UPDATE: Transatlantic Turbulence – The European Union and United States Debate Over Passenger Data

Update by Sabrina Sondhi

Sabrina Sondhi is the Director of the H. Laddie Montague, Jr. Law Library at Penn State Dickinson Law. She received her J.D. from Cornell Law School and her M.L.I.S. from the University of Washington. She would like to thank her former research assistant Benjamin Sugarman (Cornell J.D. 2023) for his assistance editing this article.

Note: This article takes the form of an annotated outline and is intended to serve as a starting point for exploring the legal issues raised by the PNR debate (passenger flight manifests and other passenger data commonly referred to as PNR data). The guide includes references to the relevant statutory materials, government documentation, legal scholarship, and pertinent news.

Published May/June 2022

(Previously updated in March 2014 and September 2016)

1. Introduction

The notion that the September 11, 2001 (“9/11”) terrorist attacks dramatically changed America is uncontestable. Years after the fall of the twin towers, the effects of the attacks (and more recent terror attacks in Europe) are prevalent in our daily lives: national security has proven to be a decisive issue in presidential elections,[1] and debates on immigration reform continue to dominate conversations.[2] More importantly, however, the attacks have forced citizens to barter civil liberties for increased domestic security.[3]

While these tradeoffs have been highly contentious, the period immediately following the attacks produced an environment of swelling national unity.[4] This newfound cooperative spirit facilitated the swift passage of broad, sweeping legislation to address the nation’s security concerns.[5] However, numerous critics voiced concerns at the breadth of the anti-terrorism legislation and argued that it posed a threat to civil liberties. The broadest and most controversial enactment of the post-9/11 era is the Uniting and Strengthening America by Providing Appropriate Tools Required to Obstruct Terrorism Act (“USA Patriot Act”).[6] The Patriot Act greatly expanded federal law enforcement agents’ power to combat terrorism. Specifically, the Act broadened federal agents’ authority to wiretap and seize personal documents including phone bills, emails, business files, and even library records. The Act was the primary battleground in the domestic order vs. liberty debate.[7] The Patriot Act expired in 2015 and was replaced a day later with the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (“USA FREEDOM Act of 2015”).[8] The USA FREEDOM Act reinstated several Patriot Act provisions and modified others.[9]

The Patriot Act, however, is only one of a series of laws enacted after the 9/11 attacks to bolster domestic security.[10] It is also, regrettably, not the only one that poses grave threats to civil liberties. Though the Patriot Act is rarely cited as an example of legislative restraint, it was signed into law almost two months after the attacks. Congress responded much more swiftly, however, with legislation aimed at revamping the federal aviation security legislative framework and protecting the tattered airline industry from further harm. A mere two weeks after the attacks, Congress enacted the Air Transportation Safety and System Stabilization Act (ATSSSA), and in the following months the Aviation and Transportation Security Act (ATSA) was signed into law.[11] The ATSSSA provided airlines with access to substantial short-term funding in the form of loans and grants and established a Victims Compensation Fund for individuals injured in the attacks and for the survivors of those who were killed.[12] The ATSA authorizes the creation of the Transportation and Security Administration and charges this new federal agency with developing new aviation security procedures and guidelines. The ATSA further mandates that airlines traveling to or from the United States provide passenger flight manifests and other passenger data (commonly referred to as PNR data) including passengers’ names, credit card information, and even meal preferences to the Bureau of Customs and Border Protection (CBP).[13]

Airlines failing to comply with the ATSA’s disclosure requirements face stiff monetary fines and the possibility of losing landing privileges at US airports.[14] Because Europeans are the largest single group of foreign travelers to the US, CBP focused on securing European airlines’ compliance with the new rules.[15] This proved to be more difficult than expected because the ATSA’s disclosure requirements squarely conflict with the European Union Directive 95/46 regarding data privacy and implementing laws of the member states.[16] Indeed, the EU representatives recognized and valued the underlying goals of the US’s anti-terrorism legislation, but nonetheless insisted on compatibility with European laws.[17] As such, the European Commission embarked on what would become a two-year negotiation with CBP officials to arrive at an agreement which would clarify the disclosure requirements for European airlines while ensuring compliance with EU law.[18] After close to two years of negotiations with the CBP, the European Commission arrived at a three-part resolution: a set of Undertakings adopted by CBP,[19] an adequacy determination by the Commission,[20] and the actual agreement between the Commission and CBP.[21] The Commission’s solution was not well received by European civil liberties groups.

