ARTICLE 29 DATA PROTECTION WORKING PARTY WORKING PARTY ON POLICE AND JUSTICE

Transcription

1 ARTICLE 29 DATA PROTECTION WORKING PARTY WORKING PARTY ON POLICE AND JUSTICE JOINT CONTRIBUTION OF THE EUROPEAN DATA PROTECTION AUTHORITIES AS REPRESENTED IN THE WORKING PARTY ON POLICE AND JUSTICE AND THE ARTICLE 29 WORKING PARTY 1. What should be the purpose(s) of the agreement? Should the agreement only establish data protection standards for EU-US law enforcement cooperation? Or should it address also wider issues related to the processing and transfer of personal data in the context of transatlantic law enforcement cooperation, e.g. reciprocal information transfer or impact on relations with other third countries? It should be the purpose of the agreement to establish binding data protection rules which guarantee a high data protection standard in the area of law enforcement cooperation between the EU and the US. Those binding data protection rules shall be incorporated in every future EU-US agreement providing for the transfer/exchange of data for law enforcement and judicial cooperation in criminal matters. The purpose of the agreement should not be to directly entitle any of the parties to operate a specific transfer of data. It should be left to further agreements to provide for additional tailormade rules, in relation to the particularities of each agreement. legally entitling the parties to transfer data on a case by case basis Clarification is required in respect of the exact meaning of law enforcement and law enforcement co-operation in this context. In our view, there is no need to address issues additional to the purpose of setting a high data protection level. With respect to reciprocity, the concluded principles would, of course, be binding (and enforceable) on both parties. There should be reciprocity in the way personal data are protected. If the question aims at a principle according to which e.g. information should only be provided by one side if the other side gives similar information in return, we believe that this issue should be dealt with in an additional, more specific agreement and in light of the national rules already in place. From a data protection point of view, the principle of data minimization should also be taken into account: No country shall be forced to receive data it does not believe to have a need for. This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat is provided by Directorate D (Fundamental Rights and Citizenship) of the European Commission, Directorate General Justice, Freedom and Security, B-1049 Brussels, Belgium, Office No LX-46 01/190. Website: justice_home/fsj/privacy/index_en.htm The Working Party on Police and Justice was set up as a working group of the Conference of the European Data Protection Autorities. It is mandated to monitor and examine the developments in the area of police and law enforcement to face the growing challenges for the protection of individuals with regard to the processing of their personal data.

2 There can be no doubt that an agreement between the EU and the US in the area of law enforcement will have a strong impact on relations with third countries complemented by the additional rules referred to above- in that it will serve as a model for most if not all other international agreements to be concluded in the area of law enforcement in the future. We hope that outlook will inspire the European Commission and the future EU negotiators to make the agreement data protection compliant, consistent with the public declarations and the reference made in the Stockholm Programme to the need for ensuring a high level of data protection also in the area of freedom, security and justice. As for the principle of onward transfers which also touches upon the impact on relations with third countries, it will be dealt with under question no Should the agreement cover personal data protection when information is transferred that pertains to police cooperation in the area of freedom, security and justice (Title V chapter 5 of the Treaty on the Functioning of the European Union (TFEU)? Yes. As police cooperation is a core element of transatlantic cooperation for law enforcement purposes, any future EU-US agreement on data protection (minimum) standards should apply to this area of cooperation. Should it also cover personal data protection when information is transferred in the course of judicial cooperation in criminal matters (Title V chapter 4 TFEU)? Yes. The agreement should also cover personal data protection in the area of judicial cooperation in criminal matters between EU and US authorities. It must be ensured that the agreement does not lower the standards of personal data protection measures that are already laid down in existing agreements, e.g. in the Agreements on Extradition and on Mutual Legal Assistance between the European Union and the United States of America of Should it also be applicable to the transfer of personal data in the context of other Union policies within the area of freedom, justice and security, i.e. the security elements of immigration, visa, asylum and civil law cooperation? Recalling that the purpose of the agreement should be to define a set of minimum standards of personal data protection and not to serve as legal basis for information sharing and the exchange of personal data, it would, under these preconditions, be preferable to have a wider material scope of application of the agreement providing for legal certainty as to the conditions of application of data protection principles. Should the agreement apply to personal data collected in connection with Union policies in the area of freedom, security and justice, such as immigration, visa and asylum (Title V, chapter 2, TFEU), this should happen in strict compliance with the purpose limitation principle. This means that such data could be covered only insofar as security elements of those policies are concerned. 2

