For the Pdf version please click here

First published by Review of International Law and Politics (RILP), Vol. 3, No: 12, 2007, pp. 99-118. RILP is an USAK publication. All rights reserved.

INTRODUCTION

After 9/11 attacks, the changes on both national and international security policies have become more evident. While these changes have been imminent for the US which was the primary target for the unprecedented attacks, the prominent changes have occurred at the European Union as well.

The increase in the number of terrorist attacks has led the EU to activate the third pillar of the Union (Justice and Home Affairs), which also means the ‘Europeanization’ of the national security concept. While in the past struggle against terrorism and cooperation against such a threat have been dealt with under the competencies of national sovereignty of EU member states, after 9/11 EU has changed its implementations.  In this sense, the EU began to work on legal arrangements at Union-level in the form of conventions, decisions, framework decisions and declarations. For instance, Declarations on Struggle against Terrorism dated 2004, aimed at making the nationals tie with the European legislation. Thereby, the EU has in theory settled up on the issues such as struggle against financing terrorism, strengthening the information sharing between security and executive authorities and increasing in police and judicial cooperation.

In the light of the aforementioned changes in the EU policies, several applications have put into practice by the EU, including mandating the application of the biometric passport for the control of the entrance and exit of the passengers to the EU countries. On these implementations, it is possible to state that to some extent they had positive contributions to the elimination of the security concerns. However, needless to say, they also resulted in raising some questions about their impact on the individual rights and freedoms. That is to say, there is always no direct correlation between the consolidation of the state security and the individual one. While the EU has tried to provide the security of the countries, due to some of its activities it has acted in the direction of limiting the individual rights which have been granted by the Convention for the Protection of Human Rights and Fundamental Freedoms.

 

The PNR Case (Passenger Name Records) which was brought to the European Court of Justice formed one of the examples among such decisions of the EU. This case has resulted from sharing passenger name records with the US authorities which has been claimed as the violation of the human rights. This study focuses on the EU counter-terrorism policies and their relation and impact on individual rights in light of a case study. In this sense, the study analyzes the PNR case which has been brought by the EU Parliament against the Commission and Council decision. Finally, the study examines the new PNR Agreement signed in July 2007 in terms of the ability of its commitments and undertakings to eliminate concerns of the previous agreement related to civil liberties and individual rights.

9/11 TURNING POINT: THE EUROPEAN RESPONSE

September 11, 2001 attacks in the US and also the ones following the 9/11 in the European countries such as Madrid and London bombings have caused the US and European countries to reevaluate threat assessments and their counterterrorism policies. Just after the 9/11 attacks, the EU responded with a European Council Meeting which convened extraordinarily on 21 September 2001. Undertaking the prominent support to the US, the European leaders put the fight against terrorism among their priority objectives on the EU level. They also called for enhanced cooperation within the EU countries as well as between the Union and third countries by emphasizing to fulfill the cooperation in reconciliation with respect for human rights.[1] In parallel with the undertakings pledged in the Council, the EU has taken several steps with the cooperation of the US in terms of fight against terrorism. These steps were mostly of the action plans, framework decisions and declarations taken in the Council meetings at different times and of diplomatic and economic initiatives as well as criminal and administrative ones.[2]

 

It seems that the logic behind the EU’s response to terrorism has served in two ways. While the first one involves in psychological aspects, the second one includes operational terms. Particularly after the attacks in London, the EU got the opportunity to re-stress the importance of carrying out a collective strategy against terrorism. The European security strategy has therefore evolved around the psychological expression of the promotion of solidarity among the member states by bringing the interior and justice ministers of the members together. The EU has then tried to extend its success in economy in terms of community level to the Union level which remain intergovernmental and mostly let the members act in individual manner. In operational terms, the EU has set to defensive and proactive political actions and following the EU Council declarations, in order to speed up the process it also engaged in a set of legislative initiatives.[3] 

 

In this framework, on the one hand while for the first time the EU has taken the steps which were effective and binding on the EU level; on the other hand, by envisaging the increased cooperation in the fields of police and judicial issues, the new agreements were signed between the Europol and US security units in 2001-2002, relating to information sharing at the strategic and technical levels. In this regard, it seems that the EU acted in a manner parallel to the global initiatives. During this period the consensus in the global arena started to shape in the way of construction of a global surveillance, which involved in fingerprinting and the collection and exchange of data. In the EU, therefore, new measures have remarkably increased in the use of biometric instruments and e-security initiatives, including the use of biometric passports and PNR data transfer. However, these measures brought the civil liberties and more specifically the ‘privacy’ concerns in question.

IMPLEMENTATION OF MEASURES: SECURITY VERSUS CIVIL LIBERTIES

In the aftermath of the 9/11, the US government has enacted several legislations, among which the PATRIOT Act was the most prominent. This law enabled the law enforcement agencies to start new software and applications, such as fingerprinting for  all entrants to the US with some exceptions, risk assessment for terrorist attacks and risk profile ratings for over all international travelers by ATS (Automated Targeting System), US-VISIT program and establishment of traveler redress procedures (TRIP).[4] These examples have been taken by the EU and also its member states individually, in particular by the UK.

