Data protection, the fight against terrorism & EU external relations

Paul De Hert (Tilburg & Brussels)

Brussels, 7 November 2007


Table of content

What is data protection?
Why was it necessary?
Beginnings of Data Protection
Development of International Data Protection
Data Protection under the Third Pillar
External relations under First Pillar
External relations under Third Pillar

Preliminary remark

I relied for some of the conclusions on the insights gained after having listened to Diana Alonso Blas, LL.M., Data Protection Officer, Eurojust, First Pillar and Third Pillar: Need for a common approach? International Conference “Reinventing Data Protection”, 12 and 13 October 2007, Brussels

This is data protection

Everyone has the right to the protection of personal data concerning him or her.

Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data that has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.

= Article 8 of the EU Fundamental rights Charter

Why data protection?

Article 8 ECHR does not apply to the private sector.

The right to a private life would not necessarily include all personal data, and so there was the question of whether a large proportion of data would be sufficiently safeguarded.

The right of access to data on oneself was not covered by the concept of the right to privacy as expressed in Article 8

Beginnings of data protection

1960s: USA, two major reasons:
1.) Technical progress based on the development of computers
2.) Socio-political reason, raising fear of governmental surveillance

“Big brother”

Similar development in Europe 1970 – 1981

1970: First law on data protection was enacted by the German Federal State of Hessen (07.10.1970).

Sweden (1973), Germany (1976), France (1978), Denmark (1978), Norway (1978), Austria (1978) and Luxembourg (1979) introduced national legislation on data protection

No role model as basis but had to be innovative in their own right

Beginnings of data protection (continuation)

1981 Council of Europe: Convention for the Protection of Individuals with regard to automatic processing of personal data (entry into force 1985)
  First internationally binding instrument on data protection, important point of orientation for the subsequent national data protection laws

In the following years, data protection legislation was enacted by Finland (1987), The Netherlands (1988), Portugal (1991), Spain (1992), Belgium (1992), Italy and Greece

European Data Protection (general)

Convention no. 108, January 28, 1981
Directive 95/46/EC of 24 October 1995
Directive 97/66/EC and 2002/58/EC
Regulation (EC) No 45/2001 processing by Community institutions of 18 December 2000
Charter of Fundamental Rights of 7 December 2000 of the European Union
Treaty establishing a Constitution for Europe (2002)
  Right to data protection (Art. I-51)

International Data Protection (general)

From 1948 privacy rights in various national and regional human rights bills

From 1970 on data protection laws at national level

1980 OECD: Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  Non-binding, orientation

1990 UN: Guidelines concerning computerized personal data.
  Guidelines for orientation, procedure left to the initiative of each state

Scope of European data protection re JHA

1995 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  First and major First Pillar instrument regulating the processing of personal data
  Not applicable to the processing of data in the course of an activity which falls outside the scope of Community law (Art. 3 (2)) => Second and Third Pillar
  applied by some MS, in some respects, to law enforcement as well
  ECJ view (PNR judgment 30-05-2006)

End of the world?

Article 8 ECHR applies to processing by all public authorities, incl JHA

Council of Europe Convention 108 (1981), ratified presently by 38 countries and signed by another 5 also applies to JHA

Article 3 Convention 108: The Parties undertake to apply this convention to automated personal data files and automatic processing of personal data in the public and private sectors.

But, is Convention 108 enough?

Convention 108 is quite general: it contains principles, not detailed regulation

1987 Council of Europe: Recommendation No. R (87) 15 regulating the use of personal data in the police sector
  Non-binding, orientation, very old and no willingness to renew them

For 1st pillar the EU built on Convention to go further in Directive 95/46/EC

Recital (11) of preamble: Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;

First JHA option: specific data protection rules

1985 Schengen Agreement and 1990 Convention implementing the Schengen Agreement of 14 June 1985
  Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework

Council Act of 26 July 1995 drawing up the Convention on the establishment of a European Police Office (Europol Convention). The Europol Convention was ratified by all Member States and came into force on 1 October 1998.
  Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework

Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ C 197, 12.07.200: general context of judicial cooperation and some data protection (infra)

Option 1 (continuation)

Council Decision of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime. Rules of procedure on the processing and protection of personal data, adopted by Council on 24/2/2005 (containing main principles Directive but also very detailed rules, tailor-made to Eurojust tasks and purposes)
  Referring to the principles laid down in the 1981 Convention and 1987 Recommendation and solid data protection framework

May 2005: Treaty of Prüm (Schengen III Agreement)
  Extended information exchange outside the EU framework

Strength of option 1: Europol example

In Convention detailed rules on the use of data:
  Clear understanding of intelligence risks to data protection lacking in Recommendation no (87) 15 by use of different information tools in particular distinction between Europol Information System (IS), (Criminal Intelligence database) and the Analysis Work Files (AWF) (Analysis of operational data)
  Mandate – restrictions & consultation
  Ownership
  National Law to be respected
  Communication with third states and third bodies
  Right of access limited in certain cases for non involved member states
  Correction / deletion of data
  Time-limits storage / deletion of data
  Security
  Control mechanisms: see next slide

Control mechanisms in Europol

Europol internal audit

National Supervisory Body (Art. 23 Convention)
  Each MS - Designates an NSB
  Monitors input independently
  Personal data

Joint Supervisory Body (Art. 24 Convention)
  Ensures individual rights are not violated by data stored at Europol

Risks of option 1: the Prüm example

Signed in Prüm & Ratified by the national parliaments of the seven participating states - Germany, Spain, France, Luxembourg, Netherlands, Austria and Belgium and now extended to all EU MS

Not part of the Schengen treaty nor the Schengen acquis
  Integration is planned to take place, at the latest, three years after the entry into force of the

Based on so-called "principle of availability": the right of access to the databases/registers of the participating states and gives the requesting state the possibility to ask for more information/intelligence.

