Data protection the fight against terrorism EU external

Data protection, the fight against terrorism & EU external relations Paul De Hert (Tilburg & Brussels) Brussels, 7 November 2007

Table of content n n n n What is data protection? Why was is necessary? Beginnings of Data Protection Development of International Data Protection under the Third Pillar External relations under First Pillar External relations under Third Pillar

Preliminary remark n I relied for some of the conclusions on the insights gained after having listened to Diana Alonso Blas, LL. M. , Data Protection Officer, Eurojust, First Pillar and Third Pillar: Need for a common approach? International Conference “Reinventing Data Protection”, 12 and 13 October 2007, Brussels

This is data protection n n Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data that has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority. = Article 8 of the EU Fundamental rights Charter

Why data protection? n n n Article 8 ECHR does not apply to the private sector. The right to a private life would not necessarily include all personal data, and so there was the question of whether a large proportion of data would be sufficiently safeguarded. The right of access to data on oneself was not covered by the concept of the right to privacy as expressed in Article 8

Beginnings of data protection n 1960 s: USA, two major reasons: 1. ) Technical progress based on the development of computers 2. ) Socio-political reason, raising fear of governmental surveillance “Big brother” Similar development in Europe n 1970 – 1981 n n 1970: First law on data protection was enacted by the German Federal State of Hessen (07. 10. 1970). Sweden (1973), Germany (1976), France (1978), Denmark (1978), Norway (1978), Austria (1978) and Luxembourg (1979) introduced national legislation on data protection No role model as basis but had to be innovative in their own right

Beginnings of data protection (continuation) n 1981 Council of Europe: Convention for the Protection of Individuals with regard to automatic processing of personal data (entry into force 1985) n n First internationally binding instrument on data protection, important point of orientation for the subsequent national data protection laws In the following years, data protection legislation was enacted by n Finland (1987), The Netherlands (1988), Portugal (1991), Spain (1992), Belgium (1992), Italy and Greece

European Data Protection (general) n n n Convention no. 108, January 28, 1981 Directive 95/46/EC of 24 October 1995 Directive 97/66/EC and 2002/58/EC Regulation (EC) No 45/2001 processing by Community institutions of 18 December 2000 Charter of Fundamental Rights of 7 December 2000 of the European Union, Treaty establishing a Constitution for Europe (2002) n Right to data protection (Art. I-51)

International Data Protection (general) n From 1948 privacy rights in various national and regional human rights bills n From 1970 on data protection laws at national level n 1980 OECD: Guidelines on the Protection of Privacy and Transborder Flows of Personal Data n Non-binding, orientation n 1990 UN: Guidelines concerning computerized personal data. n Guidelines for orientation, procedure left to the initiative of each state

Scope of European data protection re JHA n 1995 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data n n First and major First Pillar instrument regulating the processing of personal data Not applicable to the processing of data in the course of an activity which falls outside the scope of Community law (Art. 3 (2) => Second and Third Pillar applied by some MS, in some respects, to law enforcement as well ECJ view (PNR judgment 30 -05 -2006)

End of the world? n n n Article 8 ECHR applies to processing by all public authorities, incl JHA Council of Europe Convention 108 (1981), ratified presently by 38 countries and signed by another 5 also applies to JHA Article 3 Convention 108: The Parties undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors.

But, is Convention 108 enough? n n Convention 108 is quite general: it contains principles, not detailed regulation 1987 Council of Europe: Recommendation No. R (87) 15 regulating the use of personal data in the police sector Non-binding, orientation, very old and no willingness to renew them n For 1 st pillar the EU built on Convention to go further n n in Directive 95/45/EC Recital (11) of preamble: Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;

First JHA option: specific data protection rules n n n 1985 Schengen Agreement and 1990 Convention implementing the Schengen Agreement of 14 June 1985 n Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework Council Act of 26 July 1995 drawing up the Convention on the establishment of a European Police Office (Europol Convention. The Europol Convention was ratified by all Member States and came into force on 1 October 1998. n Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ C 197, 12. 07. 200: general context of judicial cooperation and some data protection (infra)

Option 1 (continuation) n Council Decision of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime. Rules of procedure on the processing and protection of personal data, adopted by Council on 24/2/2005 (containing main principles Directive but also very detailed rules, tailored made to Eurojust tasks and purposes) n Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework n May 2005: Treaty of Prüm (Schengen III Agreement ) n Extended information exchange outside the EU framework

Strength of option 1: Europol example In Covention detailed rules on the use of data: n n Clear understanding of intelligence risks to data protection lacking in Recommendation no (87) 15 by use of different information tools in particular distinction betweenn Europol Information System (IS), (Criminal Intelligence database) and the Analysis Work Files (AWF) (Analysis of operational data) Mandate – restrictions & consultation n n n n Ownership National Law to be respected Communication with third states and third bodies Right of access limited in certain cases for non involved member states Correction / deletion of data Time-limits storage / deletion of data Security Control mechanisms: see next slide