However, the problem has evolved around the balance between maintaining security and protecting civil liberties as well as democracy. The EU security agenda and the instruments such as biometric surveillance indicate a relatively increase toward maintaining security of the EU. Yet such an increase created challenges against the commitments of the EU to the principles of freedom, democracy and justice.

 

The focus of the EU on homeland security is being shaped within the perspective of working with the external partners and international organizations to promote a comprehensive global approach to the fight against terrorism. It seems that the global approach mostly includes the US on the one side and the EU on the other, especially as the external partner, whose approach on defeating terrorists is to limit terrorists’ movements between countries and to disable their worldwide networks. One of the proactive counterterrorism policies of the US is the use of name-based information. The Department of Homeland Security checks passenger manifests and crew lists, to screen travelers coming to the US. The main aim is to act upon threats before they can reach their shores. One of the comments published in Washington Post might be an important example to show how the US tries to justify this technique of surveillance: “If we learned anything from Sept. 11, 2001, it is that we need to be better at connecting the dots of the terrorist-related information. After September 11, we used credit cards and telephone records to identify those linked with hijackers. But wouldn’t it be better to identify such connections before a hijacker boards a plane?”[5]

 

José Manuel Barroso, the president of the Commission, states that they are making the fight against terrorism an integral part of the EU’s external relations. Also he emphasizes on their determination to balance security considerations with the protection of individual rights and freedoms, indicating the fact that the Charter of Fundamental Rights highlights the protection of civil liberties in the EU and these are the rights also threatened by terrorism.[6]

 

However, whereas the official authorities advocate the measures taken on behalf of ‘war on terrorism’ together with the respect on human rights, the efficiency and necessity of the measures became the subject for debates and have discussed by both American and European scholars. Many fundamental questions have remained unanswered, which mostly cause the increase in concerns simply because they put innocent passengers under government suspicion without justification and they threaten the term ‘privacy’ while undermining constitutional freedoms and international human rights.[7] For instance, questioning the balance between security and civil liberties, Hayes indicates that “it is not criminals or terrorists that threaten human rights or give them their significance, but the actual and potential breach of those rights by the state”. More specifically, Bunyan argues that most of the measures introduced have little to do with countering terrorism but rather they resulted in the increase in concerns; since they generally target the refugees, asylum seekers, the resident migrants and protestors.

 

Looking from the traditional perspective, it sounds sensible to claim that the security of individual is derived from the security of states. However, as Drulakova[8] indicates, strengthening of state does not necessarily result in strengthening of the human security. What is more, it might even contrarily amount to damage in civil liberties and human rights, eroding the security of the individuals as experienced in the case of European anti-terrorist measures. Therefore, the individuals might easily be in danger not directly owing to terrorism, but to the measures taken against terrorism instead. Once observed, the EU institutions and national governments of the EU member states, by and large, advocate that there is a balance between the rights and liberties of the people and the security expected by the individuals from the states. In this sense, the UK and France could be examples for those having such logic. Respectively, one of which makes emphasis on changing way of life and on the fact that European human rights law prevents coping with terrorist actions. While the other one regards terrorism essential which has to be countered to by all the means available.[9] The rational behind these cases overlaps with Sarkozy’s expression of French counter-terrorism as “zero-tolerance” policy.[10] Moreover, it is similar to the mentality in the case of ATS application in the US whose defenders’ answer to the question of “how much data the government should have access to” is “as much as it needs”.[11] However, what the term ‘need’ is not clear to provide balance between the measures and the liberties.

 

These kinds of implications bring the “proportionality” principle in question. Stating “any action by the Community shall not go beyond what is necessary to achieve the objectives of this Treaty”, article 5 of the EC Treaty under the title of proportionality indicates the main philosophy of the EU law, not just that of the first pillar actions and legislation. However, in contrast to the mentioned article which is supposed to be the backbone of the EU Law, it is not possible to see complete parallelism (disproportionality instead) between the aims and the means to be used to reach that aim when the statements of Barroso highlighting protection of civil liberties and those of Sarkozy’s are compared. In parallel with the disproportionality, it seems that there could become no effective balance in practice, particularly for the individuals apart from the EU nationals.

Suffice it to say refugees, asylum-seekers and third country residents in the EU would be the ones whose lives are changed dramatically. The striking reason is that, as Bunyan states, “all refugees have come to be viewed by the EU as potential terrorist, and if not terrorists then potential criminals”[12] and the introduced measures are planned by considering the worst scenarios. For instance, the decision taken in 2003 for third country nationals, resident in the EU included arrangements which could make the people at issue feel differentiated. Accordingly, these people living in the EU should be fingerprinted and given a biometric card on a national database.[13] As a result, thanks to these kinds of measures introduced by the EU, everybody is regarded as potential criminals or at least they are made to feel so. Another concern about the arrangements related to the biometric cards is feasible transfer of the data to other authorities. The likelihood of the personal data to change hands easily on account of excuse of security investigations overshadows the civil liberties. Furthermore, even if the measures and considered pressures seem to be useful in the short term, such kind of policy might lead to the rebellious reactions similar to that of France experienced in 2005 when the immigrants went on riots and demonstration against discriminatory policies. Therefore, it seems actually not logical for the EU, which has tried to prevent both internal and external threats, to make people feel second-class citizen and differentiated.[14]

