Table of content What is data protection? Why was is necessary? Beginnings of Data Protection Development of International Data Protection Data Protec

Similar documents
OPINION OF THE EUROPOL, EUROJUST, SCHENGEN AND CUSTOMS JOINT SUPERVISORY AUTHORITIES

COMMUNICATION FROM THE COMMISSION. On the global approach to transfers of Passenger Name Record (PNR) data to third countries

EUROPEAN DATA PROTECTION SUPERVISOR

Chapter 6 Data protection in the third pillar: cautious pessimism

Cooperation between customs authorities and business organizations in combating drug trafficking

P6_TA-PROV(2007)0347 PNR Agreement

Spring Conference of the European Data Protection Authorities, Cyprus May 2007 DECLARATION

EUROPEAN DATA PROTECTION SUPERVISOR

ILO comments on the EU single permit directive and its discussions in the European Parliament and Council

Official Journal of the European Union DECISIONS

Statewatch Analysis. The Third Pillar acquis after the Treaty of Lisbon enters into force

THE LEGAL FRAMEWORK FOR THE PROTECTION OF PERSONAL DATA IN INTERNATIONAL POLICE AND JUDICIAL COOPERATION. Matko Pajčić *

COUNCIL OF THE EUROPEAN UNION. Brussels, 7 July 2005 (28.07) (OR. nl) 10900/05 LIMITE CRIMORG 65 ENFOPOL 85 MIGR 30

INVESTING IN AN OPEN AND SECURE EUROPE Two Funds for the period

LEGAL BASIS OBJECTIVES ACHIEVEMENTS

COUNCIL OF THE EUROPEAN UNION. Brussels, 7 January /08 COPEN 1 EUROJUST 1 EJN 1

PE-CONS 71/1/15 REV 1 EN

Council of the European Union Brussels, 24 April 2018 (OR. en)

Recommendation for a COUNCIL DECISION

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to the opinion of the European Economic and Social Committee ( 1 ),

Relevant international legal instruments applicable to seasonal workers

Official Journal C 430

Delegations will find attached Commission document C(2008) 2976 final.

Supreme Court of the United States

SIS II 2014 Statistics. October 2015 (revision of the version published in March 2015)

Conference on THB: the European response to the vanishing of human beings

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

LEGAL BASIS OBJECTIVES ACHIEVEMENTS

COMMISSION IMPLEMENTING DECISION. of establishing the list of supporting documents to be presented by visa applicants in Ireland

Proposal for a COUNCIL DECISION

JAI.1 EUROPEAN UNION. Brussels, 8 November 2018 (OR. en) 2016/0407 (COD) PE-CONS 34/18 SIRIS 69 MIGR 91 SCHENGEN 28 COMIX 333 CODEC 1123 JAI 829

Reference Title Dates Organiser(s) 00/2007 Train the Trainers Learning Seminar Step February 2007 Portugal 01/2007 Crime, Police and Justice in

SUMMARY OF THE IMPACT ASSESSMENT

C 276/8 Official Journal of the European Union

Report on access to the VIS and the exercise of data subjects' rights

ARTICLE 95 INSPECTION

9837/09 YV/ml 1 DG H 3B

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Statewatch Analysis. EU Reform Treaty Analysis no. 4: British and Irish opt-outs from EU Justice and Home Affairs (JHA) law

REPORT on access to the VIS and the exercise of data subjects' rights

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 78(3) thereof,

COMMISSION IMPLEMENTING DECISION. of

COMMISSION IMPLEMENTING DECISION. of

UNDER EMBARGO UNTIL 9 APRIL 2018, 15:00 HOURS PARIS TIME

11161/15 WST/NC/kp DGD 1

REGULATION (EC) No 767/2008 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 9 July 2008

EUROPEAN DATA PROTECTION SUPERVISOR

Coordinated Supervision of Eurodac. Activity Report

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION STAFF WORKING DOCUMENT. Annex to the

The EU Passenger Name Record System and Human Rights

COMMISSION OF THE EUROPEAN COMMUNITIES

Proposal for a COUNCIL DECISION

1. Why do third-country audit entities have to register with authorities in Member States?

Police and judicial cooperation in criminal matters (slides)

6153/1/18 REV 1 VH/np 1 DGD2

13380/10 MM/GG/cr 1 DG H 1 A

4. Future of Schengen

PERSONAL DATA PROTECTION PRIVACY INFORMATION FOR THE CITIZENS ON THE RIGHT TO PERSONAL DATA PROTECTION

ACTIVITY REPORT

LEGISLATIVE ACTS AND OTHER INSTRUMENTS Subject : Council Directive on the obligation of carriers to communicate passenger data

EXECUTIVE SUMMARY. 3 P a g e

COMP Article 1. Article 1 Subject matter and objectives

2. The table in the Annex outlines the declarations received by the General Secretariat of the Council and their status to date.

