Nowadays there are technologies to monitor, screen and analyse billions of telephone and email communications simultaneously; to use virtually undetectable listening and tracing devices; and to install ‘spyware’ surreptitiously on someone’s computer which can secretly monitor the online activities and emails of the user and even turn on the computer’s camera and microphone.
It is sometimes said that only those who have something to hide should be fearful about these new measures. However, the notion that if you have nothing to hide you have nothing to fear puts the onus in the wrong place – it should be for States to justify precisely the interferences they seek to make on privacy rights, not for individuals to justify their concern about interferences with their basic human rights.
The use of such new facilities and expanded competencies for the police and security services requires enhanced democratic and judicial control.
Already, the storing of enormous amounts of personal data in social security-, medical- and police databases(1) is a matter of concern. The recent loss, in the United Kingdom, of a disk with millions of such confidential data sets illustrates some of the risks.
Banks, insurance companies and other business enterprises also develop databases on clients and their transactions. Understandably, there is widespread concern that these various databases can be combined and the question is raised whether there is sufficient protection against such inter-linking.
Those who travel are today encountering the modern security measures in very concrete ways. Fingerprinting and other biometric identity control methods are being introduced widely. The EU has agreed to US demands that airlines going to the US should provide 19 pieces of personal data on all their passengers, including names, phone numbers, email addresses, credit card numbers and billing addresses.
This information is to be stored for 13 years and will be available to the US security services. Preparations are underway to introduce a similar system for travelers to and from EU countries.
Police and secret services already have a massive amount of data available to them through these methods. The intention when they process this information is not only to find previously identified culprits of crime. Increasingly they seek persons who match pre-determined ‘profiles’ of persons who allegedly are more likely be a terrorist.
Obviously, it is essential that data protection rules also cover the police, the judiciary and the security services. One of the shortcomings in the proposed EU Council Framework Decision on the Protection of Personal Data is that it would apply neither to domestic data processing relating to European police and judicial cooperation, nor to any processing of personal data by the security services, or indeed by the police when they act in relation to national security. Individuals should be provided an effective legal remedy to challenge the information, its storage and use to judicial scrutiny as laid down in Segerstedt-Wiberg and Others v. Sweden before the European Court.
As terrorists and other organised criminals increasingly act across borders, cooperation between law enforcement forces in various countries has become more urgent. A principle of ‘availability’ is being established within the European Union, to promote unhindered sharing of information. The idea is that the national law enforcement agencies in any one EU country should in principle have full and prompt access, with little or no “bureaucratic obstacles”, to all the data held by any other such agencies in any other Member State.
This means that every piece of information in any national law enforcement database will be available in large parts of Europe - and possibly in other countries as well, notably the USA, which in turn can disseminate it to other collaborating states. This will facilitate police work. On the other hand, any mistake or misreporting will have a potentially much deeper negative impact on the individual. This calls for a developed data protection regime within the Union, based on accepted common, high standards.
If the ‘availability’ process is opened for authorities in other countries as well, including the US, it becomes necessary to ensure that they genuinely respect standards of data protection. Europe should not compromise on these important rules in order to please US counterparts.
The European data protection authorities have stressed the need for a stronger data protection regime. In a joint declaration last year they stated:
‘In view of the increasing use of availability of information as a concept for improving the fight against serious crime and the use of this concept on both national level and between Member States, the lack of harmonised and high level of data protection regime in the Union creates a situation in which the fundamental right of protection of personal data is not sufficiently guaranteed any more.’(2)
This was a serious warning from official expert watchdogs on the national level in Europe. It is important to listen to them, as these problems are very complex and it is not easy for ordinary people, or even politicians, to fully grasp the implications of changes proposed or already decided.
Trust in privacy- and data protection has been badly undermined during the ‘war on terror’, in which previously accepted safeguards have been undermined by governments themselves. In the United States, not even library records have been protected. Also, the fact that extensive telephone surveillance was approved by the President but kept secret even from Congress, did not enhance confidence.
In Europe, as well, there is a need for a deeper discussion on the balance between methods of preventing terrorism and other crimes and the protection of everyone’s private life. In recent years, the human rights requirements have not been given sufficient emphasis. Intrusive methods have turned out to be ineffective, but thorough debate on such cases has been prevented by secrecy rules.
In some discussions data protection has even been referred to as an obstacle to effective law enforcement. This is a mistake. It has to be realised that there are risks on both sides – and both relate to human rights.
There is an imperative duty on States to protect their populations against possible terrorist acts. At the same time, governments have an obligation to protect people’s privacy and to ensure that private information on them is not coming into the wrong hands or is otherwise misused.
It is urgent that the principles of Rule of Law be re-asserted in this area. The European Convention on Human Rights with its case-law, and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional Protocol specify the standards. Important guidance is also given by the Council of Europe recommendation on data protection in the police sector.
The following are some of the key principles I find particularly relevant for the future discussion on privacy- and data protection in the fight against terrorism:
• All processing of personal data for law enforcement and anti-terrorist purposes must be based on clear and specific binding and published legal rules.
• The collection of data on individuals solely on the basis of ethnic origin, religious conviction, sexual behaviour or political opinions or belonging to particular movements or organisations which are not proscribed by law should be prohibited.
• The collection of data on persons not suspected on involvement in a specific crime or not posing a threat must be subject of to a particularly strict ‘necessity’ and ‘proportionality’ test. The concerned individual should be provided with an effective legal remedy to challenge the information, its storage and use.
• Access to police and secrete service files should only be allowed on a case-by-case basis, for specified purposes and subject to judicial control.
• There must be limits to the length of time for which once collected information can be retained.
• There must be strong safeguards established by law which ensure appropriate and effective supervision over the activities of the police and the secret services – also in the fight against terrorism. This supervision should be carried out by the judiciary and/or through parliamentary scrutiny.
• All personal data processing operations should be subject to close and effective supervision by independent and impartial data protection authorities.
• National authorities have an obligation to ensure that these standards are fully respected by the recipients before any personal data are shared with another country.
1. The European Court of Human Rights is currently considering a case brought against the United Kingdom which concerns the decision to continue storing fingerprints and DNA samples taken from the applicants after unsuccessful criminal proceedings against them were closed (S. and Michael Marper v. the United Kingdom (nos. 30562/04 and 30566/04).
2. Declaration adopted by the European Data Protection Authorities in Cyprus on 11 May 2007.