 

In addition to the “proportionality” concern, there is one more issue which leads confusion among people about the application of strict measures damaging the civil liberties and human rights on the account of the fight against terrorism. This is the term what is called “policy laundering” which means pushing authoritarian measures at the EU level and then, once they are adopted, telling parliament and the public that it has no choice but to implement these measures to meet the government’s obligations under international law.[15] In other words, this establishes an implicit link between the arrangements in one member state with those of taken at the EU level. The national governments therefore easily find a way of clearing their policies in front of their publics via the common policies of the Union.

 

In terms of the measures introduced under the war on terrorism, what will be the role of the EU Parliament who is considered as the spokesman of the Union’s nationals? To what extent the measures reflect the opinion or approval of the EU Parliament? As known, in the current democracies in the world, it is generally approved that the most efficient way of participation in the determination of the state policies is through the parliaments and it is the parliament where the opinions of the different segments of the public find ground to be reflected upon the decisions taken in the pluralist structure. Despite the EU has a parliament in its structure, within the scope of third pillar it is difficult to see this parliament’s active role in terms of the anti-terrorism policies. Nearly all decisions taken in terms of Justice and Home Affairs are shaped by the monopoly of the Council mostly ignoring the opinion of both Parliament and NGOs.[16] This is mostly because the member states are jealous about sharing their competencies on the subject of Justice and Home Affairs with a supranational institution. Moreover, it is debatable to what extent these decisions include democratic measures, which are deprived from the democratic bases. The “Action Plan” revised after the Madrid bombings by ‘Statewatch’. The revision revealed that the articles 27 of 57 introduced in the Action Plan were less relevant to or, more importantly, have no relevance with the subject of fight against terrorism.[17] This is why the concern about “policy laundering” raises together with the question whether both the EU and member states try to increase their power on surveillance and control under the guise of war on terrorism. For that reason, the necessity of the measures introduced in terms of the fight against terrorism is dealt with the debates in the cases of legitimacy, proportionality, accountability and efficiency.

 

The last but not the least, the excuse of “exceptionalism” can possibly be indicated as the reason eroding the public accountability to the measures. This means that the anti-terrorist measures find the basis in the logic that these are the initiatives to be engaged in ‘exceptional’ circumstances. The rational behind the introduction of biometric and other measures is the justification of counter-terrorism on the grounds of exceptional situation. However, the term ‘exceptionalism’ turns to be the norm in time, which severely disturbs the public. Thus, ‘exceptionalism’ stirs up distrust and exacerbates the trust deficit in the EU in which there is already lack of trust in political processes by and large.[18] In addition, as a result of the weaker political trust, as Lodge emphasizes, where the loyalty of the citizens is fragile, the EU would likely face an added danger of decrease in support to supranational structure and increase in alienation to the EU structure parallel with the decrease in feeling of security.[19]

 

In the light of the aforementioned issues indicating security versus civil liberties, the following parts of this study will focus on the controversial Passenger Name Records (PNR) Agreement whose parties are the US and EU and which formed the subject of one of the judgments of the European Court of Justice (ECJ), called PNR Case[20].  In this sense, the following section of the study focuses on the deficiencies of the earlier agreement annulled by the Court. Furthermore next section makes a comparison between the earlier agreement and the new-born PNR Agreement related to the changes brought by the new agreement in terms of its position toward being more favorable to civil liberties and privacy issue or not.

 LEGAL REPERCUSSIONS: THE SAMPLE OF PNR CASE

In terms of legislation, the counterterrorism policies of the US have had implications not only in the North American region but also it had impact on transatlantic relations. The PNR agreement signed between the US and the EU resulted in a case taken before the ECJ.  The PNR agreement, which became the subject of an annulment, gave authorization to the EU airlines to share the passenger records with the US authorities for the flights which would go to, from or fly through the US territory. Thereby, it is provided that reserved passenger names and 34 different data would be shared with the US authorities just 15 minutes before the departure of the transatlantic planes.  In this context, the European Parliament (EP) brought the suit before the ECJ against the EU Council and the Commission because of the reasons, respectively, signing the agreement without waiting the EP’s opinion and exceeding its competencies because of its ‘adequacy decision’.

 

Upon the application of the EP, the adequacy decision and the Council decision both annulled on the basis that the personal data processing at issue was outside the scope of the Data Protection Directive, which recognized the US as providing an adequate level of protection for transfer of PNR data, instead it was an issue falling within the areas of criminal law. The EU then concluded a new interim agreement with the US under third pillar, for which the Data Protection Directive cannot be applied, and which was expired in July 2007. Before the expiration date of the interim agreement during the first half of 2007, by emphasizing its strategic importance of the continuation of long-term transatlantic relations, the EU engaged in series of negotiations with the US authorities in order to rearrange a new agreement. In the end, the parties agreed on a new agreement at the end of June 2007 which still remains previous concerns applicable; however, it kept the previous critics more concerned while concluding the agreement.