Seemingly fueled by the outcry from privacy protection interest groups and Working Party 29’s adverse report on the Undertakings, the European Parliament challenged the legal validity of the agreement in a complaint filed with the European Court of Justice (ECJ). The Parliament’s protest about data protection inadequacy was somewhat sidestepped by the ECJ. The Court found, on somewhat of a technicality, that the Commission did not have the authority to come to an agreement regarding the transfer of PNR data.[22] The Court stated that though the agreement was based on the Data Protection Directive, under the EU’s First Pillar (which governs social and economic policies),[23] the agreement with the US should have fallen into the authority of the Third Pillar—which governs criminal matters.[24] The agreement was subsequently annulled. Attempts at renegotiation between the US and the EU regarding PNR data continued but failed to meet the October 1, 2006 deadline imposed by the ECJ to arrive at a new agreement.[25] However, days later on October 6, a “temporary arrangement” lasting until July 31, 2007 was agreed upon.[26] The new agreement has already drawn much of the same criticism that inundated the previous agreement and will undoubtedly need further negotiations and revisions.[27] A new EU-US Passenger Name Record agreement was proposed in 2011 and adopted in 2012.[28] The United Kingdom opted into the EU-US PNR agreement in 2012.[29] In 2015, the European Council approved a compromise text with the European Parliament on an EU PNR directive.[30]

The revelation in 2013 that the National Security Agency (NSA) had conducted vast surveillance operations on foreign citizens and governments has impacted relations between the U.S. and several European countries.[31] This could have an effect on future data transfer agreements.[32]

2. EU Data Privacy

2.1. History and Background

Sources:

2.2. Organization for Economic Cooperation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

The Organization for Economic Cooperation and Development is an international body whose mission is to coordinate and develop international economic, social, and environmental policies. The Guidelines were formulated to harmonize privacy legislation while ensuring the uninterrupted flow of data.

Sources:

2.3. Council of Europe's 1981 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data

The objective of the Convention is to strengthen legal protections of individuals with regard to their personal data. A modernized version of the Convention was adopted in 2018; see the text and a factsheet.

Sources:

2.4. Directive 95/46/EC

The EU Data Protection Directive became effective in 1998. Directives enact EU policy objectives. “They require member states to enact or change relevant national law to achieve those objectives while allowing enough flexibility to retain national legal traditions. Therefore, directives are the most prevalent form of EU law.” Nancy J. King & Brian J. King, Creating Incentives for Sustainable Buildings: A Comparative Law Approach Featuring the United States and the European Union, 23 Va. Envtl. L.J. 397 (2005). In 2012 the European Commission revealed a draft of a European Protection Regulation to replace the Data Protection Directive. In April 2016, the Council and Parliament adopted a new Regulation and Directive on Data Protection. The official texts were published on May 4, 2016.

Sources:

Effect on International Relations

2.5. Directive 2002/58/EC

The 2002 EU E-Privacy Directive seeks to protect the privacy rights of individuals with respect to personal data processing in the electronic communication sector. In April 2016, the European Commission launched a public consultation to evaluate and review the E-Privacy Directive.

Sources:

2.6. EU Directive on Passenger Name Record (PNR)

In April 2016, the European Union adopted an EU Passenger Name Record (PNR) directive first proposed in 2011. The 2011 EU PNR proposal was rejected in 2013. The proposal was debated again in 2014 but took on additional importance following several terror attacks in Europe. See the European Parliament, EU Passenger Name Record (PNR) Proposal: An Overview, European Parliament News (updated June 7, 2016) (Internet Archives, accessed June 2022). Similar to the US PNR data collection requirements, the EU PNR directive requires air carriers to provide member states with PNR data for flights entering or leaving the EU.

