European Union Approves Passenger Name Record Agreement With US -- An Era Ends

So, now that Ben, Jack, and Bobby have officially given me a license to blog more broadly, I wanted to expand my attention (and that of Lawfare readers) to important legal issues involving homeland security and counter-terrorism – issues squarely within the ambit of this blog but with a slight twist away from its traditional focus on military and intelligence matters. Today provides a good opportunity.  Earlier this week, by a vote of 409 in favor to 226 opposed, the European Parliament approved an agreement between the European Union and the United States regarding the use of Passenger Name Records (PNR).  In doing so, the Parliament brought an end to nearly a decade of contention and dispute over the issue. PNR is the data and information collected by airlines when they sell you a ticket.  It includes, naturally enough, your name, and your flight information.  For international flights it, of course, includes your passport information.  PNR also includes a host of other personal information about a traveler – address, cell phone number, credit card number, frequent flier number and the like. Beginning in 1996, the US government requested that airlines flying commercial jets to the United States provide it with this PNR information.  At the time the data was mostly used for customs enforcement and potentially to identify criminals in transit.  When we speak of “failing to connect the dots” during the 9/11 attacks we mostly are talking about the failure to match existing watch list information to PNR data that might have been collected. And so, in 2002 the Aviation Transportation Safety Act mandated that the Customs and Border Protection (CBP) begin collecting PNR data for all travelers arriving on international flights in the United States.  CBP has since developed sophisticated targeting mechanism that use this data to assess risk and allocate inspection resources accordingly. But the collection of this personal data was perceived by the EU as a potential threat to the privacy and civil liberties of Europeans.  They had concerns about how much was being collected; how long the data would be retained; and the uses to which it would be put.  At the risk of simplifying a very complex topic, the US favored broad collection for any lawful criminal or counter-terrorism purpose and a lengthy period of data retention, while the EU took the opposite tack.  Another perennial bone of contention was the lack, in the US, of any judicial remedy for Europeans who felt themselves aggrieved by the process (our Privacy Act has a right of action but it does not apply to foreign nationals).  And so, the EU argued that its privacy laws were paramount and that they operated to prohibit airlines from transferring PNR data on flights originating in Europe to the US. This put the airlines in a bind – obliged by US law to provide information that EU law prohibited them to provide.  At their urging, in 2003 the US and EU entered into an agreement that (at least from my perspective) gave the EU much of what they wanted – reasonably narrow limits on collection and use of PNR data and a short data retention period.  Some in the EU Parliament (which, at the time, was an advisory body with no authority over the subject) did not think the EU had gotten a good enough deal and they went to court over it – the European Court of Justice. In one of those, be careful what you wish for moments, the law suit backfired.  Instead of holding that the European Commission had violated European privacy law by entering into the 2003 agreement, the ECJ instead held that the Commission lacked the competence to conduct the negotiations in the first place – in effect what Americans would call acting ultra vires.   The two parties were forced to go back to the drawing board. This time, however, the US stance was strengthened by intervening events (most notably the London air plots of 2006) that had demonstrated the importance of PNR and also by a stronger vision of the utility of PNR at DHS.  After a provisional agreement was struck in 2006 (right after the court decision) the parties entered into contentious, extensive negotiations that concluded in 2007 with significant improvements in the agreement from the American perspective (and, of course, greater disappointment for the Europeans). The European Commission approved the agreement in 2007 and submitted it for ratification by the 27 member states.  Unfortunately, on December 1, 2009, when the Lisbon Treaty took effect, only 24 of the countries had ratified the agreement.  But the Lisbon Treaty changed how the EU would address counter-terrorism issues like PNR.  Now the European Parliament would have to approve the agreement – and it still had members who thought that the first agreement in 2003 was not protective of EU privacy interests, much less the 2007 agreement.  And so in 2010 the Parliament directed the Commission to, again, resume PNR negotiations with the United States. It was, to many, like Groundhog Day.  The US and the EU have been arguing, tirelessly and tiresomely over the same issues (purpose, use, data retention, etc.) since 2003 and they were forced to resume the negotiations again.  And so, at the end, we come to the 2011 agreement, signed in November 2011.  It is more privacy-protective than the 2007 agreement and represents a success for the EU in clawing back some of the concessions it had made in 2007.  And yet even so a number of the Parliamentarians had doubts about the bill and they mustered a significant, though ultimately unsuccessful, effort to defeat it.  And with that failure, an era ends, 10 years of dispute are finished, and PNR peace will reign – at least it will for the 7 year term of the agreement, when the dispute may resume.  For now, however, the US and the EU will have to find something else to fight about – and that’s a good thing.