An agreement sheltering airlines from European privacy laws, allowing them to hand over passenger data required by US authorities, expired on Saturday, leaving most European airlines in legal limbo.
No disruption to flights has been reported so far. However, if the legal void remains for more than a week or so, airlines face being sued by individuals or groups in Europe, said Chris Kuner, a data protection specialist with the law firm Hunton & Williams.
In the wake of the terrorist attacks on 11 September 2001, US authorities demanded that airlines hand over passenger information covered by EU (European Union) data protection legislation. Airlines faced prosecution in the EU if they delivered the data, or fines in the US if they didn't.
An agreement struck between the EU and US in 2003 protected airlines from being sued for sharing the information, which includes names, addresses and credit card details. However, Europe's top court overturned the agreement in May and said it would become legally void at the end of September.
Efforts to negotiate a replacement agreement intensified throughout the month, but despite assurances of progress from both sides, the talks ended in impasse on Saturday, as the deadline passed.
As talks broke up, US secretary for homeland security Michael Chertoff made a draft proposal that European officials said may be discussed at a meeting of European justice ministers in Luxembourg on Friday. The EC (European Commission) hopes an agreement will be reached that day.
British Airways said that an Air Navigation Order issued by the UK government protects it legally in the absence of a new agreement. "The order from the government supercedes European data protection laws," said spokesman Richard Goodfellow.
Air France SA spokeswoman Veronique Brachet said that although she was unaware of the French government issuing a similar order, her company would continue to supply the data to US authorities and foresaw no disruption to its transatlantic flights.
"The EC has said we can fly to the US, so I see no problem," she said.
Karim Retzer, a data protection specialist at the law firm Morrison & Foerster, said airlines are unlikely to be sued.
But Chris Kuner warned that if the legal situation isn't resolved swiftly, there is a danger that European data protection authorities will be forced to take action against the airlines.
"The EC will probably ask the national DPAs [data protection authorities] not to take action, and will assure them that a new agreement is imminent, but if they fail to secure a new agreement within a week or so, there is a very real risk that a privacy group or even an individual passenger may lodge a formal complaint. This would force the DPA to take action," Kuner said.
If a complaint was lodged then the DPA would order the airlines to withhold the information from US authorities. If the airline obeyed then it would face fines of up to $6,000 (about £3,200) per passenger in the US, and the possible withdrawal of landing rights there.
Kuner said he was surprised by the failure to renegotiate the original agreement in time for the deadline at the end of September. "We were given the impression that it was simply a matter of changing the legal basis of the first agreement, and that no attempts to change the substance of the deal would be made," he said.
However, last month Chertoff said the original agreement obstructed his efforts to maintain a high level of security. The agreement allowed for 34 categories of information to be handed over. The US has been pushing to increase this number during the negotiations over the past month.
"Chertoff is in a much stronger position to negotiate," Kuner said. "He doesn't face any legal issues in the US, so he doesn't feel the same pressure to reach an agreement that his European counterparts feel."