[via The Register] If you have half an hour to spare, and you care about your own personal data privacy and security, and that of your family, you might be able to influence the European Commission, before they get out negotiated by the US Government, or get lobbied too hard by the vested securocrat interests.
Free access to financial data may end
By John Oates
Posted in Government, 5th February 2010 15:56 GMT
The European Commission has opened a public consultation on whether the US government should continue to get free access to European bank and financial data under the SWIFT agreement.
The US claims it needs access to our bank accounts in order to fight terrorism - it has had free access since shortly after 11 September 2001. But the Civil Liberties Committee of European MPs yesterday recommended the Parliament reject renewal of the treaty; MEPs only recently got powers over external treaties.
This may sound like just hot air from Brussels, but the treaty is up for a vote next Thursday. MEPs want the data protected in the same way as it would be in Europe.
So when a US firm brings data out of Europe it must still follow EU law. This is now extended so that the data is passed on to an outsourcer, that company must also follow EU law.
The consultation documents are here. You have until 12 March to have your say.
Actually, that European Commission Consultation document is much wider and more general and applies to any data transfers involving Governments / national security / transnational border crime investigations etc:
- If you are answering this consultation as a citizen, please click here to submit your contribution.
- If you are answering this consultation on behalf of an organisation, please click here to submit your contribution.
- If you are answering this consultation on behalf of a public authority, please click here to submit your contribution.
Directorate-General for Justice, Freedom and Security
Unit A2 - External relations and enlargement
Postal address :
Directorate-General for Justice, Freedom and Security
Unit A2 - External relations and enlargement
B - 1049 Brussels
From the metadata of these documents, the author is listed as our old friend Jonathan Faull (.pdf), Director General of the European Commission's Justice, Freedom and Security department since 15 March 2003, with whom we have corresponded in the past
See our blog category archive EU Plans for internet censorship
The Questions which are asked in this short consultation document, are all well and good, provided that they are actually Answered and Implemented properly.
However, there are a few important Questions which are missing - notably in the areas of:
- mandatory Data Security Breach Notification and Public Reporting,
- mandatory use of strong Encryption to protect such data transfers in transit and storage,
- the principle of Data Minimisation,
- Data Retention and Destruction policies,
- applying the same principles and protections for transfers between countries within the European Union as between any EU state and the USA,
- the publication annually of how much public money is being spent on such data transfers, so that we can gauge whether they are cost effective or not.
See our comments below:
This paper non-exhaustively lists questions on which the Commission wishes to seek the opinions of stakeholders with a view to a future EU-US agreement on personal data protection and information sharing for law enforcement purposes.
What should be the purpose(s) of the agreement? Should the agreement only establish data protection standards for EU-US law enforcement cooperation? Or should it address also wider issues related to the processing and transfer of personal data in the context of transatlantic law enforcement cooperation, e.g. reciprocal information transfer or impact on relations with other third countries?
It would be a professional failure of the experts and legislators on both sides, if this opportunity to sort out the wider issues were to be missed.
2. Scope of the agreement
2.1. Material scope
- Should the agreement cover personal data protection when information is transferred that pertains to police cooperation in the area of freedom, security and justice (Title V chapter 5 of the Treaty on the Functioning of the European Union (TFEU)?
Yes - but it must be absolutely reciprocal in both directions across the Atlantic. Anything demanded of EU citizens by the US authorities, must also apply to EU member state requests for data about US citizens, no more, no less.
- Should it also cover personal data protection when information is transferred in the course of judicial cooperation in criminal matters (Title V chapter 4 TFEU)?
Yes - but again, it must be absolutely reciprocal in both directions across the Atlantic. Anything demanded of EU citizens by the US authorities, must also apply to EU member state requests for data about US citizens, no more, no less.
- Should it also be applicable to the transfer of personal data in the context of other Union policies within the area of freedom, justice and security, i.e. the security elements of immigration, visa, asylum and civil law cooperation?
Yes - but yet again, it must be absolutely reciprocal in both directions across the Atlantic. Anything demanded of EU citizens by the US authorities, must also apply to EU member state requests for data about US citizens, no more, no less.
N.B. this must not end up like the European Arrest Warrant, or the proposed European Evidence Warrant, or the United Kingdom / USA Extradition treaty and legislation, whereby a "sanity" check on the proportionality and reasonableness of the request cannot be challenged in, say, a local United Kingdom court, because of the legal pretence that foreign legal systems are somehow entirely equivalent to each other. This adds hugely to the difficulty and expense of trying to challenge such data transfers and sharing, for ordinary private citizens.
