II. Surveillance policies

The data retention directive

In 2002, the e-Privacy Directive had introduced the possibility for member states to pass laws mandating the retention of communications data for security purposes.1 In 2006, the EU amended the e-Privacy Directive by enacting the Data Retention Directive (Directive 2006/24/EC),2 which obliges member states to require communications providers to retain communications data for a period of between six months and two years. Member states had until September 2007 to transpose the requirements of the Directive into national laws, but were entitled to postpone implementation regarding Internet access, Internet telephony, and Internet email until March 2009. At the beginning of 2010, seven member states had not yet adopted relevant national legislation.3 Implementations of the Data Retention Directive vary per member state. The most remarkable differences concern the retention period, the data to retain, the types of crimes that would justify access to the data, and the methods for law enforcement to access the data. The European Commission has brought action against various member states for failing to satisfactorily transpose the Data Retention Directive into their legal frameworks, in some cases already resulting in judgments confirming the failure to duly transpose its provisions.4

At the time of its adoption, the WP29 issued an opinion on the Data Retention Directive in which it asserted that "[t]he decision to retain communication data for the purpose of combating serious crime is an unprecedented one with a historical dimension. It encroaches into the daily life of every citizen and may endanger the fundamental values and freedoms all European citizens enjoy and cherish".5 The WP29 further noted that the Directive lacked some adequate and specific safeguards as to the treatment of communication data and left room for diverging interpretation and implementation by the member states in this respect.

Ireland brought an action seeking the annulment of the Data Retention Directive directly before the ECJ,6 based on the argument that it had not been adopted on an appropriate legal basis. More than 40 civil liberties NGOs and professional associations based in different countries took the opportunity to submit a letter to the ECJ with a petition for the annulment of the Directive.7 In February 2009, the ECJ established that the Directive was adopted on the correct legal basis and, without further analysis on the issue of privacy, dismissed the action seeking annulment.8

At national level, different legal actions have attacked national laws transposing the Data Retention Directive. Digital Rights Ireland filed a lawsuit against the Irish Government to the High Court in September 2006.9 The case argues that the Irish data retention law breaches fundamental principles of human rights and is therefore contrary to the Irish Constitution as well as Irish and EU data protection laws.10 In Germany, 34,000 individual citizens challenged the German transposition of the Data Retention Directive at the German Federal Constitutional Court, making it the largest legal action before this court ever.11 The final judgment of the German Federal Constitutional Court was delivered on 2 March 2010.12 Additional relevant case law was pronounced by the Romanian Constitutional Court, on 8 October 2009,13 and by the Bulgarian Administrative Court on 11 December 2008.14 In accordance with the provisions of the Data Retention Directive,15 the European Commission has carried out an evaluation of its application and impact in autumn 2010.

The area of freedom, security and justice

The former "third pillar" of the EU generally covered cooperation in the fields of justice and home affairs. The protection of personal data processed in the context of activities in this area, which had been left unregulated by the Data Protection Directive, was addressed through a number of different EU data protection provisions. These were commonly adopted in relation to the many specific information systems or agencies set up in the area, creating a sort of legislative patchwork. Usually, these legal instruments refer to the Council of Europe's Convention No. 108 as the benchmark for their data protection provisions.

After many years of discussions on the possibility to establish a horizontal data protection instrument for the whole "third pillar",16 the Council Framework Decision 2008/977/JHA was adopted on 27 November 2008.17 The scope of application of this Framework Decision is however extremely limited. In fact, it is exclusively concerned with the protection of personal data exchanged between member states and not subject to any other EU-level data protection provisions. The innovations introduced by the Lisbon Treaty may eventually affect the existence of this Framework Decision.

Over the years, specific data protection instruments have been building up different structures for monitoring the implementation of data protection law in this area. For instance, for Europol, which is the EU criminal intelligence agency, data protection supervision is in the hands of the Europol Joint Supervisory Body.18 In the context of Eurojust, whose objective is to improve EU-wide investigations and prosecutions, data protection monitoring is the responsibility of the Eurojust Joint Supervisory Body.19

