Quentin Archer

One of the most contentious issues in data protection law since the adoption of the 1995 Directive has been the debate over the transfer of airline passenger data from the European Union (EU) to the US authorities. Following the terrorist attacks of 9/11, the US introduced the Aviation and Transportation Security Act, which obliged airlines to provide the US Bureau of Customs and Border Protection (CBP) with electronic access to passenger data contained in the airlines' Passenger Name Record (PNR) for flights to or from the US.

Airlines had no real choice in the matter, but the data to be transferred was potentially extensive, and there was no obvious way in which the transfer would be lawful under European data protection legislation.

The general rule (under Article 25 of the Directive) is that personal data may only be transferred to a state outside of the European Economic Area which "ensures an adequate level of protection" for the data. The US does not; although it has various statutes dealing with aspects of privacy, it has no general data protection legislation.

The European authorities began discussing data protection concerns with their US counterparts shortly after the Aviation and Transportation Security Act was passed and, in the hope of concluding an early agreement on the matter, the US authorities allowed airlines 18 months' grace before fully implementing the provisions of the Act in relation to data of European origin. Unfortunately for the European Commission (EC), there was significant opposition from many interested parties in Europe.

One of the principal reasons for the opposition was the large amount of information contained in PNR data. PNR fields vary from one airline to another, but the negotiations between the EC and the US ultimately concentrated on 34 data elements. In addition to data recording name, address and telephone numbers, the data elements include all travel information held by the airline, together with information concerning payment details, accompanying passengers and less specific items such as "general remarks".

Under Article 25(6) of the Data Protection Directive, the EC has the power to make a finding that a third country ensures adequate protection for personal data by reason of its domestic law or its international commitments. The EC obtained a series of undertakings from the CBP which it hoped to use as the basis for a finding of adequacy under Article 25(6), but it faced opposition from the Article 29 Working Party and the European Parliament.

Despite the lack of co-operation from the Parliament, the EC came to a decision to the effect that there was adequate protection for PNR data transferred to the CBP and the Council approved the conclusion of an agreement between the EC and the US, which was signed on 28 May, 2004.

The Parliament, supported by the European Data Protection Supervisor (EDPS), sought an annulment of the decision of the Commission and the Council. They were opposed by the EC, which was in turn supported by the Government of the UK. The Parliament ultimately won, and the decision was annulled, but it was perhaps a pyrrhic victory.

The Parliament and the EDPS had argued that the Commission decision was ultra vires because the Data Protection Directive stated explicitly in Article 3(2) that it did not apply to processing operations concerning security or defence. The European Court agreed, concluding that since the ultimate basis for the transfer was US legislation concerning public security, the transfer of PNR data to the CBP was a processing operation concerning public security. There was thus no basis for a finding under Article 25(6).

The petitioners had several other arguments, including claims that the decision was contrary to Article 8 of the Convention on Human Rights, in that it was an unreasonable interference in private life and allowed the transfer of a disproportionate quantity of PNR data which were to be held for an excessive length of time. However, the court felt no need to consider these arguments.

The EDPS was clearly not happy with the judgment. The Supervisor felt that it created a 'loophole' in the protection of European citizens, because it now seemed that data collected for commercial purposes, but then used by security authorities, would not be protected by data protection law.

The court preserved the operation of the EC-US agreement until 30 September, 2006, in order to give time for a replacement, although it did not specify what legal form any replacement could take.

There is no unanimity as to the solution, although the EC has recommended that a replacement agreement be negotiated without any change on the basis of Articles 24 and 38 of the Treaty on EU, rather than on the basis of Article 95 of the EC Treaty which was declared unlawful by the court.

Because no changes to the content of the agreement are proposed, the wishes of the Parliament and the EDPS remain unsatisfied, and we will continue to be in the potentially unsatisfactory position that data requested by security authorities will not be protected by the legislation even where the data are also collected for commercial ends.

Quentin Archer is a partner in the technology, media and telecommunications practice at Lovells.