3 In our understanding, security elements in this context means that the principles of the agreement should be applicable in those cases where an EU or US authority requests data for the prevention or prosecution of crimes in individual cases. Besides, the necessity and proportionality of such transfer should be demonstrated. It should in any case be avoided that migrants or asylum seekers see their data processed in a repressive context by nature and in a systematic way. In this context, it is important to distinguish the question on the scope of the agreement from those dealing with access to data and the right to transfer it; or more precisely whether the requested authorities have access to the requested data which in case of visa, immigration, and asylum was collected for a different purpose and whether the requested authority is allowed to transfer that data to the requesting authority. Clear limitations on the conditions according to which such data could be processed should be clearly indicated in the agreement, in compliance with the conditions applicable at EU and national level. According to our understanding, civil law cooperation (Title V, chapter 3, TFEU) as the cooperation of bodies dealing with subjects of civil law, should not be included in the material scope of the agreement. Their work is commonly not understood to be part of law enforcement. 2.2 Should the agreement only cover government-to-government transfers of information? Or should it also be applicable to transatlantic transfers of personal data from private entities to law enforcement authorities? If so, should the conditions on private public data transfers be in any way different from the government-to-government transfers? Although the purpose of the future agreement should be to lay down a high standard of data protection, for the co-operation between the competent authorities of the signatory parties and thus in principle not include the transfer of personal data between private and public sector, we believe that the agreement should also be applicable to transatlantic transfers of personal data involving private entities. This should not legitimise as a rule the direct transfer from a private entity in country A to the law enforcement authorities of country B. It has been a trend in the past years to extend the access of law enforcement authorities to data collected by private entities (see the API/PNR data and financial data cases) and private companies will likely continue to play a role within the strategy of law enforcement agencies, even though this development has been and will continue to be firmly criticized by the European Data Protection authorities.. It follows that the high level of data protection, as outlined in these answers and other contributions by the national DPAs as well as the EDPS, should equally apply to data collected by private entities where a transfer of personal data has been considered necessary and admissible. Particular issues related to private-public data transfers can more adequately, as we believe, be dealt with in the more specific agreements taking into account the concrete circumstances of the data collection. 3

4 3. Should the agreement include a provision to the effect that EU and US law enforcement authorities may request from each other the same types/categories of information and personal data (reciprocity)? There should be reciprocity in the way personal data are protected. If the question aims at a principle according to which e.g. information should only be provided by one side if the other side gives similar information in return, we believe that this issue should be dealt with in an additional, more specific agreement and in light of the national rules already in place. See also answer provided under Question Data Protection Principles 4.1 Accountability Should the agreement provide for modalities and consequences of "accountability", e.g. internal and external review procedures? Should the agreement notably provide for a joint review mechanism? - It is unclear, at present, whether the concept of accountability would appear to be specifically appropriate in the context of the data protection agreement between EU and USA. There is nevertheless a clear need to provide for appropriate internal and external mechanisms to ensure, measuring and demonstrate compliance. - The agreement, being general in nature and scope, should lay down the general framework for the establishment and functioning of a joint review mechanism as for the external dimension. The procedural steps applying to such joint review mechanism will have to be developed in the separate instruments regulating specific data transfers (See point 1) - Regarding the internal dimension, audit procedures should be developed as well. - From the point of view of the European DPAs, it must be ensured that the competent data protection authorities are firmly integrated in the external - and where appropriate internal - review procedures. A clear allocation of responsibilities to the individual stakeholders will be paramount in any case. - The European DPAs would also like to draw attention to the experience gathered by the Europol, the Schengen JSBs and the coordinated supervision with the EDPS in carrying out in-depth inquiries and audits into compliance with data protection obligations. 4

5 4.2. Individual Access Should the agreement spell out the conditions for the right to access one's own personal data? If there is no possibility to directly access one's own personal data for justified reasons, should the agreement provide for the possibility of indirect verification through an independent authority responsible for the oversight of the processing in the sending or recipient country? We would like to reply to the two sub-questions jointly as they are mutually related. - The right of access (inter alia, to check that the processing is performed lawfully) cannot exist without the obligation on data controllers part to ensure transparency and notice to data subjects. This is actually one of the principles agreed upon in the report of the HLCG, and will have to be included in the text of the future agreement. - To better safeguard the rights of data subjects, the agreement should clearly state that the data subject is empowered to exercise the right to access, rectify, and expunge his/her personal data in a simple and effective way. According to EU or national laws the right of access can be exercised either directly vis-à-vis the data controller or indirectly.. - Indirect access mechanisms should be envisaged involving the competent data protection authorities in the EU and/or a competent authority ( contact point?) in the US. We would like to stress that these authorities need to be able to act independently; they may not be subjected to the instruction of another authority. This is obviously related to question 4.3 below, i.e. to the overall procedural and organisational framework resulting from the possible agreement. - It will have to be clarified in the agreement that any limitations on the aforementioned rights may only derive from specific provisions as set forth in US and/or European laws, perhaps by including wording similar to the one contained in Article 8 ECHR; such limitations may include fulfilment of the specific tasks conferred on the law enforcement authorities holding the data at issue. - The data subject s right to be assisted in his claim by the competent DPA should also be laid down (e.g. as for language issues) (see question 4.3 below). - Individual access to data must be granted to everyone, regardless of nationality or country of residence Single contact points Should the agreement provide for a single contact point in the US in case of data protection concerns related to data transferred from the EU? Should the agreement provide for a single contact point in the EU in case of data protection concerns related to data transferred from the US? 5