Data processing in the area of freedom, security and justice

In 2010, the European Commission issued an overview of the numerous EU measures in place, under implementation or under consideration regarding the collection, storage, or cross-border exchange of personal information for the purpose of law enforcement or migration management.20 The measures have been taken by EU institutions over the past years in relation both to security purposes, such as counterterrorism, and objectives linked to the creation of an area without internal borders (the "Schengen area"), and sometimes in relation to a blurred aim, somehow encompassing security targets and other concerns, such as immigration. In its 2010 overview, the European Commission conceded that two recently designed large-scale information systems, the Visa Information System (VIS), which is to store biometric data of visa applicants, and the Schengen Information System (SIS), as well as its upcoming successor, Schengen Information System II (SIS II), do not respect one of the most fundamental principles of EU data protection, namely the purpose limitation principle.21

Other existing EU large-scale information systems include Eurodac, established by Council Regulation 2725/2000,22 which is a database storing the fingerprints of asylum seekers (the system is supervised by the EDPS together with the competent national Data Protection Authorities (DPAs)).23 EU initiatives that may be coming up in relation to the processing of data on individuals on the move include the creation of a so-called "Entry/Exit System" (EES),24 an information system that is expected to record the time and place of entry, as well as the length of authorised stay, of all third-country nationals entering the Schengen area for the purpose of immigration control, and an Electronic System of Travel Authorisation (ESTA) for the collection of data on third-country nationals not subject to visa requirements before their arrival at EU borders.25

The Customs Information System (CIS) was established in 1995 by the former third pillar Convention on the use of information technology for customs purposes.26 CIS's aim is to enable national customs services to exchange and disseminate information on smuggling activities and requests for action. Some of this information is personal data. A Joint Supervisory Authority consisting of member states' DPAs is responsible for supervising CIS.

In order to improve personal data sharing among EU and member states' law enforcement agencies, different efforts have been made in recent years to create "interoperability" between databases.27 "Interoperability", i.e., the blurring of boundaries between databases established for different purposes, containing information on different categories of individuals, accessed by different types of authorities and operating with different methods, poses a serious threat to the well-established data protection principles of purpose limitation and proportionality.

EU institutions are also considering the creation of a new agency, possibly called Agency for the Operational Management of Large-Scale Information Technology (IT) Systems in the Area of Freedom, Security and Justice,28 to take care of the operational management of SIS II, VIS, Eurodac, and any other future large-scale IT system established in the area of freedom, security and justice.

Data processing exchanges in the EU additionally occur through channels that do not require the establishment of any new databases. In 2005, seven member states29 signed a treaty in Prüm to enhance cross-border police and judicial cooperation, especially with respect to the fight against terrorism, cross-border crime, and illegal migration. Under the Treaty, member states grant one another access rights to their automated DNA analysis files, automated fingerprint identification systems, and vehicle registration data. In 2006, Germany and Austria became the first countries in the world to match their DNA databases.30 The provisions of the Prüm Treaty have since then been integrated into the EU legal framework.31

Another EU legal instrument promoting the exchange of information between relevant law enforcement authorities is the Framework Decision 2006/960/JHA. The Framework Decision establishes a regulatory regime under which law enforcement authorities of the member states are allowed to exchange "effectively and quickly" between them (but also with Europol and Eurojust) "information and/or intelligence for the purposes of conducting criminal investigations or criminal intelligence operations".32

Efforts to boost the exchange of personal data in the context of mutual legal assistance in criminal matters in the EU have also focused on facilitating the exchange of criminal records between national authorities. The recently adopted Framework Decision 2009/315/JHA on the exchange between member states of information extracted from their criminal records33 aims to define modalities in which a member state where a conviction is handed down against a national of another member state transmits the information on such a conviction to the member state of the convicted person's nationality. On the basis of the above-mentioned Framework Decision, the Council adopted Decision 2009/316/JHA on the establishment of the European Criminal Records Information System (ECRIS).34 In its design, ECRIS is a decentralised information technology system based on the national criminal records databases. All criminal records data shall be stored solely in databases operated by the member states. Member states shall take the necessary measures to comply with the provisions of both the above-mentioned legal instruments by April 2012.

In recent years EU institutions have been strongly supporting increased surveillance of the EU's physical borders. They have established Eurosur, a border surveillance technical framework targeting the improvement of border security through data exchange and coordination of activities,35 and Frontex, the European Agency for the Management of Operational Cooperation at the External Borders, created36 to coordinate border-control surveillance operations. The possibility for Frontex to process personal data, and in particular to transmit it to Europol, is increasingly being discussed.