Data exchange (Article 1-16) see next slide
Sky marshals (Article 17-18)
Fighting illegal migration (Chapter 4)
Joint Interventions (Chapter 5)

Data exchange in Prüm

DNA profiles: All participating states have to set up DNA profile databanks and exchange DNA profiles

Fingerprint data: The treaty allows, where a specific person is identified, access to the finger-print databases of the participating states and the automatic comparison of fingerprints, not only for reasons of criminal prosecution but also for "prevention". Same hit system for additional information

Vehicle databases can be accessed for criminal prosecutions and for reasons of preventing dangers for public security and order, ie including supposed threats to public order. Online access will be carried out according to the law of the requesting state.

Political demonstrations and other mass events (Articles 13-15): For reasons of prosecution and prevention of offences and for the prevention of dangers to public security and order, personal and non personal data can be passed on - following a request or without request, ie. at the own initiative of a state.

Information exchange to prevent terrorist attacks (art. 16): Data and intelligence: names and further personal identity plus the reason will be sent out across the network, with or without a prior request.

Institutional and Data protection problems with Prüm

OK: purposes are defined; competent authorities are defined; duty to see that data is correct and up to date; technical safeguards to guarantee secrecy; rights for the persons concerned

Not OK: making terrorism, organised crime and illegal immigrants one affair; broad categories: why?; creating more power by centralising data;

Certainly not OK: no supranational supervision: need for a FD data protection: Court of Justice, 31 January 2006 (C-503/03)

Reason 1 for other (second) JHA option: general data protection rules: new needs for JHA cooperation

Cooperation in police and judicial criminal matters increases and is gradually built on new concepts that challenge data protection

June 2004: Draft Framework Decision on simplifying the exchange of information and intelligence between law enforcement agencies of the member states of the EU, in particular as regards serious offences including terrorist acts (Swedish Initiative)
  Setting time limits to answer requests of information
  Removing discrimination between national and intra-EU exchange of data accessible by police in at least one Member State

new needs for JHA cooperation (continuation)

January 2005: White Paper on exchanges of information on convictions and the effect of such convictions in the EU
  Nov. 2005: Council Decision on the exchange of information extracted from the criminal record
  Dec. 2005: Proposal for a Framework Decision on the organisation and content of the exchange of information extracted from criminal records between Member States

October 2005: Proposal for a Council Framework Decision on the exchange of information under the principle of availability
  Information available to law enforcement authorities in one Member State be made accessible for equivalent authorities in other Member States

Reason 2

Difficulties of determining whether the processing and transferring of personal data falls under the First or Third pillar, e.g. US demand for Passenger Name Records to private air companies

Commission acts on basis of first pillar
  Commission: Regulation for transfer of passenger data by private airlines = rules for harmonisation of the Internal Market
  EP problem with privacy and problem with choice of pillar

ECJ 30 May 2006
  Data transfer motivated by concerns of public safety and = Third Pillar
  Institutional consequences? Data protection consequences?

Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement)

Swift?

A second JHA option: general data protection rules

October 2005: Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters

Clear gap in data protection regulation at EU Third Pillar level
  Directive 95/46/EC is not applicable and
  Neither the 95/46/EC Directive nor the 1981 Convention take account of the specific characteristics of the exchange of data by police and judicial authorities

But data protection of fundamental significance
  To redress this imbalance, the Commission adopted a complementary Proposal for a Council Framework Decision
  Intends to provide a comprehensive protection scheme for personal data in the field of Justice and Home Affairs. It also supplements multilateral efforts like the Treaty of Prüm.

However: many controversies

re the scope of the Framework Decision
security v privacy and its consequence for the data protection principles
limitations to the principle of availability within and outside the EU
Schengen JSA, Europol JSB, the Eurojust JSA and the CIS JSA

The March 2007 German Presidency’s Proposal

general rules on the lawfulness of processing of personal data, provisions concerning specific forms of processing, rights of the data subject, confidentiality and security of processing, judicial remedies, liability, sanctions, national supervisory authorities, and the transfer to third states.

exchange of data between Member States, thus excluding data processing at a domestic level

applies to Europol, Eurojust and the Third Pillar Customs Information System whereas authorities or other offices dealing specifically with matters of national security are explicitly excluded from its scope (Article 3 II),

continuation

Fusing of Schengen JSA, Europol JSB, CIS JSA into a single data protection supervisory authority, merging with it the advisory working party provided for in the earlier draft.

exchange of data with third states.
  FD is without prejudice to any obligations and commitments incumbent upon Member States or upon the European Union by virtue of bilateral and/or multilateral agreements with third States.
  personal data received from or made available by the competent authority of another Member State may be transferred to third States or international bodies only if the competent authority of the Member States which transmitted the data has given its consent to transfer in compliance with its national law.

