The Lisbon Treaty was signed in December 2007. Notwithstanding the many criticisms raised by this Treaty, the text, when ratified by all Member States, will bring two major improvements to the EU and its citizens. First, the Charter of Fundamental Rights of the European Union will become part of the Community acquis, including its Articles 7 (Respect for private and family life) and 8 (Protection of personal data). Secondly, the Treaty will allow the accession of the EU to the European Convention on Human Rights and hence will give EU citizens the possibility of being protected against abuses of their human rights by EU institutions. This improvement would be very welcome, especially, though not exclusively, considering the current inadequacy of data protection under the third pillar (justice and home affairs).
But 2007 has also brought its share of concerns regarding privacy and personal data protection developments at the EU level. These include the SWIFT scandal allowing access by the USA to European financial transactions; the Google-Doubleclick merger currently under investigation by the European Commission (although mainly regarding competition issues); the continuing concerns related to data retention by search engines, most notably Google, even though the company announced a slight reduction of the data retention duration; and the development of RFID chips. Beyond these, the main concerns with European Union policy in 2007 relate to PNR data, biometric and genetic data sharing, and the still inadequate level of data protection under the third pillar.
"All governments have the duty to protect their citizens from the terrorist threat, but the response should be lawful, intelligent and effective", the Secretary General of the Council of Europe stated, on the occasion of the Data Protection Day. "I am concerned that some of the recent arrangements for data exchange, which were introduced at the insistence of the US Government, fail to meet these criteria", he opportunely added.
a. Passenger name records (PNR)
In June 2007, a final agreement was reached between the EU and the USA on European PNR (Passenger Name Record) data, 4 years after the USA and the EC - illegally - agreed to give US customs officials direct access to the personal data of passengers flying to, from and through the United States. It took many protest campaigns, like the one initiated by EDRI in May 2003, fierce criticism from the European Parliament and the Article 29 Group, and an annulment by the European Court of Justice, to finally get to this point. The agreement reduced the dataset from 34 to 19 pieces, including name, contact information, payment details, travel agency, itinerary and baggage information, but excluding sensitive data such as ethnicity. The data may be kept for a total period of 15 years. It was claimed that, for the first time, EU citizens will also be covered by the US Privacy Act, which means they can enforce their rights in US courts. However, only 3 months after this agreement, the US government announced changes to its Privacy Act that exempt the DHS (Department of Homeland Security) and the ATS (Automated Targeting System) from responding to requests for the personal information they hold. The agreement received harsh criticism from the EU Parliament, the Article 29 Working Group, and the European Data Protection Supervisor (EDPS).
Later in the year, the EU announced its plan to create its own European PNR system. The plan, put forward in November by the EC, is similar to the EU-US agreement. The EU will have to collect 19 pieces of personal data on air passengers coming into and leaving the EU space, including phone number, e-mail address, travel agent, full itinerary, billing data and baggage information. The information will be collected in analysis units that will make a "risk assessment" of the traveller, which could lead to questioning or even refusal of entry. The data is to be kept for five years and then another eight years in a "dormant" database. This plan has already been criticized by the Parliament, the Article 29 Group and the EDPS, but will certainly see major developments in 2008. Some Member States have already adopted such measures at national level.
b. Biometric and genetic data sharing
The European Visa Information System (VIS) will probably be the biggest biometric database in the world. VIS will store data on up to 70 million people concerning visas for visits to or transit through the Schengen area. This data will include biometrics (photographs and fingerprints) and written information such as the name, address and occupation of the applicant, the date and place of the application, and any decision taken by the Member State responsible to issue, refuse, annul, revoke or extend the visa. Citizens of more than 100 countries need a visa to enter the EU. The latest discussions, at the end of 2007, concerned only the maximum age at which children should be exempted from having their 10 fingerprints taken: the Parliament says 12, the Council wants 5.
But the EU also wants to store and share biometric data of EU citizens and residents, beyond the data to be gathered through biometric passports and ID cards. In June 2007, it was agreed that the Prüm Treaty, originally signed by 7 EU countries in May 2005, will be included in EU legislation with very few modifications. The decision creates the largest pan-European network of police databases, sharing DNA profiles, fingerprints and other personal and non-personal data. The agreement has not taken into account the advice of the EDPS, who published an opinion on the implementation of this agreement in December 2007.
c. Inadequate data protection under the third pillar
As the volume of data processed and shared by police and judicial authorities increases, the need for adequate personal data protection rules under the third pillar becomes more and more urgent. A draft Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters was proposed by the EC in October 2005, but is still pending, despite the numerous EDPS opinions in this regard. According to the EDPS, the current draft of December 2007 provides only minimal harmonization and guarantees, and would be applicable only to personal data exchanged with other Member States and not to domestic data processing.
EDRI page on biometrics
http://www.edri.org/issues/technology/biometrics
EDRI page on PNR
http://www.edri.org/issues/privacy/pnr
EDRI page on privacy
http://www.edri.org/issues/privacy
EDPS Opinions
http://www.edps.europa.eu/EDPSWEB/edps/lang/en/pid/25
Article 29 Working Group
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm
(Contribution by Meryem Marzouki, EDRI member IRIS - France)