Strange how this fight turned out, considering the position of the EU authorities:
The European Parliament argued that the US did not guarantee adequate levels of data protection and that handing over the data violated passengers’ privacy.
It asked the European Court of Justice to annul the deal.
However, the court did not consider the privacy argument in its ruling, and confined itself to examing the legal basis of the data transfer.
It said the EU Data Protection Directive, on which the Council of the European Union and the European Commission based their actions did not apply to data collected for security purposes.
Really? Does that mean if you are an official entity collecting EU citizen data for “security purposes” you can handle it as you wish, without need to prove reasonable controls are in place? This seems highly counterintuitive. Must be something missing in the report that details of the ruling would clarify.