Sources:

2.7. General Data Protection Regulation (GDPR)

Originally proposed in 2012, the General Data Protection Regulation entered into force on May 25, 2018 and governs the collection, processing, and erasure of personal data. The law officially replaces the EU’s Data Protection Directive and aims to create a more unified data protection regime. Advocates of the GDPR view it as strengthening citizens’ control over their personal data and further empowering member-state supervisory authorities.

Sources

3. Data Privacy in the United States

3.1. History and Background of Data Privacy

3.2. Freedom of Information Act of 1966

The Freedom of Information Act (FOIA) is a federal statute that provides individuals with the right to request access to federal agency records. The FOIA was amended by the Electronic Freedom of Information Act Amendments of 1996 (E-FOIA). E-FOIA grants the public access to government documents via computer communications.

Sources

3.3. Privacy Act of 1974

The Privacy Act attempts to “regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies.”

Sources

4. The US Anti-Terror Legislation and the Resulting PNR Debate

4.1. Domestic Security

Homeland Security Act of 2002: The Homeland Security Act (HSA) of 2002 consolidated many of the federal agencies responsible for border and transportation security into a single department, the Department of Homeland Security (DHS). The principal sub-departments of DHS include the Transportation Security Agency (TSA), Immigration and Customs Enforcement (ICE), and the Bureau of Customs and Border Protection (CBP). The CBP, in turn, includes the inspections service of the former Immigration and Naturalization Services (INS), the U.S. Border Patrol, the inspections service of the U.S. Customs Service, and the border-related inspection programs of the Animal and Plant Health Inspection Service (APHIS).

Sources

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001: The USA Patriot Act was enacted shortly after the September 11, 2001 terrorist attacks to provide the federal government with increased authority to track and intercept communications, both for law enforcement and foreign intelligence gathering purposes. The Act empowers the US Secretary of Treasury to investigate and prosecute U.S. financial institutions for foreign money laundering. The Act creates new crimes and penalties and provides for more efficient procedures to combat terrorist threats. The Act has been widely criticized by civil rights groups and has been welcomed and appreciated by law enforcement. See George Anastaplo, September Eleventh, the ABC'S of a Citizen’s Responses: Explorations, 29 Okla. City U. L. Rev. 165, 342 (2004).

Sources

Legislative History: The USA Patriot Act has a short legislative history. It was introduced shortly after the September 11, 2001 terrorist attacks and was signed into law on October 26, 2001.

Support for the Patriot Act

Critiques of the Patriot Act

Enhanced Border Security and Visa Entry Reform Act of 2002: The Act was passed to improve the federal government’s ability to screen aliens seeking to enter the U.S., facilitate the sharing of border-related information among U.S. agencies, and improve efforts to keep track of foreign students and foreign exchange visitors in the United States.

Sources:

Maritime Transportation Security Act of 2002: “Requires vessels and port facilities to conduct vulnerability assessments and develop security plans that may include passenger, vehicle and baggage screening procedures; security patrols; establishing restricted areas; personnel identification procedures; access control measures; and/or installation of surveillance equipment. By creating a consistent security program for all our nation’s ports, we are better able to identify and deter threats.”

“Also required the establishment of committees in all the nation’s ports to coordinate the activities of all port stakeholders, including other federal, local and state agencies, industry and the boating public. These groups, called Area Maritime Security Committees, are tasked with collaborating on plans to secure their ports so that the resources of an area can be best used to deter, prevent and respond to terror threats.” Maritime Transportation Security Act of 2002, Pub. L. No. 107-295 (Nov. 25, 2002).

Sources

Information Awareness Office: The Information Awareness Office was established by the Defense Advanced Research Projects Agency (DARPA) in January 2002, and began funding the development of the now defunct Total Information Awareness program, subsequently renamed the Terrorism Information Awareness program. The TIA program researched tracking and storing personal information of millions of Americans to identify potential terrorists. The prospect of mass “dataveillance” brought about criticisms and concerns that the TIA violated civil liberties and the right to privacy.

