the digital age, more and more consumers across the world rely on the Internet for day-to-day services and business transactions. As increasing numbers of consumers follow this trend, more and more commercial establishments conduct business on-line. When customers do business either on-line or by traditional means, they usually must provide personal information such as addresses, phone numbers, Social Security numbers, health records, birth dates, and financial information that is then used by the business to complete the transaction requested by the customer. The use of the information increasingly includes the transferring of data over the Internet between businesses, government bodies, and other organizations.1

With growing amounts of international business and law enforcement conducted on-line, private data often crosses national borders in the transfer process. This cross-border data flow creates a significant challenge in part because countries have adopted different laws and regulations for the protection of personal data. Specifically, the United States and the European Union, the two largest economies in the world,2 differ significantly in their respective approaches to data privacy protection. The United States tends to address privacy concerns by enacting narrow, sectoral laws protecting only specific types of

1 An example of data transferred across borders and between organizations occurs when an individual flies on an airline and provides his or her personal information as part of the ticketing process (including, but not limited to name, address, phone number, birth date, Social Security number, passport information, etc.), that information is then transferred to the Bureau of Customs and Border Patrol through the U.S. Department of Homeland Security. This is the case in the U.S. since the post-9/11 passage of the Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71, 115 Stat. 597. Under this law, airlines landing in the U.S. are required to provide the private information of their passengers to the U.S. customs as part of the ongoing war on terror. See also the Electronic Privacy Information Center website at http://www.epic.org/privacy/intl/passenger_data.html

2 The European Union's 2005 GDP was $11,650,000,000, second only to the United States whose 2005 GDP was $11,750,000,000. 2005 CIA World Factbook, available at http://ww.cia.gov. Last visited on April 20, 2006.

PAGE 10

private data.3 The Fourth Amendment of the U.S. Constitution grants a right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.4 This amendment directly applies to physical intrusions of privacy, but only indirectly ensures the intangible aspects of privacy such as the right to keep personal information private.5 On the other hand, the European Union (EU) and its Member States6 consider the concept of data privacy as a fundamental human right and enact broad, general legislation aimed at ensuring the legal protection of citizens' personal data in government and in business.

Due to technology that allows organizations to transfer massive amounts of private data via the Internet, the European Commission (EC) issued, in 1995, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, commonly referred to as the European Union Protection of Data Privacy Directive7 (hereafter referred to as the Data Privacy Directive or the Directive).8

3 An example is the Privacy Act of 1974, 5 U.S.C. 552a that set laws limiting how the U.S. federal government can use personal data such as tax information. The Privacy Act did not, however, provide general privacy laws for businesses.

4 U.S. CONST. amend. IV.

5 The U.S. Supreme Court has also recognized that the First Amendment has a penumbra where privacy is protected from governmental intrusion. Griswold v. Connecticut, 381 U.S. 479, 483 (1965).

6 At the time of this thesis composition in early 2007, 25 nations belong to the European Union: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the United Kingdom. Candidate nations vying to join the EU include the nations of Bulgaria, Croatia, Former Yugoslav Republic of Macedonia, Romania, and Turkey. See European Union Member States website at http://europa.eu.int/abc/governments/index_en.htm#members

7 In European Union law, a directive issued by the European Commission is binding on the individual Member States, requiring that each nation in the union must implement the policies in the directive into its respective laws. See Treaty Establishing the European Community art. 249, available at http://europa.eu.int/eurlex/en/treaties/dat/ecconstreaty&us.

8 Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281).

PAGE 11

The fundamental purpose of the Data Privacy Directive was to unify the data privacy protection laws of the individual European Union Member States.9

Third Countries and the Data Directive

Among the most debated and the most controversial portions of the Directive in non-European nations is Chapter IV, Article 25(1), which requires that

The Member States shall provide that the transfer to a third country10 of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.11

In other words, as a condition to transferring private data, the Data Privacy Directive indirectly requires non-European Union nations, or third countries, to protect private data according to the levels of protection outlined for the Union's own Member States in the Directive. Any business transferring private data between an organization in an EU Member State and an organization in a third country may only do so if the third country provides adequate protections governing the transfers of private data. Because of the great amounts of data transfers required for international business and because of Europe's economic importance in the world economy, this section of the Directive could potentially impact the laws of every nation.

In order to determine if a nation meets the adequate level of protection requirement, the Directive empowers the EC to officially approve the free flow of data between an EU Member State and a third country. Article 25(6) of the Directive authorizes the EC to consider a

9 The term Member States refers to the individual nations comprising the European Union.

10 The term third country refers to a nation or state that does not belong to the European Union.

11 Commission Directive 95/46/EC, art. 25(1), 1995 O.J. (L 281)

PAGE 12

recommendation made by the data authorities of the Member States and to act on such a recommendation or not.12

Since the implementation of Directive 95/46/EC, the European Commission (EC) has judged the data privacy laws of several nations as adequate in protecting private data and has officially reported that EU businesses may transfer private data with businesses in these nations. The nations thus far approved include Switzerland, Canada, Argentina, Guernsey,13 Isle of Man.14 To a certain extent, the EC has granted the U.S. approved status through what is called the Safe Harbor agreement15 and through the agreement to allow the transfer of airline passenger data.16 In the case of each of these nations, the European Commission studied the laws of the nation applying for approval and judged that the nation provided adequate levels of protection for private data, thereby enabling the EC to give European businesses the green light to deal with businesses in these nations.

12 Id. at art. 25(6). Upon a recommendation of the Working Party (Article 29), comprised of data authorities from the Member States, the Article 31 Management Team delivers the opinion of the majority of the authorities and the EC report goes to the European Parliament. The Parliament then has 30 days to judge whether or not the EC has acted within its authority and to make recommendations if needed. After this period, the third country can gain approved status. See Commission decisions on the adequacy of the protection of personal data in third countries, available at http://europa.eu.int/comm/justice_home/fsj/privacy/thridcountries/index_en.htm.

13 The Bailiwick of Guernsey, located in the Channel Islands (population 61,000), is a protectorate of the United Kingdom. This island gleans roughly 55% of its income from banking and insurance, providing motivation to gain approval status from the EC on transferring private data. Information obtained from Guernsey government website, available at http://www.gov.gg.

14 The Isle of Man is a small (population 73,600) protectorate of the UK located in the Irish Sea. Forty-five percent of the Isle's economy comes from offshore banking. The Isle also boasts that offering incentives to high-technology companies and financial institutions to locate on the island has paid off. The nature of the Isle's economy meant that the Isle could benefit from an approval on data transfers from the EC and the Isle now enjoys free access to European Union markets. Information obtained from an Isle of Man website available at http://www.isleofman.com/ and http://www.gov.im.

15 Information obtained from European Union website. Last visited March 14, 2006. http://europa.eu.int/comm/justice_home/fsj/privacy/thridcountries/index_en.htm.

16 Id.

PAGE 13

The Directive has been criticized for failing to specify the definition of an adequate level of protection and the exact process a third country needs to receive approval from the European Commission. Scholars have attempted to define adequacy and to document the requirements for EC approval, but none have focused on analyzing the laws of nations that have already been approved and comparing them to the Directive's language. Such an analysis is important in understanding how the Commission itself has used the Directive to ensure data privacy when transferring data to third countries. Since 1995, the Commission has used the third country adequacy requirement from the Directive as a tool in negotiating with third countries for protecting the transfer and use of private data; however, the Commission's efforts to enforce the Directive's requirements for adequate levels of protection of private data has met some challenges along the way.

Passenger Name Records

A key challenge to the enforcement of the Data Directive involves the United States and its use of the private information found in airline passengers' Passenger Name Records (PNRs). PNRs contain passenger information collected by commercial airlines including names, addresses, phone numbers, travel itineraries, numbers of luggage items used in travel, travel agency or reservation data, credit card information, dietary information, passport numbers, and social security card information.17 Air carriers collect this data and are required to pass it along

17 The categories of information contained in PNRs include: PNR record locator code, date of reservation, date of intended travel, name, other names on PNR, address, forms of payment information, billing address, contact telephone numbers, travel itinerary for the specific PNR, frequent flyer information, travel agency information, travel agent name, code share PNR information, travel status of passenger, split/divided PNR information, e-mail address, ticketing field information, general remarks, seat number, ticket number, date of ticket issuance, no show history, bag tag numbers, no show information, other supplementary information, special service information, received from information, historical changes to the PNR, other travelers on PNR, seat information, one-way ticket information, advance passenger information, and any other field of information the airline might include. See Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543, 41,547 (July 9, 2004).

PAGE 14

to the Department of Homeland Security (DHS) for all passengers on transnational flights.18 The DHS collects this information as a way of combating transnational crimes and terrorism, but in 200319 the EC took issue with the use of European citizens' PNRs. The EC based its concerns on the third country adequacy requirements in the Data Directive.

Since 2003, the European Commission's Directorate for Justice, Freedom, and Security and the U.S. government have negotiated the use of Passenger Name Records by the U.S. Department of Homeland Security and the program's legality under European law. During this period, the two sides have made a number of agreements to allow the use of PNRs under certain conditions, and the latest agreement was reached in October 2006.20 The multi-year discourse between the EU and the US provides excellent insight into the enforcement process that the EC will use to ensure that the principles of the Data Directive are followed domestically and in third countries.

Despite the numerous agreements on the use of PNRs, on May 30, 2006, the European Court of Justice (ECJ) annulled two 2004 agreements reached between the European Commission, the Council of the European Union and the U.S. government on the transfer of PNRs to the Department of Homeland Security. In its ruling, the ECJ annulled these agreements on the grounds that the enforcement of the use of PNRs falls outside the scope of the Data Directive because it involves processing operations concerning public security, defence, State

18 For basic information on PNRs, visit the Department of Homeland Security website, Frequently Asked Questions section, available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_faq_pnr_cbp.pdf.

19 See Letter from Frits Bolkenstein, Member of European Commission, to Tom Ridge, Director of Homeland Security (Dec. 18, 2003), available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/2003-12-18letter-bolkestein_en.pdf.

20 See Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, 2006 O.J. (L 298/29).

PAGE 15

security and the activities of the State in areas of criminal law.21 Under European law, the European Commission, where the Data Directive originated, concerns the marketplace and commerce, not criminal law or national security. The EC/DHS agreements used national security and fighting transnational crime as the primary foundation for transferring PNRs, yet the European Court of Justice ruled that this foundation fell out of the scope of the Data Directive and of the Commission's authority.

The Court of Justice's opinion and its effect on the most recent agreement on the transfer of PNRs between the EC and the DHS, raise important legal questions about the Data Directive yet to be answered. The ECJ's decision calls into question the scope of the Data Directive22 and may prove influential in the future enforcement of the Directive in third countries.

Purpose of Thesis

The purposes of this thesis are to 1) analyze Data Directive 95/46/EC and its requirements for data protection in third countries; 2) analyze how the European Commission has actually applied the adequacy requirement to third countries; 3) analyze the ongoing dispute between the United States Department of Homeland Security and the European Commission concerning the transfer of Passenger Name Records from airline carriers to the DHS, including an analysis of the annulment by the European Court of Justice of previous EC/DHS agreements; and, 4) to examine how the European Court of Justice decision, and the Passenger Name Record agreements, might affect the scope and the enforcement of the Data Directive in the future.

Review of Literature

Most of the legal research surrounding the Data Directive 95/46/EC has focused on the potential effects of the Directive on business with the U.S., on comparisons between the U.S.

21 Joined Cases C-317/04 and C-318/04, Eur. Parl. v. Eur. Comm'n and Council on Eur. Union, 2006 OJ (C 178) 2.

22 See infra at page 46.

PAGE 16

laws and EU data privacy protection laws,23 and analyses of the Safe Harbor24 agreement between the U.S. Department of Commerce and the EU.25 The literature does an excellent job of discussing some of the issues and problems raised by the EU Data Directive. The extant literature lays an important groundwork for the purposes of this thesis.

Alexander Zinser, a technology lawyer in Switzerland,26 discussed the Directive's five critical aspects of data privacy protection that could be used as criteria in approving data transfers to third countries in his 2003 article in the John Marshall Journal of Computer and Information Law.27 Zinser argued that the Directive does not specifically say whether the level of protection in the EU laws28 or in the Member State laws29 is most applicable. This question of which level of protection to use (the EU or the Member States) arises from the nature of directives and how Member States could conceivably adopt stricter standards for data protection than the EC did for Europe as a whole.

23 See 23 COMP. LAB. L. & POL'Y J. 251 (2002). This issue contained comparative articles focusing on some of the issues surrounding U.S. and EU data protection law, including a focus on how the Directive and U.S. laws vary concerning data privacy in e-commerce.

24 See infra pp. 24-26.

25 See David A. Castor, Note: Treading Water in the Data Privacy Age: An Analysis of Safe Harbor's First Year, 12 IND. INT'L & COMP. L. REV. 265 (2002). This article contains a helpful and insightful analysis of the Safe Harbor agreement between the U.S. Department of Commerce and the European Commission. Castor examines some of the changes U.S. businesses have made to be in accordance with Safe Harbor as well as looking at some of the potential difficulties in enforcing the agreement in the U.S.

26 Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level of Data Protection According to Article 25 of the European Data Directive, 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003).

27 Id. at 549-553.

28 Id. at 557.

29 Id. at 565.

PAGE 17

In another article by Zinser, appearing in the Tulane Journal of Technology & Intellectual Property (Spring 2004),[30] he asserted that Article 25, which requires that data transfers to third countries occur only with adequate levels of data protection, empowers the European Commission and EU Member States to judge the third country's level of data protection but fails to specify how these governments would physically or technologically intervene to restrict the actual transfer of data to a country that does not meet the levels of adequacy.[31] He posited that perhaps telecom operators would be asked to intervene and block any transfer.[32] Zinser also pointed out that the Directive never explicitly lays out a way that either a Member State or the EU will even be aware of a data transfer to an unsecure country.[33] If the EU or the Member States are not aware of non-secured data transfers to third countries, then the Data Directive could prove ineffective in protecting trans-national transfers of Europeans' private data.

