
The changes are contained in a framework decision proposed by
the Presidency to the European Commission designed to outline the
protections citizens can expect when their personal data is handled
by police and judicial authorities. The agreement augments the Data
Protection Directive 95/46/EC and deals with the so-called "third
pillar", which relates to law and order matters.
The suggested framework decision proposes greater police
cooperation on data sharing and the legalisation of more sharing of
information on individuals between national forces and between
those forces and Europol.
"Common action in the field of police cooperation and common
action on judicial cooperation in criminal matters [both under the
Treaty on European Union] imply the necessity of the processing of
relevant information which should be subject to appropriate
provisions on the protection of personal data," says the proposed
framework decision.
The proposal suggests allowing personal data gathered in one
state and shared with another to be transferable to a third EU
Member State, or even outside of the EU. "Personal data received
from or made available by the competent authority of another Member
State may be transferred to third States or international bodies
only if the competent authority of the Member States which
transmitted the data has given its consent to transfer in
compliance with its national law," it said.
The proposal does not extend to national security matters, which have
always been seen as the prerogative of member states. This is made
clear in the document. In section 4 of Article 1 of the proposal,
it states: "authorities or other offices dealing specifically with
matters of national security do not fall within the scope of this
Framework Decision."
The document also proposes centralising regulatory power in
Europe, with a new body taking on oversight duties currently
handled by a number of bodies. "The Framework Decision aims to
combine the existing data protection supervisory bodies, which have
hitherto been established separately for the Schengen Information
System, Europol, Eurojust, and the third-pillar Customs Information
System, into a single data protection supervisory authority," said
the document. "A single supervisory authority should be created,
which could, where appropriate, also act in an advisory capacity. A
single supervisory authority allows the improvement in third-pillar
data protection to be taken a decisive step further."
"This step is to be welcomed because there are a diverse number
of data protection authorities for each system, each with their own
data protection foibles," said Dr Chris Pounder, a privacy
specialist at Pinsent Masons, the law firm behind OUT-LAW.
"Unification of the approach is long overdue".
The document gives citizens rights of access to personal data
held and transferred on them, though it also says that information
about surveillance or data transfer can be withheld if telling the
individual concerned would undermine the purpose behind the
transfer in the first place.
"It seems the German Presidency is adopting a twin track
approach," said Pounder. "First in the short term it is pursuing
the Prüm Treaty which is allowing Germany, France and the Benelux
countries to share criminal, DNA and vehicle data without waiting
for agreement on the framework decision. Second it is pursuing the
framework agreement as a longer term objective of trying to
make Europe's police forces agree to binding data sharing".
Meanwhile, US authorities have been reprimanded by oversight body
the Government Accountability Office (GAO) for not taking enough
account of privacy when conducting investigations.
"As it develops and participates in important homeland security
activities, the Department of Homeland Security (DHS) faces
challenges in ensuring that privacy concerns are addressed early,
are reassessed when key programmatic changes are made, and are
thoroughly reflected in guidance on emerging technologies and uses
of personal data," said a GAO report.
"GAO’s reviews of DHS programs have identified cases where these
challenges were not fully met. For example, increased use by
federal agencies of data mining – the analysis of large amounts of
data to uncover hidden patterns and relationships – has been
accompanied by uncertainty regarding privacy requirements and
oversight of such systems."
The body also found some privacy failures in relation to an
airline passenger screening system called Secure Flight. "GAO
reported that TSA had not fully disclosed uses of personal
information during testing of Secure Flight, as required by the
Privacy Act of 1974," it said.
"One of the problems facing the Americans is that most of
Europe's Data Protection Commissioners are worried about the
standard of privacy protection in the USA," said Pounder. "The fact
that two GAO reports suggest that the USA authorities are having
difficulties with respect to basic privacy obligations does not
engender confidence in the USA's approach to privacy."