Sources

4.2. US Aviation Legislation

Air Commerce Act: The Air Commerce Act of 1926 was some of the earliest federal legislation designed to ensure aviation safety.

Sources

Federal Aviation Act: The Federal Aviation Act was created in 1958 and established the Federal Aviation Administration to centralize governance of air transport.

Sources

Aviation and Transportation Security Act: “Establishes the Transportation Security Administration (TSA) and allows for enhanced security screening at U.S. airports, as well as the authority to place federal air marshals on U.S. flights.” See Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71 (Nov. 19, 2001).

Sources

Air Transportation Safety and System Stabilization Act: Provides airlines up to $10 billion in loans and $5 billion in grants to compensate for losses due to the attacks on September 11, 2001. Establishes an Air Transportation Stabilization Board to administer loans. Establishes compensation program for individuals who were killed or injured from the attacks on September 11, 2001, and their survivors.

Sources

Computer Assisted Passenger Screening (CAPS): CAPS, a now defunct security system, was an automated procedure that analyzed information contained in airline passenger records to determine whether passengers posed a security threat. The system assessed data contained in passenger records based on criteria developed by the FAA Office of Civil Aviation Security Intelligence. CAPS separated airline passengers into two groups, high risk and low risk. Most of the profile criteria were never disclosed. However, many of the criteria the system used were determined through analysis of public records. “It is likely that CAPS profiles take at least some of the following factors into account: passenger's address; method of ticket purchase; when the ticket was purchased; travel companions; rental car status; departure date; flight destination and origin; passenger destination; and the round trip or one-way nature of the ticket. The carry-on and checked bags of high-risk passengers (called selectees in airline security parlance) are subjected to additional security measures. Northwest Airlines began the development of the CAPS system in 1994. Development efforts intensified after a TWA flight mysteriously crashed; investigators’ initial (erroneous) belief that a bomb was involved spurred a renewed focus on developing the CAPS system. Armed with a grant from the FAA, Northwest Airlines completed the initial development of CAPS in 1996. The FAA then modified CAPS into CAPPS and, in 1997, CAPPS technology was offered to airlines by the FAA for voluntary adoption” (Nat’l Materials Advisory Bd., Comm’n on Eng’g & Technical Sys., & Nat’l Research Council, Assessment of Technologies Deployed to Improve Aviation Security: First Report, National Academy Press 1999) [free PDF download].

Computer-Assisted Passenger Prescreening System (CAPPS II): After the September 11, 2001 terrorist attacks, the national focus on aviation security dramatically increased. As such, Congress passed the Aviation and Transportation Security Act and the Air Transportation Safety and System Stabilization Act, both of which brought airport screening services under federal control. In early 2003, under the authority of §136 of the ATSA, the TSA mandated the creation and implementation of CAPPS II. CAPPS II was designed to replace the then-current, limited CAPS system, which was not widely used; in the cases where it was being used, it was limited to checked luggage screening instead of serving as grounds upon which aviation security officials could subject travelers to questioning and personal searches. See Paul Rosenzweig, Civil Liberty and the Response to Terrorism, 42 Duq. L. Rev. 663 (2004).

“CAPPS II was designed to match a passenger’s identity with a databases record to provide a real time risk assessment. If it had been implemented as originally designed, CAPPS II would place travelers in one of three categories: (1) Green which indicated a low risk passenger; (2) Yellow, because the passenger is ‘potentially untrustworthy’ or they may be a risk, further investigation is required wherein, depending on the outcome of the investigation, either they would be allowed to board the aircraft or precluded from flying. (3) Red denoted the passenger is ‘untrustworthy’ and therefore a risk to the aircraft, wherein law enforcement would be notified and the person would be detained or arrested.” See Stephen W. Dummer, Comment, Secure Flight and Data Veillance, a New Type of Civil Liberties Erosion: Stripping Your Rights When You Don't Even Know It, 75 Miss. L.J. 583 (2006).

