The recent decision of the European Court of Justice in the joined cases of European Parliament v Council of the European Union and European Parliament v Commission of the European Communities signals a victory for the European Parliament in their on-going skirmishes with the Commission and Council.
The background to the case is complex and concerns the implementation of certain security measures provided for in US legislation approved following the September 11 attacks. Essentially, this legislation allowed the US Government to request database access to all reservation systems of foreign air carriers to access the personal data on travellers to the US. Such actions would be unacceptable under EU data protection laws.
This was clearly problematic for airlines as failure to provide access to the information meant that the US Government could fine airlines up to $US3000 per passenger, whereas granting access to the information would breach data protections laws within the EU.
Therefore, the European Commission entered into negotiations with the US to reach a mutually acceptable arrangement. An agreement was reached in Spring 2004 and in May the Council and Commission took the necessary decisions to make the agreement effective within the EU. The first of these decisions required the Commission to accept that US body receiving personal data could ensure an adequate level of protection for data transferred from the Community under the agreement (the "adequacy decision"). The second decision required the Council to approve the conclusion of the agreement (the "conclusion decision"). The agreement was then signed by the appropriate representatives of the EU and the US to became effective at international law.
The European Parliament did not support the agreement and applied to the Court of Justice for annulment of the Commission and Council's decisions to enter into it. The substance of their case was that the adequacy decision was ultra vires, that Article 95 of the EC Treaty did not constitute an appropriate legal basis for the conclusion decision and, in both cases, that fundamental rights were infringed by the decision.
The Court of Justice annulled both decisions.
Essentially, this judgment turned on the nature of the agreement and whether it concerned matters related to the regulation of the internal market over which European institutions have legitimate authority or whether it related more to matters that were more properly within the remit of the individual states, for example security and foreign policy matters.
In relation to the adequacy decision, the Court held that as the text of the EU Data Protection Directive (enacted under the internal market rules of the EC Treaty) expressly did not cover “[data] processing operations concerning public security . . . and the activities of the State in areas of criminal law” (that is matters that more properly fall within the remit of the individual states) and since the agreement sought to cover “processing operations concerning public security and the activities of the State in areas of criminal law,” the Commission’s decision could not be based on the Data Protection Directive and was ultra vires.
Similarly, in relation to the conclusion decision, the Court found that Article 95 of the EC Treaty, read in conjunction with Article 25 of the Directive, could not be used to justify Community competence to conclude the agreement. This was because the agreement related to the same transfer of data as the decision on adequacy and therefore to data processing operations that were excluded from the scope of the Directive.
What is notable, however, in relation to the conclusion decision is what the Court did not say. In particular, the Court did not follow the opinion of the Advocate General, who held that Article 95 itself was not an appropriate legal basis for the Council decision at all. The Advocate General, in his opinion, highlighted that Article 95 concerns "the adoption by the Council of measures for the approximation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market." He was therefore of the view that the agreement, which had two main two objectives: the fight against terrorism and other serious crime and the protection of personal data, did not fall within the ambit of Article 95 at all.
So, what happens now? The judgment was delivered at the end of May this year, however, the Court delayed the effect of its decision until 30 September 2006. Until then, European airlines will be able to continue transferring passenger data in line with the US legislation without breaching EU Data Protection requirements. After that date, things could get messy.