EU
The “principle of availability” takes over from the “notion of privacy”: what price data protection?


The Hague Programme adopted at the EU Summit on 5 November 2004 says that from 1 January 2008 the "principle of availability" - which simply means if data is held then it can be shared between law enforcement agencies - will become the guiding light for access to personal data held by national law enforcement agencies in other EU member states.

The European Commission is charged with preparing a proposal to implement "the principles of availability" including the following key conditions:

1) exchange of data can only take place so that "legal tasks may be performed" - "legal tasks" is extremely broad definition and is clearly intended to extend beyond gathering evidence for presentation in a specified court case, eg: investigations and surveillance;

2) "the need to protect source of information";

3) "individuals must be protected from abuse of data and have the right to seek correction of incorrect data"

But how will individuals be able to correct law enforcement agencies' files unless they are given full access to them and know who has accessed their data and how it has been used?

The Hague Programme says that "new technology" must be fully employed and the means of "exchange" of personal data between agencies could be through:

a) "reciprocal access to... national databases"

b) "the interoperability of... national databases" (all agencies have access to each others data)

c) "direct online access.. to existing central EU databases such as the SIS"

European Data Protection Commissioners

On 14 September 2004 the European Data Protection Commissioners met in Wroclaw, Poland and adopted a Resolution to set up a "joint EU forum on data protection in police and judicial cooperation matters (data protection in the third pillar)". The Resolution says that in contrast to the "first pillar" (economic and social issues) where the Article 29 Working Party is in place, there is no equivalent to cover the "third pillar". The three joint supervisory bodies covering Europol, Schengen and Eurojust have specific mandates and "a broader approach is required to secure a uniform level of data protection safeguards for the whole area of police and judicial cooperation".

The creation of a parallel group to the Article 29 Working Group covering the "third pillar" would fill a gap in the role of data protection commissioners. However, it is only part of the answer as the Opinions of the Article 29 Working Party are often simply ignored by the Council and Commission. European Parliament reports do take notice of the Working Party's Opinions but at present their views on "third pillar" issues are also routinely ignored.

The three supervisory bodies (Europol, Eurojust and Schengen) have submitted evidence to the UK House of Lords Select Committee on the European Union's inquiry into EU counter-terrorism activities. They say that "large quantities of personal data for intelligence and law enforcement agencies" are being processed "in the fight against terrorism and serious crime". Recent proposals involve the:

"processing of personal data from different sources on an unprecedented scale"

The retention of communications data and the passing of passenger data to the USA are examples they say of a:

"new trend involving the collection of information on individuals (and not only suspects)".

The EU supervisory bodies say that the gathering of data on individuals is not isolated to one or two agencies but "involves a huge number of agencies throughout the EU". Their experience in trying to assess the Europol-USA agreement showed that trying to limit the number of agencies who have access to personal data is difficult if not impossible:

"in the USA some 1,500 authorities on Federal, State and community level are involved in dealing with criminal offences including terrorism"

The exchange of data on the scale proposed: "often involving processing of information on those who are not suspected of any crime" requires, they say, "purpose restriction" (ie: that data collected for one purpose cannot be use for another) and supervision to ensure compliance with legal instruments. These limitations do not exist at present.

They conclude that a "specific set of data protection rules for police and intelligence authorities" has to be put in place. There needs to be a common legal basis in every member state - as existing national data protection authorities "have different competencies in the field of law enforcement" - and sufficient funds and staff to ensure they have the capacity to do their work.

How will the Council and Commission respond?

The Council of the European Union (then 15 governments) set up a working party on data protection in the "third pillar" in May 1998. The "Action Plan of the Council and the Commission on how best to implement the provisions of Amsterdam establishing an area of freedom, security and justice" (13844/98) said that data protection issues in the "third pillar" should be: "developed within a two year period" (IV.47(a)). Not until August 2000 was a draft Resolution drawn up by the Working Party, this was revised five times, the last being on 12 April 2001 under the Swedish Presidency of the EU (6316/2/01) when agreement appeared to have been reached and the Article 36 Committee was asked to address outstanding reservations. From this
point on there has been silence - and the Working Party was abolished in 2001 when the Council was restructured to “streamline” decision-making.

The European Commission has produced a Communication on "enhancing access to information by law enforcement agencies" (COM (2004) 429) - this was presented to the full Commission meeting (14.5.04) with the addition to the title of "and related data protection issues" which was dropped. The Communication says a Framework Decision will be presented to establish common standards for Title VI (TEU, "third pillar") but these will be not to establish the rights of individuals but to:

"empower access to all relevant law enforcement data by police and judicial authorities.. for the purpose of cooperation to prevent, detect, investigate and prosecute crime and threats to security"

and to:

"reduce the practical difficulties in information exchange between Member States on the one hand and Member States and third countries on the other"

All this is to be "in accordance with fundamental rights" - which on the evidence of measures taken since 11 September 2001 is an empty promise.

Mr Franco Frattini, the new Commissioner for "Justice, Freedom and Security" (the new Commission euphemism for the "Area of Security, Freedom and Justice"), addressed the issue at a meeting on the EU Joint Supervisory authorities at a meeting in Brussels on 21 December. He said the Commission was committed to safeguarding "the commitments" to data protection in the Charter and the Treaty and "cooperation with the agencies safeguarding these rights" - and asks the question: "What new balances will it be necessary to find between privacy and security?"

He agreed with the authorities that a new framework was needed, taking "account of the times we are living in". The current lack of "coherence" had led to:

"some of the supposed obstacles thrown up by the notion of privacy"

Mr Frattini went on to say that the Tampere Summit (1999) stressed the need for "coherent action to promote access to available databases and information sharing between the authorities concerned" and now the "Hague Programme" had introduced "the principle of availability".

The questions to be tackled include:

1) "adapting the principles to the objectives pursued, for example, in the case of information sharing the principle set out in the Hague Programme" (ie: availability)

2) "developing special rules governing the transfer of data to third countries and other bodies, incorporating the principle that information received may be passed on with the prior consent of the party forwarding it"


This would mean, under the "principles of availability", that any agency in the EU could agree with the USA that it can pass data on to all the agencies it wants (some 1,500) to use for their own purposes. The "principle of availability" and the "principle that information received may be passed on" utterly undermines any concept of data protection which requires that data can only be collected for a specific, stated, purpose and cannot be used or added to for any other purpose. Once this principle is breached the rights of the individual (and of privacy) disappear because there is no way to track who has data on them and how it has been used or amended.

Hundreds of measures have been put in place under the "third pillar" since 1976 - the Trevi acquis (1976-1993), then the Maastricht acquis (1993-1999) and currently the Amsterdam acquis (1999 ongoing, which also incorporates the Schengen acquis) - and still there are no data protection provisions or meaningful supervision. Now new measures are on the table to enact the so-called "principle of availability" (Hague programme) and the "principle that information received may be passed on" (Commission, Mr Frattini).

Tony Bunyan, Statewatch editor, comments:

"When the Commission and the Council finally get around to "data protection" it will be tailored to ensure the smooth-running of the powers, practices, databases and "data exchanges" of security and law enforcement agencies not those of the individual. In the "times we are living in" will data protection become a meaningless concept?"

This article first appeared in Statewatch bulletin, vol 14 no 6


Statewatch News online | Join Statewatch news e-mail list | Search Statewatch database

Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.