In the EU the collection, analysis and sharing of personal information for law enforcement and security purposes also involves activities by the private sector. The so-called "privatisation of law enforcement activities" consists of calling on private entities (companies or professions) to cooperate with State authorities in the prevention of or fight against criminal activities like terrorism. This cooperation takes different forms: retention of communications data,37 sharing of passenger name records,38 and the collection of information by financial and other kinds of private entities for anti-money-laundering purposes. With regard to this form of cooperation, Directive 2005/60/EC aims to prevent the use of the financial system for the purpose of money laundering and terrorist financing.39 It applies to financial and credit institutions, as well as to certain legal and natural persons working in the financial sector. These entities are required to identify the customer and verify his/her identity, and to obtain information on the purpose and intended nature of the business relationship. Furthermore, they must file a suspicious transaction report when there is suspicion of money laundering or terrorist financing, regardless of any exemption or threshold.40 These suspicious transaction reports are transmitted to and processed by Financial Intelligence Units (FIUs), usually placed either within law enforcement agencies or administrative bodies reporting to Ministries of Finance. These reports can then be transmitted to competent authorities, including law enforcement agencies and foreign FIUs. On that basis criminal investigations might be launched if necessary.

These forms of surveillance that make use of information held in the private sector involve the gathering, storing, and sharing with national authorities of a vast category of personal data generated by the individual in his/her ordinary and everyday life, and mostly in carrying out legitimate activities.

The Stockholm Programme,41 the policy document orientating the development of the AFSJ for the period 2010-2014, confirms the trend towards reinforced data processing practices, while addressing the interplay between privacy intrusive techniques and the need to protect the right to private life and data protection.42 The Programme notably calls for the development of an Internal Security Strategy (with its own external dimension), which makes extensive use of information management and exchanges, based on an Information Management Strategy underpinned by the principle of availability43 and that of interoperability,44 i.e., the technical possibility to conflate databases.

Among other things, the Stockholm Programme suggests restoring the project for an EU-wide Passenger Name Record (PNR) system for law enforcement purposes.45 This system would allow for the collection of data registered during the purchase of airline tickets ("PNR data")46 of international flight passengers from the air carriers by national authorities designated by the member states, called Passenger Information Units (PIUs). The PIUs would use the PNR data, inter alia, for "carrying out a risk assessment of the passengers in order to identify the persons requiring further examination".47 The EU Fundamental Rights Agency (FRA),48 the EDPS,49 and the WP2950 have issued critical opinions on the possible establishment of this system.

EU-US data transfers

The Stockholm Programme also supports the proposal for an agreement on information sharing for law enforcement purposes with the United States (US). The agreement would be based on the work carried out by the informal High Level Contact Group (HLCG), which was established in 2006 in order to study how to bridge the differences between the EU and the US data protection regimes to foster data sharing for law enforcement purposes across the Atlantic. In fact, transatlantic information exchanges, and more precisely, unidirectional data transfers from the EU to the US, have been growing exponentially in the last decade. EU data protection law, however, has been regularly portrayed as an obstacle to these data flows.

The activities of the HLCG finished in 2009 with the adoption of an Addendum to the Final Report of the HLCG.51 Its work was devoted to identifying principles shared between the EU and the US52 and, when possible, to reaching common definitions for the principles.53 As for the choice of the most adequate form for the discussed instrument, the HLCG strongly supported the adoption of a binding international agreement.

Both the EU and the US have subsequently endorsed the idea of working towards an international binding agreement on data protection and data sharing.54 In January 2010, the European Commission launched a public consultation to collect opinions with a view to the future EU-US international agreement on personal data protection and information sharing for law enforcement purposes,55 setting in motion the institutional debate on the issue at EU level.

One of the main challenges emerging from these developments is the level of equivalency between the institutional frameworks of the EU and US. Another key challenge is how this agreement will govern other and future EU-US data exchange mechanisms, such as those related to the processing for security purposes in the US of data originally collected in the EU by private entities, in the context of unrelated activities -- for instance in the context of the PNR or the so-called SWIFT data transfers.56

The PNR data exchange agreements

In 2001 the US Government began demanding access to the reservation systems of foreign carriers in order to gain access to Passenger Name Records, i.e., detailed biographical and intelligence information on travellers.57 Compliance with the request would have placed airlines in breach of EU data protection law, whereas non-compliance could have led to economic sanctions from the US Government. Following the intervention of the European Commission, negotiations between the EU and the US were launched on how to reconcile the two legal systems.58

A first agreement59 was finalised and signed in May 2004, accompanied by a Council Decision concerning the conclusion of an agreement on the processing and transfer of personal data60 and, based on CBP's Undertakings,61 a European Commission Decision on the adequate protection of those data.62 Hence the US was allowed to access directly the airline companies' reservation systems to "pull" the data needed. The agreement was reached amidst the doubts and criticism of the privacy community, especially the Article 29 Working Party of European privacy regulators,63 and, for different reasons, the airline companies.