What is The European Union?

ACTS ADOPTED UNDER TITLE VI OF THE EU TREATY

COMMISSION IMPLEMENTING DECISION. of

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Opinion of the European Data Protection Supervisor

Opinion of the Joint Supervisory Body of Eurojust regarding data protection in the proposed new Eurojust legal framework

Council of the European Union Brussels, 27 February 2015 (OR. en)

EU update (including the Green Paper on the Presumption of Innocence) ECBA Conference, Edinburgh April 2006


The EU Visa Code will apply from 5 April 2010

COMMISSION IMPLEMENTING DECISION. of

Statewatch briefing on the European Evidence Warrant to the European Parliament

ARTICLE 29 Data Protection Working Party

The Right to Data Protection and the Commissions Adequacy Decision

COMMISSION STAFF WORKING DOCUMENT

8193/11 GL/mkl 1 DG C I

Table of contents United Nations... 17

ARTICLE 29 DATA PROTECTION WORKING PARTY WORKING PARTY ON POLICE AND JUSTICE

Data protection and privacy aspects of cross-border access to electronic evidence

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 78(3) thereof,

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

HIGH-LEVEL DECLARATION

Council of the European Union Brussels, 8 February 2016 (OR. en)

The Rights of Notification after Surveillance is over: Ready for Recognition?

NOTE from : Governing Board of the European Police College Article 36 Committee/COREPER/Council Subject : CEPOL annual work programme for 2002

Lead Department Ref. Date of Publication Decision Ministry of 14722/09 20/10/2009 Did not opt in: Link to Written Ministerial Statement

Identification of the respondent: Fields marked with * are mandatory.

Transitional Measures concerning the Schengen acquis for the states of the last accession: the cases of Bulgaria and Romania.

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Introduction. The European Arrest Warrant Act 2003 The European Arrest Warrant Act 2003 came into operation on 1 January 2004.

Council of the European Union Brussels, 13 November 2017 (OR. en)

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

The European Union Agency for Fundamental Rights (FRA)

6310/1/16 REV 1 BM/cr 1 DG D 1 A

RESTREINT UE. COMMISSION EUROPÉENNE Secrétariat général COM(2010) 252/2 Annexe au document COM(2010) 252 PO/2010/3091 RESTREINT UE

DGD 1 EUROPEAN UNION. Brussels, 22 February 2017 (OR. en) 2015/0307 (COD) PE-CONS 55/16 FRONT 484 VISA 393 SIRIS 169 COMIX 815 CODEC 1854

Transcription:

Data protection, the fight against terrorism & EU external relations Data protection, the fight against terrorism & EU external relations Paul De Hert (Tilburg & Brussels) Brussels, 7 November 2007

Table of content What is data protection? Why was is necessary? Beginnings of Data Protection Development of International Data Protection Data Protection under the Third Pillar External relations under First Pillar External relations under Third Pillar

Preliminary remark I relied for some of the conclusions on the insights gained after having listened to Diana Alonso Blas, LL.M., Data Protection Officer,Eurojust, First Pillar and Third Pillar: Need for a common approach? International Conference Reinventing Data Protection, 12 and 13 October 2007, Brussels

This is data protection Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data that has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority. = Article 8 of the EU Fundamental rights Charter

Why data protection? Article 8 ECHR does not apply to the private sector. The right to a private life would not necessarily include all personal data, and so there was the question of whether a large proportion of data would be sufficiently safeguarded. The right of access to data on oneself was not covered by the concept of the right to privacy as expressed in Article 8

Beginnings of data protection 1960s: USA, two major reasons: 1.) Technical progress based on the development of computers 2.) Socio-political reason, raising fear of governmental surveillance Big brother Similar development in Europe 1970 1981 1970: First law on data protection was enacted by the German Federal State of Hessen (07.10.1970). Sweden (1973), Germany (1976), France (1978), Denmark (1978), Norway (1978), Austria (1978) and Luxembourg (1979) introduced national legislation on data protection No role model as basis but had to be innovative in their own right

