Navigation path

Left navigation

Additional tools

CJE/06/46

30. May 2006

Press and Information

PRESS RELEASE No 46/06

30 May 2006

Judgment of the Court of Justice in Joined Cases C-317/04 and C-318/04

European Parliament v Council of the European Union
and European Parliament v Commission of the European Communities

The Court annuls the Council decision concerning the conclusion of an agreement between the European Community and the United States of America on the processing and transfer of personal data and the commission decision on the adequate protection of those data

Neither the Commission decision finding that the data are adequately protected by the United States nor the Council decision approving the conclusion of an agreement on their transfer to that country are founded on an appropriate legal basis

Following the terrorist attacks of 11 September 2001, the United States passed legislation providing that air carriers operating flights to, from or across United States territory have to provide the United States authorities with electronic access to the data contained in their reservation and departure control systems, called ‘Passenger Name Records’ (PNR).

Since the Commission considered that those provisions could come into conflict with Community legislation and that of the Member States on data protection, it entered into negotiations with the United States authorities. Following those negotiations the Commission adopted, on 14 May 2004, a decision[1] (the decision on adequacy) finding that the United States Bureau of Customs and Border Protection (CBP) ensures an adequate level of protection for PNR data transferred from the Community.

On 17 May 2004, the Council adopted a decision[2] approving the conclusion of an agreement between the European Community and the United States on the processing and transfer of PNR data by air carriers established in Member States of the Community to CBP. That agreement was signed in Washington on 28 May 2004 and entered into force on the same day.

The European Parliament applied to the Court of Justice of the European Communities for annulment of the Council decision (Case C-317/04) and of the decision on adequacy (Case C-318/04), contending, in particular, that adoption of the decision on adequacy was ultra vires, that Article 95 EC[3] does not constitute an appropriate legal basis for the decision approving the conclusion of the agreement and, in both cases, that fundamental rights have been infringed.

The European Data Protection Supervisor intervened in support of the Parliament in both cases, the first intervention before the Court by that authority since its establishment.

In today’s judgment, the Court has annulled both decisions.

The decision on adequacy

The Court examined, first of all, whether the Commission could validly adopt the decision on adequacy on the basis of Directive 95/46/EC[4]. It noted that Article 3(2) of the directive excludes from the directive’s scope the processing of personal data in the course of an activity which falls outside the scope of Community law and, under any circumstances, processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law.

According to the decision on adequacy, the requirements for the transfer of data are based on United States legislation concerning, amongst other matters, the enhancement of security, the Community is fully committed to supporting the United States in the fight against terrorism and PNR data will be used strictly for purposes of preventing and combating terrorism and related crimes, and other serious crimes, including organised crime. Therefore, the transfer of PNR data to CBP constitutes processing operations concerning public security and the activities of the State in areas of criminal law.

While the view may rightly be taken that PNR data are initially collected by airlines in the course of an activity which falls within the scope of Community law, namely sale of an aeroplane ticket which provides entitlement to a supply of services, the data processing which is taken into account in the decision on adequacy is, however, quite different in nature. That decision concerns not data processing necessary for a supply of services, but data processing regarded as necessary for safeguarding public security and for lawenforcement purposes.

The fact that the PNR data have been collected by private operators for commercial purposes and it is they who arrange for transfer of the data to a non-member State does not prevent that transfer from being regarded as data processing that is excluded from the directive’s scope. The transfer falls within a framework established by the public authorities that relates to public security.

The Court thus concluded that the decision on adequacy does not fall within the scope of the directive because it concerns processing of personal data that is excluded from the scope of the directive. Consequently, the Court annulled the decision on adequacy. The Court added that it was no longer necessary to consider the other pleas relied upon by the Parliament.

The Council decision

The Court found that Article 95 EC, read in conjunction with Article 25 of the directive[5], cannot justify Community competence to conclude the Agreement with the United States that is at issue. This agreement relates to the same transfer of data as the decision on adequacy and therefore to data processing operations which are excluded from the scope of the directive. Consequently, the Court annulled the Council decision approving the conclusion of the agreement and did not consider it necessary to consider the other pleas relied upon by the Parliament.

Limitation of the effects of the judgment

Since the agreement remains applicable for a period of 90 days from notification of its termination, the Court decided, for reasons of legal certainty and in order to protect the persons concerned, to preserve the effect of the decision on adequacy until 30 September 2006.

Unofficial document for media use, not binding on the Court of Justice.
Languages available: all
The full text of the judgment may be found on the Court’s internet site
http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&Submit=rechercher&numaff=C-317/04
It can usually be consulted after midday (CET) on the day judgment is delivered.
For further information, please contact Christopher Fretwell
Tel: (00352) 4303 3355 Fax: (00352) 4303 2731
Pictures of the delivery of the judgment are available on EbS “Europe by Satellite”,
a service provided by the European Commission, Directorate-General Press and Communications,
L-2920 Luxembourg, Tel: (00352) 4301 35177 Fax: (00352) 4301 35249
or B-1049 Brussels, Tel: (0032) 2 2964106 Fax: (0032) 2 2965956


[1] Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States Bureau of Customs and Border Protection (OJ 2004 L 235, p. 11).
[2] Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (OJ 2004 L 183, p. 83, and corrigendum at OJ 2005 L 255, p. 168).
[3] This article relates to the adoption of measures for the harmonisation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market.
[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
[5] This article forms part of Chapter IV of the directive concerning the transfer of personal data to non-member States.


Side Bar