In an article written shortly after the passage of the Data Directive in 1995, Paul Schwartz, law professor at the University of Arkansas, Fayetteville, illustrated some of the important issues raised by the language of the Directive.[34] Schwartz focused mainly on how the Data Directive could affect the United States; however, he also provided important information relevant to a discussion of the Directive's effects on other nations.

[30] Alexander Zinser, European Data Protection Directive: the Determination of the Adequacy Requirement in International Data Transfers, 6 TUL. J. TECH. & INTELL. PROP. 171 (2004).
[31] Id. at 175.
[32] Id.
[33] Id. at 178.
[34] Paul Schwartz, Data Protection Law and the European Union's Directive: the Challenge for the United States: European Data Protection Law and Restrictions on International Data Flows, 80 IOWA L. REV. 471 (1995).

PAGE 18

Schwartz showed that the laws of most EU member states require an equivalent level of protection when transferring private data to a third country, but the Data Directive only requires an adequate level of protection by third countries, thereby potentially lowering the level of security required for this third country data transfer.[35] According to Schwartz's analysis, third countries that have received European Commission approval for data transfers could potentially be held to lower data privacy protection standards than before the Data Directive.

Zinser had mentioned in his 2004 article that the Directive does not state whether the standards of the EU or of an individual Member State will be used to judge adequacy in a third country. If the EU determines adequacy using the Directive, third countries will probably be held to one standard for adequacy; however, if the laws of the Member States determine adequacy, there could be 25 different standards, potentially leading to a third country or a business bargain-shopping for the most lenient level of adequacy amongst the Member States.

Joel Reidenberg, professor at the Fordham University School of Law, while comparing in 2001 the positions of the U.S. and the EU on data protection,[36] said that while democratic states agree that information privacy is a critical element of civil society, the United States has left the protection of privacy to markets rather than law. In contrast, Reidenberg said, Europe treats privacy as a political imperative anchored in fundamental human rights.[37] Reidenberg said that although the EU Privacy Directive requires businesses to report potential violations of third countries to their own officials, studies show that few businesses were doing

[35] Id. at 472.
[36] Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law Symposium: E-Commerce and Trans-Atlantic Privacy, 38 HOUS. L. REV. 717 (2001).
[37] Id. at 730-731.

PAGE 19

so at the time of his article.[38] Still, Reidenberg asserted that the European model for data privacy protection influences other nations more than the U.S. model. He noted that countries such as Australia, Canada, and Hungary used the European model to form their own national data privacy protection laws.[39]

In an article from 2000, Kevin Bloss, focusing on the battle between the U.S. and the EU,[40] argued that the Directive might not hold up to scrutiny if the U.S., or another nation, were to bring portions of the Data Directive before the World Trade Organization.[41] Bloss argued that the fact that the Data Directive unilaterally requires non-European nations to enact specific laws at the risk of losing the ability to do business with European businesses, could constitute a violation of fair-trade agreements.[42]

Bloss supported his position by arguing that one of the WTO/General Agreement on Tariffs and Trade (GATT) rules that Europe might be breaking is called the Most Favored Nation obligation.[43] This obligation requires all GATT nations to give every other party to GATT/WTO identical privileges with respect to any given product either imported or exported.[44] Bloss posited that the U.S. could bring a challenge to the Data Directive before the WTO on grounds of a violation of this obligation because the Data Directive requires third countries to treat EU Member States with un-identical privileges.

[38] Id. at 734-735.
[39] Id. at 735.
[40] Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN. J. GLOBAL TRADE 645 (2000).
[41] Id. at 654-655.
[42] Id. at 654.
[43] Id. at 655.
[44] Id.

PAGE 20

In an article from 2005, Francesca Bignami discussed numerous aspects of the Data Directive and the EC/US Passenger Name Records dispute.[45] Much of Bignami's article focused on the concept of transgovernmental organizations (such as the EU) and the difficulties in maintaining a sense of democracy in such networks. The author argued that the PNR dispute could serve to strengthen the unity of the EU Member States because it represents a unified effort to protect privacy against the differing US approach.[46] Bignami argued that the PNR dispute could lead to reducing the democratic deficit that exists between the EU Member States;[47] however, the author's idea may prove overly optimistic if the ECJ annulment of the PNR agreements reduces the scope and effectiveness of the Directive as a whole. Bignami questioned why the European governmental organizations would choose to focus so much effort on the PNR dispute. She argued that the PNR case appealed to a fundamental European right and that the US PNR was perceived as a threat to Europeans.[48]

Bignami also focused on the challenge of enforcing the Data Directive in Europe, due to the dizzying array of institutional arrangements for implementing and enforcing the Data Directive.[49] The mixed procedure form of creating laws at the European level then placing responsibility for implementation and enforcement on the individual nations differs even from the transnational organizations of the United Nations or the World Trade Organization.[50] Bignami pointed out that Europe has supranational organizations (European Commission,

[45] Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European Information Privacy Network, 26 MICH J. INT'L L. 807 (2005).
[46] Id. at 811.
[47] Id.
[48] Id. at 865.
[49] Id. at 819.
[50] Id. at 823.

PAGE 21

European Court of Justice, European Parliament) that are charged to oversee the actions of the Member States in regards to European policies, but that their role is somewhat inhibited by limited resources and the autonomy of each Member State's separate legal systems.[51]

Bignami also discussed how the Data Directive grants the EC the authority to oversee complaints and concerns from Member States regarding the adequacy of data protection laws in a third country.[52] The challenge is whether or not the individual Member States are aware of questionable data transfers and will report the matters to the EC. Bignami stated that the Member States have not been active in either blocking dangerous data transfers or being specific about the conditions for data transfers.[53] The author also reported on the fact that the Commission had openly criticized the Member States for allowing many dangerous and illegal data transfers in their international trade.[54]

The points articulated by Bignami demonstrate the difficulty in actually fulfilling the requirements of the Data Directive for third countries. The author discussed how the PNR dispute might affect transnational governance in Europe; however, Bignami did not discuss how the PNR dispute will affect the effectiveness of the Directive itself.

Overall, the literature on the EU Privacy Directive provides help in understanding the document, but does not look at the texts of the EU documents that led to the approval of third countries allowed to engage in data privacy transfers with the EU member states. An examination of these documents should help to see what requirements the EU actually imposes on nations to win approval as third countries. Also, the literature has yet to examine the recent

[51] Id. at 824.
[52] Id. at 826-27.
[53] Id. at 832.
[54] Id. at 833.

PAGE 22

developments of the PNR dispute and how this case might affect the enforcement and effectiveness of the Data Directive in the future.

Research Questions

R1: How has the EC defined adequate data protection laws for third countries and how has it applied this definition to third countries thus far?

R2: What does the Passenger Name Records dispute between the US and the EC show about the Directive's third country requirements? How might this affect the future of the Directive with other third countries?

R3: How might the European Court of Justice annulment of the Passenger Name Records agreements potentially affect the Directive, especially its third country requirement?

Research Methods

This thesis is a legal analysis of both international and domestic data privacy laws. The research for this thesis will include extensive analysis of legal documents concerning the EC Data Directive, the data privacy laws of third countries, the use of Passenger Name Records by the US Department of Homeland Security, and the European Court of Justice decision on the EC/DHS PNR agreements.

Research for this thesis was conducted using LexisNexis, the websites of the European Union, and relevant websites from the U.S. government (including the Department of Homeland Security). All primary documents cited may be accessed from these sources.

This thesis conforms to the Bluebook style for legal writing and uses the standard legal system of footnoting.

Conclusion

The research for this thesis is necessary for contributing to the understanding of how the EC has applied the Directive's adequacy requirements to third countries thus far. The legal field has yet to analyze the recent developments in the European Commission/Department of

PAGE 23

Homeland Security dispute over the transfer of the private data included in Passenger Name Records. An analysis of the European Court of Justice annulment of the previous PNR agreements and an analysis of how the EC has applied the Directive to other third countries may call into question both the validity and effectiveness of the Directive as it requires high levels of data privacy in all European international trade.

PAGE 24

CHAPTER 2
OVERVIEW OF THE EUROPEAN DATA DIRECTIVE AND ITS EFFECTS ON THIRD COUNTRIES

Purposes of the Data Directive

The Data Privacy Directive was created to protect the personal data of European citizens. The Directive defines personal data in Article 2(a) as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.[1] Due to its broad definitions of personal data and identifiable person the Directive applies to arguably all forms of personal data. The Directive's stated purposes are as follows.

Promote the common European market by unifying the Member States' laws on data privacy protection[2]

Protect the right of privacy for citizens in Member States[3] both in local and international markets and with non-European third countries[4]

Remove the obstacles to the free, trans-border flow of information between Member States that stem from differing data privacy protection laws in each nation[5]

Adapt European Community laws to fit advances in technology and communication[6]

Ensure that individuals have access to their private data in order to confirm that it is accurate and being protected[7]

[1] Commission Directive 95/46/EC, art. 2(a), 1995 O.J. (L 281).
[2] Id. at recitals 1, 3-5.
[3] Id. at recital 2.
[4] Id. at recital 20.
[5] Id. at recitals 7-9.
[6] Id. at recitals 6, 14, 16.
[7] Id. at recital 25.

PAGE 25

Establish safeguards for data transfers to and from controllers residing in third countries without adequate levels of data[8]

Provide a way for individuals or organizations to demonstrate adequate levels of data protection despite residing in a third country void of adequate protections to data privacy[9]

Create data privacy authorities to oversee data privacy in the Member States and to unify them into a Working Party that oversees data privacy in the EU and communicates with the European Commission on data privacy matters.[10]

These purposes demonstrate the sweeping intent of the European Commission to enact legislation governing data privacy in a broad and general way. This approach is very different than the U.S. attempts to protect privacy by enacting subject-specific laws.[11]

Key Provisions for Third Countries in the Data Directive

The Data Directive requires that a third country provide adequate levels of protection in order to transfer data with a business from the EU. Despite this requirement, the Directive never explicitly defines adequacy. Alexander Zinser, a technology lawyer based in Lausanne, Switzerland, has written extensively on the question of determining the definition of adequacy in the Directive. In his 2003 article on the Directive, Zinser pointed out that the Data Directive contains no specific definition of an adequate level of data protection,[12] but that the Directive does provide, in different places, at least five critical areas of data privacy that could be used as criteria in approving data transfers to a third country.

[8] Id. at recitals 56-57.
[9] Id. at recital 59.
[10] Id. at recitals 62-65.
[11] See Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law Symposium: E-Commerce and Trans-Atlantic Privacy, 38 Hous. L. Rev. 717, 730-731 (2001). See also supra at note 3.
[12] Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level of Data Protection According to Article 25 of the European Data Directive, 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 549 (2003).

PAGE 26

From these critical areas of data privacy, Zinser identified five criteria used to determine whether or not a third country provides an adequate level of protection. These five criteria are:

The lawfulness of the processing of personal data
The special protection of sensitive data
The rights of the data subjects
The security of the actual processing of data
The existence of control and enforcement measures.[13]

The task of grouping each provision of the Data Directive into these five criteria is complex; however, this process helps in understanding the definition of adequate levels of data protection. Each article in the Data Directive may be classified into one or more of the five criteria.

An example of this complexity can be found in one of the key provisions of the Directive, Article 6. This article outlines the requirements for maintaining the quality and accuracy of personal data. Although these requirements come from Article 6, they apply to each separate part of the five criteria.[14] Article 6(a), that Member States must ensure that data be lawfully processed,[15] is the essence of criterion 1. Article 6(b), that data must be collected for a specific purpose,[16] also deals with criterion 1, the lawfulness of data. Article 6(d), that data must be kept as accurate and as up to date as possible,[17] could also concern criterion 2 (special protection of data) by requiring Member States to protect the accuracy of data, and criterion 3 (rights of data

[13] Id. at 559.
[14] Commission Directive 95/46/EC, art. 6, 1995 O.J. (L 281).
[15] Id. at art. 6(a).
[16] Id. at art. 6(b). This article also states that "[f]urther processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards." Although the original data must be collected for a specific, legitimate purpose, the Directive does not state that there need be a specific purpose in the further processing of data for these purposes.
[17] Id. at art. 6(d). The Directive states that data should be kept accurate and up to date taking every reasonable step but it never defines what constitutes a reasonable step.

PAGE 27

subjects) by requiring that individuals have the right to have accurate data. Article 6(e), that data be kept in a form that permits identification of data subjects for no longer than necessary,[18] concerns criterion 2 and criterion 3 as well.

A few other articles of the Directive provide insight towards understanding the EU data privacy laws' expectations for third countries. Article 12 grants data subjects the right to find out how companies and agencies use their private data,[19] falling under criterion 5 (existence of control and enforcement measures). These articles also concern criterion 3 (rights of data subjects) because they grant rights to data subjects.

Another article related to criterion 3 is Article 14, which allows the data subject to petition the transfer of his or her personal data to the data controller[20] and to do so free of monetary charge.[21] Article 17 requires the data controller to implement appropriate technical and organizational measures to protect personal data,[22] a requirement that addresses criterion 4 on the security of processing data.

Of greatest relevance to this thesis is Article 25, Transfer of Personal Data to Third Countries. This Directive article states that data cannot be transferred to a third country unless adequate levels of protection are provided for in the nation's laws.[23] Article 25(2) says that in determining the adequacy of data protection in the third country, the Member States or the EC

[18] Id. at art. 6(e). The article says that Member States should regulate any long-term storage of data in cases of historical, statistical, or scientific use.
[19] Id. at art. 12.
[20] The directive defines a controller as the person or entity in charge of determining the purposes and means of the processing of personal data. Commission Directive 95/46/EC, article 2(d).
[21] Id. at art. 14.
[22] Id. at art. 17(1).
[23] Id. at art. 25(1).