Beginnings of data protection (continuation) 1981 Council of Europe: Convention for the Protection of Individuals with regard to automatic processing of personal data (entry into force 1985) First internationally binding instrument on data protection, important point of orientation for the subsequent national data protection laws In the following years, data protection legislation was enacted by Finland (1987), The Netherlands (1988), Portugal (1991), Spain (1992), Belgium (1992), Italy and Greece

European Data Protection (general) Convention no. 108, January 28, 1981 Directive 95/46/EC of 24 October 1995 Directive 97/66/EC and 2002/58/EC Regulation (EC) No 45/2001 processing by Community institutions of 18 December 2000 Charter of Fundamental Rights of 7 December 2000 of the European Union, Treaty establishing a Constitution for Europe (2002) Right to data protection (Art. I-51)

International Data Protection (general) From 1948 privacy rights in various national and regional human rights bills From 1970 on data protection laws at national level 1980 OECD: Guidelines on the Protection of Privacy and Transborder Flows of Personal Data Non-binding, orientation 1990 UN: Guidelines concerning computerized personal data. Guidelines for orientation, procedure left to the initiative of each state

Scope of European data protection re JHA 1995 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data First and major First Pillar instrument regulating the processing of personal data Not applicable to the processing of data in the course of an activity which falls outside the scope of Community law (Art. 3 (2) => Second and Third Pillar applied by some MS, in some respects, to law enforcement as well ECJ view (PNR judgment 30-05 05-2006)

End of the world? Article 8 ECHR applies to processing by all public authorities, incl JHA Council of Europe Convention 108 (1981), ratified presently by 38 countries and signed by another 5 also applies to JHA Article 3 Convention 108: The Parties undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors.

But, is Convention 108 enough? Convention 108 is quite general: it contains principles, not detailed regulation 1987 Council of Europe: Recommendation No. R (87) 15 regulating the use of personal data in the police sector Non-binding, orientation, very old and no willingness to renew them For 1 st pillar the EU built on Convention to go further in Directive 95/45/EC Recital (11) of preamble: Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;

First JHA option: specific data protection rules 1985 Schengen Agreement and 1990 Convention implementing the Schengen Agreement of 14 June 1985 Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework Council Act of 26 July 1995 drawing up the Convention on the establishment of a European Police Office (Europol Convention. The Europol Convention was ratified by all Member States and came into force on 1 October 1998. Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ C 197, 12.07.200: general context of judicial cooperation and some data protection (infra)

Option 1 (continuation) Council Decision of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime. Rules of procedure on the processing and protection of personal data, adopted by Council on 24/2/2005 (containing main principles Directive but also very detailed rules, tailored made to Eurojust tasks and purposes) Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework May 2005: Treaty of Prüm (Schengen III Agreement ) Extended information exchange outside the EU framework

Strength of option 1: Europol example In Covention detailed rules on the use of data: Clear understanding of intelligence risks to data protection lacking in Recommendation no (87) 15 by use of different information tools in particular distinction betweenn Europol Information System (IS), (Criminal Intelligence database) and the Analysis Work Files (AWF) (Analysis of operational data) Mandate restrictions & consultation Ownership National Law to be respected Communication with third states and third bodies Right of access limited in certain cases for non involved member states Correction / deletion of data Time-limits storage / deletion of data Security Control mechanisms: see next slide

Control mechanisms in Europol Europol internal audit National Supervisory Body (Art. 23 Convention) Each MS - Designates an NSB Monitors input independently Personal data Joint Supervisory Body (Art. 24 Convention) Ensures individual rights are not violated by data stored at Europol

Risks of option 1: the Prum example Signed in Prüm & Ratified by the national parliaments of the seven participating states - Germany, Spain, France, Luxembourg, Netherlands, Austria and Belgium and now extended to all EU MS Not part of the Schengen treaty nor the Schengen acquis Integration is planned to take place, at the latest, three years after the entry into force of the Based on so-called "principle of availability" : the right of access to the databases/registers of the participating states and gives the requesting state the possibility to ask for more information/intelligence. Data exchange (Article 1-16) 16) see next slide Sky marshals (Article 17-18) 18) Fighting illegal migration (Chapter 4) Joint Interventions (Chapter 5)

Data exchange in Prüm DNA profiles All participating states have to set up DNA profile databanks and exchange dna profiles Fingerprint data The treaty allows, where a specific person is identified, access to the finger-print databases of the participating states and the automatic comparison of fingerprints, not only for reasons of criminal prosecution but also for "prevention". Same hit system for additional information Vehicle databases can be accessed for criminal prosecutions and for reasons of preventing dangers for public security and order, ie including supposed threats to public order. Online access will be carried out according to the law of the requesting state. Political demonstrations and other mass events (Articles 13-15) 15) For reasons of prosecution and prevention of offences and for the prevention of dangers to public security and order, personal and non personal data can be passed on - following a request or without request, ie. at the own initiative of a state. Information exchange to prevent terrorist attacks (art. 16) Data and intelligence: names and further personal identity plus the reason will; be sent out across the network, with or without a prior request.

