It seems that the number of airlines and travel companies sharing passenger information with the Transportation Security Administration (TSA) for testing of the passenger screening program CAPPS II was more than was originally thought.

The EU parliament might like to throw that into the mix of their ECJ case against the Commission and Council of Ministers on the agreement to share EU passenger data with the US? No? Never mind. We saw how lively EU democracy is on software patents. Why should a little matter like handing over personal details of EU citizens to a foreign government (albeit a friendly one in this instance) give rise for concern? Well from my perspective the reason would be just to demonstrate a remote semblance of respectability of the institutions of the EU and their ability to answer basic questions related to the new constitution and its gaurantee of the charter of fundamental rights. Of course the agreement was concluded before the constitution (which, of course, may well fall apart depending on the results of national referenda). But even without the constitution the EU theoretically offers fundamental gaurantees on privacy which in the past have led to the brink of a trade war with the US, on the issue of how US companies would be required to handle data about European citizens flowing into the US.

In March 2000, after nearly two years of negotiations, the EU and the US reached a tentative agreement on the processing of personal data. The EU Data Protection Directive (Article 25) requires that personal data shall not be transferred to a country outside the EU unless that country "ensures an adequate level of protection." The Directive theoretically guarantees a high standard of personal data privacy for EU citizens. The US was considered by the EU to lack an adequate level of protection.

The negotiators were reportedly trying to work out a way for US companies to meet EU standards of privacy. The Europeans agreed to the Americans' proposed "safe harbour." US companies would sign up to this safe harbour by agreeing to follow certain restrictions on how they processed personal data. They would register with the US Department of Commerce and there would be "adequate enforcement" of the restrictions the companies agreed to. The US Commerce Secretary, William Daley, described the agreement as a "carefully constructed and well-implemented system of self-regulation" which could protect privacy rights.

Critics at the time accused the European negotiators of caving in, since self regulation by industry was what they were trying to avoid. Many EU nation states had not implemented the directive at the time of the negotiations, however. The US therefore had a legitimate complaint - how could they be expected to accept data flow restrictions required by EU law but not yet appropriately implemented there? The European Commission, at the time, was in the process of suing Germany, France, the Netherlands, Ireland and Luxembourg in the European court over their failure to implement the directive.

Critics of the agreement on transfer of passenger data have criticised Commissioner Bolkstein, not of caving in, but of deceit and underhand deals with the US in dark smoky rooms. On this occasion, I can understand the critics' point of view.