Control mechanisms in Europol internal audit n National Supervisory Body (Art. 23 Convention) n n Each MS - Designates an NSB n Monitors input independently n Personal data n Joint Supervisory Body (Art. 24 Convention) n Ensures individual rights are not violated by data stored at Europol

Risks of option 1: the Prum example n n n n Signed in Prüm & Ratified by the national parliaments of the seven participating states - Germany, Spain, France, Luxembourg, Netherlands, Austria and Belgium and now extended to all EU MS Not part of the Schengen treaty nor the Schengen acquis Integration is planned to take place, at the latest, three years after the entry into force of the Based on so-called "principle of availability" : the right of access to the databases/registers of the participating states and gives the requesting state the possibility to ask for more information/intelligence. Data exchange (Article 1 -16) see next slide Sky marshals (Article 17 -18) Fighting illegal migration (Chapter 4) Joint Interventions (Chapter 5)

Data exchange in Prüm n n n DNA profiles All participating states have to set up DNA profile databanks and exchange dna profiles Fingerprint data The treaty allows, where a specific person is identified, access to the finger-print databases of the participating states and the automatic comparison of fingerprints, not only for reasons of criminal prosecution but also for "prevention". Same hit system for additional information Vehicle databases can be accessed for criminal prosecutions and for reasons of preventing dangers for public security and order, ie including supposed threats to public order. Online access will be carried out according to the law of the requesting state. Political demonstrations and other mass events (Articles 13 -15) For reasons of prosecution and prevention of offences and for the prevention of dangers to public security and order, personal and non personal data can be passed on - following a request or without request, ie. at the own initiative of a state. Information exchange to prevent terrorist attacks (art. 16) Data and intelligence: names and further personal identity plus the reason will; be sent out across the network, with or without a prior request.

Institutional and Data protection problems with Prüm n n n OK: purposes are definied; competent authorities are defined; duty to see that data is correct and up to date; technical safeguards to guarantee secrecy; rights for the persons concerned Not OK: making terrorism, organised crime and illegal immigrants one affair; broad categories: why? ; creating more power by centralising data; Certainly not OK: no supranational supervision: need for a FD data protection: Court of Justice, 31 January 2006 (c-503/03)

Reason 1 for other (second) JHA option: general data protection rules: new needs for JHA cooperation n Cooperation in police and judicial criminal matters increases and is gradually build on new concepts that challenge data protection n June 2004: Draft Framework Decision on simplifying the exchange of information and intelligence between law enforcement agencies of the member states of the EU, in particular as regards serious offences including terrorist acts (Swedish Initiative) n n Setting time limits to answer requests of information Removing discrimination between national and intra-EU exchange of data accessible by police in at least one Member State

new needs for JHA cooperation (continuation) n January 2005: White Paper on exchanges of information on convictions and the effect of such convictions in the EU n n n Nov. 2005: Council Decision on the exchange of information extracted from the criminal record Dec. 2005: Proposal for a Framework Decision on the organisation and content of the exchange of information extracted from criminal records between Member States October 2005: Proposal for a Council Framework Decision on the exchange of information under the principle of availability n Information available to law enforcement authorities in one Member State be made accessible for equivalent authorities in other Member States

Reason 2 n n Difficulties of determining whether the processing and transfering of personal data falls under the First or Third pillar, e. g. US demand for Passenger Name Records to private air companies Commission acts on basis of first pillar Commission: Regulation for transfer of passenger data by private airlines = rules for harmonisation of the Internal Market EP problem with privacy and problem with choice of pillar ECJ 30 May 2006 Data transfer motivated by concerns of public safety and = Third Pillar Institutional consequences? Data protection consequences? Council Decision 2007/551/CFSP/JHA. of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement) Swift?

A second JHA option: general data protection rules n October 2005: Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters n n n Clear gap in data protection regulation at EU Third Pillar level Directive 95/46/EC is not applicable and Neither the 95/46/EC Directive nor the 1981 Convention take account of the specific characteristics of the exchange of data by police and judicial authorities But data protection of fundamental significance To redress this imbalance, the Commission adopted a complementary Proposal for a Council Framework Decision Intends to provide a comprehensive protection scheme for personal data in the field of Justice and Home Affairs. It also supplements multilateral efforts like the Treaty of Prüm.

However: many controversies re the scope of the Framework Decision n security v privacy and its consequence for the data protection principles n limitations to the principle of availability within and outside the EU n Schengen JSA, Europol JSB, the Eurojust JSA and the CIS JSA n

The March 2007 German Presidency’s Proposal n n n general rules on the lawfulness of processing of personal data, provisions concerning specific forms of processing, rights of the data subject, confidentiality and security of processing, judicial remedies, liability, sanctions, national supervisory authorities, and the transfer to third states. exchange of data between Member States, thus excluding data processing at a domestic level applies to Europol, Eurojust and the Third Pillar Customs Information System whereas authorities or other offices dealing specifically with matters of national security are explicitly excluded from its scope (Article 3 II),

continuation Fusing of Schengen JSA, Europol JSB, CIS JSA into a single data protection supervisory authority, merging with it the advisory working party provided for in the earlier draft. n exchange of data with third states. FD is without prejudice to any obligations and commitments incumbent upon Member States or upon the European Union by virtue of bilateral and/or multilateral agreements with third States. personal data received from or made available by the competent authority of another Member State may be transferred to third States or international bodies only if the competent authority of the Member States which transmitted the data has given its consent to transfer in compliance with its national law. n

