Main data protection concerns with the EU policy developments in 2007

By EDRi · January 30, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The Lisbon Treaty was signed in December 2007. Notwithstanding the
many critics raised by this Treaty, the text, when ratified by all
member States, will bring two major improvements to the EU and its
citizens. First, the Charter of Fundamental Rights of the European
Union will become part of the Community acquis, including its
articles 7 (Respect for private and family life) and 8 (Protection of
personal data). Secondly, the Treaty will allow the accession of the EU
to the European Convention on Human Rights and, hence, will give EU
citizens the possibility of being protected against abuses of their
human rights by EU institutions. This improvement would be much
welcome, especially – though not exclusively – considering the
current inadequacy of data protection under third pillar (justice and
home affairs). But 2007 has also brought its share of concerns
regarding privacy and personal data protection developments at the EU
level. Besides the SWIFT scandal allowing the access by the USA to
the European financial transactions, the case of the Google-
Doubleclick merger currently under investigation by the European
Commission (although mainly regarding competition issues), the
continuous concerns related to data retention by search engines, most
notably Google, even though the company announced a slight reduction
of the data retention duration, and the development of RFID chips,
main concerns with the European Union policy in 2007 are related to
PNR data, biometric and genetic data sharing and the still inadequate
level of data protection under third pillar.

“All governments have the duty to protect their citizens from the
terrorist threat, but the response should be lawful, intelligent and
effective”, the Secretary General of the Council of Europe stated, on
the occasion of the Data Protection Day. “I am concerned that some of
the recent arrangements for data exchange, which were introduced at
the insistence of the US Government, fail to meet these criteria”, he
opportunely added.

a. Passengers name records (PNR)

In June 2007, a final agreement was reached between EU and USA on
European PNR (Passengers Name Records) data, 4 years after the USA
and the EC – illegally – agreed to give the US custom officials
direct access to the personal data of passengers flying to, from and
through the United States. It took a lot of protest campaigns, like
the one initiated by EDRI in May 2003, fierce criticism from the
European Parliament and the Article 29 Group, and an annulment by the
European Court of Justice, to finally get to this point. The
agreement reduced the dataset from 34 to 19 pieces including name,
contact information, payment details, travel agency, itinerary and
baggage information, but excluding sensitive data such as ethnicity.
The data may be kept during a total period of 15 years. It was
claimed that for the first time, EU citizens will also be covered by
the US Privacy Act which means they can enforce their rights in US
courts. However, only 3 months after this agreement, the US
government announced some changes in its Privacy Act that give
exemptions from responding to requests for personal information held
to DHS (Department of Homeland Security) and ATS (Automated Targeting
System). The agreement received harsh criticism from the EU Parliament,
Article 29 Working Group, and the European data protection supervisor

Later in the year, the EU announced its project of creating its own
European PNR system. The plan, put forward in November by the EC, is
similar to the EU-US agreement. The EU will have to collect 19 pieces
of personal data on air passengers coming into and leaving the EU
space, including phone number, e-mail address, travel agent, full
itinerary, billing data and baggage information. The information will
be collected in analysis units that will make a “risk assessment” of
the traveller, which could lead to the questioning or even refusal of
the entry. The data is to be kept for five years and then another
eight years in a “dormant” database. This plan has already been
criticized by the Parliament, the Article 29 Group and the EDPS, but
will certainly see major developments in 2008. Some member States
have already adopted such measures at national level.

b. Biometric and genetic data sharing

The European Visa Information System (VIS) will probably be the
biggest biometric database in the world. VIS will store data on up to
70 million people concerning visas for visits to or transit through
the Schengen area. This data will include biometrics (photographs and
fingerprints) and written information such as the name, address and
occupation of the applicant, date and place of the application, and
any decision taken by the Member State responsible to issue, refuse,
annul, revoke or extend the visa. Citizens of more than 100 countries
need a visa to enter the EU. Latest discussions of end 2007 were only
debating issues related to maximum age at which children should be exempted
from having their 10 fingerprints taken: the Parliament says 12, the Council
wants 5.

But the EU also wants to store and share biometric data of EU
citizens and residents, beyond the data to be gathered through
biometric passports and ID cards. In June 2007, it has been agreed
that the Prüm Treaty, originally signed by 7 EU countries in May
2005, will be included in EU legislation with very little
modifications. The decision creates the largest pan-European network
of police databases, sharing DNA profiles, fingerprints and other
personal and non personal data. The agreement has not taken into
account the advice from the EDPS, who published in December 2007 an
opinion on the implementation of this agreement.

c. Inadequate data protection under third pillar

As the data processed and shared by police and judicial authorities
increase, the need for adequate personal data protection rules under
third pillar becomes more and more urgent. A draft Council Framework
Decision on the protection of personal data processed in the
framework of police and judicial co-operation in criminal matters has
been proposed by the EC since October 2005, but is still pending,
despite the numerous EDPS opinions in this regard. According to the
EDPS, the current draft of December 2007 provides only minimal
harmonization and guarantees, and would only be applicable to
personal data exchanged with other Member States and not to the
domestic data processing.

EDRI page on biometrics

EDRI page on PNR

EDRI page on privacy

EDPS Opinions

Article 29 Working Group

(Contribution by Meryem Marzouki, EDRI member IRIS – France)