Background

After 9/11 attacks, the United States passed the Aviation and Transportation Security Act in November 2001, which mandates air carriers operating flights to, from or through the US territory to provide the US custom authorities with electronic access to the data contained in their automated reservation and departure control systems, known as Passenger Name Records (PNR). Claiming that this data is necessary for struggling against terrorism, the US threatened the non-complying airlines to withdraw of their landing authorization. If they fail to do so, they can be fined a considerable amount of money for passenger whose data was not transferred properly.

 

The European Commission informed the US authorities in June 2002 that the provisions of the agreement could conflict with the EU national laws and Community legislation, including especially EC Directive 95/46/EC. In such situation, the airlines faced with a dilemma in which either it would comply with the US requests to avoid any fine or it would refuse to transfer data not to violate the EU legislation and undergo the penalties of the US. Upon the request of the Commission, at first, the US postponed the starting date for new arrangements; but finally the US Customs (the Customs and Border Protection (CBP)) refused to extend the delay beyond 5 March 2003. Entering into negotiations with the US authorities, the Commission adopted an adequacy decision[21] on the basis of Article 25(6) of the EC Directive on data protection. Grounding on this decision, the Commission expressed that the US would guarantee an adequate level of data protection. By the way, while the negotiations of the Commission were carried on with the US authorities, the Working Party on the Protection of Individuals, which is set up by art. 29 of the Directive expressed its doubts about protection level of data. Besides, expressing their concerns about the legitimacy of the PNR demand, national parliaments were also involved in the discussions as well as the EP which had already stated its doubts on whether the data would be protected in an adequate level.

         

Despite the fact that the EU authorities seemed not to be convinced with the adequate level of data protection and civil liberties concerns, the Commission adopted a decision[22] on adequacy about data protection on 14 May 2004. By this adequacy decision, the Commission stated its conviction that the US authorities would ensure an adequate level of data protection, thereby which the Commission tried to balance the privacy concerns and urgent demands of the US. This decision enabled a facilitated base for the Council of the EU to sign an agreement between the US and EU. Therefore, in a short while, the Council adopted the decision 2004/496/EC[23] on the international agreement on 17 May, obliging EU air carriers to provide US authorities with PNR data. Both the Commission and Council decisions were taken without considering the EP’s opinion and its call for waiting for the Court’s decision on the matter for review of the legality of the planned international agreement. The subject on which the Parliament particularly insisted to refer to the Court was also the compatibility of the agreement regarding the protection of the right to privacy. However, after the adoption of the Commission and Council decisions, the Parliament decided to withdraw its request for an opinion from the Court; it brought, instead, the decisions of the Commission and Council before the Court with the request of their annulment, which are respectively the subjects of Case C-318/04 and Case C-317/04.

 

Upon the application of the Parliament for action for annulment on 9 July 2004, the ECJ decided to hold two applications in a joined case and then made its decision in favor of the EP’s request on 30 May 2006.

Concerns about the PNR Data Collection

The Parliament, in the case of 2004 Agreement, requested the Court to deal with several pleas for annulment, claiming ultravires action for the Commission decision, incorrect legal bases, breach of the fundamental rights, breach of the principle of proportionality and breach of cooperation in good faith. If considered, Parliament’s claims are mostly about the main principles parallel with the civil rights and liberties. This is why the initial reactions to the debate began to come long before the signature of the agreement by those who regard the issue as potentially serious violation of their right to privacy and of protection of their personal data.

 

The level of protection of the personal data which are transferred to the US authorities has extensively been a great concern in Europe. The crucial ones of the overall concerns are focused on the possibility that data will be used for the purposes that are unrelated to airline security, on possible errors that would affect innocent passengers and on the method that the agreement envisaged for transfer of data. The issue of proportionality related to the amount of data to be shared and length of data storage are among other concerns indicated by Working Party, some NGOs and scholars all together.

 

Firstly, electronic access to PNR data includes a broad list of 34 data ranging from payment information, e-mail address and frequent-flyer information to meal preferences and special health requirements. So the PNR data gives a lot of information about the individual, his/her special needs, the method of payment, country of destination and so on, which means much more than a required relevant information flow for countering terrorism. Addressing the purpose of data collection, the Working Party stated its opinion,[24] adopted in 2003 that the amount of data to be transferred goes beyond what could be considered adequate, relevant and not excessive. Instead of 34 data to be transferred, the Working Party then recommended a list of 19 items in a limited grounds directly related terrorism. Similarly, in a resolution[25], the EP supposed that the amount of items of data requested seems excessive and not proportional to its aim, which makes the objective for the data shared and stored remain unclear and irrelevant to fighting against terrorism to great extent. Therefore, the issue of proportionality is of the crucial point in discussions about data to be transferred in order to make a reasonable link between purposes of war on terrorism and the use of data. However, the information included in PNR seems comprehensive enough to cause serious violations of individuals’ privacy rights, if it is transferred without adequate safeguards as Morozova[26] discussed. In a resolution adopted by the Trans Atlantic Consumer Dialogue (TACD), it was also expressed in June 2004 that it had strong concerns about how the disclosure of personal data in airline reservations for flights from the EU to the US would affect travelers’ privacy rights.[27] In its resolution, TACD stated its belief that passenger profiling and monitoring programs, such as the US CAPS II system, present risks for the privacy of passengers flying from the EU and should therefore be subject to the strongest privacy safeguards. Morozova also backed up such a finding with adequacy level of CAPS II system in the US about which the US General Accounting Office has reached some conclusions. Accordingly, seven out of eight privacy and data protection criteria have not been met.[28]