Where are we now? n n Discussion on FD on DP in 3 rd pillar shows little willingness of Member States to achieve a harmonised level of DP going further than Co. E Convention. In fact: n Text under discussion is “agreement of minimums” (lower common denominator), partly because of unanimity requirement n Scope reduced to cross-border exchange of personal data (and does not affect existing bilateral agreements…) n Many exceptions included and some important issues missing n Doubts as to whether the text is even compliant with Convention 108 and additional protocol (see also EDPS opinions + press release of 20/9/07) n Eurojust/Europol/Schengen DP rules go much further than proposed text (after several formal motivated requests, happily excluded from scope of application)

Diana Alonso Blas (Brussels) n n Convention 108 offers a basic common approach that needs to be fully respected Any new instrument should respect Co. E convention + basic principles Directive Not in favour of detailed overall instrument covering all pillars, not even the whole third pillar. Specificities of police and judicial work need to be taken into account (need for very clear and specific tailored made rules for the diverse third pillar areas). An overall instrument would have to be relatively general but, if it has to have any added-value, it should go further than Co. E convention.

Future: (Draft) Reform Treaty End of pillar structure n But this does not imply automatic application of Directive to everything n Sectoral declaration on DP in police and judicial cooperation in criminal matters foreseen n

Data protection & External relations under First Pillar n n n Member States shall provide that the transfer to a third country of personal data only if, the third country in question ensures an adequate level of protection” (Art. 25. 1 Directive 95/46/EC). Article 25 also contains the procedure to determine whethere is an adequate regime. Commission, not the Member States, has the last say in the procedure

Data protection & External relations under Third Pillar n n Discussion: need to copy adequacy idea in JHA? 2001 Additional Protocol to the 1981 Council of Europe Convention introduces principle re transfer of data across national borders: “Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer” (Additional Protocol, Article 2. 1).

How is it happening now? This could be answered discussing the following examples n Eu 2000 Convention on Mutual Assistance in Criminal Matters n Europol n Pnr n Swift

Article 23 EU 2000 Convention on Mutual Assistance in Criminal Matters first supranational rules establishing data protection requirements for the judiciary in their cross border activities – even though they are very flexible and have clearly not the purpose of limiting the work of the judiciary. n No requirement of adequacy n According to Article 23, personal data communicated under the Convention may be used by the Member State to which they have been transferred: (a) for the purpose of proceedings to which the Convention applies; (b) for other judicial and administrative proceedings directly related to them; (c) for preventing an immediate and serious threat to public security; (d) for any other purpose, only with the prior consent of the communicating Member State, unless the Member State concerned has obtained the consent of the data subject n

Europol co-operation with third parties Types of agreements: n Operational agreement Includes the exchange of personal data (secure link in place) n Strategic / Technical agreement Does not allow exchange of personal data

Europol Operational Agreements Includes the exchange of personal data n Norway n Iceland n Switzerland n Bulgaria Romania n Croatia n Canada n USA Federal Bureau of Investigation (FBI) & United States Secret Service (USSS n Eurojust n Interpol

Europol Strategic / Technical Agreements Does not allow exchange of personal data n European Commission (EC) n European Central Bank (ECB) n European Monitoring Centre for Drugs and Drug Addiction n European Anti-Fraud Office (OLAF) n United Nations Office on Drugs and Crime (UNODC) n World Customs Organisation (WCO) n Colombia n Russia n Turkey

External relation in the FD data protection? Commission October 2005 proposal sets up system similar to Directive 95/45 n German Presidency Draft march 2007: nothing! n Preamble “personal data are transferred from a Member State of the European Union to third countries or international bodies, these data should, in principle, benefit from an adequate level of protection” n

Conclusion n Pros and Contras option 1 or 2 re data protection are hard to assess, But: Whereas a European approach, based on the adequacy principle, is followed in the First Pillar, this is not the case for the Third Pillar. Though there may be arguments against such a European approach in the area of JHA my examples, including the Europol, PNR and Swift cases, learn that the absence of such a European approach can cause problems. Without ignoring the benefits and arguments in favour of tailor-made regulations, I conclude that the example of Europol dealing with third countries, and of PNR and Swift, in part illustrated the lack of credibility of the current EU data protection system. Having to deal with externalities such as powerful third countries (in particular the U. S. ) that do not always consult the EU officials when collecting ‘European’ data or data in (some) EU Member States, it would be beneficial to develop a general framework for data protection in the Third Pillar and for transfers of data to Third Parties with clear rules and responsibilities and a well-defined role for the EU institutions that live up to the European dimension behind cases such as PNR and Swift. Contrary to Blas, I agree with Poullet that a uniform set of data protection standards applicable to all pillars would be desirable

Thank you for your attention!