Data Protection and Justice and Home Affairs The United States - Member States counterterrorism cooperation and the European data protection standards Prof. Paul De Hert, LSTS - VRIJE UNIVERSITEIT BRUSSEL January 14, 2019
1. CoE data protection law Article 8 ECHR Convention No. 108 and its Additional Protocol Recommendation No. R (87) 15 Regulating the Use of Personal Data in the Police Sector January 14, 2019
1. Article 8 ECHR 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. The ECHR does not explicitly mention the protection of personal data. However The ECtHR case law recognises that the right to data protection is encompassed in Art. 8 ECHR: Z v. Finland, M.S. v. Sweden (1987): “The protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by article 8 ECHR”. January 14, 2019
2. Convention No. 108 and its Additional Protocol First data protection text Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981 (“Convention 108”) Data Protection Principles Lawfulness Purposes limitation Proportionality Accurate, update Data retention Individuals rights and data collector duties the confidentiality of sensitive data, information of the data subject, his/her right to access, rectification, etc. Additional protocol 2001 adds the “adequacy requirement” for Transborder dataflow between Contracting Party to the Convention and third countries January 14, 2019
3. Recommendation No. R (87) 15 regulating the Use of Personal Data in the Police Sector Scope: balance between the prevention and suppression of criminal offences, the maintenance of public order (state interest) and the respect of the privacy of citizens (individual interest) Soft Law - Guidelines for states: “Each country should establish an independent supervisory body outside the police sector.” “The collection of personal data for police purposes should be limited to such as is necessary for the prevention of a real danger or the suppression of a specific criminal offence” . The process of sensitive data by the police is allowed if the collection is "absolutely necessary for the purposes of a particular inquiry". January 14, 2019
2. EU Primary Law Standards Pre-Lisbon: the Protection to the personal data right and its delayed in the police and judicial cooperation policies The new Article 16 TFEU The inclusion of the Judicial and Police Cooperation in the TFEU January 14, 2019
1. Pre-Lisbon Maastricht Treaty: pillar division structure First pillar: European Community (EC) Legal Basis: Art. 95 and 286 ECT Co-decision procedure (Plmt&Council) Data protection text: Directive 95/46/EC Second pillar: Common Foreign and Security Policy (CFSP) No legal basis and no DP text Third pillar: Police and Judicial Cooperation in Criminal matter (PJCC) Legal basis: Art. 30.1.b TEU intergovernmental cooperation method (EU Plmt is only consulted) Data Protection text: Decision Framework 2008/977/JHA January 14, 2019
The new Article 16 TFEU (Lisbon) Abolition of former pillars and entry of the personal data protection within the Union’s competences: Art.16 TFEU “Everyone has the right to the protection of personal data concerning them”. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. = The recognition of data protection as an autonomous fundamental right with full legal validity as part of primary EU law = An unique legal basis for former first pillar (community matters) and third pillar (police and judicial cooperation in criminal matters) co-decision procedure January 14, 2019
The inclusion of the Judicial and Police Cooperation in the TFEU Activities of the former third pillar, the Police Cooperation and the Judicial Cooperation pass under the Title V. Area of Freedom, Security and Justice in the TFEU Article 16 TFEU applies Co-decision procedure (Plmt&Council) full judicial review of the ECJ Article 218(6): the adoption of international cooperation agreements dealing with personal data protection (Data Sharing Agreements with third States) are subjected to the consent of the Parliament. January 14, 2019
3. The Framework Directive 2008/977/JHA Adoption, purpose and scope Adopted under 2nd pillar after 9/11 = pro-security context The data protection reference text for the judicial and police cooperation area in criminal matter (// Dir.95/46 general and commercial matter) Apply to European and International cross-border data contexts Do not apply: to domestic processing and domestic transfers to already existing agreements between Member States or between the EU and third States to law enforcement authorities (Europol, Eurojust) and exchange systems (CIS, SIS) already governed by specific-sector instruments January 14, 2019
3. The Framework Directive 2008/977/JHA The principles governing Data Transfers to third States and International bodies Processing = General Data Protection Principles (lawfulness, purposes limitation, proportionality, accurate and update) + Transfer = Article 13§1: Member States must assess the data protection legal framework of the third state and verify that it provides an adequate level of protection compared to the European Data Protection standards = ADEQUACY PRINCIPLE Adequate third state may send data Not adequate third state must adopt additional DP safeguards Transfer must be necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; The receiving authority must be a law enforcement authority The Member State from which the data were obtained has given its consent to transfer January 14, 2019
4.The Proposal for Directive Scope Applies to both purely domestic and cross-border data processing operated in the context of police and judicial cooperation Applies to existing legal instruments between EU Member States they shall be renegotiated and amended if they do not include appropriate safeguards Transfer to third states The adequacy principle Commission may make “some adequacy determinations” = common interpretation about which are the adequate third states A system of direct verification by independent authorities Effective and dissuasive sanctions January 14, 2019
5. Transatlantic relations & data sharing cooperation US-EU Post 9/11: counterterrorism measures conclusion of bilateral and multilateral data sharing agreements allowing the transfer of massive personal data about the 508 000 EU citizen’s towards the US via law enforcement (Europol, Eurojust, FBI, Interpol) and intelligence agencies (CIA, NSA) channels US-EU Mutual legal assistance Agreement US-EU Agreement on Extradition US-Europol US-Eurojust PNR Agreements SWIFT Agreement Main Criticism: in their negotiation, the EU and EU institutions did not live up to impose their own European data protection principles agreements not in compliance with EU DP standards January 14, 2019
6. The Visa Waiver Program (VWP) and the data sharing agreements to Prevent and Combat Serious Crime (PCSC) US-MS VWP: allows nationals of 37 designated countries, including 23 EU Member States, to travel to the United States without having a visa (only a valid Electronic System for Travel Authorization (ESTA)) for business, transit or travel purposes for up to 90 days. Creates economic and political benefits between US and “VWP states” After 9/11 US government decides to impose new requirements to be part or remain VWP States: amongst them, the conclusion of a Preventing and Combating Serious Crime Agreement (PCSC) January 14, 2019
7. The PCSC or “Prüm-like Treaties” PCSC or “Prum like Treaties” Objective: “sharing agreements aiming to fight against terrorism and serious cross-border crime” Content Similar to the Prüm Treaty but with less safeguards and with a non–EU State (not subjected to the same DP legal standards) Vague and broad concepts (ex: National contact point) categories of sensitive data may be transferred to the other Party if it is relevant to the purpose of the agreement (strictly necessity requirement ?) NO independent supervisory data protection Member States have pushed aside their own data protection standards January 14, 2019
8. EU-US General Data Protection Agreement: Solution? Under the suggestion of the High Level Contact Group (manage the discussions on privacy and personal data protection between the EU and the US in the context of the exchange of information), the EU Plmt & EU Com include in the reform DP package a General data Protection Transatlantic Agreement Umbrella agreement: a lex generalis for all future bilateral or multilateral data sharing agreements signed between the US and the EU institutions, its agencies, bodies, and Member States based on 12 “common principles” a list of the incompatibility points has been dressed and will serve to draft the future agreement EU Com and Art 29WP supports the introduction of a Retroactivity Principle existing (multilateral and bilateral) data sharing agreements applicable in criminal matters such as the US-EU institutions agreements and PCSC agreements will be re-examined in the light of the new data protection standards encompassed in the general agreement.
Thank you January 14, 2019