The office of the EDPS has said that the judgment has stripped EU citizens of data protection when it comes to criminal and security matters. The ruling had seemed a victory for data protection activists, but the principal legal basis of the decision creates a "loophole", according to the EDPS.
"The judgment seems to have created a loophole in the protection of European citizens whereby their data are used for law enforcement purposes," said European data Protection Supervisor Peter Hustinx.
In the aftermath of the 11th September 2001 terrorist attacks on the US, airport security in the US was tightened significantly. Airlines were required to hand over 34 pieces of data on each passenger travelling from Europe, initially apparently in breach of the 1995 EU Data Protection Directive.
In 2004, though, the European Commission agreed a deal that saw the information pass only to the US Bureau of Customs and Border Protection, having been satisfied that the 'adequate protection' of the data demanded by the Directive had been assured.
The ECJ has just ruled that though the Directive does apply to the transfer of data for commercial reasons, it does not apply to the transfer in the context of criminal offences or state security. The agreement, the ECJ ruled, was therefore illegal and must be re-framed before the end of September.
The EDPS argues that if the Directive does not apply in criminal or security contexts, then data is currently unprotected when it comes to police matters.
"It seems to create a loophole in the protection of the European citizen since it is no longer assured that data collected for commercial purposes but used by police are protected by the data protection directive," said an EDPS statement.
"Data is collected from you when buying a plane ticket. If that data is then passed to the US Bureau of Customs and Border Protection then the ruling now says that that does not fall within the protection of the Data Protection Directive," said a source in the EDPS office.
There is currently a proposal on a Framework for Data Protection in the Third Pillar, which will deal with justice and home affairs, but its implementation has not so far been agreed. "We would like to see it adopted as soon as possible," said the source in the EDPS office. "But it is not advancing very well in Council."