Today the highest court in the European Union ruled (summary, full decision) for the second time, that US law does not provide an “adequate” level of protection for personal information transfered from the EU to companies or servers in the US.
What does this mean for Passenger Name Records (PNRs) or other records of our travels?
Understanding the implications of today’s decision — especially with respect to airline reservations and other information about when, where, how, and with whom we have traveled — requires some review of the background:
The case decided today by the Court of Justice of the European Union (CJEU), Schrems v. Facebook (“Schrems II”), has the same parties as the “Schrems I” decision in 2015. Both cases were brought by an Austrian citizen, Max Schrems, against Facebook Ireland, the Facebook subsidiary nominally responsible for Facebook’s contractual relationships with all Facebook users worldwide except in the US. In both cases, Mr. Schrems challenged the transfer — without his consent — of personal information about him, collected in the EU, to Facebook servers in the US. Once in the US, that data is vulnerable to being passed on to US government agencies, without notice to, or consent of, data subjects such as Mr. Schrems, and with no judicial oversight or means of redress under US law.
In general, EU law prohibits nonconsensual transfers of personal data to countries that do not provide an adequate level of legal protection for personal data comparable to that in the EU. (EU data protection law is rarely enforced, but that’s another matter.)
In Schrems I, the CJEU upheld Mr. Schrems complaint and found that US data protection law (or, more precisely, the lack of such law in many areas) is inadequate to insure protection of rights recognized as fundamental in the EU.
In an effort by supporters (both in the US and in the EU) of US corporate and government mass surveillance to avoid bringing US data protection law into compliance with EU norms of adequacy, the US responded to the Schrems I decision by enacting a patently inadequate and mislabeled “Judicial Redress Act”, and the EU made a patently unjustified new “finding” that US data protection law is now magically “adequate”.
To nobody’s surprise, Mr. Schrems challenged that new finding by the EU. To nobody’s surprise, the CJEU ruled today in Schrems II that US data protection law is still “inadequate” by EU standards of fundamental rights. Once data is transferred to the US, it is still subject to essentially uncontrolled extrajudicial access by US government agencies.
Contracts, such as those between Facebook Ireland and Facebook Inc. in the US, can bind those companies. The CJEU recognized, however, that by their nature contracts between private entities cannot bind the US or other governments which are not party to those contracts.
The CJEU concluded:
[European] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the [European] Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.
Immediately after his inauguration, President Trump issued an Executive Order further narrowing the application of the Judicial Redress Act. But the CJEU didn’t need to refer to that Executive Order to reach its decision in Schrems II that US data protection is inadequate.
Mr. Schrems’ case against Facebook will now be taken up again by the Irish courts and data protection authorities for further action in light of the judgement by the CJEU.
Where does this leave the legal status of government access to airline reservations?
Transfers of PNR data from airlines in the EU to the US government are governed by a separate “adequacy” finding, specific to these data transfers, ratified by the European Parliament in 2012. That finding rests on similar illogic to the findings invalidated by the CJEU in both Schrems I and Schrems II. But the adequacy finding with respect to transfers of PNR data is legally independent, and will remain in force unless and until it is rescinded or separately challenged in court.
Meanwhile, access by European governments to PNR data puruant to an EU PNR directive modeled on US mass surveillnace of travelers has also been challenged in several European countries. These lawsuits raise different issues than the Schrems I and Schrems II cases, which relate to transfers of data to the US. Legal cases against airlines in Belgium and Germany are currently pending before the CJEU, while a case in Austria has been stayed until the CJEU rules on the Belgian and German cases.