Institutional and Data protection problems with Prüm OK: purposes are definied; competent authorities are defined; duty to see that data is correct and up to date;technical safeguards to guarantee secrecy; rights for the persons concerned Not OK: making terrorism, organised crime and illegal immigrants one affair; broad categories: why?; creating more power by centralising data; Certainly not OK: no supranational supervision: need for a FD data protection: Court of Justice, 31 January 2006 (c-503/03)

Reason 1 for other (second) JHA option: general data protection rules: new needs for JHA cooperation Cooperation in police and judicial criminal matters increases and is gradually build on new concepts that challenge data protection June 2004: Draft Framework Decision on simplifying the exchange of information and intelligence between law enforcement agencies of the member states of the EU, in particular as regards serious offences including terrorist acts (Swedish Initiative) Setting time limits to answer requests of information Removing discrimination between national and intra-eu exchange of data accessible by police in at least one Member State

new needs for JHA cooperation (continuation) January 2005: White Paper on exchanges of information on convictions and the effect of such convictions in the EU Nov. 2005: Council Decision on the exchange of information extracted from the criminal record Dec. 2005: Proposal for a Framework Decision on the organisation and content of the exchange of information extracted from criminal records between Member States October 2005: : Proposal for a Council Framework Decision on the exchange of information under the principle of availability Information available to law enforcement authorities in one Member State be made accessible for equivalent authorities in other Member States

Reason 2 Difficulties of determining whether the processing and transfering of personal data falls under the First or Third pillar, e.g. US demand for Passenger Name Records to private air companies Commission acts on basis of first pillar Commission: Regulation for transfer of passenger data by private airlines = rules for harmonisation of the Internal Market EP problem with privacy and problem with choice of pillar ECJ 30 May 2006 Data transfer motivated by concerns of public safety and = Third Pillar Institutional consequences? Data protection consequences? Council Decision 2007/551/CFSP/JHA. of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement) Swift?

A second JHA option: general data protection rules October 2005: Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters Clear gap in data protection regulation at EU Third Pillar level Directive 95/46/EC is not applicable and Neither the 95/46/EC Directive nor the 1981Convention take account of the specific characteristics of the exchange of data by police and judicial authorities But data protection of fundamental significance To redress this imbalance, the Commission adopted a complementary Proposal for a Council Framework Decision Intends to provide a comprehensive protection scheme for personal data in the in the field of Justice and Home Affairs. It also supplements multilateral efforts like the Treaty of Prüm.

However: many controversies re the scope of the Framework Decision security v privacy and its consequence for the data protection principles limitations to the principle of availability within and outside the EU Schengen JSA, Europol JSB, the Eurojust JSA and the CIS JSA

The March 2007 German Presidency s Proposal general rules on the lawfulness of processing of personal data, provisions concerning specific forms of processing, rights of the data subject, confidentiality and security of processing, judicial remedies, liability, sanctions, national supervisory authorities, and the transfer to third states. exchange of data between Member States, thus excluding data processing at a domestic level applies to Europol, Eurojust and the Third Pillar Customs Information System whereas authorities or other offices dealing specifically with matters of national security are explicitly excluded from its scope (Article 3 II),

continuation Fusing of Schengen JSA, Europol JSB, CIS JSA into a single data protection supervisory authority, merging with it the advisory working party provided for in the earlier draft. exchange of data with third states. FD is without prejudice to any obligations and commitments incumbent upon Member States or upon the European Union by virtue of bilateral and/or multilateral agreements with third States. personal data received from or made available by the competent authority of another Member State may be transferred to third States or international bodies only if the competent authority of the Member States which transmitted the data has given its consent to transfer in compliance with its national law.

