9/11, a tragic event in the world of atoms, introduced for the first time the problem of counter-terrorism in the world of bits.
In the aftermath of this first massive attack – since the source of the threat was overseas – the US decided to tighten the mesh of its borders and intensify the surveillance of passenger flows. One way in which the Land of Liberty implemented this mechanism of control was by entering the commercial sphere of airline operators. A faux pas in the US freedom landscape?
The above-mentioned resolution led to what would become a long-lasting dispute: the quarrel over PNR data.
Passenger Name Record data, also known as PNR data, are files containing all the information provided by passengers and required by the booking and participating airlines in order to enable flight reservations. PNR data can encompass many personal and confidential details about passengers, from name, address, email and credit card number to the number of pieces of luggage and even sensitive details such as dietary requirements. Initially, PNR data were collected and used by airline operators for purely commercial and operational purposes. Later on, airlines were increasingly obliged to communicate the content of the PNR data to the countries of destination – the main purpose of this trend being the prevention of terrorism and organised crime.
In this light, the US decided to pass legislation in 2001, obligating air carriers to provide the US authority – the United States Department of Homeland Security – with all the data contained in their reservation and departure control systems. The US legislation was applicable to all the flights to, from and through the US, including flights from the EU. Therefore, in order to avoid heavy sanctions or the limitation of landing rights at US airports, European airlines had the obligation to comply with the legislation in question.
The EU grew sceptical of, and disturbed by, how invasive the US legislation was with regard to privacy and personal data. Indeed, airlines' compliance with the PNR legislation is, in a way, in conflict with the values of the EU and especially with the Union's and Member States’ data protection standards. However, strict opposition to the PNR Agreement would have restricted European airlines' access to the lucrative US market.
As a consequence, the Commission decided to communicate these concerns to the US authorities, in particular by asking them to postpone the entry into force of the legislation for EU companies and by starting negotiations in order to draft some standards for the transfer of PNR data. The main goal was to find a compromise between the US demand to ensure security and the EU data and privacy protection requirements. The long-lasting negotiation undertaken between the US authorities and the EU resulted in an agreement that was adopted and entered into force on 16 December 2003. As underlined by a report made by the EU in Brussels, besides determining a commonly acceptable solution to ensure the transfer of data contained in the PNR, the agreement provided a legal basis by virtue of which airlines would be authorised to transfer the data of their passengers to US authorities.
Furthermore, in order to respect the adequacy principle enshrined in the Data Protection Directive, the Commission adopted a so-called “adequacy finding” in order to guarantee that the US “ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals” [1].
In other words, both parties to the agreement found a way to balance the need to combat terrorism and the interest in guaranteeing the protection of citizens’ personal data and privacy.
It is worth noting that the EU treated the matter as part of the 1st pillar, and therefore as linked to the functioning of the internal market, and not as part of the 3rd pillar, as a counter-terrorism measure. This was a way to take into account the financial and practical consequences of the US legislation for air carriers and to permit the Commission to be at the centre of the negotiations and to act on behalf of the entire community.
Even though the Agreement was legally adopted, the EU did not speak with one voice. Indeed, both the Article 29 Working Party and the European Parliament were reluctant and issued, respectively, opinions and recommendations asking the Commission to withdraw the Agreement and pinpointing the lack of legal basis for the use of commercial PNR data in the field of national security. The Parliament went further by challenging the agreement before the Luxembourg Court of Justice and claiming that the PNR Agreement was incompatible with the EC Treaty. The European Court of Justice annulled the agreement by ruling that it was based on an incorrect legal basis – the 1st Pillar – whereas the real purpose of the agreement was to enhance national security and fight against terrorism. In consequence, in 2006, the European Court decided to adopt a temporary agreement with the US. In 2007, a second permanent PNR Agreement was adopted. This second agreement was ratified on the basis of the 2nd and 3rd Pillar and therefore limited the role played by EU institutions. This highlighted the clash at the EU level, where some Member States preferred to enhance security by following the US trend, since they lacked the necessary resources and were restricted by their own legal systems. In contrast, the EU Parliament tends to push for the protection of personal data.
At that time the PNR saga was far from over: in 2011 the Parliament had to vote on a new Agreement, which finally entered into force in 2012, replacing the old 2007 one.
The 2011 agreement is more privacy-protective than the previous one but is still a source of debate and disagreement in the European landscape.