PAGE 28

should pay attention to the purpose of the data transfer (criterion 1) and the duration of the transfer (criterion 4).[24] In addition to these directions, Article 25(2) also requires that the Member State or the EC look at the third country's laws relating to the security of processing data, a requirement that falls under criterion 4 on the security of the actual processing of data.

If the Commission finds that a third country does not provide an adequate level of personal data protection, the Directive requires them to prevent any transfer of data of the same type to the third country in question, a provision that is primarily a control and enforcement measure from the EU (criterion 5).[25]

Article 28 of the Directive states that each Member State must appoint a public authority to supervise the implementation of the Data Directive into the laws of that Member State. This article falls under criterion 5 on the existence of control and enforcement measures. A data authority must have authority to intervene when private data might be released without consent or when private data records need be blocked from being transferred or erased and to prosecute when data laws are broken.[26] The presence of such an official in third countries could contribute to the ability of a third country to demonstrate an adequate level of data privacy protection.

Because the Directive fails to specifically define what constitutes an adequate level of protection, Zinser's five criteria help to create a picture of the criteria the EU might use in determining if the third countries' data privacy laws maintain an adequate level of protection. The analysis of the third countries that have been approved for data transfers will reveal how the EC has or has not applied these criteria.

[24] Id. at art. 25(2).
[25] Id. at art. 25(4).
[26] Id. at art. 28(1-3).

PAGE 29

Third Countries and the Data Directive Requirement for Adequate Levels of Data Privacy Protection

Since passage of the EU Data Privacy Directive, the European Commission has approved several third countries as having adequate levels of data protection. The Commission has approved Switzerland, Canada, Argentina, Guernsey, and Isle of Man. The United States, through the Department of Commerce, has worked out the Safe Harbor, an agreement that allows individual businesses to agree to maintain adequate levels of data privacy protection in accordance with the Directive.

Zinser's five criteria for judging whether a third country's laws adequately protect personal data provide most of the guidance needed for this chronological analysis of each country deemed adequate. In each of these cases, the European Commission found that the third country in question provides adequate data privacy protection.

Switzerland

Switzerland was the first nation to receive the European Commission's adequacy status. On July 26, 2000, the European Commission issued a decision stating that Switzerland's laws provided an adequate level of protection governing the transfer of private data.[27] The Swiss regularly engage in international commerce with the EU Member States. The Commission report on Switzerland's data privacy protection laws stated that the Swiss Federation provides for protection at both the federal and cantonal (or state) levels.[28]

At the federal level, the Commission report stated that The [Swiss] Federal Constitution gives every person the right to have his privacy respected and, in particular, to be protected

[27] Commission Decision 2000/518/EC, art. 1, 2000 OJ (L 215).
[28] Id. at (5).

PAGE 30

from the misuse of data concerning him.[29] This right falls under criterion 3, granting data subjects their rights to privacy.

The EC report also stated that Switzerland's court systems at both the federal and cantonal levels have developed binding case law that protects the quality of the data processed, the right of access of the persons concerned, and the right to request the correction or destruction of data.[30] These constitutional and case-law based laws meet the requirements of the criteria that data is of a high quality, that data subjects have rights to access and correct their personal data, and that the data is protected (criteria 2 and 3).

The Commission report also discussed the Swiss Data Protection Act of June 1992, which permits citizens to have access to their personal information in files and created a supervisory authority to oversee data privacy issues in the nation.[31] The presence of a data authority is consistent with criterion 5 on the existence of control and enforcement measures. As in the EU Member States, this supervisory authority has power to investigate, prosecute, and hear claims from organizations about breaches of personal data protection laws.

The Commission also recognized that most of the Swiss cantons have passed their own data privacy legislation, focusing on local issues such as regulating how private data can be transferred (criterion 4).[32] This relates to the lawful protection of the processing of private data (criterion 1), granting sensitive data special protections (criterion 2).

The Swiss approach towards the protection of personal data is very similar to the EU Data Directive model in that it grants data privacy the status of being a fundamental right and contains

[29] Id. at (6).
[30] Id.
[31] Id. at (7).
[32] Id. at (8).

PAGE 31

protections at the federal level and the local level. The EC report granting Switzerland the status of being an approved third country recognizes that Swiss laws and practices meet each of the five requirements for third countries in the Directive.

Canada

After Switzerland, Canada became the next country to receive adequacy status. On December 20, 2001, the European Commission judged Canada's privacy laws, particularly the Personal Information Protection and Electronic Documents Act of 2000 (hereafter "the Canadian Act"), as adequately protecting personal data.[33] Although Canada does not have a constitutional statement that recognizes data privacy as a fundamental right as Switzerland does, the EC report praised Canada for passing legislation that protects privacy generally and sectorally.

The Canadian Act requires businesses to protect personal data and provides that the data protection will extend to every organisation that collects, uses or discloses personal information in the course of a commercial activity.[34] The Canadian Act defines the lawfulness of the processing of data and limits it to when the data subject has authorized the transfer (criterion 1). This act grants data subjects the rights to petition organizations for their private data and to correct inaccurate data, as well as to protest the improper use of their data (criterion 3). The act also calls for secure processing of private data (criterion 4).[35] This law seemingly meets the criteria that the data is lawfully obtained (in this case through commercial activity) and that sensitive data is protected.

[33] Commission Decision 2002/2/EC, art. 1, 2001 O.J. (L 2/13).
[34] Id. at (5).
[35] Id.

PAGE 32

The Canadian Act mandated the creation of a Canadian Federal Privacy Commissioner to oversee privacy issues at the national level.[36] The privacy commissioner has the authority to hear claims and complaints pertaining to personal data protection from individuals and organizations, to summon witnesses, to audit businesses' privacy practices, to administer oaths, and to compel the production of evidence if voluntary co-operation is not forthcoming.[37] The authority granted to the privacy commissioner meets the requirements of criterion 5 by implementing control and enforcement measures.

The EC decided that Canada's laws and practices provide adequate levels of private data protection; furthermore, Canada's laws met each of Zinser's five criteria. The language of the Canadian Act demonstrates a general approach to protecting personal data that is similar to the EU Data Directive.

Argentina

Argentina became the next nation to receive an adequacy decision from the European Commission. On June 30, 2003, the Commission decided that Argentina's data privacy protection laws provided adequate levels of private data protection in accordance with Article 25 of the EU Directive.[38] The Commission stated that Argentina's legal standards for the protection of personal data have been provided for in binding general and sector-specific rules.[39]

The Constitution of Argentina treats privacy as a fundamental right, just as Switzerland's constitution and the ECPHRR.[40] The Constitution of Argentina includes a habeas data rule

[36] Id.
[37] Information obtained from the Office of the Privacy Commissioner of Canada website available at http://www.privcom.gc.ca/aboutUs/index_e.asp. Last visited on April 19, 2006.
[38] Commission Decision 2003/1731/EC, 2003 OJ (L 168).
[39] Id. at 3.
[40] See supra 14.

PAGE 33

that allows the data subject to know both the content and purpose of all the data pertaining to him or her contained in public records or databanks, or in private ones.[41] Under the habeas data rule, citizens also have the right to demand that their information be corrected, deleted, or made confidential,[42] a right that relates to criteria 3 and 5. The EC report also states Argentine jurisprudence has recognised habeas data as a fundamental and directly applicable right.[43]

The EC report also cited another Argentine privacy law, the Personal Data Protection Act of 2000.[44] This law follows the Data Directive model of granting citizens access to their personal data, mandating the protection of personal data (criterion 2), the lawful obtaining of data through businesses and government agencies based on data subjects' consent (criterion 1), and the secure processing of personal data (criterion 4).[45] These rights meet the criteria of the Directive by ensuring that data subjects have access to their personal information, that the data transfers stay secure, and that data is collected lawfully.

The Argentine government also has a National Directorate for the Protection of Personal Data, a body charged with ensuring the protection of data privacy and with adjudicating disputes about data privacy.[46] The National Directorate has authority to impose sanctions on organizations and even to pursue criminal liabilities for individuals and organizations that breach data privacy protection laws. This national data authority constitutes a level of control and enforcement measures (criterion 5).

[41] Const. Arg, Art. 43.3.
[42] Id.
[43] Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3.
[44] The Personal Data Protection Act No. 25.326 of 4 October 2000.
[45] Commission Decision 2003/1731/EC, 2003 O.J. (L 168), 3-4.
[46] Id. at 4.

PAGE 34

As with Switzerland and Canada, Argentine law meets each of Zinser's five criteria and meets the EC standards for providing an adequate level of protection.

Guernsey

The Bailiwick of Guernsey, a small island nation in the English Channel, became the next nation to receive adequacy status from the European Commission. On November 21, 2003, the EC granted Guernsey, a British protectorate that functions as a separate legal entity from the UK, approved status as a third country with adequate levels of data privacy protection.[47] In this report, the EC stated that the basis for EC approval of Guernsey was based on the passage of the Data Protection Law of 2001, a law based on the standards set out in Directive 95/46/EC.[48] In other words, the EC fully acknowledged that the Directive serves as the foundation for the data privacy laws of Guernsey.

In the Data Privacy Law of 2001, Guernsey granted data subjects the rights to their personal data and the rights to change or erase this data (criterion 3).[49] The law also mandates that data transfers be protected with technological safeguards and that a supervisory privacy authority be set up (criteria 2, 4, and 5).[50] As with the other approved third countries, the data authority in Guernsey has powers to investigate and to intervene when there has been a breach of data privacy protection.[51]

[47] Commission Decision 2003/821/EC, 2003 O.J. (L 308). 5. In its report, the EC recognizes Guernsey as a third country because although it is a British protectorate, it maintains complete liberty from the Crown except in a few international matters such as defense.
[48] Id. at (7).
[49] Id. at (7).
[50] Id.
[51] Id. at (8).

PAGE 35

The EC report on Guernsey contains far less specific information on the reasons for approving this third country for the free flow of personal data transfers with the Member States. Although the report notes the legal standards applicable in Guernsey cover all the basic principles necessary for an adequate level of protection for natural persons, the EC gives almost no specific reasoning behind their decision.[52] The EC report shows that Guernsey has met criteria 2, 3, 4, and 5. The report never specifically addressed the issue of defining lawfulness in the processing of data.

Isle of Man

The Isle of Man, an island nation similar to Guernsey, received adequacy status from the European Commission next. On April 28, 2004, the Commission issued a report approving Isle of Man as a third country with adequate levels of personal data protection.[53] Just as with the report on Guernsey, the EC report on Isle of Man contains few examples and few reasons for granting the island nation approved status for data protection. The report cites the Data Protection Act of 2002,[54] the Human Rights Act 2001,[55] and the Access to Health Records and Reports Act 1993 as providing an adequate level of protection for private data. From these acts, data subjects in Isle of Man are guaranteed the lawful use of their private data (criterion 1), the special protection of their private data (criterion 2), and security in the transfer of data (criterion 4).[56] Data subjects in Isle of Man also have the right to access their personal data and to correct

[52] Id. at (9).
[53] Commission Decision 2004/411/EC, 2004 OJ (L 151). Like Guernsey, Isle of Man is a protectorate of the British Crown and is in the same political arrangement as Guernsey.
[54] Id. at (7).
[55] Id. at (8).
[56] See Isle of Man data privacy website available at http://www.gov.im/odps/yourrights.xml. Last visited on May 4, 2006.


errors in that data, as well as to seek compensation from a data controller who misuses the private data of a data subject (criteria 3 and 5).57

Despite the lack of detail and analysis of these acts, the EC report says that the laws of Guernsey allow for adequate levels of data privacy protection.58 The laws of Guernsey also meet Zinser's five criteria for determining adequacy.

United States Safe Harbor

Because of different approaches towards data privacy protection in the U.S. and the EU, and because of the economic interdependence of these two economies, the EU Data Directive has presented significant challenges for the U.S. and the EU. With little prospect of a U.S. national law recognizing data privacy as a fundamental right and enacting broad, general privacy legislation, the European Commission adopted the U.S. Department of Commerce's Safe Harbour Privacy Principles and Frequently Asked Questions59 (hereafter Safe Harbor and FAQs) on July 26, 2000.60 The Safe Harbor was created to allow businesses and organizations in EU Member States to legally (under EU law) transfer personal data to businesses in the U.S. and to protect trans-Atlantic commerce.

The rules of Safe Harbor apply to businesses under the jurisdiction of the Department of Commerce and the Federal Trade Commission. These rules allow U.S. businesses to continue data transfers with EU businesses by opting in to data principles that mirror much of the provisions of the Directive, including ensuring that data transfers are secure (criterion 4), granting data subjects rights to access their data (criterion 3), providing data subjects with

57 Id.
58 Id. at (9).
59 See U.S. Dept. of Commerce website, http://www.export.gov/safeHarbor/index.html.
60 Commission Decision, 2000/520/EC, 2000 O.J. (L 215) 7.


notification when their personal data will be used (criteria 3 and 5), keeping data accurate and up to date (criterion 2), and creating governmental sanctions for violations of Safe Harbor principles (criterion 5).61 In exchange for opting in to the Safe Harbor, U.S. businesses involved in disputes over Safe Harbor principles would keep legal actions in U.S. courts, not in European courts.62 Each business choosing to opt in must write the Department of Commerce, make its privacy policy available on-line and with the Department of Commerce, and have its name published on a list of Safe Harbor businesses.63

Through Safe Harbor, the U.S. has received partial approval from the EC on providing adequate levels of data protection; however, because Safe Harbor only applies to businesses under the Department of Commerce and the Federal Trade Commission, the assurance that the U.S., as a third country, will follow the provisions of the Directive is limited. As of June 2007, 1,196 U.S. businesses had opted in to the Safe Harbor, through the U.S. Department of Commerce.64 The Safe Harbor principles have accounted for meeting criteria 2, 3, 4, and 5, but the agreement is different than approval for other nations. Other approved third countries have received approval for data transfers as a nation, but the Safe Harbor does not represent a full approval for the U.S. as providing adequate levels of private data.