Where are we now? Discussion on FD on DP in 3 rd pillar shows little willingness of Member States to achieve a harmonised level of DP going further than CoE Convention. In fact: Text under discussion is agreement of minimums (lower common denominator), partly because of unanimity requirement Scope reduced to cross-border exchange of personal data (and does not affect existing bilateral agreements ) Many exceptions included and some important issues missing Doubts as to whether the text is even compliant with Convention 108 and additional protocol (see also EDPS opinions + press release of 20/9/07) Eurojust/Europol/Schengen DP rules go much further than proposed text (after several formal motivated requests, happily excluded from scope of application)

Diana Alonso Blas (Brussels) Convention 108 offers a basic common approach that needs to be fully respected Any new instrument should respect CoE convention + basic principles Directive Not in favour of detailed overall instrument covering all pillars, not even the whole third pillar. Specificities of police and judicial work need to be taken into account (need for very clear and specific tailored made rules for the diverse third pillar areas). An overall instrument would have to be relatively general but, if it has to have any added-value, it should go further than CoE convention.

Future: (Draft) Reform Treaty End of pillar structure But this does not imply automatic application of Directive to everything Sectoral declaration on DP in police and judicial cooperation in criminal matters foreseen

Data protection & External relations under First Pillar Member States shall provide that the transfer to a third country of personal data only if, the third country in question ensures an adequate level of protection (Art. 25.1 Directive 95/46/EC). Article 25 also contains the procedure to determine whether there is an adequate regime. Commission, not the Member States, has the last say in the procedure

Data protection & External relations under Third Pillar Discussion: need to copy adequacy idea in JHA? 2001 Additional Protocol to the 1981 Council of Europe Convention introduces principle re transfer of data across national borders: Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer (Additional Protocol, Article 2.1).

How is it happening now? This could be answered discussing the following examples Eu 2000 Convention on Mutual Assistance in Criminal Matters Europol Pnr Swift

Article 23 EU 2000 Convention on Mutual Assistance in Criminal Matters first supranational rules establishing data protection requirements for the judiciary in their cross border activities even though they are very flexible and have clearly not the purpose of limiting the work of the judiciary. No requirement of adequacy According to Article 23, personal data communicated under the Convention may be used by the Member State to which they have been transferred: (a) for the purpose of proceedings to which the Convention applies; (b) for other judicial and administrative proceedings directly related to them; (c) for preventing an immediate and serious threat to public security; (d) for any other purpose, only with the prior consent of the communicating Member State, unless the Member State concerned has obtained the consent of the data subject

Europol co-operation operation with third parties Types of agreements: Operational agreement Includes the exchange of personal data (secure link in place) Strategic / Technical agreement Does not allow exchange of personal data

Europol Operational Agreements Includes the exchange of personal data Norway Iceland Switzerland Bulgaria Romania Croatia Canada USA Federal Bureau of Investigation (FBI) & United States Secret Service (USSS Eurojust Interpol

Europol Strategic / Technical Agreements Does not allow exchange of personal data European Commission (EC) European Central Bank (ECB) European Monitoring Centre for Drugs and Drug Addiction European Anti-Fraud Office (OLAF) United Nations Office on Drugs and Crime (UNODC) World Customs Organisation (WCO) Colombia Russia Turkey

External relation in the FD data protection? Commission October 2005 proposal sets up system similar to Directive 95/45 German Presidency Draft march 2007: nothing! Preamble personal data are transferred from a Member State of the European Union to third countries or international bodies, these data should, in principle, benefit from an adequate level of protection

Conclusion Pros and Contras option 1 or 2 re data protection are hard to assess, But: Whereas a European approach, based on the adequacy principle, is followed in the First Pillar, this is not the case for the Third Pillar. Though there may be arguments against such a European approach in the area of JHA my examples, including the Europol, PNR and Swift cases, learn that the absence of such a European approach can cause problems. Without ignoring the benefits and arguments in favour of tailor-made regulations, I conclude that the example of Europol dealing with third countries, and of PNR and Swift, in part illustrated the lack of credibility of the current EU data protection system. Having to deal with externalities such as powerful third countries (in particular the U.S.) that do not always consult the EU officials when collecting European data or data in (some) EU Member States, it would be beneficial to develop a general framework for data protection in the Third Pillar and for transfers of data to Third Parties with clear rules and responsibilities and a well-defined role for the EU institutions that live up to the European dimension behind cases such as PNR and Swift. Contrary to Blas, I agree with Poullet that a uniform set of data protection standards applicable to all pillars would be desirable

Thank you for your attention!

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback