This is the first time the European Data Protection Supervisor has ever mounted such a challenge to the Council and the Commission as far as I know. That he should have raised the challenge through the courts is an indication that we are dealing with a potentially serious breach of the law here. That his complaint should be upheld by the ECJ is a solid vindication of his actions. That the Commission respond by saying ok we'll continue doing what we're doing but try and find an official, usable excuse is a further indictment of the Commission's and the Council's lack of respect for the legal process. The ECJ concluded:
"the Court (Grand Chamber) hereby:
1. Annuls Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection and Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States Bureau of Customs and Border Protection;
2. Preserves the effect of Decision 2004/535 until 30 September 2006, but not beyond the date upon which that Agreement comes to an end;
3. Orders the Council of the European Union to pay the costs in Case C-317/04;
4. Orders the Commission of the European Communities to pay the costs in Case C-318/04;
5. Orders the Commission of the European Communities to bear its own costs in Case C-317/04;
6. Orders the United Kingdom of Great Britain and Northern Ireland and the European Data Protection Supervisor to bear their own costs."The ruling follows the recommendation of the Adocate General Leger in the case made in November last year who stated that:
"I propose that the Court should:
– in Case C?318/04, annul Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States Bureau of Customs and Border Protection;
– in Case C-317/04, annul Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection."
The reponse of the EU authorities and the UK Home Office at the time was similarly dismissive.
Update: I've just been though the decision (Case C-317/04 Judgment 2006-05-30) quickly and the Court essentially orders the Commission and the Council to terminate the agreement with the US to hand over passenger data by 30 September 2006. The Parliament and the EDPS had challenged the Commission on six grounds and the Council on four. The court looked at the first point of dispute in each case and said that was good enough for them. No need to consider the others.
As usual it is a shame that it is only legal and technical geeks who will be really interested in this decision as the wide implications for privacy in the digital age are really quite profound, just as it is the case with the NSA surveillance and ID cards. But the mass surveillance monster rolls on undeterred, damaging both the potential of the security services to do their job more effectively and society more generally.
Update 2: Some EU officials are concerned about the ruling or possibly just spinning it by predicting chaos for air pasengers and the end of the EU "open skies" policy. Privacy Intenational and the ACLU recently raised concerns about the US apparent breach of the agreement with the EU whereby teh Dept for Homeland Security had reached an agreement to to share airline passenger data with the Centers for Disease Control and Prevention (CDC). Thanks to Ian for these links.
Update 3: Comment from EU law blog: "First, the grounds of annulment are very narrow and the reasoning given is brief to the point of being terse. The European Parliament raised a whole series of pleas (on proportionality, breach of fundamental rights etc) which the Court of Justice did not examine. So it is difficult to guess what will be the next practical step taken by the Council and Commission.
Second, the Court, aware of the practical difficulties in relation to transatlantic flights that the annulment will cause has limited the effect of the annulment in time: The current arrangements can continue in force until September 30th 2006 by which time the Council and Commission must have taken steps to comply with the judgment. That's the date the arrangements between the EU and US expire anyway. As a result, there is no need to interrupt the transfer of the data to the US authorities with all the unfortunate consequences that would entail.
Third - and this is the really odd thing - the Court does not refer to Article 13 of the Directive. "
"Given the choice, the IPKat would prefer to know his flight was terrorist-free,even if it meant him ending up on a mailing list which delivered him unwanted advertisements." That smart folks like IPKat should swallow the line that handing flight data to the US authorities automatically makes the flight safer concerns me. But then it is only the tech and legal/privacy geeks that are interested in this... though in fairness to Jeremy he does take a step back from this in the comments.
Update 4: Spy Blog has the list of data items that the airlines provide to the US authorities.