An agreement sheltering airlines from European privacy laws, allowing them to hand over passenger data required by U.S. authorities, expired Saturday, leaving most European airlines in legal limbo.
No disruption to flights has been reported so far. However, if the legal void remains for more than a week or so, airlines face being sued by individuals or groups in Europe, said Chris Kuner, a data-protection specialist with the law firm Hunton & Williams.
In the wake of the terrorist attacks on Sept. 11, 2001, U.S. authorities demanded that airlines hand over passenger information covered by European Union data-protection legislation. Airlines faced prosecution in the union if they delivered the data, or fines in the United States if they don’t.
An agreement struck between the European Union and United States in 2003 protected airlines from being sued for sharing the information, which includes names, addresses and credit card details. However, Europe’s top court overturned the agreement in May and said it would become legally void at the end of last month.
Efforts to negotiate a replacement agreement intensified throughout September, but despite assurances of progress from both sides, the talks ended in impasse Saturday, as the deadline passed.
As talks broke up, U.S. Secretary for Homeland Security Michael Chertoff made a draft proposal that European officials said may be discussed at a meeting of European justice ministers in Luxembourg on Friday. The commission hopes an agreement will be reached that day.
British Airways said an Air Navigation Order issued by the U.K. government protects it legally in the absence of a new agreement. “The order from the government supersedes European data-protection laws,” said spokesman Richard Goodfellow.
Air France spokeswoman Veronique Brachet said that although she was unaware of the French government issuing a similar order, her company would continue to supply the data to U.S. authorities and foresaw no disruption to its trans-Atlantic flights.
“The European Commission has said we can fly to the United States, so I see no problem,” she said.
Karim Retzer, a data-protection specialist at the law firm Morrison & Foerster, said airlines are unlikely to be sued.
But Kuner, the lawyer with Hunton & Williams, warned that if the legal situation isn’t resolved swiftly, there is a danger that European data-protection authorities will be forced to take action against the airlines.
“The European Commission will probably ask the national data-protection authorities [DPAs] not to take action, and will assure them that a new agreement is imminent, but if they fail to secure a new agreement within a week or so, there is a very real risk that a privacy group or even an individual passenger may lodge a formal complaint. This would force the DPA to take action,” Kuner said.
If a complaint were lodged, the DPA would order the airlines to withhold the information from U.S. authorities. If the airline obeyed, it would face fines of up to $6,000 per passenger in the United States and the possible withdrawal of landing rights there, Kuner said.
Kuner said he was surprised by the failure to renegotiate the original agreement in time for the deadline at the end of September. “We were given the impression that it was simply a matter of changing the legal basis of the first agreement, and that no attempts to change the substance of the deal would be made,” he said.
However, Chertoff last month said the original agreement obstructed his efforts to maintain a high level of security. The agreement allowed for 34 categories of information to be handed over. The United States has been pushing to increase this number during the negotiations over the past month.
“Chertoff is in a much stronger position to negotiate,” Kuner said, adding, “He doesn’t face any legal issues in the U.S., so he doesn’t feel the same pressure to reach an agreement that his European counterparts feel.”
-Paul Meller, IDG News Service (Brussels Bureau)
Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.