The European Parliament voiced its criticism by adopting a resolution, and by filing two actions for annulment before the ECJ64 against the Council and Commission's Decisions allowing the adoption of the Agreement.65 The ECJ did not consider all of the European Parliament's pleas, but annulled the two Decisions on the grounds that they had been adopted on the wrong legal basis. Since they pursued an aim falling within the scope of "public security and the activities of the State in areas of criminal law", the choice of a "first pillar" legal basis was incorrect.66 The ECJ therefore set a deadline (September 2006) for the adoption of a new agreement.

Given the tight deadline set by the Court, the parties entered into negotiations for an Interim Agreement,67 signed in October 2006.68 The new text69 did not differ substantially from the first one and was met with renewed criticism and increased awareness.

A third Agreement was finalised within the time limits established by the sunset clause of the Interim Agreement.70 It consisted of an international agreement71 signed by both parties, and two letters, whose legal relation with the agreement was not clarified.72 Although the new text addressed some of the substantial concerns raised by different EU bodies since the beginning of the data exchanges,73 it was not immune from criticism.74 Since the entry into force of the Lisbon Treaty there have been strong demands to adopt a new agreement.

It should be noted that the EU has also signed PNR data exchange agreements with other countries, such as Australia.75

Terrorist financing tracking programme

In 2006, the New York Times unveiled76 the access of the US Treasury Department authorities to financial records held by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), based in Belgium. Under the Terrorist Financing Tracking Programme (TFTP), US authorities accessed, through the US branch of the company and by subpoenas, financial records of both US and foreign citizens, including EU citizens, for the purposes of identifying, tracking, and pursuing terrorists. The issue caused strong criticism among the privacy community,77 already sensitised by the PNR affair. EU authorities entered into transatlantic negotiations to regulate the access to and processing of EU citizens' banking data. As a result, EU member states too could access the result of the processing activities by US authorities.

Pending an international agreement, SWIFT adhered to the Safe Harbour Agreement and adopted a new "distributed architecture", allowing intra-European messages to be processed and stored in the European data centres. In addition, the US Treasury clarified issues concerning its access and processing of data obtained by SWIFT and offered assurances. As a result, an interim agreement was signed in November 200978 with the explicit intention of negotiating a proper agreement after the entry into force of the Lisbon Treaty.79

The European Parliament, which the Lisbon Treaty has granted new powers in relation to international agreements, voted down the agreement in February 201080 on grounds of insufficient data protection, a concern also expressed by the EDPS.81 Consequently, new negotiations started, and a Draft Council Decision was submitted in June 2010.82 Although recognising the improvements made, the Council had failed to convince its critics, including the EDPS,83 the WP29 together with the Working Party on Police and Justice84 and some MEPs.85 In spite of this, the EP found that the final agreement in combination with the legally binding commitments in the Council Decision met most of its demands, and therefore gave consent to the conclusion of the agreement on 5 July 2010.86

