A few months after the European Parliament rejected the Interim Agreement on TFTP between the European Union and the United States of America, a new agreement is under way: it was signed on 28 June 2010 and will most probably be voted on during the plenary in July (5-8).
The new text addresses some of the concerns of the European Parliament. In particular:
- It provides higher data protection standards: right of access to data; exclusion of SEPA data; rectification; erasure; administrative and judicial redress; link to the negotiations with the US on a general transatlantic data protection framework
- It clarifies the definition of terrorism: Article 2 of the proposal bases the definition of terrorism on the approach of Article 1 of Council Framework Decision 2002/475/JHA
- It makes progress on limiting the transfer of bulk data: criteria for requesting and providing data.
- It narrows down the procedures for onward transfers of personal data to third countries: prior consent of the Member State (of the nationality of the data subject) will be required, except in emergency situations
- It foresees the possibility of revisiting the retention period for transferred but non-extracted data: 5 years, but after 3 years the issue will be looked at again with a view to a shorter period
- It introduces a statement on the right to redress: statement to ensure that any redress does not discriminate between EU and US citizens.
- It foresees the possibility of developing an EU TFTP
- It establishes a review mechanism: 6 months after entry into force, then every year there will be ad hoc reviews, with reports to the Council and the European Parliament. The agreement will already contain a list of subjects, including data protection, for the review; the review team will include experts on security and data protection.
- It foresees the possibility of suspending the agreement: it keeps a clause for suspension of the agreement if a breach happens. No reason is required if 6 months' notice is given in advance.
- It introduces the examination of US subpoenas: the proportionality of the US subpoena will be examined by Europol
- It also clarifies the territorial application.
Despite these improvements, the agreement keeps a series of contested aspects (see Working Party 29, EDPS opinion, EDRI article), mainly derived from the social and cultural differences between Europe and the USA in their approach to privacy.
From a European perspective, the Treaty of Lisbon and European secondary legislation establish stringent safeguards with regard to the rights of data subjects. Although European legislation makes it possible to use data initially collected for commercial aims for law enforcement purposes, a series of principles, such as purpose limitation, should be respected. Purpose limitation is interlinked with the principle of adequacy, which is entrusted to independent authorities responsible for ensuring respect for such principles.
At the European level, data protection against public authorities aims at guaranteeing the freedom of the individual in absolute terms, with justified exceptions. By contrast, in the United States this level of freedom does not apply in relation to public authorities, since what US law establishes is that privacy should be reasonably protected, but not in absolute terms.
Specifically, when it comes to the exchange of data for law enforcement purposes, such freedom is limited by the very nature of TFTP, which is dominated by its national security component. Indeed, the TFTP builds upon three legal instruments: Executive Order 13224, the International Emergency Economic Powers Act and the Patriot Act. It mainly serves the interests of intelligence agencies (CIA) and remains based on the principle of exceptionality, where the fight against terrorism prevails over the rights of individuals.
The European Parliament clearly saw this risk, and in its resolution it introduced a series of data protection safeguards, clearly restating the necessity of respecting the principles of purpose limitation, effective supervision and redress mechanisms.
Taking into account these criteria, the new TFTP agreement introduces the monitoring and oversight by independent overseers (Article 12).
It should be recalled that the USA does not have any supervisory authority for enforcing data protection on US territory. However, the American administration had to come to a compromise with the Europeans in this respect, also in relation to the future general EU-US agreement, which will set forth general principles valid for all specific transfer agreements.
This represents the most important novelty of the second TFTP. It is a first brick necessary to build a bridge between the EU and the US models. Indeed, the introduction of independent authorities will contribute to the establishment of legally binding and enforceable personal data protection standards that will ensure the protection of individuals’ fundamental rights and freedoms in an EU-US framework.
Under the Commission’s proposal, the transfer or processing of personal data by EU or US authorities would only be permitted for specified, explicit, legitimate purposes in the framework of the fight against terrorism and would include the right to redress and to correct or erase inaccurate data.
Keeping these elements in mind, which model prevails?
At first sight, the American one. Indeed, the US Privacy Act does not apply to the TFTP agreement. Furthermore, the US Privacy Act court clauses only apply to US citizens and residents. Therefore, no right of judicial review applies to foreign citizens and residents under US law.
However, the agreement contains some interesting elements which represent a step forward compared to the previous system. For example, it puts in place an independent data protection authority to guarantee the enforcement of the safeguards necessary to ensure effective data protection.
Furthermore, the discussions over the general EU-USA data protection agreement provide the opportunity to:
– include in all future agreements a reference to authorities competent for the data protection enforcement;
– introduce mechanisms for an effective right to redress;
– introduce a mechanism to ensure compliance with the principles established.
It remains to be seen whether such progress will then lead to a change in the US approach to individuals’ rights, now limited by the fact that all individuals are considered alleged suspects. Although ambitious, this is a necessary step to bridge the two different EU-US data protection and privacy systems. Otherwise, it may well represent only an attempt to limit the damage.