Data protection authorities call for a strict EU-US privacy agreement

By EDRi · December 1, 2010

This article is also available in:
Deutsch: [WP29 fordert strenges EU-US Datenschutz-Abkommen | http://www.unwatched.org/node/2390]

As the European Commission prepares to conclude a deal with the US on the
protection of personal data exchanged in police and criminal justice
cooperation matters, the European privacy watchdogs call for a strict and
clear privacy agreement.

Article 29 Data Protection Working Party (WP) sent a letter on 18 November
2010 to the three European main institutions (Council, Commission and
Parliament) expressing its concerns for not having been consulted on the
development of the discussion within the Council and European Parliament
over the draft negotiation mandate presented by the European Commission on
25 May 2010, voicing certain concerns and giving its recommendations.

Referring to the agreement as “an umbrella agreement” that should cover all
existing and future deals between the EU and the US and any other state as
well as between EU member states, the WP emphasizes the fact that it should
comply with the EU data protection framework including the Charter of Human
Rights.

WP recommends that the agreement be widely applicable for a
“coherent and high level of data protection” and a clear purpose limitation
be imposed. “This means the agreement should be applicable to all
transfers of personal data to prevent, detect, investigate and prosecute
serious transnational crime and terrorist acts. This purpose should be
clearly defined by the agreement, preferably including a definition of ‘law
enforcement purposes'”.

In the WP’s opinion, a national security exception for the transfer of data
concerning “essential national security interests and specific intelligence
activities in the field of national security” should not be considered.

Furthermore, the WP urges the Commission to obtain the retroactive
application of the future agreement to cover “all existing multilateral and
bilateral agreements between the EU and/or its Member States and the US,
unless the current level of data protection is higher than the level of
protection offered by the EU-US general agreement.” A maximum 3-year
transition period could be acceptable.

Having in view the privacy issues raised by the TFTP II Agreement (so called
SWIFT) allowing the US to obtain access to information on international bank
transfers, the WP stresses the need for data protection safeguards in
the future agreement, including “full, effective and enforceable rights for
all individuals, including both administrative and judicial redress, and
limitations to bulk transfers.”

On 24 November, LIBE (Civil Liberties, Justice and Home Affairs) Committee
of the European Parliament Chairman also sent a letter to the EU Council on
the future EU-US agreement regarding the protection of personal data that
are transferred and processed in the framework of police and judicial
cooperation in criminal matters.

The letter reiterates the support of the European Parliament for the data
protection agreement draft mandate and reminds the urgent need of such an
agreement between the EU and US that should cover personal data exchanges as
well as an “early start to negotiations on enforceable data protection
rights” in compliance with the EU Charter of Fundamental Rights and EU Data
Protection Directive.

LIBE held on 25 October 2010 a public hearing on Data Protection in a
Transatlantic Perspective – Future EU-US data protection agreement in the
framework of police and judicial cooperation in criminal matters – with MEP
Sophia In’t Veld as chairperson.

While the US Ambassador to the EU assured that the US believed both parties
had to “safeguard their citizens’ security to the same degree to which they
protect their liberties” and there was “no need to sacrifice privacy for
security”, he showed concern that the proposed mandate might “jeopardize the
several hundred treaties, agreements, conventions, and arrangements
underpinning every facet of Europe’s and the United States’ robust
cooperation in justice and law enforcement” and believed that a
retrospective application of the mandate would create “confusion among the
law enforcement and legal authorities.”

One of the most important interventions was that of Mr Rotenberg’s from EPIC
(Electronic Privacy Information Center) who pointed out that in the US,
personal data is often “used for inappropriate purposes, there is no
transparency and rights are violated”. In his opinion, the US data
protection laws should be amended. The Privacy Act of 1974, which refers
to the collection of personal data by the US federal agencies, does not
include non-US citizens or non lawful permanent residents. Also the Patriot
Act “has reduced the privacy standards for US and non-US citizens limiting
at the same time the power of the courts’ authority in the matter.”

Rotenberg considers that the data protection agreement could bring global
benefits influencing other countries in adopting stronger privacy acts to
protect the transfer of personal data.

Dr. Patrick Breyer from the German Working Group on Data Retention was very
firm in stating that the transfer of personal data to the US created the
risk of a violation of human rights and that no agreement could eliminate
that risk. However, an international agreement with the US could improve the
present situation if applied “exclusively to the information sharing that is
taking place under existing agreements, thus reducing the amount of
information shared and providing for more safeguards”.

The negotiating mandate for the beginning of the talks between the European
Commission and the US is expected to be adopted at the Justice and Home
Affairs Council on 3 December 2010.

Article 29 Data protection working party – Data protection
authorities call for strict general privacy agreement with United States
(19.11.2010)
http://ec.europa.eu/justice/policies/privacy/news/docs/pr_19_11_10_en.pdf

Article 29 Data protection working party Letter to Vice-President Viviane
Reding Commissioner for Justice, Fundamental
Rights and Citizenship European Commission on EU-US General Agreement
(19.11.2010)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/others/2010_11_19_letter_art29wp_commissioner_reding_agreement_eu_us_en.pdf

EP LIBE – Future EU-US data protection agreement in the framework of police
and judicial cooperation in criminal matters (25/10/2010)
http://www.statewatch.org/news/2010/nov/ep-report-on-eu-usa-data-transfer-hearing-25-10-10.pdf

Letter of the Committee of Civil Liberties, Justice and Home Affairs
Chairman on the future EU-US agreement on the protection of personal data to
Stefaan De Clerck of the EU Council (24.11.2010)
http://www.statewatch.org/news/2010/nov/ep-libe-eu-usa-agreement-letter-to-council.pdf