Footnotes

  • 1. Art. 15(1) of Directive 2002/58/EC.
  • 2. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L 105, 13.4.2006, pp. 54-63.
  • 3. Austria, Belgium, Greece, Ireland, Luxembourg, Poland, and Sweden. Cfr. The Article 29 Data Protection Working Party, Report 01/2010 on the second joint enforcement action: compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive, WP 172, 13 July 2010, Brussels.
  • 4. See, notably: ECJ, Case C-189/09, European Commission v Republic of Austria, Judgment of 29 July 2010; Case C-185/09, European Commission v Kingdom of Sweden, Judgment of 4 February 2010; Case C-202/09, European Commission v Ireland, Judgment of 26 November 2009; Case C-211/09, European Commission v Hellenic Republic, Judgment of 26 November 2009; Case C-394/10, European Commission v Grand Duchy of Luxembourg, action brought on 4 August 2010.
  • 5. The Article 29 Working Party, Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, WP 119, 25 March 2006, Brussels, at 2.
  • 6. ECJ, Case C-301/06, Ireland v Council of the European Union, European Parliament, available from http://curia.europa.eu/.
  • 7. Arbeitskreis Vorratsdatenspeicherung, "European NGOs Ask Court to Annul Data Retention Directive", 8 April 2008, available at http://www.vorratsdatenspeicherung.de/content/view/216/79/lang,en/#_note-0.
  • 8. ECJ, Case C-301/06, Ireland v European Parliament, Council of the European Union, Judgment of 10 February 2009.
  • 9. Digital Rights Ireland, "DRI Brings Legal Action over Mass Surveillance," 14 September 2006, available at http://www.digitalrights.ie/2006/09/14/dri-brings-legal-action-over-mass....
  • 10. Id.
  • 11. Arbeitskreis Vorratsdatenspeicherung, "Constitutional Complaint Filed against German Telecomms Data Retention Act," 31 December 2007 available at http://www.vorratsdatenspeicherung.de/content/view/184/79/lang,en/.
  • 12. Vorratsdatenspeicherung (Data retention), BVerfG 2 March 2010, 1 BvR 256/08, available at http://www.bundesverfassungsgericht.de/entscheidungen/rs20100302_1bvr025....
  • 13. Decision No. 1258, Romanian Constitutional Court, 8 October 2009, published in the Romanian Official Monitor, No. 789, 23 November 2009.
  • 14. Decision No. 13627, Bulgarian Supreme Administrative Court (Върховния административен съд), 11 December 2008.
  • 15. Directive 2006/24/EC, supra at Art. 14.
  • 16. The EDPS issued three Opinions on the subject: EDPS, Third opinion of 27 April 2007 on the proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters, OJ C 139, 23 June 2007, at 1; Second Opinion of 29 November 2006 on the Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters, OJ C 91, 26 April 2007, at 9; Opinion of 19 December 2005 on the Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters (COM (2005)475 final), OJ C 47, 25 February 2006, at 27.
  • 17. Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. OJ 350, 30 December 2008, at 60-71.
  • 18. See Europol Joint Supervisory Body's homepage at http://europoljsb.consilium.europa.eu/default.asp?lang=EN.
  • 19. Compare Rules of Procedure on the Processing and Protection of Personal Data at Eurojust (2005), OJ C 68/1, available at http://www.eurojust.europa.eu/official_documents/eju_dp_rules.htm.
  • 20. European Commission, Communication from the Commission to the European Parliament and the Council: Overview of information management in the area of freedom, security and justice, COM(2010) 385 final, 20 July 2010, Brussels.
  • 21. Id., at 22.
  • 22. Council Regulation (EC) No. 2725/2000 of 11 December 2000 concerning the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of the Dublin Convention, OJ L 316, 15 December 2000.
  • 23. Council Regulation (EC) No. 407/2002 of 28 February 2002 laying down certain rules to implement Regulation (EC) No 2725/2000 concerning the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of the Dublin Convention, OJ L 62, 5 March 2002, at 1-5.
  • 24. European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Preparing the next steps in border management in the European Union, COM(2008) 69 final, 13 February 2008, Brussels, at 7.
  • 25. Id., at 5.
  • 26. Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on the use of information technology for customs purposes, OJ C 316, 27 November 1995, at 34-47. In 1997, Council Regulation (EC) No. 515/97 of 13 March 1997 also established the CIS for the purposes of mutual assistance in respect of customs and agricultural matters. See OJ, L 082, 22 March 1997, at 1-16.
  • 27. According to the Communication from the Commission to the Council and the European Parliament on improved effectiveness, enhanced interoperability and synergies among European databases in the area of Justice and Home Affairs (COM/2005/0597 final), Brussels, 24 November 2005, "interoperability" is the "ability of IT systems and of the business processes they support to exchange data and to enable the sharing of information and knowledge". Regrettably, the Commission considered "Interoperability" a "technical rather than a legal or political concept. This is disconnected from the question of whether the data exchange is legally or politically possible or required".
