EDRI-gram - Number 12, 2 July 2003

Data protection recommendations on PNR

The European Data Protection Authorities, convened in the European Working Party (Article 29 Data Protection Working Party), have published an opinion on the transfer of EU airline passenger data to the US. The Working Party also published a US Customs document dated 22 May 2003 that refines the US wishes and demands regarding PNR data transfer, and on which the Working Party's opinion comments.

Since 5 March, U.S. authorities have had access to most European airlines’ passenger databases following an agreement between the European Commission and US Customs. The transfer of the so-called Passenger Name Record (PNR) data has outraged the European Parliament, Data Commissioners and privacy groups. The scope of the original agreement between the European Commission and US Customs is wide. The agreement states that data can be stored as long as necessary and that the use of the data is not limited to combating terrorism but extends to any "legitimate law enforcement purposes". Ongoing talks between the EU and the US need to result in a final agreement that gives the transfer a legal basis, which it currently lacks.

The new 22 May list of US Customs defines more than 40 data fields that European airlines should transfer to the US, such as all forms of payment information, billing address, email address, complete home address and home phone number of the passenger. The documents also state that data can be kept by the US for a 7-year period. PNR data that have not been manually accessed during that period will be destroyed. PNR data that have been manually accessed during the initial seven-year period will be transferred to a 'deleted record file', where they will remain for a period of eight years before they are destroyed.

The Working Party proposes a much shorter list of data fields than the one envisaged by the US Authorities, excluding unnecessary information and, in any case, sensitive data. The Working Party also wants a much shorter retention period that should not exceed some weeks or even months following the entry to the US.

Regarding the method of transfer the Working Party favours the 'push' method – whereby the data are selected and transferred by airline companies to US authorities – rather than the 'pull' one – whereby US authorities have direct online access to airline and reservation systems databases.

The use of the PNR data by the US should be limited to fighting acts of terrorism without expanding their scope to other unspecified 'serious criminal offences'. The Working Party also wants effective enforcement of data subjects’ rights and independent third-party supervision.

Opinion 4/2003 of the Art. 29 Working Party (13.06.2003)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp7...

Annex: Undertakings of the United States Bureau of Customs and Border Protection and the United States Transportation Security Administration (22.05.2003)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp7...

European Commission / US Customs talk on Passenger Name Record (PNR) transmission (05.03.2003)
http://europa.eu.int/comm/external_relations/us/intro/pnr.htm

Biometrics in EU passports

In a remarkably high-speed procedure, the EU Council plans to oblige all Member States of the Union to introduce chips containing biometric data on their passports within little less than a year. Allegedly, this step is taken to meet a U.S. deadline set on 26 October 2004. After that date, according to a law passed eight months after the 11 September attacks, the U.S. will demand visas from all travellers entering the U.S. who don't have DNA code, fingerprints, or iris scans embedded in their travel documents.

It is an open secret however, that the filing of biometric features and their inclusion on personal documents have for a long time been on the wishlist of EU law enforcement officials, in particular those associated with the Schengen Information System (SIS). The EU itself plans to introduce biometric data on visas and residence permits for third country nationals, as part of its fight against illegal immigrants. These data will be stored in the SIS, apparently along with biometric data of EU citizens who have come into conflict with the law.

During the Thessaloniki meeting last month, the EU Heads of State also decided to allocate a further 140 million Euro to the development of these databases, which are already the biggest and most extended in Europe. Already they contain data on more than 800.000 persons, 98 percent of whom have merely been denied entrance at EU external borders.

No decision has been made so far as to which kind of data - DNA, fingerprints or iris scans, or any combination thereof - will be used in the EU passports, and how it will be stored - directly legible or on a chip, encrypted or not. On an earlier occasion, the UK finance minister Gordon Brown, a strong supporter of the plan, spoke out for a chip that might also contain any kind of other data. The Frankfurter Allgemeine Zeitung quotes a German Government spokesman, Daniel Höltgen, as saying "It basically depends on the United States and on which feature they require." And: "The interior minister is not worried about data protection at all. It's just a matter of believing in the German legal system."

Presidency Conclusions of the Thessaloniki European Council (19/20.06.2003)
http://ue.eu.int/pressData/en/ec/76279.pdf

EU Observer: EU to tighten visa and passport security
http://www.euobserver.com/index.phtml?sid=9&aid=11837

Translation of Frankfurter Allgemeine Article on biometrics in Germany
http://www.statewatch.org/news/2003/jun/27data.htm

(Contribution by Andreas Dietl, consultant on EU privacy issues)

Analysis: Privacy in the EU draft constitution

The draft European Constitution was presented in May 2003. The proposed treaty contains a section on Fundamental Rights and Citizenship of the Union. The European Charter of Fundamental Rights, which was adopted at the Nice summit in 2000, will be an integral part of the treaty (section II, article 5, paragraph 1).