 

Privacy issue of the requested PNR data have then led to increase in concerns about lack of adequate safeguard to prevent passengers’ data from unjustifiable disclosures and potential abuses. The TACD Resolution on PNR again emphasized a fact that there have been recent and widespread disclosures of travel data between US private sector entities and by them to US law enforcement authorities without legal authority.[29] Hayes also draws attention to a similar fact that providing the US with PNR data would form a breach of EU data protection law mainly because “once transmitted the data will be shared with other federal agencies and no longer specifically protected”.[30] The possibility that data could be transferred to unrelated agencies for unrelated reasons lead increase in concerns about privacy violations. Additionally, there is a possibility that data would be used for the purposes unrelated to airline security. Morozova summarizes this concern with an example that the US could use data to refuse entry of the individuals with undesirable political backgrounds or to identify and arrest individuals wanted for minor crimes unrelated to terrorism.[31] Also, possible errors which could lead to legal difficulties for innocent travelers are other issues to be considered. This is actually because PNR only goes through probabilities, not information on actual terrorism. Then it increases the likelihood for innocent people to be unjustly treated like criminals. EU Committee report of the House of Lords explains what can go wrong with the PNR data collection via a frequently given example. This example is that of Senator Edward Kennedy who was once forbidden to land in the US because he shared a name with an individual on a watch list.[32] It then explains concerns on inaccurate PNR data which can produce a false identification and so attribute to an individual conduct and behavior which is not his. Another case the Committee report pointed out a risk of error in using PNR data which might arise from the erroneous interpretation of the data. Even if the data is accurate and there is no doubt about the quality of data, it might carry the risk of false interpretation which results in the use of right data for the wrongly reasons.

 

Regarding the method of data transfer, the US could access 34 PNR data under a “pull system” whereby US authorities have direct access to the airline database and could take whatever information they want without any filtering system. This system received a lot of criticism because it is regarded that the only acceptable method of transfer is the “push system”. This means that the data is first selected and then transferred by airline companies to US authorities, instead of allowing the US to have direct access. The data protection authorities, in their adopted opinion[33], called for the adoption of push method as soon as possible in order to ensure liability rules provided by the EU law in terms of data control. TACD, in its resolution, similarly calls people’s attention to the method of data transfer by stating “push system” as the sole acceptable one. This is why it took an initiative during that period to urge the US and EU “to suspend the implementation of the EU-US PNR agreement until the technical mechanisms to put in place a “push” system of data transfer are available”.[34]

 

Last but not the least, in reference to length of data storage or their retention by the US authorities, concerns centered on proposed time in the agreement which envisaged 3.5 years. This time frame is considered as unjustified, when compared with the idea that personal data should be kept no longer than it is necessary for the purpose of collection. The Working Party, once again, expressed its opinion in direction that data should only be kept for a short period of time.[35] Proportionality issue is, then, once again in question in terms of PNR data collection beside to the number of data and their privacy matter.             

 

All concerns in discussion have brought the PNR issue beyond the legal perspective to the political agenda. Whereas on one hand the legal fallacies of the EU-US PNR agreement became the case before the ECJ, on the other hand compatibility of the agreement with European understanding of human rights and civil liberties in terms of EU policies on fight against terrorism has been dealt in political perspectives. This is the reason why the PNR collection and sharing has gone beyond an annulled agreement just due to lack of legal bases.    

ECJ Judgment under Examination

In its judgment of 30 May 2006, the ECJ annulled the Commission’s adequate decision by stating that the transferred data was being used for security reasons which fall within the scope of criminal law, relating third pillar; therefore there is a fallacy for the basis (EC Data Protection Directive 95/46) for the Commission’s adequacy decision. The Court also ruled out that Article 95 did not provide an adequate legal base for the Council decision. Accordingly, it gave its decision in favor of Parliament’s application for annulment of both decisions. The Court considered the Parliament’s other pleas as unnecessary. In its judgment, even though the Court gave its decision in the direction of an annulment, it preserved the effect of the adequacy decision until 30 September 2006 whereby it let the agreement to remain in force until a new agreement is concluded. This was actually because the Court ruled out that transfer of data and activities of the authorities are operations concerning public security which are in the area of criminal law. Thus, they are not first-pillar activities within the transport sector. In this sense, the ground on which the adequacy decision based is difficult to reconcile with first pillar competencies. This is why the Court allowed effect of the agreement to continue until a third pillar agreement to be negotiated.