Conclusion

Since its passage in 1995, the European Data Privacy Directive has had an influence on other nations, an effect resulting from the requirements of Chapter IV of the Directive that

61 See Safe Harbor Overview on Department of Commerce website for a complete list of the Safe Harbor principles, available at http://www.export.gov/safeHarbor/sh_overview.html. Last visited on April 20, 2006.
62 Id. at Safe Harbor Benefits.
63 Id. at How does an organization join?.
64 Safe Harbor List, available at http://www.export.gov/safeharbor/doc_safeharbor_index.asp.


requires any non-EU nation to have adequate levels of data privacy protection as a precursor to conducting personal data transfers. Because the free flow of personal data has become such an important commodity in recent years, nations all over the world must consider adopting laws that protect personal data.

The Directive provides third countries an opportunity to demonstrate an adequate level of protection and gain approval from the Commission to ensure a free flow of information and a continuation of business with EU Member States. In determining adequacy, the EC has applied five criteria:

The lawfulness of the processing of personal data.
The special protection of sensitive data.
The rights of the data subjects.
The security of the actual processing of data.
The existence of control and enforcement measures.

Using these criteria the European Commission has given approval for Member States to transfer personal data to Switzerland, Canada, Argentina, Guernsey, Isle of Man, and to the U.S. (in limited scope). Despite the EC's consistent application of adequacy standards with other nations, the case of the Safe Harbor for the U.S. demonstrates that the Commission shows some flexibility in working with third countries. The PNR case may shed further light on how far the EC will go to arrange an agreement with a third country (in this case, the U.S.).

Zinser's five criteria proved accurate and helpful in analyzing the reports on each nation's approval. A comparison of the official EC decisions granting these third countries approved status reveals some interesting similarities and differences.

The EC reports on Switzerland, Canada, and Argentina contained detailed analysis of the laws of those nations that protect private data. Each of these countries granted the concept of data privacy the status of a general law, with Switzerland and Argentina declaring data privacy


as a fundamental human right. Each of these reports also contained examples of how these nations protect privacy at both the general and the sectoral level, just as the EU protects privacy.

As stated in the analysis above, the reports on Guernsey and Isle of Man are brief and lack the detail of the others. This may be a result of the fact that these nations are protectorates of the United Kingdom and opted into the privacy protection laws of the United Kingdom. These two island nations benefit greatly from a free flow of personal data as their economies are based mainly on offshore banking and insurance, which might explain the reason that they sought approval status from the EC.

As previously stated, the EC decision to work with the U.S. to create the Safe Harbor differs greatly from its approval of other third countries. Despite the fact that the U.S. has no general protection for personal data, the EU showed it was willing to work out compromises on data protection in order to allow for international trade even when a nation was not in full compliance with the EU Data Directive.

One question that arises is why so few nations have sought to gain the status of full approval for personal data transfers with the EU. It is possible that some nations are skeptical about the enforcement of the Directive as it pertains to adequacy in third countries. Zinser, in an article previously discussed, pointed out that the Directive never specifies whether the EU or the Member States will enforce the Directive or what methods they might use to enforce it.65 Without specific sanctions for noncompliance (which may prove difficult to craft and avoid

65 See Alexander Zinser, European Data Protection Directive: the Determination of the Adequacy Requirement in International Data Transfers 6 TUL. J. TECH. & INTELL. PROP. 171 (2004).


WTO/GATT problems)66, many third countries might not make the efforts to enact adequate privacy legislation or to encourage businesses to conform to Safe Harbor type principles.

Countries with general laws protecting data privacy might be those that stand to benefit the most from EC approvals. For nations such as the U.S. where there is less chance of enacting general privacy protections, the fact that the Directive allows individual businesses to have adequate levels of protection makes the Safe Harbor (or potentially another plan with other third countries) the best option for now for businesses. As stated previously, the Safe Harbor, however, applies only to businesses and not to the transfer of private data by and to the United States government; therefore, the debate between the United States and the European Commission over Passenger Name Records falls outside the scope of the Safe Harbor and necessitates a separate agreement.

66 See Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy 9 MINN. J. GLOBAL TRADE 645 (2000).


CHAPTER 3
THE PASSENGER NAME RECORDS CONTROVERSY

As discussed in Chapter 2, the European Commission has granted adequacy status to multiple nations since passage of the Data Directive in 1995. In the cases of Switzerland, Canada, Argentina, Guernsey, and Isle of Man, the Commission stated that those nations' laws provided adequate levels of protection for private data. In the case of the United States, the Commission worked with the U.S. government to create the Safe Harbor program wherein individual businesses guaranteed to provide adequate levels of protection for private data.

Although the Safe Harbor agreement represented compromise, the greatest controversy and challenges to the Directive have come in the form of laws requiring that commercial airlines provide governments with Passenger Name Records. As mentioned in Chapter 1, Passenger Name Records contain large amounts of personally identifiable information including financial information, itineraries, physical addresses, travel information, and contact information.1

Australia and the United States require commercial airline carriers to pass PNR information to their national customs agencies. The European Commission has worked with both of these nations in an effort to protect the private data of European citizens in PNRs. The Australian PNR agreement was met with very little controversy, but the United States PNR agreement has been the source of one major legal challenge in the European court system. These agreements raise important issues that affect the scope and efficacy of the 1995 Data Directive.2

1 See supra at note 17.
2 At the time of this thesis, the Australian and United States PNR agreements are the only such documented PNR cases with the European Union.


The Australian Passenger Name Record Agreement

Following the terrorist attacks of September 11, 2001 on the United States, the Australian government implemented new security policies that included a requirement that commercial airlines provide the government with Passenger Name Record data.3 Upon introduction of these new requirements in the Border Security Legislation Amendment (Terrorism) Act 2002 (hereafter Border Security Act), the Government of Australia requested that the European Commission officially determine the adequacy of Australia's data protection laws for the transfer of PNR data. In accordance with the legal framework laid out in the Data Directive, the Commission assigned the task of determining adequacy to the Article 29 Working Party.4

As created in Article 29 of the Data Directive, the data protection commissioners of each Member State and the EC data commissioner comprise the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (hereinafter referred to as the Working Party).5 Under Article 30, the Working Party is charged with addressing concerns (such as the PNR concerns) over data protection in third countries6 and informing the Commission about any issue concerning data privacy for EU citizens.7 In January 2004, the Commission adopted the Article 29 Working Party's opinion that Australia provided an adequate

3 Border Security Legislation Amendment (Terrorism) Act, 2002, c. 64 (Austl.).
4 See Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1995 O.J. (L 281).
5 Id. at art. 29(1).
6 Id. at art. 30(b).
7 Id. at art. 30(c).


level of protection of private data in its transfers of PNR data to the Australian Customs and Border Protections agencies.8

The Border Security Act amended a number of laws governing the activities of Customs and the Border Protection agencies in Australia. As mentioned above, one requirement of this 2002 act is that commercial airlines must transfer PNR data to the Australian government for use in terrorist risk assessment. In its opinion on adequacy, the Working Party noted that the PNR requirement in the Border Security Act had to comply with Australian privacy laws9 guaranteeing the privacy of personal information.10 The Working Party noted that Australia has a strong legal foundation of protecting the collection, use, transfer, and retention of private data in the public and private sectors.11

Keeping with the tradition of favoring the privacy of personal data, the Australian government required specific procedures to ensure what the Australian government considered to be the highest possible levels of protection for the private data transferred in PNRs. The Border Security Act (hereafter BSA) seeks to ensure the protection of the private data in PNRs in the following ways.

Passenger Name Records accessed contain only current flight data and not historical PNR data12
Computer software weeds out the data of 95%-97% of all passengers on an average flight because they are determined to be of no risk to the security of the country13

8 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85).
9 See Commonwealth Privacy Act, 1988, c. 118 (Austl.).
10 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85) at 3.
11 Id. at 3-5.
12 Id. at 5.


The first human eyes to see any of the data are those of a Customs officer who reviews the 3%-5% of passengers flagged by the software screening and determines whether or not the government should detain the passenger upon arrival in the country14
Computer software automatically deletes the PNR data of the 95%-97% of passengers who clear the initial software screening15
A Customs officer deletes all PNR data for every individual eventually cleared of any concerns by the Customs and Border Patrols agencies16
Computer software automatically deletes flight information from Customs databases 24-48 hours after the flight17
Computer software filters out sensitive information including racial or ethnic origin, political opinions, religious or philosophical beliefs, or data on health problems18
The BSA limits the third parties authorized to receive the PNR data (namely Australian law enforcement agencies)19
The BSA limits the use of PNR data by law enforcement agencies to law enforcement activities guided by judicially authorized warrants20
The BSA bans the use of PNR data for a secondary purpose except where authorized by the individual identified in the data or mandated by Australia federal law.21

As understood by the Article 29 Working Party, the above regulations governing the collection and use of PNR data serve to protect the privacy of personal data at an adequate level as defined in the EC Data Directive.

13 Id.
14 Id.
15 Id. at 6.
16 Id.
17 Id. at 7.
18 Id. at 8.
19 Id. at 9.
20 Id. at 9. The Working Party noted that in order to receive credit card and telephone records from Customs PNR data, law enforcement agencies must provide Customs proof of having obtained a warrant. Id.
21 Id. at 10.


The Working Party also noted that the Australian PNR agreements mandate high levels of security when working with PNR data.22 To protect sensitive information in PNRs, Australia allows only a small group23 of individuals access to PNR data. This group of individuals must pass through three layers of passwords and identification confirmation before accessing the PNR records. Additionally, PNR data is stored on an electronic network separate from other networks in the Australian Customs agency system.24

The Australian PNR law also grants individuals the right to access and correct any data in their records. Because most PNR data may be stored for only 24-48 hours, this aspect of the law applies only to individuals who have been charged with violating Customs or border protection laws. These individuals, whether charged or convicted, have a legal right to access their PNR data and to rectify errors therein.25

The Australian PNR agreement also grants the Australian Privacy Commissioner the authority to petition the Australian legislature to change any PNR practices that may not be in line with existing Australian privacy laws.26 The PNR arrangement also gives the Privacy Commissioner the authority to investigate alleged abuses of PNR brought forth by either Australian citizens or non-citizens.27

The European Commission adopted the Working Party's Opinion on the adequacy of private data protection in Australia's PNR system in January 2004. Under the recommendation

22 Id.
23 Id. at 8.
24 Id. at 10. The Working Party also noted that Customs officials refrain from using PNR data and visa information together in any way. Id.
25 Id. at 11.
26 Id.
27 Id.


of the Working Party, the Commission set a three-year time period on the present agreement with a required review of the PNR system set for mid 2007.28 Since the European-Australian PNR agreement in 2004, neither side has formally challenged the legality of the agreement or expressed concerns over the protection of individuals' private data when transferred to the Australian government.

Although this agreement has not met legal challenges, the European-United States Passenger Name Records has raised controversy from the European government and its citizens.

The United States Passenger Name Records Agreement

Despite the agreement between the United States and the European Union to create the Safe Harbor, the trans-Atlantic battle over the protection of private data was renewed in late 2003. In post 9/11 legislation aimed at combating terrorism the United States Congress passed the Aviation and Transportation Security Act (ATSA) that required airlines to transfer all Passenger Name Records (PNRs) to the U.S. Customs and Border Protection (CBP).29 ATSA required airlines flying in and out of the United States to provide this information to the CBP or risk penalties.

This new law quickly raised concerns in Europe over the uses and transfers of European citizens' private data in PNRs. The controversy between the EU and the U.S. over the PNRs sheds additional light on how the EU might apply the Data Directive to third countries.

From the European perspective, the concerns about the transfer of PNRs to the U.S. government are founded in Chapter IV, Article 25(1) of the Directive. This article states that

28 Id. at 12. At the time of the present study in June 2007, neither the European Commission nor the Australian government has publicly announced an end to, or a renewal of, the PNR agreement.
29 Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71, 115 Stat. 597. The Customs and Border Protection is a U.S. governmental agency under the Department of Homeland Security (DHS). In this light, much of the EU/U.S. debate over PNRs is directed towards the DHS.


The Member States shall provide that the transfer to a third country30 of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.31

This particular portion of the Data Directive has caused tension between the U.S. and the EU because of the United States' sectoral, case-by-case approach to data privacy legislation. If EU businesses and Member States follow the legal frameworks of the Directive regarding third country adequacy of protecting private data, the trans-Atlantic flow of personal data could be limited and business would be greatly disrupted between the world's two top economies. In the case of the PNRs, airlines that refuse to provide this data to the CBP would be subject to fines and potential loss of privileges to land in the U.S., resulting in a major loss of business due to differences in privacy laws.

