Air data ruling could affect data retention law dispute
The legal verdict against Brussels' competencies on the transfer of passenger data to the US is likely to boost opponents of another contentious issue – the bloc's disputed data retention issue.
The European Court of Justice (ECJ) on Tuesday (30 May) announced that an EU-US agreement from 2004 regulating the handover of air passenger data to US security authorities lacked an "appropriate legal basis."
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
The top court ruled that the handing over such information falls under member states' criminal law legislation, and not under EU scope.
The verdict comes only a week after Dublin announced that Ireland had started a legal challenge to test the judicial bearing of the recent EU data retention directive, which also concerns the processing of possibly sensitive personal data.
An EU official in Brussels told the EUobserver that although Dublin had not publicly made a link between the two EU data deals, a lot of people believe there is a strong thread linking them.
"It would be hard to deny that there is connection between the two," the official said.
The data retention directive aims at harmonising law in all 25 EU member states to help police keep tabs on criminals and terrorists via phone and internet records, obliging member states to store internet and telephone data for six to 24 months.
The directive was opposed by Ireland and Slovakia when it was adopted by member states in February, with Dublin contesting the law on legal grounds similar to Tuesday's ruling - that national security is a matter for member states and not the EU.
Both laws were passed by a procedure whereby member states acted on a proposal by the European Commission under the so-called "first pillar" of EU decision making - a practice rejected by the court on air passengers.
First pillar decisions are made by majority voting between member state governments, with a necessary consent by a majority of the European Parliament, but security-related justice decisions are usually made under the so-called third pillar, where unanimous consent by member states is necessary and parliament can only issue an opinion.
Civil rights activists bide their time
Tuesday's air data transfer verdict may also serve claims that the data processing practice is violating EU basic privacy rights.
Liberal MEP and member of the parliament's civil liberties committee Alexander Alvaro told EUobserver that although the cases were "similar but not identical", it would most probably be used to set a precedent on future court decisions where the judicial bearing is unclear.
"We are now waiting for the member states implementation of the (data) directive, meaning national courts may also challenge the legislation, with the German high court likely to question very strongly if this is in line with its constitution," the German MEP said.
The European Data Protection Supervisor (EDPS), which earlier supported civil rights advocates within the parliament, said Tuesday's judgment was important as it addresses the scope of the data protection directive, notably when it comes to interaction with law enforcement.
The EDPS said, however, that the civil rights aspect of the agreement should have been dealt with by the court, not only on whose table the law should lie.
"The judgment seems to have created a loophole in the protection of European citizens whereby their data are used for law enforcement purposes," Peter Hustinx of the EDPS said.
A commission spokesperson said that the air data ruling had moved the matter from a first pillar decision back to the third pillar- where member states have a veto.
"This ruling may confirm the commission's intention to apply the "passerelle" (footbridge to transfer powers from member states to Brussels) and shift policies in the area of police and criminal justice cooperation," the spokesperson said.