 

However, the choice of third pillar for the new PNR agreement was not considered a sole remedy for the elimination of the concerns. For some, in the third pillar, the EP has less voice than in the first pillar; the EP would therefore be cut out of the picture if compared with the present situation.[36] Mendez also brought a parallel comment on the issue that “if a third pillar agreement rather than Data Protection Directive were viewed as the applicable framework, the EP and Commission would see their roles reduced and ECJ’s jurisdiction curtailed”.[37] This situation, as known, is because of the intergovernmental nature of the third pillar, in which the EP has very limited role on decisions and so does the Commission and ECJ. Similarly, the ECJ judgment seemed to be disappointing “because in its judgment the ECJ on one hand concluded that PNR data collection by airline falls within the scope of the Community law and on the other hand it seemed to accept that if the same data are to be transferred for public security reasons they are no longer in need of the protection of EC Data Protection Directive”.[38] It is possible to interpret such a decision that as long as data transfer to third countries is intended for public security reasons or use, this transfer would get away from the application of Data Protection Directive. Guild and Brouwer give Visa and Schengen Information systems as potential examples for such conclusion. For that reasons, the consequences of the Court judgment has been criticized for creating of a loophole in the protection of citizens.[39]               

        

Then it is possible to state that whereas, on one hand, the provisions of the PNR agreement became the focal point of long-lasting arguments, the attribution of the Court’s judgment led to many discussions as well. This is generally because in neither case the ECJ saw any necessity to consider all pleas of the Parliament. The Court neither ruled on the content of the agreement nor questioned the level of data protection of the Commission decision. Actually, the pleas of the EP had a broad range of issues including breach of fundamental and civil rights.  However, by just shaping its decision on the legal ground, the ECJ chose to hold the case on a limited ground. It never dealt with the privacy issue and civil rights on the discussion whether the PNR agreement has resulted in breach or not. The valuable contribution of the Court on the development of fundamental rights in EC law thanks to its case-laws is well-known. Even, the Court has sometimes become the subject of criticism because it goes beyond its judicial function and performs as if having a quasi-legislative role.

Contrary to its general activism in the field of fundamental rights, it seems that the Court avoided applying such a way for PNR case even if the issue has direct link with civil rights and liberties. If put in this way, for a debatable case including privacy issue, the Court ruled out in favor of civil liberties but just in a limited ground by preferring to be careful not to stir up dilemma. It then avoided holding the case by dealing with the whole points. The attitude of the Court in the PNR case is likely to be explained through Tridimas’ argument about the ECJ and its judicial activism. Tridimas argues that it is not easy to identify with certainty periods of self-restraint and periods of activism in the case law of the Court. Accordingly, it is not always clear when a decision ceases to be passive and becomes active. In addition, it is not accurate that the Court pursues a consistent policy, that of furthering European federalism, and not always favor the Community at the expense of the member states. With an analysis, Trimidas states that the approach of the Court is characterized by pragmatism rather than principle. Moreover, it is inevitable that some of the Court’s decisions display political repercussions. This might be because the financial interests are at stake or because loss of sovereignty is the outcome in certain areas for member states. And it might be also because the issue, on which the Court will rule out, is a sensitive issue in some member states, such as abortion in Ireland and language in Belgium. In such case, the Court may prefer to adopt a proactive approach or less active one.[40] Consequently, it seems that keeping away from taking an active approach in terms of PNR data transactions; it is possibly considered a period which the ECJ retreated to observe following reactions of both the EU member states and individuals whose rights and liberties are at stake. After 9/11 attacks, for a situation in which the security became the most vital interests, the ECJ seemed not to ignore the sensitivity of the members and also the airlines which would face possible US fines if they fail to share the data with US authorities.

 

However, the privacy issue about the PNR data transaction is not a case only the ECJ would shape by its case law. The PNR problem is one of the examples of the complicated structure under which the EU currently operates, as Guild and Brouwer indicated.[41] This is why there have been proposals to remove the pillared-structure of the Union and insert the fundamental rights into the EU structure. 

The New-born Agreement

The ECJ judgment allowed the parties to terminate the agreement within 90 days which means the agreement to be in force until 30 September 2006. The EU therefore engaged with negotiation for a new agreement in less than three months. During the negotiation process for the interim agreement, the debate continued to take place on the dilemma between fight against terrorism and privacy issue. On the US side, information sharing and intelligence gathering were considered as some of their most important tools in the global war on terrorism. To back up this approach, Chertoff, US Homeland Security Secretary, expressed the need to increase the US ability to get information by stating “imagine that our troops in Afghanistan raided an al-Qaeda safe house and captured a computer containing the cell phone numbers of operatives in Europe. Wouldn’t it be important to know whether one of those cell phone numbers was used to book a transatlantic flight? Unfortunately, today our ability to make that connection remains limited.”[42] He then added “(…) But despite the strong links we have forged with our European partners to protect our nations, we still remain handcuffed in our ability to use all available sources to identify threats and stop terrorists. To defeat terrorists, we must know their movement between countries and disable their worldwide networks by targeting our investigative sources. (…) One way is by using more of the detailed information collected by airlines and travel agencies when an individual books a flight.”[43] Afterwards, Chertoff, stated European security concerns have recently limited the ability of counterterrorism officials to gain broad access to data. However, European resistance to such measures has remained similar that of previous ones to some extent. Civil liberties groups continued to argue that the US fight against terrorism is violating basic rights in Europe.