After the passage of ATSA, the European Commission notified the U.S. government that the requirement to provide the CBP with PNRs violated provisions of the Data Privacy Directive of 1995.32 The EC said it had learned that the PNRs of EU citizens were being transferred to the United States Department of Homeland Security (DHS) for access by the CBP. In 2002, the EC officially issued a report denouncing this practice as an invasion of the privacy of EU citizens.33 Because the ATSA failed to provide the data subject the authority to access his or her personal data held by the DHS and to correct errors in that data, the Commission said the sharing of this information violated the Data Directive. The Directive requires that personal data held by any

30 A third country refers to a nation or state that does not belong to the European Union.
31 Directive 95/46/EC, Art. 25(1).
32 See Communication from the Commission to the Council and the Parliament December 16, 2003, on PNRs. Accessed from EC website, available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/adequacy/apiscommunication/apis_en.pdf.
33 Opinion of the European Commission, Opinion 2/2004. Available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2004/wp87_en.pdf.


government or business be accessible by data subjects, that the data not be kept on record for longer than necessary, and that a supervisory authority oversee the uses of the personal data.34

In response, the U.S. Customs and Border Protection argued that the transfers of this data are allowable under Article 13 of the Directive because the data is used in national and public security, specifically to combat terrorism.35 Article 13 grants the EU and its Member States room to restrict the scope of the Data Directive obligations on data protections if the government deems such restrictions as a necessary safeguard in certain key areas.36 The key areas for exemptions to the Directive's data protection guidelines include lifting data privacy restrictions to aid in national security,37 defense,38 public security,39 fighting crime (including white collar crime),40 maintaining economic interests,41 monitoring or inspecting crimes,42 and the protection of the rights and freedoms of the data subject and others.43

34 Id.
35 See Council Decision of 17 May 2004 on the conclusion of an agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC).
36 Commission Directive 95/46/EC, art. 13(1), 1995 O.J. (L 281).
37 Id. at art. 13(1)(a).
38 Id. at art. 13(1)(b).
39 Id. at art. 13(1)(c).
40 Id. at art. 13(1)(d). In addition to granting exemptions for data protection in the act of preventing, discovering, investigating, and prosecuting criminal offences, the Directive explicitly mentions that this exemption applies to investigations and prosecutions of breaches of ethics for regulated professions. Id. The Directive does not define regulated professions.
41 Id. at art. 13(1)(e). The Directive states that economic interests include monetary, budgetary, and taxation matters. Id.
42 Id. at art. 13(1)(f).
43 Id. at art. 13(1)(g).


Acting under its authority, the Article 29 Working Party44 issued an opinion in January 2004 that highlighted many of the legal issues of the PNR debate.45 In its opinion, the Working Party acknowledged that the fight against terrorism is necessary but emphasized the necessity to balance fighting terrorism with the need to ensure human rights,46 including the fundamental human right of privacy.47 The Working Party also expressed concern about the amount of personally identifiable information contained in the PNRs passed to the U.S. government.48 Despite the fact that the Commission had recently reached its agreement to transfer PNR data to the Australian government,49 the Working Party stated that the Commission had no legal precedence to follow in this case and could not issue a solid decision on what to do.50

In response to the Working Party's concerns over the level of protection of Passenger Name Record data when transferred to Customs and Border Protection, the Department of Homeland Security issued further explanations of the CBP PNR system in May 2004.51 The document, titled the Undertakings, outlined the framework that the CBP would follow in its use of the PNR data.

In the Undertakings, the Department of Homeland Security said that the Customs and Border Protection only uses Passenger Name Record data in terrorist and law enforcement

44 See supra at note 123.
45 Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87). Available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2004/wp87_en.pdf.
46 Id. at 3.
47 Id.
48 Id. at 4.
49 Id.
50 Id. at 5. The Working Party did not provide any explanation as to why there was no legal precedence for the PNR case even though they had recently reached a PNR agreement with the Australian government.
51 Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection Regarding the Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543 (July 9, 2004).


activities.52 The DHS stated that it believes that it will be rare that an individual PNR will include a full set of data.53 For those individuals flagged as high risk, the DHS said that its employees would manually search through the PNR data; otherwise, PNR data would be analyzed by automated software.54 Finally, the DHS assured that it would follow legal channels to obtain credit card transactions, e-mail communications, and phone records information on high risk individuals.55

In the Undertakings, the Department of Homeland Security also stated that PNR data would be transferred to the Transportation Security Administration (TSA) for analysis56 and to other government agencies, both domestic and foreign, on a case-by-case basis.57 In providing PNR data to the TSA and other governments, the DHS stated that the PNR data would be filtered for sensitive data (including race and ethnicity, religious beliefs, and union memberships) and that the data would be used solely for terrorist screening purposes.58 The DHS promised that any transfers and storage would be secured by the latest technologies.59

The Undertakings mentioned that neither U.S. citizens nor non-U.S. citizens would have access to PNR data because the data would be exempt from disclosure as confidential commercial information.60 The Undertakings mentioned that through a Freedom of Information

52 Id.
53 Id. at 41,544.
54 Id.
55 Id.
56 Id.
57 Id. at 41,545.
58 Id. at 41,544.
59 Id.
60 Id. at 41,545.


Act request, the data subject would be allowed to see his or her PNR data unless Customs and Border Protection determined that providing the data would interfere with a law enforcement or security activity.61 The DHS stated that denying an FOIA request because of concerns that data disclosure would interfere with law enforcement would represent an exceptional case.62 Finally, the DHS said that the PNR agreement would be subject to yearly joint review by the European Commission and the U.S. Department of Homeland Security in an effort to ensure that privacy remain a priority in the U.S. PNR data searches.63

The European Commission, despite its concerns over the U.S. government's PNR uses, used the Undertakings as a guide for reaching a May 2004 agreement to continue sharing PNR data between the U.S. and the EU.

The European Commission, in its report on the European-United States PNR agreement, stated that the European Parliament had been given the chance to review the agreement but had not acted within the time limits provided by European Community law.64 The Council stated that, under Article 300(3) of the Treaty Establishing the European Union,65 Parliament must deliver its opinion on the Commission's actions within a time limit chosen by the Council.66 In this case, Parliament failed to act in time and provided no reason for the delay.

61 Id. at 41,546.
62 Id.
63 Id. at 41,547.
64 Id. at 2.
65 Treaty Establishing the European Union, 1997 O.J. (L 340) at 298. Available at http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&numdoc=11997E300&model=guichett&lg=en.
66 Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87) at 2. Available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2004/wp87_en.pdf.


The European Commission, the Council of the European Union, and the European Parliament comprise the decision-making triangle67 of European governance. Understanding the roles of these separate European governmental bodies is important to the present study because of their involvement in the PNR controversy. In the European Union governmental structure, the European Commission acts as the executive arm of the government for all matters concerning the internal market. Its members are appointed by the Member States and approved by the European Parliament.

The European Parliament, its members elected by EU citizens, is charged with supervising the EU's activities. In its supervisory responsibilities, Parliament can require the Commission to include parliamentary proposals in Commission directives and must give approval to any international agreement negotiated by the Commission.

The third EU governmental body, the Council of the European Union, shares legislative power with the Parliament. Through a co-decision procedure, both the Council and the Parliament must approve legislation on any matter dealing with the EU common economic market. The Council is comprised of ministers from each EU Member State.68 In addition to sharing authority with the Parliament, the Council also directs the European Commission when to open negotiations with non-European Union nations.69

Because the Parliament failed to approve or disapprove the European Commission-Department of Homeland Security agreement on Passenger Name Records within its time limits,

67 How does the EU work? The decision-making triangle, http://europa.eu/abc/12lessons/lesson_4/index_en.htm (last visited Apr. 17, 2006).
68 Id.
69 Id.


on May 14, 2004 the Commission and Homeland Security went ahead with an agreement to continue to allow airlines to transfer PNRs to Customs and Border Protection.70

The Commission agreed that the CBP provided adequate levels of data protection for the PNRs and that the practice of allowing the U.S. government to access PNR data from the airlines' databases could continue only until there is a satisfactory system in place allowing for transmission of [PNRs] by the air carriers71 to the CBP. Nowhere in the document did the European Commission mention when such a system would appear or how the system would differ from the current one.

To punctuate the strenuous relationship between the EU and the U.S. in the matter of the Passenger Name Records, the EC also added that the present agreement would in no way serve as a precedent for future agreements between the U.S. and the EC in matters of protecting personal privacy.72 Although this agreement allowed the transfer of personal data in the name of public safety, the Commission made it clear that this was not to become a common practice and that the rules of the Directive applying to third countries were going to be enforced in the future.73

The U.S. also conceded to limit its use of sensitive information in PNRs.74 In negotiations, the U.S. agreed to limit its use of PNR information to the passenger's name,

70 Agreement between the European Community and the United States of America on the processing and transfer of PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, signed in Washington on 28.5.2004 at 4. 2004 O.J. (L 183) 83. Available at http://europa.eu.int/eurlex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32004D0496:EN:HTML.
71 Id. at 5.
72 Id. at 4.
73 Id.
74 See Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights between the European Union and the United States of America (Sep. 30, 2004). Available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2004/wp97_en.pdf.

contact details, details of the travel itinerary, ... details of the reservation ... [and] other information, such as frequent flyer data.75 Sensitive information that the U.S. agreed not to use includes information on religious and political affiliations, health records, sexual preferences, and race.76 The fact that the U.S. agreed to limit its use of this information showed, at least, a willingness to adjust on its end. This could be a factor for other countries that wish to conduct business with the EU but do not have such sweeping privacy protections written into national law.

On May 17, 2004, three days after the European Commission issued its decision to allow Customs and Border Protection to continue to transfer Passenger Name Record data, the Council of the European Union issued its own decision on the matter.77 The Council stated that the Parliament had failed to act on its authority to approve or disapprove the Commission agreement and that the issue needed to be resolved quickly because of the pressure placed on the airlines to comply with competing European and U.S. standards.78 The Council also decided that the agreement between the Commission and the Department of Homeland Security provided an adequate level of protection for personal data.79 Due to the urgent nature of the issue, the Council approved the EC-DHS agreement.80

75 Id. at 5.
76 Id.
77 Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 2004/496/EC. 2004 O.J. (L 183) 83. Available at http://eurlex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32004D0496&model=guichett.
78 Id.
79 Id.
80 Id.

The Opinion of the Advocate General and the European Court of Justice Decision on the PNR Case

Despite the agreement between the European Commission and the U.S., the European Parliament was not satisfied with the decisions of the Commission and the Council. Parliament brought suit to the European Court of Justice in July 2004, asking the ECJ to annul the European Commission and Council of the European Union decisions permitting the transfer of the PNRs.81

In the European Union system, the European Court of Justice (ECJ) takes cases from Member States that require a clarification of European law and from Parliament when challenging an action of the European Commission. The ECJ consists of a judge from each Member State and eight Advocates General. Upon receiving a case the ECJ passes it on to one Advocate General who then issues a non-binding opinion on the case. The ECJ traditionally adopts the opinions of the Advocate General.82

The Court of Justice referred this case to Advocate General Philippe Léger, who issued an opinion on the case on November 22, 2005. In his opinion on the combined cases of the 2004 Commission and Council decisions on PNR agreements, Léger sided with the European Parliament and suggested that the Court of Justice annul the agreements issued by the EC and the Council concerning the transfer of PNRs.83

The Advocate General argued that the Commission's ruling that the U.S. provides adequate protection of private data was faulty. According to the Advocate General, the [European Commission Data Directive] does not apply to the processing of personal data

81 Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November 2005. Available at http://curia.eu.int/jurisp/cgi-bin/form.pl?lang=en&Submit=Submit...f=C317%2F04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100.
82 See European Court of Justice website for further information at http://curia.eu.int/en/instit/presentationfr/index_cje.htm.
83 Id.

undertaken in pursuance of activities that do not fall within the scope of Community law, particularly the processing of such data for such matters as public security and the activities of the State in relation to areas of criminal law.84 In other words, the Directive cannot regulate the transfer of private data for security or law enforcement purposes. The Directive comes from, and applies to, the European Commission. The sole mission of the European Commission is to promote the common economic market in the European Union and the EC is not involved in law enforcement or investigations into criminal activity.85

Regarding the decision of the Council to allow the PNR transfers, the Advocate General advised the Court of Justice to annul this decision as well.86 He used the same reasoning, that the Data Directive, or any other European Commission directive, cannot be employed in the realm of national security, defense, or law enforcement because they fall outside the Commission's authority to promote the European common market.87

Following the opinion of Advocate General Léger, the European Court of Justice annulled both the Commission's agreement to permit the transfer of PNRs to the U.S. Department of Homeland Security and the Council decision affirming the agreement on the Passenger Name Records.88 As expected by tradition, the ECJ followed the reasoning and the conclusion of the Advocate General in its ruling.

84 Id. at 17.
85 For more information about the structure of the EU government, visit http://europa.eu.int/abc/eurojargon/index_en.htm
86 Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November 2005, 36. Available at http://curia.eu.int/jurisp/cgi-bin/form.pl?lang=en&Submit=Submit...f=C317%2F04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100.
87 Id.
88 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf.

The Court's analysis of how the PNR case relates to Directive 95/46/EC provides important insight into the Directive. In its decision, the Court addressed Parliament's arguments against the agreement in a systematic fashion. First, the Court considered Case C-318/04, Parliament's suit to annul the Council decision on adequacy from May 17, 2004 that had legalized the continuing program of PNR transfers to Homeland Security. In its suit, the European Parliament argued that because Article 3(2) of the Directive specifically excludes the Directive from applying to issues that fall outside the scope of European Community law, the Directive could not serve as a legal foundation for a Passenger Name Record deal with the U.S. Department of Homeland Security.89

Parliament contended that the PNR agreement was aimed primarily at providing the U.S. with personal data for the sake of fighting terrorism and organized crime.90 The Commission argued that although the U.S. was seeking this data for those purposes, the Commission made the agreement in order to protect the personal data of citizens and to protect airlines from fines and other penalties that could affect the common market.91 The ECJ, however, disagreed with the EC on this issue.