The right of every individual to the protection of his or her personal data will be stated twice in the treaty. In Article 36a, it says: "Everyone has the right to the protection of personal data concerning him or her", a phrase which is literally adopted from the European Charter of Fundamental Rights. Article 8 of the Charter adds: "Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority."

To those provisions, Article 36a of the Treaty adds an item stressing the EU Council and Parliament's obligation to pass the corresponding legislation. It is worth mentioning, however, that current legislation allowing data protection to be lifted for a multitude of purposes, mainly in connection with so-called security issues, is not challenged by these provisions.

As the charter is specifically drafted to bind European Institutions, article 8 section 3 implies the need for a European Data Commissioner. The charter does not limit the protection offered by the European Convention for the Protection of Human Rights and Fundamental Freedoms, as article 52 sec. 3 specifies that any rights that correspond to those already articulated by the Human Rights Convention shall have the same meaning and scope. Article 5 paragraph 3 of the treaty states that the European Union may accede to the European Rights Convention. This is a new development, as the European Court of Justice had earlier advised against accession.

The charter differs from the Human Rights Convention in that it separately protects data privacy from general privacy. As all EU members are party to the Human Rights Convention, the draft constitution does not present a radical change for the protection of privacy. However, the inclusion of a section on data protection, the possible accession to the Human Rights Convention, the explicit protection of data and the obligation on Commission and Parliament to adopt rules relating to data protection could be an improvement for privacy protection as a whole.

Draft Constitutional Treaty for the European Union
http://www.europarl.eu.int/comparl/conv/documents/traite_en.pdf

(Contribution by Lodewijk Asscher, Dutch legal expert)

German chancellor demands take-down of satirical website

A German comedian was ordered to take down his parody website about the German Federal Chancellor (Bundeskanzler). The comedian, Joseph Pohl, operated the website for almost 5 years. Two weeks ago, he received an email from the Chancellor's press office, accusing him of infringing on their trademark. Even though the site is as clear a parody as parodies come, with pictures of the comedian on his travels and software solutions for job unemployment, the Chancellor's entourage is definitely not amused. They warn Pohl in this email not to undermine the dignity of the office with cheap sarcasm.

Pohl's email with a request for mercy was answered by a fax threatening him with a court case. "The legal grounds are quite clear", according to this fax, since the Press Office also won an earlier court case, 3 years ago, about the domain name deutschland.de.

Parody website
http://www.bundes-kanzler.de/

German press agency article about the case (16.06.2003)
http://rhein-zeitung.de/on/03/06/16/topnews/kanzler-web.html?a

Turmoil about voting date for EU Patent directive

A proposal to hasten the plenary vote about the EU Software Patent directive was stopped just in time. The voting date now remains set at the 1st of September. The extra time seems all the more important now that the public debate about the implications of this directive has only just taken off.

Last Monday, the French Social Democrat Michel Rocard, president of the EP Culture Committee and former prime minister of France, showed himself an avid opponent of the directive in an interview with the French daily Liberation. In the interview, Rocard refers to the 'Petition for a Free Europe without Software Patents', signed by more than 150.000 people, among them 2.000 IT company owners and chief executives and 25.000 developers and engineers from all sectors of the European information and telecommunication industries.

The rapporteur of the Directive, fellow Social Democrat Arlene McCarthy (UK Labour MEP) tried to rush the vote to June 30th, a mere twelve days after publication of the highly controversial report and ten days after the unexpected change of schedule.

Members of Parliament from all parties had complained that it was impossible to react adequately within a time frame of 10 days. Until Wednesday 25 June however, leaders of the two largest blocks, the socialists (PSE) and conservatives (PPE), seemed determined to follow the recommendations of their patent experts and go ahead with the vote quickly. They explained that there was no reason to wait, because all possible amendment proposals had already been submitted to the committees and translated to all languages, and there was no need for new amendments. This view however became increasingly difficult to uphold, as more and more MEPs in all parties became aware of the schedule change and pointed out that they wanted to prepare new amendments. Within the socialist group, a large opposition group, possibly the majority, gathered around Michel Rocard (FR), Luis Berenguer (ES), Evelyn Gebhardt (DE), Olga Zrihen (BE) and other MEPs who had played a prominent role in resisting software patentability.

On 25 June, the climate change became apparent. More and more MEPs rumored that the schedule would not be upheld. Even Arlene McCarthy was quoted as saying that it might be too tight. A spokesman from the General Directorate for the Internal Market of the European Commission, which had been pushing for the directive together with Arlene McCarthy and other allies in the Parliament's Committee for Legal Affairs and the Internal Market (JURI), meanwhile told journalists: "Arlene McCarthy has tried hard to have the vote conducted on June 30th, but as things now stand, this looks rather unlikely." On 26 June the postponement became final, setting the vote back to the original date of the 1st of September. Parliament will be closed from 11 July until 25 August.