  • 28. European Commission, Amended Proposal for a Regulation (EU) No ... / ... of the European Parliament and of the Council on establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, COM(2010) 93 final, 19 March 2010, Brussels.
  • 29. Austria, Belgium, France, Germany, Luxembourg, Spain, and the Netherlands.
  • 30. "The Treaty of Prüm Makes Europe Safer - EU Police Forces Share Data," German Ministry of the Interior, 15 March 2007, at http://www.eu2007.bmi.bund.de/nn_1059824/EU2007/EN/DomesticPolicyGoals/N....
  • 31. See Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime, OJ L 210, 6 August 2008, at 1-11; See also Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA, OJ L 210, 6 August 2008, at 12-72.
  • 32. Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the member states of the European Union, OJ L 386 29 December 2006, at 89-100.
  • 33. Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between member states, OJ L 93, 7 April 2009, at 23-32.
  • 34. Council decision 2009/316/JHA of 6 April 2009 on the establishment of the European Criminal Records Information System (ECRIS) in application of Article 11 of Framework Decision 2009/315/JHA, OJ L93, 7 April 2009, at 33-47.
  • 35. European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Examining the creation of a European border surveillance system (EUROSUR), COM(2008) 68 final, 13 February 2008, Brussels.
  • 36. Council Regulation (EC) No. 2007/2004 of 26 October 2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, OJ L 349, 25 November 2004, at 1-11.
  • 37. Cfr. Section "The data retention Directive," supra.
  • 38. Cfr. infra this Section and Section "The PNR data exchange Agreements".
  • 39. Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, OJ L 309, 25 November 2005, at 15-36. See also Council Decision of 17 October 2000 concerning arrangements for cooperation between financial intelligence units of the member states in respect of exchanging information, OJ L 271, 24 October 2000, at 4-6.
  • 40. Id.
  • 41. The Stockholm Programme -- An open and secure Europe serving and protecting citizens, OJ C 115, 4 May 2010. The Programme was issued in November 2009.
  • 42. Id., at 18.
  • 43. See The Hague Programme, OJ C 53, 3 March 2005, at 1. See also EDPS, Opinion on the Proposal for a Council Framework Decision on the exchange of information under the principle of availability (COM (2005)490 final), 28 February 2006, OJ C 116, 17 May 2006, at 8. The principle of availability refers to the possibility for law enforcement officers in one member state to obtain information from law enforcement agencies of another member state in the same conditions as law enforcement officers of the latter member state.
  • 44. See supra in the text.
  • 45. The idea was initially advanced in conjunction with the beginning of the negotiations with the United States to conclude the first PNR data exchange Agreement (see below) (European Commission, Communication from the Commission to the Council and the Parliament: Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach, COM(2003) 826, 16 December 2003). Nonetheless, a concrete proposal was only presented four years later (European Commission, Proposal for a Council framework decision on the use of Passenger Name Record (PNR) for law enforcement purposes {SEC(2007) 1422} {SEC(2007) 1453}, COM/2007/0654 final).
  • 46. PNRs are different from Advanced Passengers Information (API) data, which is the information contained in the machine-readable zone (MRZ) of the passports. PNR data can contain up to 60 fields, partially overlapping with but exceeding Advanced Passengers' Information data, and are not official, verified data.
  • 47. European Commission, Proposal for a Council framework decision on the use of Passenger Name Record (PNR) for law enforcement purposes, supra at Art. 3.3.
  • 48. Opinion of the European Union Agency for Fundamental Rights on the proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes, 28 October 2008.
  • 49. EDPS, Opinion on the Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes, 20 December 2007, OJ C 110, 01 May 2008, at 1.
  • 50. The Article 29 Data Protection Working Party and the Working Party on Police and Justice, Joint opinion on the proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes, presented by the Commission on 6 November 2007, WP 145, 05 December 2007, Brussels.
  • 51. Reports by the High Level Contact Group (HLCG) on information sharing and privacy and personal data protection, 23 November 2009, Brussels, available at http://register.consilium.europa.eu/pdf/en/09/st15/st15851.en09.pdf. The EDPS issued an Opinion on the Final Report: EDPS, Opinion on the Final Report by the EU-US High Level Contact Group on information sharing and privacy and personal data protection, 11 November 2008, OJ C 128, 06 June 2009, at 1. The Addendum addressed a series of issues previously described as pending. In particular: 1) Consistency in private entities' obligations during data transfers; 2) Equivalent and reciprocal application of privacy and personal data protection law; 3) Preventing undue impact on relations with third countries; and 4) Specific agreements regulating information exchanges and privacy and personal data protection.
