|
< Viewpoints
< 2008
“Strong data protection rules are needed to prevent the emergence
of a surveillance society”
[26/05/08] Surveillance technology
is developing with breath-taking speed. This creates new instruments in
the struggle against terrorism and organised crime, but also raises fundamental
questions on the right to privacy for everyone. Individuals should be protected
from intrusions into their private life and from the improper collecting,
storing, sharing and use of data about them. Terrorism and organised crime
must be combated - but not with means which undermine basic human rights.
Nowadays there are technologies to monitor, screen and analyse billions
of telephone and email communications simultaneously; to use virtually undetectable
listening and tracing devices; and to install ‘spyware’ surreptitiously
on someone’s computer which can secretly monitor the online activities and
emails of the user and even turn on the computer’s camera and microphone.
It is sometimes said that only those who have something to hide should be
fearful about these new measures. However, the notion that if you have nothing
to hide you have nothing to fear puts the onus in the wrong place – it should
be for States to justify precisely the interferences they seek to make on
privacy rights, not for individuals to justify their concern about interferences
with their basic human rights.
The use of such new facilities and expanded competencies for the police
and security services requires enhanced democratic and judicial control.
Already, the storing of enormous amounts of personal data in social security-,
medical- and police databases(1) is a matter of concern. The recent loss, in
the United Kingdom, of a disk with millions of such confidential data sets
illustrates some of the risks.
Banks, insurance companies and other business enterprises also develop databases
on clients and their transactions. Understandably, there is widespread concern
that these various databases can be combined and the question is raised
whether there is sufficient protection against such inter-linking.
Those who travel are today encountering the modern security measures in
very concrete ways. Fingerprinting and other biometric identity control
methods are being introduced widely. The EU has agreed to US demands that
airlines going to the US should provide 19 pieces of personal data on all
their passengers, including names, phone numbers, email addresses, credit
card numbers and billing addresses.
This information is to be stored for 13 years and will be available to the
US security services. Preparations are underway to introduce a similar system
for travelers to and from EU countries.
Police and secret services already have a massive amount of data available
to them through these methods. The intention when they process this information
is not only to find previously identified culprits of crime. Increasingly
they seek persons who match pre-determined ‘profiles’ of persons who allegedly
are more likely be a terrorist.
Obviously, it is essential that data protection rules also cover the police,
the judiciary and the security services. One of the shortcomings in the
proposed EU Council Framework Decision on the Protection of Personal
Data is that it would apply neither to domestic data processing relating
to European police and judicial cooperation, nor to any processing of personal
data by the security services, or indeed by the police when they act in
relation to national security. Individuals should be provided an effective
legal remedy to challenge the information, its storage and use to judicial
scrutiny as laid down in Segerstedt-Wiberg and Others v. Sweden before
the European Court.
As terrorists and other organised criminals increasingly act across borders,
cooperation between law enforcement forces in various countries has become
more urgent. A principle of ‘availability’ is being established within the
European Union, to promote unhindered sharing of information. The idea is
that the national law enforcement agencies in any one EU country should
in principle have full and prompt access, with little or no “bureaucratic
obstacles”, to all the data held by any other such agencies in any other
Member State.
This means that every piece of information in any national law enforcement
database will be available in large parts of Europe - and possibly in other
countries as well, notably the USA, which in turn can disseminate it to
other collaborating states. This will facilitate police work. On the other
hand, any mistake or misreporting will have a potentially much deeper negative
impact on the individual. This calls for a developed data protection regime
within the Union, based on accepted common, high standards.
If the ‘availability’ process is opened for authorities in other countries
as well, including the US, it becomes necessary to ensure that they genuinely
respect standards of data protection. Europe should not compromise on these
important rules in order to please US counterparts.
The European data protection authorities have stressed the need for a stronger
data protection regime.
In a joint declaration last year they stated:
‘In view of the increasing use of availability of information as a concept
for improving the fight against serious crime and the use of this concept
on both national level and between Member States, the lack of harmonised
and high level of data protection regime in the Union creates a situation
in which the fundamental right of protection of personal data is not sufficiently
guaranteed any more.’(2)
This was a serious warning from official expert watchdogs on the national
level in Europe. It is important to listen to them, as these problems are
very complex and it is not easy for ordinary people, or even politicians,
to fully grasp the implications of changes proposed or already decided.
Trust in privacy- and data protection has been badly undermined during the
‘war on terror’, in which previously accepted safeguards have been undermined
by governments themselves. In the United States, not even library records
have been protected. Also, the fact that extensive telephone surveillance
was approved by the President but kept secret even from Congress, did not
enhance confidence.
In Europe, as well, there is a need for a deeper discussion on the balance
between methods of preventing terrorism and other crimes and the protection
of everyone’s private life. In recent years, the human rights requirements
have not been given sufficient emphasis. Intrusive methods have turned out
to be ineffective, but thorough debate on such cases has been prevented
by secrecy rules.
In some discussions data protection has even been referred to as an obstacle
to effective law enforcement. This is a mistake. It has to be realised that
there are risks on both sides – and both relate to human rights.
There is an imperative duty on States to protect their populations against
possible terrorist acts. At the same time, governments have an obligation
to protect people’s privacy and to ensure that private information on them
is not coming into the wrong hands or is otherwise misused.
It is urgent that the principles of Rule of Law be re-asserted in this area.
The European Convention on Human Rights with its case-law, and the Convention
for the Protection of Individuals with regard to Automatic Processing of
Personal Data and its additional Protocol specify the standards. Important
guidance is also given by the
Council of Europe recommendation on data protection
in the police sector.
The following are some of the key principles I find particularly relevant
for the future discussion on privacy- and data protection in the fight against
terrorism:
• All processing of personal data for law enforcement and anti-terrorist
purposes must be based on clear and specific binding and published legal
rules.
• The collection of data on individuals solely on the basis of ethnic origin,
religious conviction, sexual behaviour or political opinions or belonging
to particular movements or organisations which are not proscribed by law
should be prohibited.
• The collection of data on persons not suspected on involvement in a specific
crime or not posing a threat must be subject of to a particularly strict
‘necessity’ and ‘proportionality’ test. The concerned individual should
be provided with an effective legal remedy to challenge the information,
its storage and use.
• Access to police and secrete service files should only be allowed on a
case-by-case basis, for specified purposes and subject to judicial control.
• There must be limits to the length of time for which once collected information
can be retained.
• There must be strong safeguards established by law which ensure appropriate
and effective supervision over the activities of the police and the secret
services – also in the fight against terrorism. This supervision should
be carried out by the judiciary and/or through parliamentary scrutiny.
• All personal data processing operations should be subject to close and
effective supervision by independent and impartial data protection authorities.
• National authorities have an obligation to ensure that these standards
are fully respected by the recipients before any personal data are shared
with another country.
Thomas Hammarberg
Notes
 1.
The European Court of Human Rights is currently considering a case brought
against the United Kingdom which concerns the decision to continue storing
fingerprints and DNA samples taken from the applicants after unsuccessful
criminal proceedings against them were closed (S. and Michael Marper
v. the United Kingdom (nos. 30562/04 and 30566/04).
2.
Declaration adopted by the European Data Protection Authorities in Cyprus
on 11 May 2007.
Link
Recommendation R(87)15 of the Committee of Ministers,
Regulating The Use Of Personal Data In The Police Sector.
The European Data Protection Supervisor
This Viewpoint can be re-published in newspapers or on the internet without
our prior consent, provided that the text is not modified and the original
source is indicated in the following way: "Also available at the Commissioner's
website at www.commissioner.coe.int"
|
RSS
Print 
Send 
Version française