Update: Bignami has now posted on the ECJ’s airline records decision.
In a recent guest post at Concurring Opinions, privacy expert Francesca Bignami argued that the NSA’s obtention of domestic telephone records would not be allowed under European privacy law. In addition to being an interesting comparative law analysis, Bignami pointed out another consequence of her conclusion:
There is also a more pragmatic reason for taking European privacy law seriously. The National Security Agency might want information on the calls made by Europeans, in Europe. But because the way it handles private data is so out-of-line with European law, it is increasingly unlikely that the NSA will be able to get call information– or any other private information for that matter–from European governments. … In some European countries, private data cannot be transferred to countries without “adequate” privacy safeguards, even if that data is requested for national security purposes.
Lo and behold, the accuracy of this prediction is confirmed by yesterday’s decision in the European Court of Justice, which voided a May 2004 negotiated arrangement under which airlines flying from Europe to the U.S. turn over data about their passengers to the U.S. government. (See coverage by the New York Times [reg req'd] and BBC News). Under the program, the airlines send the data as planes take off, and presumably our government checks it before they land.
Technically, the ECJ decision was not grounded in privacy law. The Court ruled that the bodies that negotiated the deal, the European Commission and the Council
of Europe [correction based on comment], lacked the authority to do so, as had been contended by the European Parliament. On privacy, the court said nothing one way or the other. But the political motivations behind the case (including Parliament’s decision to bring the challenge) certainly were privacy-related.
While a new agreement may be negotiated, this decision again shows the disjuncture between American and European perspectives on data privacy (which the Europeans tend to call “data protection” — already demonstrating their different attitude). Given a political climate in Europe increasingly suspicious of U.S. counter-terrorism policy, I think we will see increasing refusals by Europeans to share data, on the grounds that their law prohibits it. Will this encourage the U.S. to agree to more privacy-sensitive data handling practices? Could it even lead to a situation where foreigners’ data is handled with more attention to privacy than Americans’ data? (Just the reverse of the Bush Administration’s repeated assurances that the NSA listens to the contents of international telephone calls without a warrant but not domestic ones…)
In any event, we can expect continued, or increased, tension between EU and U.S. law in all areas related to transfers of personal information — including counter-terrorism.