Commission prepares for US data-sharing talks

On both sides of the Atlantic there is a desire to set out the principles for data protection when sharing data, but finding common ground could be an arduous task.

At the end of this month, the European Commission is going to adopt a mandate for negotiations with the United States on a new framework agreement on data sharing. The move, linked to a common desire to boost law enforcement, is a response to the Stockholm programme on justice, freedom and security, which invited the Commission to make proposals on an agreement on data protection and, where necessary, data sharing. 

Predictions vary widely about how fast an agreement will emerge. Just a few months, say those who see that both sides are eager to conclude the agreement and that the principles to be enshrined in the document are settled. Lengthy and difficult discussions, say those who believe that that a rushed deal could be worse than no deal.

The agreement will set out principles of data protection that are to apply to all data shared between bodies in the EU and the US for the purpose of law enforcement – but that is where the trouble begins.

Unworkable solutions?

“I see a lot of problems developing from a lack of rigour in defining the term ‘law enforcement’,” says Peter Hustinx, the European data protection supervisor: “If we do not define what the stakes are, then we end up with unworkable solutions.”

If the agreement applies to all exchanges of data in the field of freedom, security and justice, it would guarantee the application of sound protection principles in this wide area that also includes customs, immigration and intelligence. The danger that Hustinx points to, however, is that a variety of agencies could gain access to large databases, such as Eurodac, an EU-wide system containing the fingerprints of asylum-seekers, without a clearly defined purpose.

PNR and SWIFT

Another difficulty is that the framework agreement will need to be consistent with the principles governing the exchange of passenger name records (PNR) and bank-transfer data (SWIFT), even though agreements on these two issues are likely to be approved long before the framework agreement can be concluded. This carries the risk that the SWIFT agreement will lay down principles for information exchange before the implications for other areas of transatlantic (and, indeed, international) co-operation have been properly assessed.

Fact File

THE 12 EU-US PRINCIPLES

Purpose specification/purpose limitation
Integrity/data quality
Relevant and necessary/proportionality
Information security
Special categories of personal information (sensitive data)
Accountability
Independent and effective oversight
Individual access and rectification
Transparency and notice
Redress
Automated individual decisions
Restrictions on onward transfers to third countries

Click Here: cheap Cowboys jersey

“In order to ensure legal certainty, the principles enshrined in a binding agreement should apply not only to all future agreements, but also to existing agreements, including bilateral agreements between member states and the US,” Hustinx wrote in his contribution to a consultation on the framework agreement in March.

MEPs are advocating a twin-track approach, to get the SWIFT agreement concluded as quickly as possible, so that the data flow to the US can resume, but to revisit and re-adjust the arrangements, if necessary, once the framework agreement has been adopted.

The negotiations come at a time when the EU is also overhauling its data protection architecture to make it more responsive to the challenges posed by new technologies and to adapt it to the requirements of the Lisbon treaty. “For a long time, there have been discussions about the United States not meeting EU standards,” Hustinx says. “I have my worries about EU standards remaining relevant.”

High-level contact group

The idea of a framework agreement to lay down a common privacy framework for information-sharing emerged from the work of a high-level contact group tasked with finding common ground between the privacy traditions and legal protections on both sides of the Atlantic.

In May 2008, it issued its final report, but continued work on the question of redress, which had remained unresolved since the US does not provide unlimited judicial redress to an individual independently of that person’s nationality or place of residence. Last October, the group concluded its work with a text outlining the commonalities on redress, bringing to 12 the number of principles on which broad agreement exists (see box). The issue of redress is, however, likely to prove tricky in the negotiations. In early April, after Viviane Reding, the European commissioner for justie, met US officials in Madrid to discuss data-sharing, she said that they understood “fully” the concerns of citizens and MEPs regarding data protection and the need to provide access to judicial redress.

The coming months will show whether that understanding translates into a willingness to find a compromise. Recent comments by Janet Napolitano, the US secretary for homeland security, were not totally reassuring on that count. “Our priorities should be substantive outcomes rather than specific procedural protections,” Napolitano said. This will worry many Europeans, who believe that the specific procedural protections ought to be at the heart of the framework agreement.