The Court reasoned that the text of the Council's decision on adequacy clearly states that the purpose of the agreement was to support the United States' efforts to combat terrorism and international crime and to provide data to a third country solely for this purpose.92 The ECJ reasoned that despite the fact that the PNR data is initially collected as a commercial activity by

89 Id. at recital 51.
90 Id. at recital 52.
91 Id. at recital 53.
92 Id. at recital 55.

the airlines, the PNR agreement focused on the completely different use of the data for security and crime fighting.93

The Advocate General expounded on this point in his Opinion, pointing out that despite the Council's argument that the agreement existed to protect the common market, the decision on adequacy proved the opposite.94 The primary purpose of the agreement, he said, was to provide the United States with data that would be used in fighting terrorism.95 The Advocate General pointed out that both the EC-DHS agreement and the Council's decision contained a paragraph that mandated that the U.S. would actively promote the cooperation of U.S. airline companies in providing PNR data to the EU in the future if either the European Union or one of its Member States desired PNR data for fighting terrorism in Europe.96 The Advocate General stated the European Commission could not claim that the purpose of the PNR agreement was to protect European citizens' private data in international economic activities such as air travel when the Commission had explicitly based its decision to continue PNR transfers in order to aid the U.S. in fighting terrorism and crime.97

The European Court of Justice, in its decision, ruled in favor of Parliament's concern that the PNR agreement infringed on Article 3(2)98 of the Directive and that the Council decision on

93 Id. at recital 57.
94 Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November 2005, 20. Available at http://curia.eu.int/jurisp/cgi-bin/form.pl?lang=en&Submit=Submit...f=C317%2F04&datefs=&datefe=&nomusuel=&domaine=&mots=&resmax=100.
95 Id.
96 Id.
97 Id.
98 See Commission Directive 95/46/EC, 1995 O.J. (L 281) article 3(2). This Directive shall not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as operations concerning public security, defence, State security, and areas of criminal law.

adequacy must be annulled.99 Having followed the opinion of Advocate General Léger in the first part of the case, the Court then turned to its analysis of Case C-317/04, Parliament's suit over the EC-DHS PNR agreement.100

In its suit, the European Parliament argued that as with the Council's decision on adequacy, the 1995 Data Directive did not constitute the appropriate legal foundation for the PNR agreement because it fell outside the Commission's purpose of protecting the common market.101 The Commission asserted that under the auspices of Article 95 of the Treaty Establishing the European Union the Commission and the Council had authority to seek the harmonization of law where there is a clear conflict in international law between the EC and a third country that would affect the common market.102 Under this authority, the Commission claimed the right to use the 1995 Data Privacy Directive as the foundation for the PNR agreements.

The Court of Justice, however, ruled that Article 95 granted the Commission and Council the authority to harmonize international laws relating to the European common market and not to matters of national security.103 Because the EC-DHS agreement relied on the authority to regulate the common market from Article 95 of the Treaty Establishing the European Union and the authority to protect the common market from data privacy concerns in third countries from

99 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at recital 60. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf.
100 Id. at recital 62.
101 Id. at recital 63.
102 See Treaty Establishing the European Community, Article 95, 2002 O.J. L (C 325) 69. Available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12002E095:EN:HTML.
103 Id. at 67.

the 1995 European Commission Data Directive as its legal basis, the agreement had to be annulled.104 The Court said that both Article 95 and the 1995 Data Directive concern the functioning of the European common economic market, but that the Commission's decision on adequacy does not have as its objective and subject-matter the establishment and functioning of the internal market.105

In its decision to annul the 2004 agreements, the European Court of Justice held that because the PNR transfers were for the purpose of combating terrorism and crime, activities outside the scope of the European Commission's mandate to promote the common economic market, the Data Directive did not constitute an appropriate legal basis for the PNR agreement.106

Despite the Court of Justice's annulment of both the EC-DHS agreement and the Council decision on adequacy, the ECJ held that the PNR agreement should remain applicable for a period of 90 days so that the governments could work on a new agreement in that time. The Court said that the agreement would not be preserved past September 30, 2006.107

In October 2006, the Council of the European Union issued a decision to sign a new temporary agreement between the European Union and the U.S. government on the transfer of PNR data.108 This new agreement resembled the 2004 agreements in the Commission's adequacy decision and the Council's decision on adequacy that were annulled by the European Court of Justice. As with the 2004 agreements, the Council and Commission cited the 2004

104 Id. at 67-70.
105 Id. at 63.
106 See supra at note 218.
107 Id. at 74.
108 Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 27.

Undertakings as ensuring adequate levels of protection for the private data in PNRs.109 As in previous agreements, the Commission and Council reserved the right to withdraw from the agreement upon receipt of concerns from the Member States about EU citizens' privacy.110 Finally, the Council and Commission both agreed that preventing terrorism and transnational crime were the basis for the agreement to transfer PNR data to the U.S. Customs and Border Protection, just as previous agreements had stated.111

The notable difference between the 2004 agreements and the October 2006 agreement was the latter's lack of allusions to the 1995 European Commission Data Directive. The October 2006 agreement instead used Article 6(2) of the Treaty on the European Union112 as the legal basis for respecting privacy as a fundamental right and in particular to the related right to the protection of personal data.113 Due to the fact that the Treaty on the European Union applies to all areas of Europe (not just the common economic market governed by the European Commission), the agreement appeared to satisfy the literal holding of the Court of Justice's ruling that the PNR agreements dealt primarily with terrorism and law enforcement, not the welfare of the common economic market. Finally, the October 2006 agreement set a date of July 2007 for creating a new, permanent PNR agreement between the Commission and the U.S. Customs and Border Protection.114

109 Id.
110 Id. at 28-29.
111 Id. at 29.
112 See Treaty Establishing the European Community, Article 6, at 2. 2002 O.J. (C 325) 69.
113 Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 29.
114 Id.

The Opinion of the Advocate General versus the Court of Justice's Holding in the Passenger Name Record Case

In its decision to annul the European Commission-U.S. Department of Homeland Security agreement, the European Court of Justice only addressed one of the European Parliament's concerns over the Passenger Name Record agreement. The ECJ held that the PNR agreement infringed upon Article 3(2) of the 1995 Data Directive, namely that the Directive only applies to protecting personal data in economic activities and not security and law enforcement activities. Having found that the Directive was not an appropriate legal basis for the PNR agreement, the ECJ annulled the agreement solely on these grounds.

The Court of Justice refrained from even addressing Parliament's other arguments saying, "it is not necessary to consider the other pleas relied upon by Parliament"115 in order to annul the agreement. By basing its ruling solely on one argument in the case, the Court failed to address these other important concerns over the agreement, concerns that may prove problematic for future PNR agreements. The Advocate General examined each of these pleas in his Opinion on the case, siding with the European Commission and the Council of the European Union on every count.

The other pleas set forth by Parliament against the PNR agreements are that the PNR agreement infringed on fundamental rights, that the PNR agreement was overbroad, and that the Commission and Council overstepped their authority in the creation of the PNR agreement. The Parliament's pleas will be discussed in separate sections. An examination of the Advocate General's response to these pleas provides valuable insight into potential problems with future PNR agreements.

115 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at recital 70. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf.

Plea: the PNR agreement represented an infringement of fundamental rights

In its case, the European Parliament alleged that the PNR agreement between the U.S. and the E.U. failed to respect the basic human right of protecting personal data. The Parliament alleged that the system of accessing PNRs intrudes upon privacy and is overly broad in the information provided to the government.116

The Advocate General emphasized that, in Europe, privacy is a fundamental right affirmed in Article 8 of the European Convention on Human Rights and that any law seeking to limit this right cannot find acceptance in the [European Community].117 The PNR agreement, in the Advocate General's opinion, constituted an obvious, yet justified, intrusion on the right of privacy.

In order to justify an intrusion on private life the Advocate General pointed out that such a law must meet three criteria: it must 1) be in accordance with existing law, 2) pursue a lawful and legitimate aim, and 3) be necessary for a democratic society.118 Whereas the Parliament contended that the PNR agreement was not in accordance with the law, Advocate General Léger said that the 2004 Department of Homeland Security Undertakings on the U.S. Passenger Name Records system ensured that the agreement was indeed in accordance with privacy law, the first of the three criteria.119 The Advocate General also stated his opinion that fighting terrorism is a legitimate governmental aim, consistent with the second criterion.120

The third and final criterion for justifying an intrusion into private life is the issue of whether or not the interference is necessary in a democratic society. In his analysis of this

116 Id. at recital 108.
117 Id. at recital 208.
118 Id. at recital 214.
119 Id. at recital 221.
120 Id. at recital 222.

question, Advocate General Léger stated that the European Court of Human Rights has defined the term "necessary" as a pressing social need that should be proportionate to the legitimate aim pursued.121 The Advocate General stated that the European courts have sought to balance the general interest and the interest of the individual in an effort to limit laws from being broadly infringing on fundamental rights,122 but that the courts have traditionally allowed European Member States a wide margin of appreciation, or a great deal of latitude, in laws seeking to maintain national security and combat terrorism.123 The PNR case, he said, is an area where the courts should allow the Commission and the Council a wide margin of appreciation because the case is focused mainly on maintaining national security and combating terrorism.124

Plea: the Commission and Council went beyond their authority in creating the U.S. PNR agreement.

Advocate General Léger then sought to determine whether or not the Commission and the Council exceeded the scope of their wide margin in the Passenger Name Record agreement with the U.S.125 He then systematically addressed Parliament's arguments aimed at proving this plea.

The Parliament argued that the list of 34 personal data items in the PNRs126 transferred to the Department of Homeland Security overstepped the margin of appreciation granted to the Commission and Council. However, Advocate General Léger said that the amount of data

121 Id. at recital 226.
122 Id. at recital 228.
123 Id. at recital 230.
124 Id. at recital 231.
125 Id. at recital 234.
126 See supra at 17.

requested is necessary for combating terrorism and therefore was within the margin of appreciation in this case.127

The Parliament also contended that the PNR agreement overstepped the margin of appreciation because the U.S. authorities would hold the PNR data for a long period, up to three years and six months for most records and up to eleven years and six months for data on passengers deemed as posing a high risk to U.S. national security.128 Addressing this concern, Advocate General Léger stated that the length of time for the data storage did not necessarily infringe on the right to respect of privacy. He said that although it is in principle desirable that personal data should be kept for a short period, it is necessary, in this case, to consider the period of storage of data from PNR in light of their usefulness, not only for purposes of preventing terrorism but, more widely, for law-enforcement purposes.129 In other words, the Advocate General felt that the long period of data storage in the PNR agreement did not overstep the considerable latitude granted to laws aimed at combating terrorism and crime.130

The Parliament also argued that the PNR agreements did not allow for any judicial review of the PNR program by U.S. authorities, meaning that the U.S. court system could not impose safeguards on the U.S. government's use of PNR data.131 Advocate General Léger stated that the safeguards for protecting the PNR data from abuse in the U.S. government were adequate in protecting personal privacy while using the data to combat terrorism.132 The Advocate General

127 Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, at recital 238.
128 Id. at recital 240.
129 Id. at recital 242.
130 Id. at recital 243.
131 Id. at recital 244.
132 Id. at recital 246.

said that the PNR agreement allowed for an individual to access his or her PNR data and to correct any errors contained therein,133 and guaranteed that the Chief Privacy Officer at the Department of Homeland Security would pursue any complaints about the misuse of PNR data from the EU Member States on an expedited basis.134 In his opinion, the safeguards for the PNR program kept the agreement within the wide margin of appreciation in this case.135

Plea: the U.S. PNR agreement was overbroad

Finally, the Parliament also argued that the PNR agreement was overbroad in that it permitted the U.S. Customs and Border Protection to transfer PNR data to other U.S. government agencies and to foreign governments.136 Again, Advocate General Léger disagreed with the Parliament on this issue. He stated that safeguards in the DHS Undertakings were sufficient to protect PNR data from abuse in transfers to other governmental bodies.137 The Advocate General said that the Customs and Border Protection would only transfer PNR data to other government bodies if the data was needed to pursue law enforcement activities and that the governmental body receiving the PNR data would have to have written permission from the CBP to use the PNR data.138

Summary of the Advocate General's Opinion on the PNR case

Following his reasoning in each of the issues mentioned above, Advocate General Léger dismissed the Parliament's plea alleging that the Passenger Name Record agreement infringed

133 Id. at recital 249.
134 Id. at recital 251.
135 Id. at recital 254.
136 Id. at recital 255.
137 Id. at recital 258.
138 Id. at recitals 259-260.

upon the right of protection of personal data.139 The Advocate General recommended that the Court of Justice annul the PNR case because the Commission had inappropriately based the agreement on the 1995 Data Privacy Directive; however, the Advocate General disagreed with the Parliament on every other plea. The fact that the Advocate General sided with the European Commission and the Council of the European Union on all but one of the Parliament's pleas is potentially important for future PNR agreements. The potential significance of the Advocate General's Opinion will be addressed in Chapter 4.

Conclusion

The Passenger Name Records disputes between the European Union and the U.S. government provide a revealing look at how Europe has attempted to enforce the third country adequate levels of protection for private data requirements in the 1995 Data Directive. Despite substantially different approaches to privacy law, the U.S. and Europe have worked to try and find a balance between sharing data to combat terrorism and protecting individual privacy. The questions remain as to how Europe will apply its Directive to continued PNR agreements with the U.S. and Australia, as well as how these PNR agreements might affect the future of how the European Commission enforces the Data Directive to enforce data privacy protection in non-PNR cases.

139 Id. at recital 262.

CHAPTER 4
CONCLUSION: HOW THE PNR CASE AFFECTS THE DATA DIRECTIVE

The study conducted in this thesis seeks to answer three fundamental questions about the 1995 European Commission Data Privacy Directive. These questions are:

R1: How has the EC defined adequate data protection laws for third countries and how has it applied this definition to third countries thus far?
R2: What does the Passenger Name Records dispute between the US and the EC show about the Directive's third country requirements?
R3: How might the European Court of Justice annulment of the Passenger Name Records agreements potentially affect the Directive, especially its third country requirement?

This concluding chapter will constitute a summary of the issues, systematic answers to these research questions, and some concluding remarks.

