In tense situations, such as after the London bombings, lawmakers should refrain from rushing into privacy-invasive measures, says Peter Hustinx, the European Data Protection Supervisor, in an exclusive interview with EurActiv.
As we are talking it is five days since the London bombings. The media is brimming with far-reaching new law enforcement and surveillance proposals from the UK presidency.
This was a terrible drama, but it does not show beyond any doubt that we should hurry forward in giving away the very freedoms that were at stake. That would be close to making ourselves accomplices to terrorism. We should continue to think soberly about the issues at stake, that is: What is necessary? How could we provide the appropriate measure? How could we then implement the appropriate safeguards? I think there is a trap here that emotions could drive decision-making, but Parliament, Council and Commission are political professionals so I think they will recognise it. Thus we will be watching them and supporting them where we can.
In some media there were comments saying that if communication data had been retained the London bombings could have been avoided. If such were the case, would data-retention be justified?
That’s an ‘if-if-if’ question, which I don’t want to answer. It would seem to me very, very unlikely and in fact in the case of New York it was discovered that perhaps things could have been avoided had law enforcement done their work properly. This is not a case for new powers; whatever power is needed must be demonstrated as needed, appropriate and then with appropriate safeguards. We should refrain from easy, slippery, emotional decision-making, I think that would be a disservice to a free society. Security should have freedom and privacy integrated; otherwise we will not be secure, but will be creating a new security problem. That is, I think, something we should avoid at all costs.
The EU itself doesn’t have data protection rules on the so-called ‘third pillar’ issues, that is, among other things, on all policing issues. How can it advise member states on what they should be doing?
What we need in the EU is a third pillar framework – a joint legal framework for co-operation on law-enforcement in Europe. Such a framework is long overdue and has been promised by Commissioner Frattini before the end of this year. I think that is necessary to enable law enforcement to co-operate better. We need that cooperation – a level playing field for data protection in Europe would help this course forward.
At what stage is preparatory work for this legal framework?
We know that the Commission is working very hard to prepare a draft, but I want them to continue on this path and I then want the Council to adopt it. We need to make progress, enabling law-enforcement bodies to co-operate and we need to integrate data protection safeguards.
On the transfer of Passenger-Name Record (PNR) data to the US, there is an agreement in place that has to be reviewed every year. The first review is due soon; what are your views on this agreement and how should it look in the future?
The review is likely to take place in a few months’ time; it’s somewhat too late, but the progress is welcome. The agreement itself is not a very good one. It has been challenged by Parliament and currently there are two cases before the European Court of Justice [ECJ]. I have intervened in that case in support of the Parliament, so the case is before the court to decide. We’ve recently analysed a similar agreement with Canada that was a lot better, and illustrates that Passenger Name Record Data can be processed in an acceptable fashion. There are many differences, so I would recommend the Canadian approach rather than the US approach. We look forward to both the results of the review and the case in court – and maybe the Americans learn.
What is the difference between the agreements with Canada and with the US?
One very visible difference is that the US agreement provides for ‘pull’ – that is, the US authorities can enter the EU observation systems and collect the data themselves, whereas the Canadian system provides for ‘push’. The list of data is more limited, and another big difference is that the Canadian system is built on a much more developed legal framework. There is a Canadian Privacy Act, there is a Canadian Privacy Commissioner, the agreement is much more balanced, it is binding; all of that was not the case in the US.
When the report on setting up your office was being discussed in the Parliament, there was a strong argument that it was difficult to find a balance between privacy and transparency. Now you are publishing a report on exactly the issue of how to balance the two; why are you not making your case for the protection of data very much stronger?
This is a very strong signal that European citizens have the right to both: a right to data protection and to transparency. We do a disservice to those fundamental rights if we curtail the rights. Let me add that we have been in close contact with the European Ombudsman on this report, we will be co-operating together. We believe that by bringing this message we avoid lack of balance in data protection, we avoid the misunderstanding that data protection is against transparency. We are very keen to bring data protection forward, to give safeguards where necessary, but when misunderstandings hamper this message it is not helpful.
Isn’t it for EU officials, who have to deal with these issues in their everyday work, extremely complicated to decide how to deal with data? Just think of an official who organises a hearing and then has to decide whether to publish a list of the participants or not, and which kind of data to publish or not.
The report has a checklist and many examples to help those who need to decide. Within the Commission and other institutions such decisions are centralised, so there are specialists dealing with them. We are helping them, this report is to support them in taking the right decision. We have already raised awareness and found considerable support. We will be working on this and I think they will welcome this message. We will spread it wide in the course of the next few months.
Looking back at practice over the last few years, have there been any major problems concerning this?
The major problem within the institutions is that data protection is new to them, whereas it has been a long-standing practice in the member states. They have to catch up, and we are checking on all existing systems. That’s one thing. The second big issue is that we are advising on new legislation, some of which is dealing with very far-reaching data protection problems like the third-pillar data protection issues, data retention, etc. We have not come across any great scandal yet, but don’t hold your breath. But I hate to discuss scandals, we want to see this as a positive message which is a condition for the agenda of the Commission. So far they are reacting well to our message and I am quite hopeful.
You did not mention the Council…
The Council is an institution which is bound by data protection safeguards, and I am quite pleased with the way they do this. I realise that the Council is also active in the decision-making for new legislation. There we have a problem because some of the proposals do not look good. But we have not reached the end yet and I will be looking forward to any further initiatives of the Commission on data retention, which will then be subject to co-decision by Parliament and Council. And the present initiative in the Council is not likely to be accepted in the end, not even by the Council itself.