The main reason for this continuous flow of concerns during the PNR saga may, in part, be connected to the different conceptions of the rights to privacy and data protection in the European Union and the United States.
The prominent divergence is mainly related to the constitutional protection afforded to these rights. On the EU side, data protection and privacy rights are shaped in a way typical of all European fundamental rights: a structure built through several judgements of the Strasbourg Court, further developed through European secondary law (Directive 46/1995, which is now going to be replaced by a brand new data protection package) and, most importantly, through the Treaty on the Functioning of the European Union and the European Charter.
The turning point in the constitutional protection of these rights was the Lisbon Treaty, which contributed to the strengthening and effective recognition of the protection of personal data, especially by introducing Article 16 TFEU.
Besides recognising the above-mentioned rights, the article also addresses their legislative procedure and the control that the independent authorities have over them.
Furthermore, article 8 of the European Charter requires an additional step by stating that data “must be processed fairly, for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”.
Together, these rules give the right to privacy an autonomous position, a certain importance and the possibility of being governed by common rules through the ordinary legislative process.
Such a constitutional structure is, by contrast, almost absent in the US system.
Despite the existence of the Fourth Amendment to the Constitution, which encompasses the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”, the constitutional cover remains weak, as it may be subject to several restrictions and as the categories of persons protected are not as wide as in Europe. Indeed, the norm only applies when individuals have a “legitimate expectation of privacy”, which leads to the exclusion of cases where individuals voluntarily handed information to third parties, such as banks or telephone service providers (the so-called “Third Party Doctrine”).
Moreover, the Fourth Amendment does not apply to non-US persons.
It is already clear how distant this non-comprehensive approach is from the European conception.
In the European field, the restriction of the right to privacy is counterbalanced – always having the proportionality principle in mind – by several general principles such as purpose limitation, the rules on data transfer to third states, time limits for data retention, independent supervision, and the right to access and to an effective judicial review (principles strongly reaffirmed by the ECJ in the Digital Rights Ireland Case [2]). On the US side, only some of the above-mentioned principles are taken into account, while others are not considered at all or are conceived differently.
For instance, while the supervision principle can be found in both jurisdictions, according to EU rules the supervisor agency should be independent, whereas in the US national security sector, internal supervisory mechanisms are common.
Regarding data sharing, whilst under EU law every transfer of data to other agencies is considered an interference with fundamental rights and requires specific justification, the US seems to accept an unrestricted data sharing mechanism between law enforcement authorities and the intelligence community. However, it is worth noting that some improvements have been achieved in the US through the recent FREEDOM Act [3], which introduces more restrictive criteria for the identification of specific persons, entities or accounts during surveillance.
Notwithstanding these improvements, other legislation [4] still allows, in a certain way, mass access to content that would be in violation of EU fundamental rights [5].
Even if the European philosophy on data protection seems almost opposed to the US one, the reality is far from quiet. Indeed, as many EU Member States increasingly face the consequences of international terrorism, they tend to tip the balance toward national security at the expense of privacy and data protection. This trend is enhanced by the fact that EU protection, despite being strong at a constitutional level, still remains vague and outdated at a secondary level.
The Charlie Hebdo episode pushed France to bring the matter to the table of the EU Commission, asking, for instance, for the removal of the barriers to the sharing of PNR data also within the Schengen area – a European project that has been stuck at the Parliament for many years.
The recent events in Paris last November shocked the entire European Union and again heightened the urgent need for faster approval of an EU PNR Directive. The compelling need for security is now looking for something more than what was asked for during the former PNR saga: control over internal EU flights.
Furthermore, Great Britain, France and Belgium clearly declared that they would go ahead with their own national systems on the matter, rather than following the protective EU trend.
Although many Member States are pressing for a review of the current landscape, some experts in the sector are confident that the European balance in the trade-off between data protection and counter-terrorism will remain the same.
[1] Article 25.6, Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
[2] Joined Cases C-293/12 and C-594/12 (Grand Chamber), Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General, and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and Others, 8 April 2014;
[3] Uniting And Strengthening America By Fulfilling Rights And Ensuring Effective Discipline Over Monitoring Act Of 2015 (Freedom Act);
[4] Section 702 of the FISA (Foreign Intelligence Surveillance Act) Amendment Act;
[5] Cf. joined Cases C-293/12 and C-594/12 (supra) and Case C-362/14 (Grand Chamber), Maximillian Schrems v Data Protection Commissioner, 6 October 2015.