CAPPS II faced arguably more opposition than the original CAPS program. As a result, the White House cancelled the program and ultimately replaced it with Secure Flight.

Sources Critical of CAPPS II

Sources Supporting CAPPS II and Passenger Profiling

4.3. PNR (Passenger Name Record) Dispute

One of the areas in which the conflict between the Department of Homeland Security and the European Privacy Directive is most obvious is the handling of PNR data. The U.S. Customs and Border Protection Bureau requires airlines to transfer passenger data in order to prevent terrorism. However, the EU does not believe that the United States has the “adequate level of protection” as outlined in Directive 95/46/EC for handling personal data. An updated Agreement Between the United States of America and the European Union on the Use and Transfer of Passenger Name Records to the United States Department of Homeland Security was signed in 2011.

Sources

US Perspective on Collection of PNR Data

EU Perspective on US Privacy Standards

5. Parliament’s Challenge and the Resulting ECJ Decision

The European Parliament strongly objected to the transfer of Passenger Name Record (PNR) data to U.S. Customs claiming that it infringed on the rights to privacy of European citizens and that the US did not have adequate data protection standards. The ECJ found for the Parliament and annulled the agreement, but not based on privacy concerns. Instead, the ECJ held that the Commission did not legally have the authority to come to the PNR agreement in the first place.

Sources

6. Potential Models for a Global Agreement on Data Privacy

A fundamental question in developing global agreements on data privacy is whether the issue is most efficiently negotiated and resolved through a large multilateral agreement or whether a series of tailored bilateral agreements is a more appropriate solution. A thorough analysis of this threshold issue is vital to developing a form of agreement that has longevity, acceptance, and effectiveness. Evaluating potential structures in which a data privacy agreement could be implemented is facilitated by reviewing the success and shortcomings of structures used in the past.

Sources

6.1. Multilateral Models

6.2. Bilateral Models: Tax, Investment, and Anti-Trust Agreements


[1] See, e.g., Marc Sandalow, Both Parties Make North Korea Policy an Issue, San Francisco Chronicle, Oct. 11, 2006, at A1, https://www.sfchronicle.com/politics/article/Both-parties-make-North-Korea-policy-an-issue-2486129.php (noting that the presidential candidates’ stances on national security will prove to be a significant issue in the 2008 election). Peter Nicholas & Beth Reinhard, The Attacks in Paris: Tragedy Could Shake 2016 Race, Wall Street Journal, Nov. 16, 2015, at A.12 (noting terrorist attacks in Europe could make national security an issue in the US presidential race). Elena Moore, Trump’s And Biden’s Plans for National Security, NPR (Oct. 16, 2020, 8:00 AM), https://www.npr.org/2020/10/16/921662762/trumps-and-biden-s-plans-for-national-security.

[2] See, e.g., Jenna Johnson & David Weigel, Donald Trump calls for ‘total’ ban on Muslims entering United States, The Washington Post, Dec. 8, 2015, https://www.washingtonpost.com/politics/2015/12/07/e56266f6-9d2b-11e5-8728-1af6af208198_story.html (observing that immigration and anti-Muslim sentiment is playing a key role in the presidential election after recent terror attacks in Europe).

[3] See, e.g., David Cole, Enemy Aliens, 54 Stan. L. Rev. 953, 955 (2002) (noting that "[i]n the wake of September 11, we plainly need to rethink the balance between liberty and security.") (2005); Mathieu Deflem & Shannon McDonough, The Fear of Counterterrorism: Surveillance and Civil Liberties Since 9/11, 52 Society 70 (2015), https://link.springer.com/article/10.1007/s12115-014-9855-1.

[4] See, e.g., Governor George Pataki, How We Should Remember September 11, Time, Sept. 6, 2006, available at http://content.time.com/time/nation/article/0,8599,1533418,00.html (recalling the atmosphere of togetherness following the September 11th attacks).

