On August 10, 2006, London police successfully stopped a group of terrorists plotting to use liquid explosives to bomb nine planes flying from the United Kingdom to the United States.1 The plotters had hoped to set off these explosives mid-flight, killing an estimated 2,700 passengers.2 Several weeks after the arrests, U.S. Department of Homeland Security Secretary Michael Chertoff wrote an op-ed in the Washington Post in which he claimed that these terrorist plots failed "precisely because of timely, actionable intelligence, properly shared and acted upon before the terrorists could carry out their plans."3 He noted that one investigative resource essential to continued success in this area was passenger name record (PNR) data, information, gathered by airlines and travel agencies, which include such valuable clues as "travel itineraries and payment details."4 Chertoff then lamented that despite agreements with European partners, the United States remained "handcuffed in our ability to use all available resources to identify threats and stop terrorists."5
Chertoff s comments were well-timed since only two months earlier the European Court of Justice (ECJ) had struck down the 2004 agreement between the European Union and the United States regarding the processing and transfer of passenger name record data (2004 PNR Agreement) .6 While Chertoff sought a new agreement that would free the U.S. Department of Homeland Security (DHS) from bothersome data privacy protections, his E.U. counterparts confronted very different concerns regarding the new accord. These concerns were due in part to the increasing outcry among European citizens over the United States' perceived mishandling of personal data. Such concerns about privacy, however, paled in comparison to the more fundamental questions of structural authority that arose out of the ECJ's decision to invalidate the agreement.
Signed in 1992, the Treaty on European Union (TEU) established the legal framework of the European Union as it exists today.7 This framework grants the European Union authority to act in three distinct areas of competence, or "pillars."8 Each pillar delineates a set of policy areas over which the European Union has authority, and each creates a unique set of procedures for governmental action. The First Pillar grants the European Union authority to regulate commercial and economic affairs.9 The Second Pillar enables member states to cooperate in the area of foreign and security policy.10 The Third Pillar authorizes "common action among the Member States in the fields of police and judicial cooperation in criminal matters."11
As the institution charged with approving international agreements between the European Union and third countries, the Council of Europe claimed that the First Pillar - the pillar governing commercial and economic matters - granted them the authority to conclude the 2004 PNR Agreement.12 The Council's rival institution within the E.U. governmental structure, the European Parliament, felt that the agreement was inadequate, both procedurally and substantively, and, in response, brought an action in the ECJ challenging the 2004 PNR Agreement on four grounds, including that the Council lacked the authority under the First Pillar to make the agreement, and that the agreement infringed on fundamental rights of privacy.13 On May 30, 2006, the ECJ announced its decision to invalidate the 2004 PNR Agreement.14 Surprisingly, its opinion ignored the issue of privacy rights altogether, and instead focused on the more fundamental issue of the European Union's authority to enter into such an agreement in the first place. In its opinion, the ECJ held that the European Union's power to regulate commercial affairs did not enable it to make such agreements.15 Essentially, the ECJ said that if E. U. officials wanted to enter into a valid PNR agreement with the United States, they would have to find another source of authority. …