Summary of the Issues

Since passage of the 1995 European Commission Directive on the protection of personal data, the European Union has required that governments and businesses of its Member States may only transfer private data to a third country if that country assures an adequate level of data privacy protection. As of the time of writing, the European Commission has granted national adequacy rulings to Switzerland, Canada, Argentina, Guernsey, and Isle of Man. The Commission has also worked with the United States to ensure that businesses can provide adequate levels of protection for private data through the Safe Harbor program.1 Through these agreements, the European Commission has consistently analyzed the laws of these nations in order to determine if that nation provides an adequate level of protection.

A recent and controversial effect of the European Commission's requirements that third countries provide adequate levels of protection for private data has been the challenges to the United States' post-9/11 laws requiring that commercial airlines provide U.S. Customs and Border Protection with Passenger Name Record data. Although the Commission reached a PNR

1 See supra at note 112.

agreement with Australia in January 2004, that agreement met no controversy in Europe. In the United States, however, the amount of personal data in each PNR, obtained in an effort to combat terrorism and aid law enforcement measures, has caused European concerns over both the uses of the data and the security of transferring such data to the U.S. government.

At the time of the 2004 PNR agreement, the Commission and the U.S. government seemed to have reached a satisfactory agreement to share this data, but the European Parliament challenged this PNR agreement in the European Court of Justice. The ECJ then proceeded to annul the agreement, stating that the Commission could not base its PNR agreements on the 1995 Data Directive because the Commission does not oversee national security and terrorism activities. The European Commission, whose mission is to oversee the European common economic market, had inappropriately applied a directive focused on ensuring the protection of private data in commercial activities to an agreement aimed at protecting private data used for security purposes.

How Has the EC Defined Adequate Data Protection Laws for Third Countries and How Has the EC Applied This Definition to Third Countries Thus Far?

Although the Data Directive never specifically defines adequacy, an analysis of the Directive provides a list of five elements of data protection that the European Commission examines in determining adequacy:

The lawfulness of the processing of personal data
The special protection of sensitive data
The rights of the data subjects
The security of the actual processing of data
The existence of control and enforcement measures.2

2 See Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level of Data Protection According to Article 25 of the European Data Directive 21 J. MARSHALL J. COMPUTER & INFO. L. 547, 559 (2003).

Using this definition of adequacy, the European Commission has been fairly consistent in determining whether or not a third country provides adequate levels of data privacy protection. As discussed in Chapter 2, the Commission systematically studied the privacy laws of Switzerland, Canada, Argentina, Guernsey, and Isle of Man. In each decision, the Commission found that the laws of these nations adequately protect data privacy according to the five-part definition from the 1995 Data Privacy Directive.

In the case of the United States, the European Commission has sought to compromise in order to continue trans-Atlantic commerce while protecting private data. In negotiating a Safe Harbor agreement, the Commission found a way for U.S. businesses to meet the definition of adequacy from the 1995 Data Directive and thereby to continue the practice of transferring data.

Apart from the Safe Harbor agreement, the European Commission has worked to negotiate an agreement with the United States government to transfer the Passenger Name Records of all travelers on flights landing in or leaving from the U.S. As with the Safe Harbor agreement, the Commission has sought to apply the principles of adequacy in the 1995 Data Privacy Directive and protect the transfer of data to a specific destination, the U.S. Department of Homeland Security.

Overall, the European Commission has consistently used the 1995 Data Privacy Directive as a legal framework for determining the adequacy of the handful of countries that have sought adequacy determinations from the Commission. The consistent use of the adequacy definition has created precedent for future adequacy determinations concerning the transfer of private data to a third country government or business.

What Does the Passenger Name Records Dispute Between the US and the EC Show about the Directive's Third Country Requirements?

The Court of Justice's opinion in the PNR agreement seemed to refocus, for the European Commission, the scope of the 1995 Data Directive to purely economic matters. In agreements based on securing the protection of private data in business matters, the Commission has consistently applied its definition of adequacy. With the PNR dispute, the European Commission was forced to negotiate with the United States to provide adequate levels of data privacy protection for the PNR data of European citizens. But, the Court of Justice ruled in the PNR case, the Directive could not serve as a legal foundation for an agreement whose primary focus is national security and combating terrorism.

Through the PNR cases, the Court of Justice held that the Data Privacy Directive can only serve as a legal foundation for protecting privacy in the common economic market. Although this concept seemed clear from the Directive's creation in 1995 because it originated in the European Commission (overseers of the European common economic market), the PNR case has served as a tool for judging when an agreement falls outside of the common market. As discussed in Chapter 3, the PNR agreements concerned the transfer of data from commercial airlines to the Australian and U.S. governments. Because the agreements dealt with the commercial airlines, the European Commission claimed that the underlying purpose of the PNR agreement with the U.S. was to protect European citizens' private data in an economic setting (the commercial airlines). Both the Advocate General of the Court of Justice and the European Court of Justice itself disagreed with the Commission's claim and instead found that the language of the agreements clearly indicated that the primary purpose behind the PNR agreements was fighting terrorism and crime.3

3 See supra at note 218.


The result of the PNR dispute is that only those agreements with the fundamental purpose of protecting privacy in the common economic market can use the 1995 Data Privacy Directive as a legal foundation. For matters such as the continuation of trans-Atlantic business covered by the U.S.-EU Safe Harbor agreement, the Data Privacy Directive stands in full force, strengthened through the adequacy decisions with multiple countries.

How Might the European Court of Justice Annulment of the Passenger Name Records Agreements Potentially Affect the Directive, Especially Its Third Country Requirement?

The question remains as to how the PNR case may affect the use of the 1995 Data Directive and how the European Union will seek to protect private data that falls outside the scope of the Data Directive. An analysis of the Advocate General's Opinion on the European Commission-U.S. government, as well as a look at a 2004 Passenger Name Record agreement between the Commission and Australia, provide important indicators as to how the Passenger Name Records cases might affect the efficacy of the Data Directive to require third countries to provide adequate levels of protection for private data.

The Advocate General's Opinion versus the European Court of Justice's Ruling

As discussed in Chapter 3, the European Court of Justice followed the opinion issued by Advocate General Léger and annulled both the European Commission's decision on adequacy and the Council of the European Union's decision to form the Passenger Name Record agreement with the U.S. government. The ECJ based its decision solely on the fact that the 1995 Data Directive was an inappropriate legal foundation for a law dealing with national security and law enforcement. The Court failed to rule on the European Parliament's other concerns, the issues that the Advocate General addressed in his opinion. As discussed in Chapter 3, the Parliament alleged that the 2004 PNR agreement infringed upon fundamental rights; that the


Council and Commission overstepped their legal authority in the agreement; and, that the PNR agreement was overbroad.4 The Court's failure to specifically address these issues leaves the possibility that the Parliament could dispute future PNR agreements with these same unanswered pleas.

The temporary Passenger Name Record Agreement between Europe and the U.S. from October 2006 did not use the 1995 European Commission Data Directive as its legal foundation, but instead based its foundation in the European Convention on Human Rights (ECHR) and its requirement to protect private data as a human right.5 The ECHR applies to all aspects of European government including security and the economic market. If the European Parliament challenged the 2006 or future PNR agreements, it would not be able to challenge the use of the ECHR as the legal foundation for the new agreement because the ECHR covers privacy rights in both the economic and national security domains.

In the October 2006 PNR agreement, the Commission and the Council held that the U.S. provided adequate levels of data protection for the PNR data based on the 2004 Undertakings by the Department of Homeland Security.6 In the Advocate General's Opinion on the 2004 PNR agreements, he relied upon these same Undertakings to dismiss each of the Parliament's pleas related to infringement of the human right of privacy. According to precedent, the Court of Justice would likely follow the Advocate General's reasoning and rule in favor of a PNR agreement based on the legal foundation of the ECHR and the PNR system designed in the 2004 Undertakings. The expected July 2007 PNR agreement mandated by the October 2006

4 See supra at page 54.
5 See supra at note 236.
6 For an overview of the Undertakings, see supra at page 41.


temporary PNR agreement7 will likely use the 2004 Undertakings as a foundation for determining adequate levels of data privacy protection just as the previous PNR agreements have done.

The Passenger Name Record controversy began as a question of determining the adequacy of data privacy protection based on the 1995 Data Directive but the European Court of Justice's 2004 ruling effectively changed the legal foundation for such agreements. Although the European Commission is still the body charged with determining whether the laws of third countries (the U.S. in this case) provide adequate protection for private data, the Commission can only require that a third country meets the Data Privacy Directive's definition of adequacy in cases based on promoting the common economic market.

Without the legal framework of the Data Directive in determining adequacy in the special cases of Passenger Name Records, the question remains how the Commission will determine adequacy and if there will be consistent application of such determinations in future PNR deals. If the Commission sticks to an economic rationale for agreements with third countries, the Commission can base the agreement on the Data Privacy Directive and apply its definition of adequacy to the third country in the agreement. If the Commission tries again to form a PNR agreement based on the Data Directive, it is likely to fail because the fundamental purposes for obtaining Passenger Name Records are to combat terrorism and fight crime.

Although the Passenger Name Record agreement between the EU and the U.S. has sparked controversy since its inception, this PNR agreement is not the only one reached between Europe and a third country. As discussed in Chapter 3, the European Commission also formed an

7 See supra at page 53.


agreement with the Australian government in 2004 to transfer PNR data to Australian Customs. The details of the PNR system in Australia differ significantly from the U.S. system.

The Australian PNR Agreement versus the U.S. PNR agreement

Unlike the situation between the U.S. and the EU, neither governments nor private organizations have challenged the European Commission's opinion on the adequacy of Australia's PNR system. Consistent with a national legal precedent of protecting the privacy of personal data, the Australian government required specific procedures to ensure, in the Commission's opinion, high levels of protection for the private data transferred in PNRs.

In the Article 29 Working Party's8 Opinion on the transfer of PNRs to Australia, the Working Party noted that the Australian system of PNR retention presents an important and fundamental difference compared to the US approach.9 For example, where the U.S. Department of Homeland Security requires all PNR data to be processed and stored in separate databases for a long amount of time, the Australian laws only require that the PNR data of .05%-.1% of passengers be processed and stored in one database for a case specific very short period of time.10

Even though the EU-U.S. agreement and the EU-Australian agreement are different in some ways, the two documents are similar in two important ways. First, the scope of these agreements is narrowly focused on the question of Passenger Name Records. Whereas Switzerland, Canada, and the few other countries mentioned in Chapter 2 have received full status for providing

8 As explained in Chapter 2, the Article 29 Working Party consists of privacy commissioners from the Member States. Among other responsibilities, the Working Party is charged with analyzing the laws of third countries and reporting its findings to the European Commission. See supra at note 123.
9 Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85) at 7.
10 Id.


adequate levels of protection for personal data at a national level, the PNR agreements focus only on the question of adequacy in protecting PNR data.

The second, and perhaps most important, similarity between the Australian and U.S. PNR agreements with the Commission is that both agreements cite national security and law enforcement as the reasons for requiring the airlines to provide governments with the Passenger Name Record information. Citing security and law enforcement as the reasons for the agreements, both agreements use the 1995 European Commission Data Directive as their legal foundation. As explained in Chapter 3, the European Court of Justice annulled the U.S.-European PNR agreements of 2004 on grounds that the 1995 Data Directive cannot apply to national security and law enforcement because those activities fall outside of the scope of European Commission law.11 The annulment of the PNR agreement has forced the Commission and the United States to base the new PNR agreement on the European Convention on Human Rights. As Australia and the Commission review their 2004 agreement to transfer PNR data, in mid 2007, the Commission might need to follow the lead of the October 2006 EU-U.S. agreement and change the legal foundation for the agreement.

Just as there are similarities between the U.S. and Australian Passenger Name Records agreements, there are also notable differences between them that help explain why the U.S. deal has drawn criticism from Europeans. One major difference is the issue of PNR data retention. As discussed in Chapter 3, the U.S. system requires the retention of PNR data for a minimum of three years and six months and grants the U.S. government the right to extend that retention period by eight years.12 The Australian PNR system mandates that PNR data be

11 See supra at note 118.
12 See supra at page 56.


retained for only 24-48 hours after the flight, except in the cases of travelers accused or convicted of breaking Australian customs laws. Even though the Advocate General ruled in the U.S. case that these practices were legal, lengthy periods of data retention and an open book to transfer the personal data in Passenger Name Records have caused concern among European citizens.

Another difference between the two agreements is the question of transferring PNR data to other foreign governments. The U.S. PNR system specifically permits Customs and Border Protection to transfer PNR data to other U.S. government agencies, or to foreign countries, in order to combat terrorism and fight international crime. The Australian agreement permits Customs to transfer a small amount of PNR data to other Australian government agencies, but there is no provision for passing this data to foreign governments.13

The fact that the Australian PNR system contains a higher level of data privacy protection than the U.S. system might explain why the U.S. PNR agreement has drawn controversy while the Australian PNR agreement has met no documented opposition. Following the Advocate General's 2004 Opinion though, both the U.S. and Australian agreements would likely stand as long as they choose a different legal framework from the Data Directive.

Resolving the Current PNR Agreement

The October 2006 temporary Passenger Name Records agreement between the U.S. and the European Commission set a July 2007 date for forging a new PNR agreement. As previously discussed, this agreement will likely use the 2004 Department of Homeland Security Undertakings analyzed in Chapter 3 and Article 8(2) of the European Convention on Human

13 See supra at note 138.


Rights as the legal framework for the deal.14 Taking into consideration the competing needs of fighting international crime and protecting private data, the following discussion lays out a framework for a deal that, in the opinion of this author, would constitute the appropriate accommodations between U.S. and European interests in the PNR agreement.