 

Completing the negotiations in October 2006, the parties signed a new agreement with some changes, hereafter referred as the “Interim Agreement”. The terms of the original 2004 agreement, were not substantially changed. In summary, one of the main changes is that the US intelligence and law enforcement agencies, including CIA and FBI, got their demand to share and study the European information more easily. So, it provided sharing of PNR with other agencies that has counterterrorism functions. Welcoming new development, Homeland Security Secretary Chertoff said in a statement that “Under the agreement, US Customs and Border Protection will have new flexibility to share PNR data with other counterterrorism agencies within the US government.[44] If recalled, there have been widespread disclosures of travel data between US authorities without legal base, as one of the concerns. Due to the change in provision, giving access of PNR data to other agencies became legalized. On the other hand, the EU won a bid to make US authorities request data specifically, rather than receiving it automatically. What remained the same despite criticism is time of retention of current data. 3.5 year became a compromise once again until mutually acceptable arrangement will be concluded before the expiration of the undertakings. And there was no change in the number of data collected. The parties had then took time to renegotiate a more comprehensive and sensible agreement which would apply after the expiration of the Interim Agreement, 31 July 2007.

 

After the agreement Franco Frattini, the EU Justice and Home Affairs Commissioner, expressed that each American agency would have access to the data only if it was rigorous in protecting privacy.[45] However, although the undertakings of the Interim Agreement pleased the EU officials that the new deal would guarantee legal certainty in a very sensitive matter, data-protection practitioners and legal experts criticized the Commission’s lack of standing in negotiations with the US over the advance of transfer of personal data. With regards to the new agreement pending under negotiation, during the first half of 2007, members of the EP and privacy experts explained their critics on the first two agreement and their concerns on the following one. In this sense, the EP organized seminars to discuss the Interim Agreement and the new one with the participation of the Working Party and national data protection officers.  The chairman of the Working Party, Peter Schaar, expressed his concern that “also the new agreement will not respect European data protection requirements” and he added “there must be proof that practices meet the requirements, including the requirement that they are necessary, not just useful for the US side”.[46] There were also concerns about the amount of data as well as about the unclear purposes for which they will be used. Moreover, data-protection expert Simitis stated his concern that “Undefined terms like ‘terrorism’ and ‘public interest’ are completely counterproductive and inadmissible for any functioning data-protection rules”.[47] In the negotiation period, the House of Lords Report also pulled the attention to the EP’s role in the issue. It pointed out the fact that “the European Parliament no longer has a formal role to play is not a reason why the views of its members should be disregarded. On the contrary, in a Union of democracies special attention must be paid to the views of representatives, since they are well placed to balance the public good against private rights”.[48] Regarding the discussions and concern going on about the PNR issue, the points that the Commission would look at was determined. Jonathan Faull, head of the Directorate-General for Freedom, Security and Justice, listed the points as the number of PNR data to be retained, duration of their retention, whether the DHS can more freely pass on European PNR data to other agencies and how to strengthen personal privacy.[49]

 

In light of proceeding discussions, a political deal was reached in principle at the end of a conference on June 27, 2007 between the EU Justice and Home Affairs Commissioner Franco Frattini, the US Homeland Security Secretary Michael Chertoff and the Interior Minister of Germany, holding the EU term-presidency at that time. The agreement was approved by the foreign ministers of the 27 member states on 29 June which replaced the Interim Agreement, expiring at the end of July. New agreement was officially signed on July 23, 2007 by the US and the EU, being recognized that “information sharing is an essential component in the fight against terrorism and recognized that US and European privacy law and policy share a common basis and that any differences in the implementation of these principles should not present an obstacle to cooperation between the US and the EU”.[50]

 

Under the terms of new agreement, the number of data categories was reduced to 19; however, the amount of time that US authorities can retain was extended to a maximum 15 years from the previous limit of 3.5 years. Accordingly, DHS retains the EU PNR data in an active database for seven years, after then the data will be moved to a non-operational status. This dormant or non-operational status was determined as 8 years. It remains as DHS’s intention to review the effect of the retention rules on operations and investigations based on its experience over the next seven years. It is decided that discussion of the results of this review will be with the EU; however, it has a margin for US authorities to extend the length of retention period of the PNR data. Still, reduction in amount of data was welcomed by the EU authorities. For instance, the Working Party said the old list of 34 data items was too long, so the EU may welcome the fact that it was shortened.[51]      

 

