Data chief attacks transatlantic police plan

EUROPE'S DATA chief has told Washington and Brussels to put the brakes on a plan to share police and other government data across the Atlantic.

The "unprecedented" US/EU plans are being thrown together so hastily that they risk giving police and government agencies carte blanche to share whatever and as much data as they liked, in disregard of human rights, and even drawing on private sector databases, said Peter Hustinx, the European Data Protection Supervisor (EDPS), in an official report yesterday.

"The EDPS calls for more transparency", he said in the report, and "any haste in the elaboration of the principles should be avoided as it would only lead to unsatisfactory solutions".

The proposals, laid out in June by the High Level Contact Group on information sharing and privacy, fall short of the minimum standard of data protection already established in European human rights law.

Hustinx called for "more clarity and concrete provisions" because the scope of the plan was vague, it left no room for oversight, did not ensure that data given to US authorities would be treated with adequate care, and gave insufficient recourse for European's to challenge US abuses of their data in a court of law.

This was particularly problematic because police and government data sharing plans were developing too fast: "The request of enforcement authorities of third countries for personal information is constantly widening, and... also extends from traditional government databases to other types of files, in particular files of data collected by the private sector," he said.

At least the authorities were discussing data protection, said Hustinx, but they should give it greater credence: "[It] could legitimise massive data transfers in a field - law enforcement - where the impact on individuals is particularly serious, and where strict and reliable safeguards and guarantees are all the more needed".

He called on the High Level Contact Group (HLCG) to carefully define the scope - the limits - of its data sharing plans so that police and government agencies do not use it for data transfers in breach of people's human rights.

He wanted any agreement to specify precisely who would be able to share data, what data they would share and for what purposes. The authorities must also come clean about the wider context of the proposals, known as the "global transatlantic security area", which is a US initiative to create a common electronic border system with allies such as the EU, Australia and Canada that could be used for security, immigration control, public health and other unspecified functions.

The fact that the plans were so loosely defined made it possible for them to grow through function creep: "Is it also meant to allow for the exchange of data for other public interests such as possibly public health risks?" asked Hustinx.

Hustinx, the official responsible for ensuring that public authorities' data systems do not abuse human rights, said transatlantic data sharing should only be allowed between countries when it is "absolutely necessary for a specific purpose" decided "on a case by case basis".

"The EDPS recommends to restrict the purpose to precisely identified data processing, and to justify the policy choices leading to such definition of purpose," he said, adding a plea for a loophole that would allow the "transfer of personal data between private and public parties" to be closed.

The plans would give US police and government authorities such wide remit to access EU data that Hustinx even had to ask whether they would have access to " other databases such as tax databases".

Would spooks get access too, he asked. Were they seeking free access? And, he warned, US demands under the agreement would lead to copy cat demands between EU member states, as it had for airline passenger data. US access to details of the world's financial transactions, held by the EU-based Swift, would be legitimised by the agreement and that might prompt EU authorities to seek such routine access themselves.

To make matters worse, EU law wasn't even prepared for such proposals. " Halt," he said, "and prepare the ground first". He proposed the HLCG wait until the EU Lisbon Treaty came into force, though that is not even certain. But he feared that the plan would be slipped in under a coming law that provided weak protections for data transfers to third countries (data protection in the third pillar legal framework, to be introduced imminently).

Preparing the ground first would give people basic protections from abuse by the state - protections that had not been provided in the proposals. The agreement should be binding on authorities, rather than casual as similar such agreements have been. In particular, the US should be held to account by EU standards of civil rights.

Basically, the HLCG had proposed an all-encompassing data protection regime that would provide inadequate protection but would be applied to all transatlantic data transfers, said Hustinx. The group should rather implement some protections as a minimum standard, and then, taking each instance of official data sharing on a case by case basis, design specific protections for each.

The authorities should be held to account for their data sharing, he said. The current proposals would not enforce that as they stood.

L'Inqs

Opinion of the European Data Protection Supervisor on the Final Report by the EU-US High Level Contact Group on information sharing and privacy and personal data protection (18-page pdf)

Final Report by EU-US High Level Contact Group on information sharing and privacy and personal data protection (Preparatory report submitted by European Council to Commission - 28 May 2008)

Freedom, Security, Privacy - European Home Affairs in an open world - Report of the Informal High-Level Advisory Group on the Future of European Home Affairs Policy ("The Future Group") (Full 77-page report - 9 July 2008)

Freedom, Security, Privacy - European Home Affairs in an open world - Report of the Informal High-Level Advisory Group on the Future of European Home Affairs Policy ("The Future Group") (Alternative 53-page version held by Statewatch - 28 June 2008)

Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (Data protection in the third pillar framework)

Three million Afghans pegged for Interpol database

Foreign cops ask for UK identity data

Peer-to-peer police database baffles regulators

Mi litary industry signs deal to target UK civilians

Europlod plan to share DNA and biometic data comes under fire

US goes cloud cuckoo with PNR again Cyber-terrorism becomes national priority

Police swamped by dragnet booty demand more dosh DNA database built on deceit