Where are we now?

Discussion on FD on DP in 3rd pillar shows little willingness of Member States to achieve a harmonised level of DP going further than CoE Convention.

In fact:
  Text under discussion is “agreement of minimums” (lower common denominator), partly because of unanimity requirement
  Scope reduced to cross-border exchange of personal data (and does not affect existing bilateral agreements…)
  Many exceptions included and some important issues missing
  Doubts as to whether the text is even compliant with Convention 108 and additional protocol (see also EDPS opinions + press release of 20/9/07)

Eurojust/Europol/Schengen DP rules go much further than proposed text (after several formal motivated requests, happily excluded from scope of application)

Diana Alonso Blas (Brussels)

Convention 108 offers a basic common approach that needs to be fully respected

Any new instrument should respect CoE convention + basic principles Directive

Not in favour of detailed overall instrument covering all pillars, not even the whole third pillar. Specificities of police and judicial work need to be taken into account (need for very clear and specific tailor-made rules for the diverse third pillar areas).

An overall instrument would have to be relatively general but, if it has to have any added-value, it should go further than CoE convention.

Future: (Draft) Reform Treaty

End of pillar structure
But this does not imply automatic application of Directive to everything
Sectoral declaration on DP in police and judicial cooperation in criminal matters foreseen

Data protection & External relations under First Pillar

“Member States shall provide that the transfer to a third country of personal data only if, the third country in question ensures an adequate level of protection” (Art. 25.1 Directive 95/46/EC).

Article 25 also contains the procedure to determine whether there is an adequate regime.

Commission, not the Member States, has the last say in the procedure

Data protection & External relations under Third Pillar

Discussion: need to copy adequacy idea in JHA?

2001 Additional Protocol to the 1981 Council of Europe Convention introduces principle re transfer of data across national borders: “Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer” (Additional Protocol, Article 2.1).

How is it happening now?

This could be answered by discussing the following examples:

EU 2000 Convention on Mutual Assistance in Criminal Matters
Europol
PNR
Swift

Article 23 EU 2000 Convention on Mutual Assistance in Criminal Matters

First supranational rules establishing data protection requirements for the judiciary in their cross-border activities, even though they are very flexible and clearly do not have the purpose of limiting the work of the judiciary.

No requirement of adequacy

According to Article 23, personal data communicated under the Convention may be used by the Member State to which they have been transferred:

(a) for the purpose of proceedings to which the Convention applies;
(b) for other judicial and administrative proceedings directly related to them;
(c) for preventing an immediate and serious threat to public security;
(d) for any other purpose, only with the prior consent of the communicating Member State, unless the Member State concerned has obtained the consent of the data subject

Europol co-operation with third parties

Types of agreements:

Operational agreement
Includes the exchange of personal data (secure link in place)

Strategic / Technical agreement
Does not allow exchange of personal data

Europol Operational Agreements

Includes the exchange of personal data

Norway
Iceland
Switzerland
Bulgaria
Romania
Croatia
Canada
USA
Federal Bureau of Investigation (FBI) & United States Secret Service (USSS)
Eurojust
Interpol

Europol Strategic / Technical Agreements

Does not allow exchange of personal data

European Commission (EC)
European Central Bank (ECB)
European Monitoring Centre for Drugs and Drug Addiction
European Anti-Fraud Office (OLAF)
United Nations Office on Drugs and Crime (UNODC)
World Customs Organisation (WCO)
Colombia
Russia
Turkey

External relations in the FD data protection?

Commission October 2005 proposal sets up system similar to Directive 95/46

German Presidency Draft March 2007: nothing!

Preamble: “personal data are transferred from a Member State of the European Union to third countries or international bodies, these data should, in principle, benefit from an adequate level of protection”

Conclusion

Pros and cons of option 1 or 2 re data protection are hard to assess, but:

Whereas a European approach, based on the adequacy principle, is followed in the First Pillar, this is not the case for the Third Pillar. Though there may be arguments against such a European approach in the area of JHA, my examples, including the Europol, PNR and Swift cases, show that the absence of such a European approach can cause problems.

Without ignoring the benefits and arguments in favour of tailor-made regulations, I conclude that the example of Europol dealing with third countries, and of PNR and Swift, in part illustrated the lack of credibility of the current EU data protection system. Having to deal with externalities such as powerful third countries (in particular the U.S.) that do not always consult the EU officials when collecting ‘European’ data or data in (some) EU Member States, it would be beneficial to develop a general framework for data protection in the Third Pillar and for transfers of data to Third Parties with clear rules and responsibilities and a well-defined role for the EU institutions that live up to the European dimension behind cases such as PNR and Swift. Contrary to Blas, I agree with Poullet that a uniform set of data protection standards applicable to all pillars would be desirable.

Thank you for your attention!