  • 52. The principles identified were: 1) Purpose Specification/Purpose Limitation; 2) Integrity/Data Quality; 3) Relevant and Necessary/Proportionality; 4) Information Security; 5) Special Categories of Personal Information (sensitive data); 6) Accountability; 7) Independent and Effective Oversight; 8) Individual Access and Rectification; 9) Transparency and Notice; 10) Redress; 11) Automated Individual Decisions; and 12) Restrictions on Onward Transfers to Third Countries.
  • 53. Common definitions were identified for nine out of twelve principles. A common definition of "redress" could not be reached; it was only possible to agree that any redress process should result in effective remedy; the definition of "independent and effective oversight" incorporated the structural differences of the two regimes, and, finally, the definition of "transparency and notice" only clarified the type of information to be made available to data subjects.
  • 54. EU-US Statement on "Enhancing transatlantic cooperation in the area of Justice, Freedom, and Security", adopted in Washington D.C. on 28 October 2009, at 6, available at http://register.consilium.europa.eu/pdf/en/09/st15/st15184.en09.pdf.
  • 55. The result of the consultation is available at http://ec.europa.eu/homeaffairs/news/consulting_public/consulting_0005_e....
  • 56. Another related issue is the relation between the agreement and agreements negotiated between the US and EU member states.
  • 57. More concretely, by Section 115 of the US Aviation and Transportation Security Act (ATSA) (The United States of America, Congress, Transportation and Aviation Security Act, 19 November 2001). In 2001, the Customs and Border Protection Bureau started demanding that international air carriers operating flights to, from, or across US territory grant access to the data in their automated reservation and departure control systems so that it could obtain PNR data.
  • 58. European Commission, Communication from the Commission to the Council and the Parliament: Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach, COM(2003) 826, 16 June 2003, Brussels.
  • 59. Agreement between the European Community and the United States of America on the processing and transfer of PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, OJ L 183, 20 May 2004, at 84-85.
  • 60. Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, OJ L 183, 20 May 2004, at 83-85.
  • 61. Letter from Commissioner Bolkestein to US Secretary Tom Ridge, Department of Homeland Security, 18 December 2003.
  • 62. Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States' Bureau of Customs and Border Protection (notified under document number C(2004) 1914), OJ L 235, 6 July 2004, at 11-22.
  • 63. The Article 29 Data Protection Working Party, Opinion 6/2002 on transmission of Passenger Manifest Information and other data from Airlines to the United States, 24 October 2002, WP 66; Opinion 4/2003 of the Art. 29 Working Party, 13 June 2003, WP 78; Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (US CBP), WP 87; Opinion 6/2004 on the implementation of the Commission decision of 14-V-2004 on the adequate protection of personal data contained in the Passenger Name Records of air passengers transferred to the United States' Bureau of Customs and Border Protection, and of the Agreement between the European Community and the United States of America on the processing and transfer of PNR data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 22 June 2004, WP 95 2 February 2004; Opinion 8/2004 on the information for passengers concerning the transfer of PNR data on flights between the European Union and the United States of America, WP 97, 30 September 2004. The criticism of WP29 regarding the first agreement revolved around the proportionality of the measure as opposed to its purposes, the challenges to the principles of data protection, the technical features of the exchanges (in particular, it considered that the information sharing should happen by means of a "push" instead of a "pull", i.e. by asking the airline companies to send the US the requested data, instead of allowing the US to extract the needed data (which reduces consistently the possibility of oversight)) and the choice of the legal framework for the exchange.
  • 64. ECJ GCh (Grand Chamber), Joined cases C-317/04 and C-318/04, European Parliament v Council of the European Union (C-317/04) and Commission of the European Communities (C-318/04), Judgment of 30 May 2006.
  • 65. In particular, in Case C-317/04, the European Parliament entered six pleas for annulment: the incorrect choice of Article 95 EC as legal basis for Decision 2004/496/EC and breach of, respectively, the second subparagraph of Article 300(3) EC, Article 8 of the ECHR, the principle of proportionality, the requirement to state reasons and the principle of cooperation in good faith. In Case C-318/04, the European Parliament introduced four pleas for annulment, namely ultra vires action, breach of the fundamental principles of the Directive 95/46/EC, breach of fundamental rights, and breach of the principle of proportionality.
