Justice and home affairs ministers today (9 October) reached an agreement on the EU data protection directive in a meeting in Luxembourg. The directive will frame how law enforcement agencies in Europe share personal data across borders but negotiations with the European Parliament will be hard-fought.
The Council of Ministers approval of the data protection directive gives a push to the broader EU data protection reform, which negotiators have said they want to finish by the end of this year. Trialogue talks on the data protection regulation, which affects commercial use and privacy safeguards for personal data, started this summer.
Felix Braz, Luxembourg’s minister of justice and president of the Justice and Home Affairs Council, said that first trialogue talks on the data protection directive are set to start soon with the European Commission and Parliament.
The directive has been overshadowed by other ongoing EU privacy legislation; the much-lobbied data protection regulation and this week’s bombshell ECJ decision to drop the Safe Harbour EU-US data sharing agreement.
Data transfers between law enforcement agencies in Europe and between authorities in the EU and abroad will be covered by the directive. The Council and Commission have billed the legislation as giving a boost to cross-border cooperation between police.
The directive will also set out a framework for how national authorities in Europe should process personal data in their own countries, and includes an exception for data relating to national security.
“Imagine you are a witness, suspect or victim of crime, how can you ensure that the details you provide to the police are duly protected?” EU Justice Commissioner Vera Jourova said during a press conference following the meeting.
German MEP Jan Philipp Albrecht (Green), rapporteur on the data protection regulation, criticised the Council’s text for not providing enough privacy safeguards or provisions on citizens’ right to access information about themselves.
“There will be very hard negotiations between Parliament and Council on this. The current proposal by the Council wouldn’t be accepted by the Parliament, I think that’s very clear for the majority in Parliament,” Albrecht told EurActiv.
At today’s press conference on the data protection directive, this week’s European Court of Justice (ECJ) decision ruling Safe Harbour illegal took centre stage. Jourova and Braz were at pains to emphasise their commitment to privacy rights.
Jourova said she spoke to US Secretary of Commerce Penny Pritzker yesterday and will travel to Washington DC in November.
Braz commented on the new responsibility given to national data protection authorities to rule on privacy complaint cases, “We need a common, coordinated and speedy response from the data authorities.”
National data authorities met yesterday (8 October) in Brussels following the ECJ decision and will convene again next week for a plenary session regarding their role in privacy complaint cases.
The Safe Harbour decision focused on the US intelligence agencies’ access to EU citizens data, which the ECJ said posed a threat to EU citizens’ fundamental right to privacy. Following the decision, complainant Max Schrems called the verdict a “milestone for constitutional challenges against similar surveillance conducted by EU member states.”
But Albrecht insisted it’s hypocritical to move ahead with the data protection directive and ease data sharing between Europe’s law enforcement agencies when there aren’t sufficient safeguards against intelligence activity carried out by European governments.
“EU governments wilfully show the problems in US law as disproportionately intruding in privacy rights, which is right, but on the other hand they change nothing and say nothing about intrusions into privacy rights in the EU,” Albrecht said.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.