Petition for a Free Europe without Software Patents
http://swpat.ffii.org/news/03/epet0622/index.en.html

Interview with Michel Rocard (Liberation, 20.06.2003)
http://www.libe.fr/page.php?Article=121303

English translation
http://www.aful.org/wws/arc/patents/2003-06/msg00221.html

Final draft report by Arlene McCarthy
http://www.europarl.eu.int/meetdocs/committees/juri/20030521/488980en....

Finnish plans to lower privacy protection for employees

On 26 June, the Finnish Ministry of Labour released a draft new version of the law protecting privacy at the workplace. The proposal would make it legal to read employees' email under certain circumstances. It also contains new regulations on camera surveillance (allowed as long as a single employee is not singled out) and drug testing (widely allowed at work, but not as part of job interviews).

The proposal was sternly criticised in the Finnish media for giving too much leeway to how companies can monitor their employees. Many people are especially concerned about the fact that employers will be allowed to check all kinds of emails employees receive while they are sick or on holiday. The traffic data and information in the headers can easily reveal sensitive personal information that should fall under privacy protection. Secondly, even if the proposal categorically forbids employers to open private emails, it is not always possible to know beforehand whether email is private or work related. Emails often contain both kinds of material.

Tietosuoja ja työntekijän valvonta - työryhmä (no English material is currently available)
http://www.mol.fi/julkaisut/tietosuojaraportti.pdf

(Contribution by Ville Oksanen, EFFI)

2 million DNA-profiles in UK police database

On the 100th anniversary of George Orwell, a UK police database with DNA-profiles of suspects reached the number of 2 million. According to an article in the English daily The Guardian, Home Secretary (minister of internal affairs) David Blunkett said the five-year-old database was well on the way to its target of holding 3 million profiles of people charged with offences by 2004. Mr. Blunkett also said the police force had 5.5 million sets of fingerprints.

Police powers to keep DNA samples have been strengthened considerably since 2001 when they were first allowed to keep the information indefinitely from suspects who were not convicted. Severely criticised by civil rights groups, the new Criminal Justice Bill now before Parliament extends this rule to people who are arrested but never charged.

Police DNA log now has 2m profiles (The Guardian, 26.06.2003)
http://www.guardian.co.uk/uk_news/story/0,3604,985006,00.html

DNA database being built by stealth, say civil rights groups (The Telegraph, 26.06.2003)
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2003/06/26/ndna26...

Dutch court orders ban on foreign gambling websites

Last Tuesday, a Dutch court ordered 21 foreign gambling websites to ban Dutch visitors. The sites are located in 10 different countries, from a well-known gambling paradise like Antigua to companies based in Canada and Australia.

The case was instigated by the national Dutch lottery (Lotto). This 100% state-owned company became very confident after winning a case in February against the international gambling firm Ladbrokes. Ladbrokes appealed. The appeal will be heard on 28 July.

According to the preliminary verdict, the 21 gambling sites violate the Dutch Gambling Act because they are not licensed to offer online gambling in the Netherlands. Since Dutch people can directly access the sites, they are considered to operate within the Netherlands. And according to the law, only 1 party is licensed to do so, De Lotto. Plans to open up the online gambling market in the Netherlands have been debated in the Lower House since 2000, but have not even led to a test with competitors yet.

Online gambling is one of the 4 exceptions not harmonised by the European E-Commerce Directive. Clearly, most EU member states have a high financial interest in enforcing the national gambling monopoly.

Verdict Arnhem Court (01.07.2003, in Dutch)
http://www.rechtspraak.nl/uitspraak/show_detail.asp?ui_id=48882

Foundation of Turkish digital civil rights group

At the end of this year, Turkey will have its first digital civil rights group. Foundational work started in April 2003. The initiator is Dr. Yaman Akdeniz, the founder and director of Cyber-Rights and Cyber-Liberties (UK).

According to Akdeniz, the organisation aims to protect the interests of all honest, law-abiding Turkish Internet users with the aim of promoting free speech and privacy on the Internet in Turkey. The organisation will be actively involved with the Internet policy-making processes of the Turkish Government, the European Union, Council of Europe, OECD, and the United Nations. Turkish cyber-rights will co-operate as much as possible with other civil liberties and public interest organisations working in this field outside Turkey.

For further information contact Dr. Yaman Akdeniz lawya at cyber-rights.org

Recommended Reading

The Internet under Surveillance: Obstacles to the free flow of information

Second annual report of the Paris-based organisation of international journalists (Reporters sans Frontieres) on the attitudes towards the internet in 60 countries, between spring 2001 and spring 2003. According to RSF "The Internet is the bane of all dictatorial regimes, but even in democracies such as the United States, Britain and France, new anti-terrorism laws have tightened government control of it and undermined the principle of protecting journalistic sources."

The internet under surveillance
http://www.rsf.org/IMG/pdf/doc-2236.pdf