a. The Scope & Exemptions of Directive 95/46/EC
Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing and free movement of personal data (‘the Directive’) explicitly exempts (Art. 3(2)) from its scope all activities falling outside the range of EU Law. Such activities were traditionally classified under the former 2nd and 3rd EU Pillars (Craig & De Burca, 2003, pp. 44-52). At any case, they included data processing for the purposes of public order, defense, state security and criminal action. After Lisbon Treaty entering into force in Dec. 2009, such actions are still left virtually to their entirety to State regulation (Van Raepenbusch, 2008, pp. 461-463).
In the cases C-317/04 & C-318/04 (‘the PNR cases’), the European Court of Justice (‘ECJ’) ruled that the transfer of airline Passenger Name Records (PNRs) by airline carriers to the US Customs and Borders Control for the purposes of state security and crime prevention cannot be considered as an internal-market affair (thus not classified under the former First Pillar) but may fall under the exemption of Art. 3(2) of the Directive (pp. 54-59). The PNR cases encompass a strong political flair (De Leon, 2006, pp. 327-328) due to the important role assigned to the European Parliament in the decision-making yet provocatively set aside, in the end. The exemption of PNR data transfer from the level of data protection provided by the Directive creates precedent in favor of protecting state security (Sotiropoulos, 2006, p. 949).
Thus, member-states retain the power to regulate if and how the level of data protection provided by the Directive will be enforced in these sensitive areas of state action. Such discretion is in accordance with the notion and the economically-oriented purposes of the European legislator. Nevertheless, it leaves space for possible arbitrariness by the national legislator as well as it leads to the creation of heterogeneous data protection levels in the European area of security (Sicilianos, 2001, pp. 123-141). This may be pointed as one of the Directive’s main weaknesses (Robinson et al., 2009, pp. 36-38) since it leaves the member-states the freedom to regulate this field ad hoc boundlessly, while it extends its protective shield exclusively to internal market affairs. Greece did not adopt the above solution, but rather subjected the complete spectrum of personal data processing to the protective level provided by the Directive (Alivizatos, 2007), even in areas not originally covered by it.