In reference to the method of data transfer, transition to a push system by air carriers was decided to be no longer than January 1, 2008. For those air carriers which do not implement such a system, the current systems is decided to remain in effect until they implement a system complying with the required technical arrangements. Therefore, the EU once again gave time to US authorities to go on using the pull system to use. Actually, similar commitment had been given by the US three years ago to move a push system. Moreover, under normal circumstances DHS will receive an initial transmission of PNR data 72 hours before the scheduled departure. Comparing with 2004 agreement, it is seen that duration to receive the data before the departure is extended because in the previous agreement it was just 15 minutes before the departure. The DHS, in exercising this discretion, is planning to act judicially and with proportionality according to their statement.[52] Sharing of PNR data with third countries as well as the other domestic authorities in the US is another issue on which the agreement has provision. It provides exchange of EU PNR data with other government authorities in third countries, but only after consideration of the recipient’s intended use and ability to protect the information.[53] Once recalled the privacy concerns, it actually puts the provision under a serious discussion. The one-way flow of data from east to west across the Atlantic is still point at issue in the new agreement. It is stated “the EU will ensure that air carriers operating passenger flights in foreign air transportation to or from USA will make available PNR data contained in their reservation systems as required by DHS”.[54]  

 

Consequently, it seems so that the EU did not sign an agreement with US authorities, as expected to eliminate whole concerns and as proposed in many discussion platforms[55], by encouraging all authorities involved in the PNR discussion to consult with consumer protection groups, as well as the representatives of consumer organizations and data protection authorities in discussions. The result was interpreted in some newspaper as the flexibility given to the US in certain areas which were the key demands of the US during the course of negotiations for the agreement.[56]

 

Members of the EP expressed their disappointment that the EU had apparently acquiesced to pressure from Washington.[57] Even after the political deal of June, before the official signature of the agreement in July, in adopting a resolution on the Agreement, the EP concluded that the deal fails to offer an adequate level of data protection.[58] In their resolution the EP members expressed their concern that “the EU-US agreement was substantially flawed in particular by open and vague definitions and multiple possibilities for exception”. Even though the EP members seems to welcome for some developments, they agreed on the fact that there was still much more to be improved in the issues in question, such as the use, purpose, retention period, sensitive data, access and sharing with third countries. The EP strongly opposes the fact that third countries in general may be given access to PNR data if they meet the conditions. Similarly, Peter Hustinx, the European data protection supervisor, in a letter before the signature of the agreement, expressed once again his concern that “European governments were in danger of sacrificing too much of their citizens’ privacy in the fight against terrorism”.[59] It shows that the messages on the guarantee of the protection of rights and liberties besides to the security did not satisfy the whole parties and actors which are interested in the issue. Stating “I very much challenge that view and stress that there should be no doubt that effective anti-terror measures can be framed within the boundaries of data protection”, Hustinx acted as a spokesman of the ones who handle the issue in privacy concerns.  

       

Therefore it seems that the only point that the individuals and agencies welcomed about the new provisions of the PNR agreement is the decreased in the number of data to be shared with US authorities.

 CONCLUSION

In the global era, security threats have become increasingly transnational in nature. Particularly after September 11, 2001, this led most of the states to put more emphasis on new forms of security issues. Conversely this approach has brought the discussions whether it is possible to protect fundamental rights and freedoms while maintaining security at difficult times. However the controversy emerges from the fact that the balance of the scales tends to lean more on the side on security rather than protecting freedoms.

 

In terms of fight against terrorism, initiatives and measures taken by the EU similarly have two contradictory dimensions – one is facilitating the struggle in force and the other is limiting the area of civil liberties for certain groups in society (i.e. in particular third-country nationals living in the EU). However, the case of PNR data transfer is one of the striking examples of the EU’s dilemma in dealing with counter-terrorism. Sharing passenger records with the US authorities became the subject of the case in terms of the contradiction to the human rights. Essentially, initiatives at EU-level are of great importance in strengthening the ‘Union’ notion and for a smooth change in the existing intergovernmental cooperation so that the EU could enhance its supranational structure in counter-terrorism. Moreover, it is important to form a model in terms of international fight against terrorism. Yet, an aspiration of forming a joint approach at EU-level in terms of combating terrorism should not be in contradiction with civil liberties. In the field of counter-terrorism which is in tendency of ‘Europeanization’ process; a challenging security perception which results in regarding people as potential criminal may lead creating the Union’s own enemies due to quick and reactive responses. Instead, the EU should consider long-term solutions in counter-terrorism. The expectation from the EU is to set forth a safeguard-oriented approach in measures at EU-level with all institutions including the Court.

 

Consequently, swinging of the EU up and down between security and liberties leads to creation of a dilemma for the Union. This dilemma then results in the loss of confidence in the EU’s commitments to ensure a balance for its adoption of counter-terrorism policies. However, societal confidence towards the EU is actually basis for one of the main components of the EU’s legitimacy. This is why it is the EU’s task to balance two contradictory terms on the institutional level. However, fundamental rights and freedoms are the values whereby the EU conducts its foreign policy, particularly in the third world and neighboring countries.