[5] See Frederic Block, Civil Liberties During National Emergencies: The Interactions Between the Three Branches of Government in Coping with Past and Current Threats to the Nation's Security, 29 N.Y.U. Rev. L. & Soc. Change 459, 476-77 (2005), https://socialchangenyu.com/wp-content/uploads/2017/12/FREDERIC-BLOCK_RLSC_29.3.pdf (noting that the post-September 11 political climate facilitated the enactment of a wide array of anti-terrorism measures). See generally Richard P. Campbell, America Acts: Swift Legislative Responses to the September 11 Attacks, 69 Def. Couns. J. 139 (2002), https://law-journals-books.vlex.com/vid/swift-responses-stabilize-strengthen-54481268 (documenting legislative efforts to protect the airline industry from economic and legal harm).

[6] See Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) of 2001, Pub. L. No. 107-56, 115 Stat. 272 (codified in various, separate sections of the U.S.C.).

[7] See generally Erwin Chemerinsky, Civil Liberties and the War on Terrorism, Washburn L.J. (criticizing the executive and legislative responses to the September 11th terrorist attacks). See also Stephen J. Schulhofer, Rethinking the Patriot Act: Keeping America Safe and Free (2005) (arguing that several of the Patriot Act’s provisions do not supply adequate safeguards for civil liberties); Kevin Bankston & Megan E. Gray, Government Surveillance and Data Privacy Issues: Foundations and Developments, 3 NO. 8 PRIVACY & INFO. L. REP. 1 (asserting that the legislature was hasty in enacting the Patriot Act and did not provide sufficient protections for civil liberties).

[8] Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act of 2015), Pub.L. No. 114-23, 129 Stat. 268.

[9] Julian Hattem, Obama Signs NSA Bill, Renewing Patriot Act Powers, The Hill (June 2, 2015)

[10] See, e.g., Homeland Security Act of 2002 (provides for the federalization of the agencies responsible for border and transportation security into a single department, the Department of Homeland Security (DHS). The principal sub-departments of DHS include: Transportation Security Agency (TSA), Immigration and Customs Enforcement (ICE), and Bureau of Customs and Border Protection (CBP)); Enhanced Border Security and Visa Entry Reform Act of 2002 – Pub. L. No. 107-173, 116 Stat. 543 (passed to improve the government’s ability to screen aliens seeking to enter the US, improve cooperation and information sharing between US agencies, and to improve monitoring of foreign students and foreign exchange visitors in the United States); Maritime Transportation Security Act of 2002 (created a consistent security plan for domestic ports).

[11] Air Transportation Safety and System Stabilization Act, Pub. L. No. 107-42, 115 Stat. 230 (2001) (codified as amended in scattered sections of 49 U.S.C.); Aviation and Transportation Security Act, Pub. L. No. 107-71, 115 Stat. 597 (2001) (codified as amended in scattered sections of 49 U.S.C.). See Campbell, supra note 5 (analyzing the provisions of the ATSSSA and the ATSA).

[12] See Pub. L. No. 107-42, §101, §401.

[13] See 49 U.S.C.A. §44909(c) (2001) (requiring airlines to disclose passenger and crew names, date of birth, citizenship, gender, passport number and country of issuance, and other information that is “reasonably necessary to ensure aviation security”); 19 C.F.R. §12249b(a) (2003) (defining and interpreting terms of 49 U.S.C.A. §44909).

[14] See 19 C.F.R. §122.14(d)(4), 122.161.

[15] See Give us Those Data, The Economist, June 3, 2006 (observing that because Europeans form the biggest group of travelers to the United States, European compliance with the ATSA’s requirements was CBP’s primary focus).

[16] See generally Council Directive 95/46 EC, 1995 O.J. (L 281) 31.

[17] See Letter from Stefano Rodotà, Chairman, Article 29 Working Party, to Mr. Jorge Salvador Hernandez Mollar, Chairman Committee on Citizens' Freedoms and Rights, Justice and Home Affairs European Parliament (March 3, 2003), available at http://www.statewatch.org/news/2003/mar/art29ch.pdf (underscoring importance of counter terrorism legislation but emphasizing the need to ensure compliance with European laws).

