The Black Knight of Strasbourg

The US and the EU have negotiated over travel reservation data three times in the last six years.  A US law enacted after 9/11 requires that airlines transporting travelers to the US provide information from the airline reservation about those travelers.  Europeans have been antsy about that requirement since 2003, and they’ve initiated three rounds of talks to impose restrictions on what the US does with that information.  Each time, the same issues have been rehashed.  I led two of those negotiations, and in each of them, the EU had to give ground to get any agreement at all.  That’s partly because DHS was convinced of the value of travel reservation data.  It was also because the EU took the astonishing position that European privacy law required that the US rebuild a wall between agencies, essentially ignoring how badly such a wall had crippled our effort to find the hijackers before 9/11.

The European Parliament itself forced one of those negotiations – the round in which the EU lost the most – by filing suit in the European Court of Justice.  Now it’s asking for a fourth round of talks. These talks aren’t likely to end any better for the Europeans, assuming that the new leadership of DHS shows the same spine as the last one, and so far all the signs are that this administration values travel data even more than the last one.  But the European Parliament isn’t getting the hint.  It’s insisting that the talks be reopened, giving DHS as chance to take even more out of the agreement – or repudiate it altogether.  If the European Parliament ever needs a rallying cry for its negotiators, I suggest this:  “Come back here and take what’s coming to you! I’ll bite your legs off!”

I tell the story of the last couple of negotiations in Skating on Stilts, and I’ve now posted Creative Commons versions of those two chapters on the site.  This post includes an excerpt from the book for data protection lawyers to whack away at.  Data protection law is at the heart of the dispute, because the EU doesn’t actually control travel reservation data about Europeans.  Instead, it claimed that European airlines would be held liable if they transferred data to the United States to comply with US law.  In order to avoid imposing such liability on the airlines, the EU argued, the US should bring its own data processing practices into line with European standards.  Only then would US law be adequate under EU law, allowing airlines to justify their transfers.  The Europeans were essentially taking their airlines hostage and requiring the US to change its law enforcement procedures as part of the ransom.

I thought then, and I think now, that Europe was bluffing.  Part of the reason for that conclusion was my understanding of European data protection law, which I excerpt here for other lawyers to take a whack at.  As you’ll see, I thought the Europeans were bluffing when they claimed they would punish their airlines for obeying US law.  Was I right?

From everything I knew, the EU’s claim that its airlines needed an “adequacy” agreement before they could give us data was claptrap. Diplomatically convenient claptrap, but claptrap all the same.

The airlines had at least five good defenses against liability. For example, the directive allows the processing of data “in the public interest or in the exercise of official authority.” This is the provision that allows companies to cooperate when the government asks for information, and there was no footnote in the directive saying that American government requests weren’t “official.”

The second defense was even better; the directive expressly allows transfers of data even to “inadequate” jurisdictions if “the transfer is necessary for the performance of a contract.” That was squarely on point, I thought. An airline ticket is a contract, and the airline could not perform the contract if it didn’t comply with U.S. law, including our requirement to deliver reservation data.

A third strong defense was provided by the directive’s language allowing transfers of data that are “necessary or legally required on important public interest grounds.” DHS’s legal requirement was meant to keep terrorists off planes, and that surely qualified as an “important public interest.”

That gave rise to the fourth good defense. We figured that keeping terrorists off planes would be good for the other travelers on those planes, and the directive also exempts transfers that are “necessary in order to protect the vital interests” of the person providing the data.

Finally, a fifth defense was independent of all the others. The directive allows transfers of personal data to an “inadequate” jurisdiction when the data concerns someone who “has given his consent unambiguously to the proposed transfer.”  So if push came to shove, the airlines could simply tell customers that their information was required by the U.S. government and get their consent. Most of them would give it willingly; those who did not could take their vacations elsewhere.

Those were a lot of defenses. And even if they all failed, the worst that could happen to an airline was that it might lose a case and face a fine. Since it could also be fined for not complying with U.S. law, the airline would be faced with two inconsistent orders from two different governments.

That’s not good, but it wasn’t necessarily a reason for the United States to back down. The Europeans wouldn’t want to put their airlines in that pickle either. Yet somehow DHS had been persuaded to rebuild the wall just to avoid the possibility that some day an airline would face such a choice.

It sounded like a bad deal to me.

“You know,” I broke in, “you shouldn’t push your luck. If I’d been here last year, DHS never would have signed that agreement.”

The room went silent. This wasn’t in the script.

But Faull did not back off. On he went, dwelling on our minor failings and demanding assurances that seemed to go beyond what the agreement required. The longer he talked, the deeper my conviction grew.

This was a bad deal. We needed to get out.

But why spend time on this issue now? I wondered. I don’t like the deal, but it’s done. It still has years to run. The Europeans should put it in the win column, I thought, and move on.

The Europeans, it turned out, couldn’t let it go because they didn’t see it as a win. Indeed, the European Commission’s negotiator had been reassigned (some said fired) because the European side thought that the final deal was too easy on the United States. The whole arrangement was still under fire in Brussels. It had become tied up in Brussels’s institutional politics. Traditionally, the EU has been run by the European Commission, Europe’s executive branch. In fact, for years there was no legislative branch at all. The institution was not taken seriously until the late 1990s, when a revolt in Parliament forced the resignation of an entire commission.

Now the European Parliament was flexing its muscles, and the airline reservation conflict was tailor-made for legislative grandstanding. The European Parliament had played no part in the negotiations, so the parliament found it easy to say that the commission could have gotten a better deal. That view was shared by a committee of the European Union’s data protection commissioners—the continent’s top privacy bureaucrats. They too were sure that the commission could have extracted more concessions from the United States.

If the best deals are the ones where everyone ends up unhappy, the negotiators of this one had done a superb job. DHS’s leadership abhorred it; we couldn’t wait for it to expire.

And most of Brussels held the same view.

Both sides thought they could do better if they tore up the agreement and started again from scratch. If the European Court of Justice ruled against the deal, we were going to get our wish.

We couldn’t both be right, of course. One of us had miscalculated. Badly.