An agreement sheltering airlines from European privacy laws, allowing them to hand over passenger data required by U.S. authorities, expired Saturday, leaving most European airlines in legal limbo.
No disruption to flights has been reported so far. However, if the legal void remains for more than a week or so, airlines face being sued by individuals or groups in Europe, said Chris Kuner, a data protection specialist with the law firm Hunton & Williams.
In the wake of the terrorist attacks on Sept. 11, 2001, U.S. authorities demanded that airlines hand over passenger information covered by European Union data protection legislation. Airlines faced prosecution in the EU if they delivered the data, or fines in the U.S. if they don’t.
An agreement struck between the EU and U.S. in 2003 protected airlines from being sued for sharing the information, which includes names, addresses and credit card details. However, Europe’s top court overturned the agreement in May and said it would become legally void at the end of last month.
Efforts to negotiate a replacement agreement intensified throughout September, but despite assurances of progress from both sides, the talks ended in impasse Saturday, as the deadline passed.
As talks broke up, U.S. Secretary for Homeland Security Michael Chertoff made a draft proposal that European officials said may be discussed at a meeting of European justice ministers in Luxembourg on Friday. The Commission hopes an agreement will be reached that day.
British Airways PLC said that a Air Navigation Order issued by the U.K. government protects it legally in the absence of a new agreement. “The order from the government supercedes European data protection laws,” said spokesman Richard Goodfellow.
Air France SA spokeswoman Veronique Brachet said that although she was unaware of the French government issuing a similar order, her company would continue to supply the data to U.S. authorities and foresaw no disruption to its transatlantic flights.
“The European Commission has said we can fly to the United States, so I see no problem,” she said.
Karim Retzer, a data protection specialist at the law firm Morrison & Foerster said airlines are unlikely to be sued.
But Kuner, the lawyer with Hunton & Williams, warned that if the legal situation isn’t resolved swiftly there is a danger that European data protection authorities will be forced to take action against the airlines.
“The European Commission will probably ask the national data protection authorities (DPAs) not to take action, and will assure them that a new agreement is imminent, but if they fail to secure a new agreement within a week or so, there is a very real risk that a privacy group or even an individual passenger may lodge a formal complaint. This would force the DPA to take action,” Kuner said.
If a complaint was lodged then the DPA would order the airlines to withhold the information from U.S. authorities. If the airline obeyed then it would face fines of up to $6000 per passenger in the U.S., and the possible withdrawal of landing rights there, Kuner said.
Kuner said he was surprised by the failure to renegotiate the original agreement in time for the deadline at the end of September. “We were given the impression that it was simply a matter of changing the legal basis of the first agreement, and that no attempts to change the substance of the deal would be made,” he said.
However, last month Chertoff said the original agreement obstructed his efforts to maintain a high level of security. The agreement allowed for 34 categories of information to be handed over. The U.S. has been pushing to increase this number during the negotiations over the past month.
“Chertoff is in a much stronger position to negotiate,” Kuner said, adding: “He doesn’t face any legal issues in the U.S., so he doesn’t feel the same pressure to reach an agreement that his European counterparts feel.”