6 Should the modalities for transparency and assistance to data subjects by US and EU data protection supervisory authorities be spelled out in the agreement? - We believe that at this stage the agreement should only require the implementation of mechanisms to facilitate exercise of data subjects rights. It would appear to be difficult currently to clarify whether this should be done by way of a single contact point, as much will depend on the ultimate scope of the agreement. - In any case, although the principle should be stated in the general agreement, it would seem that the features of such a contact point should be detailed in the future separate data sharing agreements between the EU and the US in this area. - Nevertheless, as mentioned in the reply to point 4.2, transparency and information requirements should be also laid down clearly in the agreement; in this context, the agreement should stipulate that the information to be provided by law enforcement authorities should include at least the items mentioned in the HLCG report (purpose of processing, data controller, applicable laws, third party recipients, any other information that is necessary to ensure fairness including rights and remedies available to data subjects) plus obvious though it may seem the categories of personal information that are processed Judicial redress Should the agreement lay down provisions for effective access to courts for data subjects that believe that their data protection rights have not been respected? How could this be achieved? Should laws which discriminate in respect of access to the courts on grounds of nationality or residence be amended? - The agreement should provide for effective administrative and judicial mechanisms to ensure redress. We would like to recall, in this context, the differences recognised in the HLCG Report (see p. 15 thereof) as to the mechanisms for judicial redress in the US and EU (which remain applicable in spite of the commonalities identified via the HLCG s work). - The agreement should clearly stipulate that the data protection rights of EU citizens will be enforceable in full vis-à-vis all judicial authorities in the US, irrespective of nationality and/or residence considerations. The specific mechanisms will have to be discussed further in the course of the future negotiations. 5. Any other comment You may introduce here any other comment you would like to make on the future European Union (EU) - United States of America (US) international agreement on personal data protection and information sharing for law enforcement purposes. 6

7 The principles of the agreement should be binding on the parties to the agreement and, additionally, on all EU Member States, also when concluding bilateral agreements with the US or sharing data with the US under national law. Evidently, the agreement must be applicable to all agreements that will be made in the future. In addition, we believe that the agreement should also affect all existing agreements. It is of great importance to have a strict principle in place regulating onward transfers. It must be ensured that any onward transfer to third countries shall, in principle, only be authorized after prior express and written approval of the country of origin by respecting the purpose for which the data were originally transmitted, and provided the third country affords an adequate level of protection. Only if the data are essential for the prevention of an immediate and serious threat to public security may an onward transfer be permissible on a case by case basis without prior consent, subject to further safeguards. A principle as set forth in the Report of the High Level Contact Group is too wide-ranging and therefore not acceptable. As already mentioned in the answer to question 4.1 the effectiveness of such an agreement is subject to the possibility of scrutinizing the procedures in place, the exchange of information and the purposes for which the exchanged data is used. the agreement should ensure the competency of supervisory Data Protection Authorities/ Bodies to scrutinize/ audit/ inspect both parties' compliance to the agreed data protection principles applied/ incorporated in future bilateral EU - US agreements providing for the transfer/ exchange of data. The agreement should provide that the Parties, additional to the obligation to rectify data where necessary, are also obliged to erase data or to block them if their storage were unlawful. The Parties shall ensure that data are kept for no longer than necessary with a view to the purposes for which they are transmitted and erased or made anonymous thereafter. Time limits should be laid down subject to evaluation of the need for further storage. Retention periods shall be proportionate and not excessive in relation to the purpose for which they were collected and/or further processed. Possibilities to make use of privacy enhancing technologies or privacy friendly alternatives should be checked in regular intervals, also with a view to ensure the principle of data minimization. In case that data about persons are stored who are no suspects, joint reviews should regularly assess if further storage is still necessary or already prohibited under the proportionality principle. 7

8 All transmissions and receptions of personal data are to be logged or otherwise documented; the audit logs should be kept at the disposal of the competent supervisory authorities/data protection bodies. The agreement shall provide for compensation for any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the principles laid down in the agreement. Since the agreement aims at bringing legal certainty on standards in data protection in future agreements between the EU and US, an evaluation process should be made possible on a regular basis. 8