  • 66. The Article 29 Data Protection Working Party, Opinion 5/2006 on the ruling by the European Court of Justice of 30 May 2006 in Joined Cases C-317/04 and C-318/04 on the transmission of Passenger Name Records to the United States, 14 June 2006, WP 122; Opinion 7/2006 on the ruling by the European Court of Justice of 30 May 2006 in Joined Cases C-317/04 and C-318/04 on the transmission of Passenger Name Records to the United States and the urgent need for a new agreement, 27 September 2006, WP 124.
  • 67. Council Decision 2006/729/CFSP/JHA of 16 October 2006 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, OJ L 298, 27 October 2006, at 27-28.
  • 68. Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, OJ L 298, 27 October 2006, at 29-31.
  • 69. Which contained a sunset clause and was accompanied by two letters (Letter from the "US Department of Homeland Security" (PNR interpretations); Reply by the Council Presidency and the Commission to the letter from the USA's Department of Homeland Security).
  • 70. Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), OJ L 204, 4 August 2007, at 16-17.
  • 71. Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement) OJ L 204, 4 August 2007, at 18-25.
  • 72. The first one explained how the United States Department of Homeland Security (DHS) handles the collection, use, and storage of PNR data, and the second one acknowledged its receipt.
  • 73. The Article 29 Data Protection Working Party, A common EU approach to the use of Passenger Name Record (PNR) data for law enforcement purposes, 31 January 2007; Opinion 2/2007 on information to passengers about transfer of PNR data to US authorities, 15 February 2007, WP 132 and its Annex: Short notice for travel between the European Union and the United States; Workshop on EU approach towards a new passenger data agreement. This Workshop brought together national data protection authorities and other interested parties and was not a meeting of the Article 29 Working Party, 26 March 2007, Report.
  • 74. The Article 29 Data Protection Working Party, Opinion No. 5/2007 on the follow-up agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security concluded in July 2007, 17 August 2007, WP 138; Opinion 2/2007 on information to passengers about the transfer of PNR data to US authorities, Adopted on 15 February 2007 and revised and updated on 24 June 2008, 24 June 2008, WP 151.
  • 75. Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian customs service, OJ L 213, 8 August 2008, at 49-57.
  • 76. Eric Lichtblau and James Risen, "Bank Data Is Sifted by U.S. in Secret to Block Terror," The New York Times, 23 June 2006, available at http://www.nytimes.com/2006/06/23/washington/23intel.html
  • 77. EDPS, Opinion on the role of the European Central Bank in the SWIFT case, 1 February 2007, available at http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Su... ; the Article 29 Data Protection Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), WP 128, 22 November 2006.
  • 78. Simon Taylor, "EU Agrees New Bank Data Deal with US," European Voice, 30 November 2009 available at http://www.europeanvoice.com/article/2009/11/eu-agrees-new-bank-data-dea....
  • 79. Council Decision 2010/16/CFSP/JHA of 30 November 2009 on the signing, on behalf of the European Union, of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Programme, OJ L 8, 13 January 2010, at 9-10.
  • 80. European Parliament Press Release, SWIFT: European Parliament votes down agreement with the US, Justice and home affairs, 11 February 2010, available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+IM-PRES....
  • 81. EDPS, Comments on different international agreements, notably the EU-US and EU-AUS PNR agreements, the EU-US TFTP agreement, and the need of a comprehensive approach to international data exchange agreements, 25 January 2010.
  • 82. Proposal for a Council Decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Programme (TFTP II), 28 June 2010, available at http://register.consilium.europa.eu/servlet/driver?page=Result&lang=EN&s....
  • 83. EDPS, Opinion of 22 June 2010 on the Proposal for a Council Decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Programme (TFTP II).
  • 84. Article 29 Data Protection Working Party and the Working Party on Police and Justice, Letter from Mr. Jacob Kohnstamm, Chairman of the Art. 29 Working Party and Mr. Francesco Pizzetti, Chairman of the Working Party on Police and Justice addressed to Mr. Juan Fernando López Aguilar, Chairman of the LIBE Committee regarding EU-US Terrorist Finance Tracking Programme Agreement (TFTP II Agreement), 25 June 2010.
  • 85. See the Recommendation on the draft Council decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programme (11222/1/2010/REV 1 and COR 1 C7-0158/2010 -- 2010/0178(NLE)) Committee on Civil Liberties, Justice and Home Affairs, Minority Resolution, at 10-11.
  • 86. Id., Draft European Parliament Legislative Resolution on the draft Council decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programme (11222/1/2010/REV 1 and COR 1 -- C7-0158/2010 -- 2010/0178 (NLE)), at 5-9.