Components of a PNR Agreement with Appropriate Accommodations for Europe

For the Europeans, appropriate accommodations would include the guarantees in place from the 2004 Undertakings that the U.S. PNR system meets the Data Privacy Directive's definition of adequacy.15 The European Commission, the Council of the European Union, and the Advocate General of the Court of Justice have all judged the Undertakings to provide an adequate level of private data protection.

Through the Undertakings, the Department of Homeland Security promises that the data will be used only for combating terrorism and for law enforcement purposes. The DHS also promises that sensitive data, such as racial background and religious/philosophical background, will not be transferred from the airlines to the Customs and Border Protection.

The DHS Undertakings also permit individuals, whether U.S. citizen or not, to request their own PNR files and to correct any wrong information therein. As discussed in Chapter 3, the Undertakings contain a provision wherein the DHS can deny an individual's request to access his or her PNR file;16 however, the DHS said that such a denial would be rare. To appropriately accommodate European interests, a PNR agreement with the U.S. would also grant the individual whose

14 See supra at note 236.
15 As discussed throughout this thesis, the Data Privacy Directive focuses on five key elements in determining adequacy: the lawfulness of the processing of data; special protection of sensitive data; rights of the data subject; security of the actual processing of data; and, the existence of control and enforcement measures. See supra at note 260.
16 See supra at note 180.


request for access to his or her PNR data has been denied an avenue for petition, whether that be through the Chief Privacy Officer at the Department of Homeland Security or through the European Commission. The guarantee of an avenue of redress for Europeans would help to ease European concerns over the rights of data subjects and the existence of enforcement and control measures under the U.S. PNR agreement.

Continuing the question of appropriate accommodations for Europe, the DHS promises in the Undertakings that PNR transfers will occur under secure circumstances, meaning that the DHS will use technology to protect the processing of PNR data. If followed through, this will satisfy the adequacy component of securing the data processing.

To ensure appropriate accommodations for European interests, the Undertakings, as well as the 2004 and 2006 PNR agreements, mandate that the U.S. and the European Commission perform annual reviews of the PNR program. The Undertakings and PNR agreements also allow for the agreements to be void at any moment if the Commission discovers U.S. abuses of PNR data.

The final appropriate accommodation for European interests is a promise found in the 2004 and 2006 PNR agreements that says the U.S. will not hinder any PNR data from transfer to Europe if the European government were to pass a PNR law as well. This guarantee of reciprocity would help to accommodate European interests in a PNR agreement.

Components of a PNR Agreement with Appropriate Accommodations for the U.S.

For a PNR agreement to satisfy U.S. interests, there are several accommodations that should be guaranteed. As outlined in the 2004 Undertakings and as agreed to by the Commission, the Council, and the Advocate General, the U.S. should be allowed to keep the PNR data of high-risk passengers for over 11 years. This will allow the U.S. to access the


valuable private data in PNRs throughout the course of potentially lengthy terrorism and crime investigations.

To appropriately accommodate U.S. interests, a PNR agreement should also continue to allow the Customs and Border Protection the authority to transfer PNR data to both domestic and foreign government agencies, as outlined in the 2004 Undertakings. This accommodation should enable the U.S. to enlist the aid of other governments in combating terrorism and international crime.

In addition to the authority to transfer PNR data to other areas of government, the PNR agreement should also grant the U.S. the accommodations of continued European participation in PNR sharing and the right of the DHS to deny a request for an individual's PNR data if granting the request would hinder a law enforcement operation, accommodations already part of the 2004 Undertakings.

This proposed list of appropriate accommodations for both European and U.S. interests would create a PNR deal that could satisfy both sides of the Atlantic.

Resolving Future PNR Agreements and Decisions on Adequacy

In the Advocate General's Opinion on the 2004 PNR agreement, he reasoned that although the Passenger Name Record agreements infringe upon the right to personal data privacy, the need to use the PNR data to combat terrorism made the infringement legal. Following the Opinion of the Advocate General, it is likely that the European Court of Justice would rule in favor of the Commission and the Council of the European Union if the European Parliament were to allege that the PNR agreement infringes on the right to personal privacy.

The Commission will continue to use the 1995 European Commission Data Directive as a legal framework for adequacy determinations focused on a third country's privacy protections. If more countries follow the European model for protecting privacy and seek to have an adequacy determination from the Commission, as Canada and Argentina have done,


precedent17 shows that the Commission will examine that country's privacy laws in comparison to the definition of adequacy in the Data Directive. What remains to be seen is a case where the European Commission determines that a country or business does not provide adequate protection for private data and is unable to reach a compromise as it has done with the United States.

As discussed previously, scholar Kevin Bloss noted that if the European Commission were unable to reach a deal with a third country on the transfer of private data, a third country could bring a challenge to the Data Directive before the World Trade Organization.18 Under the General Agreement on Tariffs and Trade (GATT) rules, a third country could ask the WTO to mediate between the third country and the European Union.19 This scenario is plausible and would likely hinge on how much the European Union and the third country in the dispute would have demonstrated a willingness to work with governments and businesses to ensure both continued data transfers and the protection of private data.

Conclusion

With the creation of the 1995 Data Privacy Directive, the European Union sought to unify the data protection laws of its Member States and to ensure an adequate level of data privacy protection in all European data transfers. Since its passage, a handful of nations have followed Europe's lead and have been granted the status of countries that adequately protect private data.

The European Commission has been consistent in applying the Data Privacy Directive's definition of adequacy to deal with third countries so far. The Commission has also shown its

17 In this case, the precedent being that the European Commission has consistently applied the definition of adequacy in its third country assessments thus far. See Chapter 2.
18 Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN. J. GLOBAL TRADE 645 (2000).
19 Id. at 655.


willingness to work with the Australian government on a PNR agreement and the U.S. government on the Safe Harbor and PNR agreements.

Thus far, the biggest challenges to the European Data Privacy Directive have come from negotiating the protection of private data with the United States government and U.S. businesses. The cases of the Safe Harbor and the Passenger Name Records have shown how the scope of the Directive is limited to protecting private data in matters concerning the European common economic market. The PNR cases have also revealed how the European Commission is willing to balance the protection of Europeans' individual privacy with the Australian and U.S. needs to combat terrorism and fight international crime.

Although the controversy over the European-U.S. PNR case continues and European citizens continue to feel threatened by the U.S. government's use of their private data in Passenger Name Records,20 the PNR dispute has shown that Europe is willing to negotiate with third countries in an effort to protect the uses and transfers of European citizens' private data in PNR programs designed to combat terrorism. The challenge for Europe is how it is going to balance its commitment to privacy with the fight against terrorism.

It is possible that in the current situation where terrorism is a global concern, more third countries will enact legislation requiring the transfer of Passenger Name Records to that country's government. If this is the case, it is likely that the European Commission will seek to negotiate a PNR agreement with that nation in an effort to protect the privacy of Europeans' private data. It is also probable that, with time, more nations will enact other legislation protecting the distribution of personal information between businesses and governments that will require negotiations with the European Commission due to the Data Privacy Directive's third

20 See supra at note 47.


country requirement. As of the time of this thesis in June 2007, the European Commission has not announced any inquiries into either the Passenger Name Records or national privacy laws of any third countries.

Despite the continued development of international agreements and European case law surrounding the 1995 Data Directive, another challenge to the effectiveness of the Directive is perhaps its enforcement inside Europe. The Directive only functions as it should when the individual EU Member States, and the businesses in them, discover that a third country or a business in a third country does not maintain adequate levels of data privacy protection and then lodge a complaint. Unless a Member State or European business goes through this process, or a third country voluntarily seeks a Commission study on that country's level of protection for private data, the Directive fails to ensure that the private data of European citizens is adequately protected by third country governments and businesses. The challenge of trying to ensure that all data transfers are secure from an EU Member State to a third country is daunting.

A dual challenge to the effectiveness of the Data Privacy Directive is the practical question of whether or not the governments and businesses of the Member States themselves protect the data of European citizens. The European Commission has previously studied the implementation of the Data Privacy Directive into the individual Member States in an effort to see how they were doing at protecting Europeans' private data.21 As explained in Chapter 1, Directives are enacted at the European Union level, then adapted into the laws of the individual Member States by a given date.22 The subject of how each Member State has specifically implemented the provisions of the Data Privacy Directive merits a comprehensive study of its

21 See European Commission's Status of implementation of Directive 95/46 at Freedom, Security, and Justice website, available at http://ec.europa.eu/justice_home/fsj/privacy/law/implementation_en.htm.
22 See supra at note 7.


own and should be the subject of future research. Understanding how the Member States are protecting data privacy within may shed light on the practicality of enforcing the Data Directive in third countries as well.

Further research should focus on several important questions surrounding the 1995 Data Privacy Directive. As mentioned above, research should explore the issue of the implementation of the Data Privacy Directive into the individual Member States. Further research should also address the difficult question of why so few of Europe's trade partners have sought an adequacy ruling or been the subject of a privacy concern by European citizens. Further research should also focus on how the U.S. is actually using the PNR data and if it is following the principles set forth in the 2004 Undertakings of the PNR system. Additionally, further research should attempt to find out what nations other than the United States and Australia are doing with Passenger Name Records. These important research subjects fell outside of the scope of this thesis, yet they must be addressed in order to continue to understand the effectiveness of the 1995 Data Privacy Directive.


REFERENCE LIST

Agreement between the European Community and the United States of America on the processing and transfer of PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, signed in Washington on 28.5.2004 at 4. 2004 O.J. (L 183) 83.

Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, 2006 O.J. (L 298) 29.

Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71, 115 Stat. 597.

Francesca Bignami, Transgovernmental Networks vs. Democracy: the Case of the European Information Privacy Network, 26 MICH J. INT'L L. 807 (2005).

Kevin Bloss, Raising or Razing the e-Curtain?: The EU Directive on the Protection of Data Privacy, 9 MINN. J. GLOBAL TRADE 645 (2000).

Border Security Legislation Amendment (Terrorism) Act, 2002, c. 64 (Austl.).

David A. Castor, Note: Treading Water in the Data Privacy Age: An Analysis of Safe Harbor's First Year, 12 IND. INT'L & COMP. L. REV. 265 (2002).

Commission Decision, 2000/520/EC, 2000 O.J. (L 215) 7.

Commission Decision 2003/1731/EC, 2003 O.J. (L 168) 3.

Commission Decision 2003/821/EC, 2003 O.J. (L 308) 5.

Commission Decision 2004/411/EC, 2004 O.J. (L 151).

Commission Directive 95/46/EC, Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281).

Commonwealth Privacy Act, 1988, c. 118 (Austl.).

Council Decision of 17 May 2004 on the conclusion of an agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (2004/496/EC).

Council Decision on the signing of an Agreement between the EU and the US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Dept. of Homeland Security, 2006 O.J. (L 298) 27.


European Commission's Status of implementation of Directive 95/46 at Freedom, Security, and Justice website, accessed March 14, 2006, available at http://ec.europa.eu/justice_home/fsj/privacy/law/implementation_en.htm

Griswold v. Connecticut, 381 U.S. 479, 483 (1965).

How does the EU work? The decision-making triangle, accessed June 12, 2007, available at http://europa.eu/abc/12lessons/lesson_4/index_en.htm.

Joined Cases C-317/04 & C-318/04, Eur. Parl. v. Eur. Comm'n and Council of the Eur. Union, 2006 May 30, accessed July 31, 2007 available at http://ec.europa.eu/justice_home/fsj/privacy.

Letter from Frits Bolkenstein, Member of European Commission, to Tom Ridge, Director of Homeland Security (Dec. 18, 2003), March 14, 2006, available at http://ec.europa.eu/justice_home/fsj/privacy.

Office of the Privacy Commissioner of Canada website accessed March 14, 2006, available at http://www.privcom.gc.ca/aboutUs/index_e.asp.

Opinion of Advocate General [English translation], delivered to the European Court of Justice on 22 November 2005, July 31, 2007, available at http://curia.eu.int.

Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (10031/03/WP 85).

Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (10019/04/WP 87).

Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights between the European Union and the United States of America (Sep. 30, 2004).

Privacy Act of 1974, 5 U.S.C. 552a.

Joel Reidenberg, E-Commerce and Privacy Institute for Intellectual Property & Information Law Symposium: E-Commerce and Trans-Atlantic Privacy, 38 HOUS. L. REV. 717 (2001).

Paul Schwartz, Data Protection Law and the European Union's Directive: the Challenge for the United States: European Data Protection Law and Restrictions on International Data Flows, 80 IOWA L. REV. 471 (1995).

The 2005 CIA World Factbook, accessed March 14, 2006, available at http://ww.cia.gov.

The Personal Data Protection Act No. 25.326 of 4 October 2000 (Arg.).

Treaty Establishing the European Community art. 249, accessed March 14, 2006, available at http://eur-lex.europa.eu/en/index.htm.


Undertakings of the DHS Customs and Border Protection Regarding the Handling of Passenger Name Record Data, 69 Fed. Reg. 41,543, 41,547 (July 9, 2004).

U.S. CONST. amend. IV.

U.S. Dept. of Commerce website, accessed March 14, 2006, http://www.export.gov/safeHarbor/index.html.

Alexander Zinser, European Data Protection Directive: the Determination of the Adequacy Requirement in International Data Transfers, 6 TUL. J. TECH. & INTELL. PROP. 171 (2004).

Alexander Zinser, International Data Transfer Out of the European Union: the Adequate Level of Data Protection According to Article 25 of the European Data Directive, 21 J. MARSHALL J. COMPUTER & INFO. L. 547 (2003).


BIOGRAPHICAL SKETCH

Jonathan Mason received a Bachelor of Arts in communications from Brigham Young University in 2005. Following his undergraduate education, he entered the College of Journalism and Communications at the University of Florida in the media law program, studying with Dr. Bill Chamberlin. During his undergraduate studies, Jonathan spent 2 years in France and western Switzerland as a missionary, where he gained great interest in European culture, history, and politics.