[18] See Joint Statement, European Commission/U.S. Customs, Talks on PNR Transmission (Brussels, Feb. 17-18, 2003), available at https://ec.europa.eu/justice/article-29/press-material/press-release/art29_press_material/2003/declaration_en.pdf (recording European Commission and CBP’s intention to negotiate a framework for European airlines to comply with both ATSA’s requirements and the EU’s privacy directive).

[19] See 69 Fed. Reg. 131 (July 9, 2004) (outlining proposed uses of PNR data in compliance with EU law).

[20] Commission Decision, 2004/535/EC, 2004 O.J. (L 235) 11, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004D0535:EN:HTML (last visited Dec. 6, 2021) (concluding that the Undertakings provide an adequate level of protection).

[21] Council Decision 2004/496/EC, 2004 O.J. (L 183) 83, available at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004D0496:EN:HTML (last visited Dec. 6, 2021) (formalizing a bilateral agreement between the European Union and the US under which CBP would be permitted to access PNR data in accordance with its Undertakings).

[22] Francesca Bignami, European Court of Justice Strikes EU-US Agreement on PNR Data, May 31, 2006, available at https://web.archive.org/web/20060626101312/http:/www.concurringopinions.com/archives/2006/05/european_court.html.

[23] Id.

[24] EurLex, Treaty of Maastricht on European Union (Describing the Three Pillars of the European Union, namely: the Community pillar, corresponding to the three Communities: the European Community, the European Atomic Energy Community (Euratom) and the former European Coal and Steel Community (ECSC) (first pillar); the pillar devoted to the common foreign and security policy, which comes under Title V of the EU Treaty (second pillar); the pillar devoted to police and judicial cooperation in criminal matters, which comes under Title VI of the EU Treaty (third pillar)).

[25] Press Release, European Union: Delegation of the European Commission to the USA, Airline Passenger Data: European Commission Statement on Negotiations With the United States (Oct. 1, 2006), available at https://ec.europa.eu/commission/presscorner/detail/en/memo_06_360.

[26] Electronic Privacy Information Center, EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html. See Agreement Between the European Union and the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security, 2006 O.J. (L 298) 29, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2006:298:FULL&from=SL.

[27] See, e.g., Letter from Sophie in ‘t Veld, Rapporteur for the EU-U.S. Agreement on PNR, to Franco Frattini, European Union Vice-President and Commissioner (Oct. 10, 2006), available at https://www.statewatch.org/media/documents/news/2006/oct/eu-us-pnr-letter-to-commission.pdf (criticizing many aspects of the new agreement and highlighting inadequate review and research); EU-USA PNR Agreement Renegotiated to Meet US Demands - When the Law changes in the USA So Too Does Access to Data and How it is Processed, Statewatch News, available at http://www.statewatch.org/news/2006/oct/05eu-us-pnr-oct-0htm (criticizing the implicit lack of control of the new agreement that has no caveats for renegotiation if US law changes).

[28] Agreement between the United States of America and the European Union on the Use and Transfer of Passenger Name Records to the United States Department of Homeland Security, signed December 14, 2011, available at https://www.dhs.gov/sites/default/files/publications/privacy/Reports/dhsprivacy_PNR%20Agreement_12_14_2011.pdf.

[29] See Written Statement to Parliament, UK’s Opt-in to the EU PNR Agreement with the US available at https://www.gov.uk/government/speeches/uks-opt-in-to-the-eu-pnr-agreement-with-the-us.

[30] Proposal for a Directive of the Council and the European Parliament on the use of Passenger Name Record Data for the Prevention, Detection, Investigation, and Prosecution of Terrorist Offences and Serious Crime, 2011/0023 (COD).

[31] Nick Bryant, The Snowden Effect on US Diplomacy, BBC News, October 24, 2013, http://www.bbc.com/news/world-us-canada-24664045.

[32] Press Release, European Commission Calls on the U.S. to Restore Trust in EU-U.S. Data Flows, IP/13/1166 (November 27, 2013) available at https://ec.europa.eu/commission/presscorner/detail/en/IP_13_1166.