Data Protection in Justice and Home Affairs: An Opportunity for Transatlantic Dialogue

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of Euractiv Media network.

The paper looks at the issues that may hamper a more uniform application of data protection rules across the enlarged EU as well as in data exchange between the EU and the US.

Data protection is a very sensitive matter both in the enlarging European Union (EU) as well as in the United States. Issues arising from a lack of trust and differences in implementation and operationality need to be resolved within the EU as well as between the EU and US. What are the opportunities and what are the frictions and strains that may hamper a more uniform application of data protection rules across the enlarged EU as well as in data exchange between the EU and the US?

The new single farm payments will be linked to environmental, food safety and animal welfare standards rather than just to production. A single farm payment will replace most of the premia under different Common Market Organisations. Consequently, the vast majority of the EU direct payments will no longer be linked to production. Severing the link between subsidies and production will make EU farmers more competitive and market orientated, while the single farm payment will provide the necessary income stability. More money will be made available to all farmers for environmental, quality or animal welfare programmes. However, the receipt of the full single farm payment will also depend on the agricultural practice applied by each individual farmer, which will serve as a tool to encourage marginal farmers to stay on the land.

At the international level, following the tragic events of September 11th, one major source of concern remains the exchange of airline data on passengers flying – a counter-terrorism step envisaged as one of several common measures between the EU and the US as well as other third countries.

On 13 March 2003, the European Parliament adopted a comprehensive resolution expressing disappointment at the joint US-EU declaration of 19 February 2003 which allows European airlines to transfer data to US Customs personnel on passengers flying to the EU.

Concerns include:

  • Problems with the reversal of the presumption of innocence by the CAPPS-II proposal (Computer-Assisted Passenger Prescreening System). This concern needs also to be borne in mind in view of the development of the SIS II (Schengen Information System II) in the Schengen zone.
  • Long-term retention of data, such as passengers’ records.
  • Data-sharing about passengers with private groups and government agencies (which could affect employment decisions or granting of government and welfare benefits). The data protection office of the newly created Department of Homeland Security needs to be granted full effective independence from other government bodies.
  • No oversight and no reporting requirements: without transparency and proper rules of access to personal data requirements, the system could be abused.
  • An absence of safeguards to prevent passenger data held by the CAPPS-II system being used later for purposes different from those for which the data had been originally collected.

The EP’s opinion was that this joint declaration would infringe EU Directive 95/46/EC (see brief background note at the end of this commentary). In addition, because the EP was not informed at all about the talks with US officials, it has called on the Commission to suspend the joint declaration. Moreover, the EP as well as the European Commission are very concerned that within the EU itself, on the other hand, there are still delays in implementation by some member states of the data protection Directive and there is a particular lack of quality in some transposed laws which shows clearly that some member states still need to amend their protection laws.

What is becoming increasingly apparent is that there is mounting concern that measures (especially those designed to improve surveillance and intelligence gathering) taken in the wake of the terrorist attacks of 11th September are not proportionate, and that they are excessively intrusive and compromise human rights and civil liberties. One does not collect data for no reason. It must be evaluated and have some operational implications. The transmission of such data to non-EU agencies poses particular problems and conflicts with the EU’s commitment to uphold individual liberty. Moreover, these issues exacerbate the problem of weak or minimal accountability and democratic control in respect of security and especially internal security matters: democratic accountability is negligible; the EP’s and parliamentary controls over the expanding remit of agencies like Europol remain totally inadequate.

Inadequate internal control coupled with the possibility that third countries have access and powers over individual data means that the democratic credentials and public trust in the EU will be undermined. The EP’s concern was echoed in a strongly worded report by the EU’s Article 29 Data Protection Working Party with regard to divulging passengers’ personal data to third countries. The report of the Working Party reiterates the basis of EU law and policies on data protection in the 95/46/EC directive, Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights and comments that: “The legitimate requirements of internal security in the US (and other third countries) may not interfere with these fundamental principles”.

It is not clear that the current proposals and measures envisaged by the US would be reciprocal or that the US data protection rules on airline passenger movements would be sufficient to guarantee EU civil liberties for EU citizens. The operational implications of data collected and analysed by intelligence agencies remain vague to say the least. Safeguards seem to be weak if not non-existent. This compounds a series of concerns within the EU about openness and transparency, access to documents, their classification, vetting of official access to materials involving security and confidentiality, the proposed Commission initiatives in the fight against the financing of terrorism, money laundering etc., the implications of EU-US judicial cooperation and joint investigative teams, and overall misgivings about their compatibility with the Charter of Fundamental Rights (Art. 1 on the right to life). Finally, the inseparability of internal and external security issues and the fundamental issues raised by the civilianisation of an external agenda and a militarisation of a domestic agenda pose vast questions as to the democratic ethos and ethics of an EU enlarging to states where those values (including respect for the rule of law and public trust in the agencies of government) are weak or under severe strain in sometimes corrupt judiciaries and law enforcement agencies. Data-sharing within the EU is problematic (e.g. there are still problems in the transposition of Directive 95/46/EC in some member states), and it does not follow that more data-sharing will mean greater success in combating terrorism. The opposite could occur. There are grounds, therefore, for a healthy dose of scepticism.

It is nevertheless hoped that, since both the EU and US systems on data protection are currently under review, more dialogue could take place so that each party’s concerns are taken well into account and that prior to finalisation the two systems are more closely aligned with each other to meet mutual standards to ensure the highest level of safeguards of privacy of citizens on both sides of the Atlantic.

Note on EU data protection legislation

The main overarching legal instrument in EC law on data protection is the 24th October 1995 Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Data protection is a fundamental right that forms part of European Citizenship and Directive 95/46/EC has decisively contributed in this regard. However, delays in implementation by Member States and differences in the ways the directive has been applied at national level have caused concern. The main problems are particularly in the lack of quality of some transposition laws and it is clear that some member states still need to amend their protection laws. Also what is still missing is a more uniform interpretation and application of national provisions. By means of co-operation, in particular in the framework of the activities of the Article 29 Working Party (Member States’ data protection supervisory authorities), all possible efforts need to be undertaken to achieve more uniform practices and simplified procedures (e.g. less burdensome notification requirements or a more flexible environment for international data transfers). Overall, citizens’ awareness of data protection issues remains low; and operators’ compliance remains low.

The European Commission intends to proceed by means of bilateral discussions in 2003 but it will not hesitate to open infringement proceedings should this constructive dialogue fail to achieve the intended results. Also, the Commission intends to review the results of the work programme in 2005 and then to submit proposals which may amend, if felt necessary, the current Directive 95/46/EC.


For more analyses from the Centre for European Policy Studies visit the CEPS website.
