EU-US Data Sharing: Opinion of the EDPS

November 25, 2008

The USA’s insistence on the receipt of data about airline passengers became something of a running sore in 2007, poisoning relations between the EU and the USA. The USA gave the maximum priority to its fight against terrorism; the EU wanted to interpret that need for information in a way that met the basic data protection rights of its citizens. On 28 May 2008, it was announced that the EU-US High Level Contact Group on information sharing and privacy and personal data protection had finalised its report. This report was made public on 26 June 2008. The report aimed to identify common principles for privacy and data protection as a first step towards exchange of information with the USA to fight terrorism and serious transnational crime.

The EDPS has now published a number of important warnings about the proposed agreement between the EU and the USA. It is crucial in the view of the EDPS that the scope and the nature of any possible instrument arising from the HLCG report includes data protection principles which are clearly defined. Important questions which the EDPS considers must be answered are:
• who are the actors involved, within and outside the law enforcement area?
• what is intended by the use in the proposed agreement of the term ‘purpose of law enforcement’?
• how will the instrument fit in the perspective of a global transatlantic security area?

The definition of the nature of the agreement should, says the EDPS, clarify a number of matters, including whether the instrument will be binding on the EU and the US, whether it will have direct effect, in the sense that it contains rights and obligations for individuals that can be enforced before a judicial authority, whether the instrument itself will allow for the exchange of information or will set a minimum-standard for the exchange of information to be complemented by specific agreements.

In his conclusion, the EDPS calls for more clarity and concrete provisions especially on the following aspects:

  • clarification as to the nature of the instrument, which should be legally binding in order to provide sufficient legal certainty;

  • a thorough adequacy finding, based on essential requirements addressing the substance, specificity and oversight aspects of the scheme. The EDPS considers that the adequacy of the general instrument could only be acknowledged if combined with adequate specific agreements on a case by case basis;

  • a circumscribed scope of application, with a clear and common definition of law enforcement purposes at stake;

  • precision as to the modalities according to which private entities might be involved in data transfer schemes;

  • compliance with the proportionality principle, implying exchange of data on a case by case basis where there is a concrete need;

  • strong oversight mechanisms, and redress mechanisms available to data subjects, including administrative and judicial remedies;

  • effective measures guaranteeing the exercise of their rights to all data subjects, irrespective of their nationality;

  • involvement of independent data protection authorities, in relation especially to oversight and assistance to data subjects.

Peter Hustinx insists on the fact that any haste in the elaboration of the principles should be avoided as it would only lead to unsatisfactory solutions, with effects opposite to those intended in terms of data protection. He feels that the best way forward at this point would therefore be the development of a roadmap towards a possible agreement at a later stage.

The EDPS also calls for more transparency with regard to the process of elaboration of the data protection principles. Only with the involvement of all stakeholders, including the European Parliament, could the instrument benefit from a democratic debate and gain the necessary support and recognition.

The full response of the EDPS can be accessed here