2.2. Personal scope
- Should the agreement only cover government-to-government transfers of information?
- Or should it also be applicable to transatlantic transfers of personal data from private entities to law enforcement authorities? If so, should the conditions on private - public data transfers be in any way different from the government-to-government transfers?
The Data Protection Principle of prior, informed, individual consent should apply to every kind of data transfer.
3. Nature of the agreement:
Should the agreement include a provision to the effect that EU and US law enforcement
authorities may request from each other the same types/categories of information and personal data (reciprocity)?
There must be true reciprocity, in both directions across the Atlantic, no more, no less.
4. Data Protection Principles
Should the agreement provide for modalities and consequences of "accountability", e.g. internal and external review procedures? Should the agreement notably provide for a joint review mechanism?
Yes, there should be a joint review procedure, which reports prior to the invocation of a Sunset Clause, which automatically terminates this Agreement in say 5 years, unless it can be re-justified in the future, by which time there will be lots of new technological factors to consider.
4.2. Individual Access
- Should the agreement spell out the conditions for the right to access one's own personal data?
Yes - this fundamental right should remain the default.
There must be no extra costs imposed by this agreement over and above normal, national data protection laws i.e. in the UK no more than £10 for a Data Subject Access request.
- If there is no possibility to directly access one's own personal data for justified reasons, should the agreement provide for the possibility of indirect verification through an independent authority responsible for the oversight of the processing in the sending or recipient country?
There should be a statutory complaints mechanism, whereby if a US or EU Government department or agency refuses to deal properly with a legitimate request about what personal data of yours it holds or has transferred and shared elsewhere, then the local Data Protection authority can take up the case on the citizen's behalf.
Such cases should be analysed annually, and any errant agencies, department or officials should be named and shamed in public.
4.3. Single contact points
- Should the agreement provide for a single contact point in the US in case of data protection concerns related to data transferred from the EU?
Yes - this should merely act a Single Point of Contact with properly trained, experienced staff, available 24/7 securely via the internet and the phone system, in contact with the appropriate people in the Federal Government department and agency and also in each State.
- Should the agreement provide for a single contact point in the EU in case of data protection concerns related to data transferred from the US?
Yes - this should merely act a Single Point of Contact with properly trained, experienced staff, available 24/7 securely via the internet and the phone system, in contact with the appropriate people in each national European Union country, and if necessary, each European Union agency e.g. FRONTEX, Eurojust, Europol or the Schengen Information System etc.
- Should the modalities for transparency and assistance to data subjects by US and EU data protection supervisory authorities be spelled out in the agreement?
Both sides, and the general public, should be absolutely clear about exactly what has been agreed, in detail.
4.4. Judicial redress
- Should the agreement lay down provisions for effective access to courts for data subjects that believe that their data protection rights have not been respected? How could this be achieved?
Yes, but in order for this to be effective individual private citizens must not be put at any financial disadvantage when taking legal action against Government bureaucracies, with access to unlimited legal funds, paid for by the taxpayer.
The national Data Protection authorities should be given adequate funding and manpower resources to take on national, foreign and international Government departments, law enforcement and intelligence agencies though the Courts, on behalf of an individual private citizen.
- Should laws which discriminate in respect of access to the courts on grounds of nationality or residence be amended?
This is desirable, but it should not be the immediate priority.
We should get the system working properly for the 450million EU citizens and the 300 million US citizens first.
5. Any other comment
You may introduce here any other comment you would like to make on the future European Union (EU) - United States of America (US) international agreement on personal data protection and information sharing for law enforcement purposes.
What is missing from this list of Questions ?
- Data Security Breach Notification - here some parts of the USA are ahead of the EU in terms of Data Protection and Security of their citizens' data. When, not if, government agencies or their sub-contractors misplace, lose or allow to be stolen your personal data (and often that of thousands or millions of others) this fact must not be allowed to be kept secret. Everybody who might be affected by such a data security /privacy breach must be notified, and there should be criminal sanctions involving prison and / or fines to enforce this.
Any Government Department, Police or intelligence Agency which fails to publish its annual Data Security Breach notification report, should be suspended from being allowed to receive any data under this EU-US agreement.
The parallels with the filing of annual financial accounts by such public entities to help ensure that public money is not being wasted or stolen, is exact. We expect the same level of Data Protection probity and diligence as we do with Public Finances.
- Reciprocity within the European Union - the Data Protection laws and the laws which supposedly regulate law enforcement or intelligence agency access to people's private data are not yet equal and reciprocal throughout the European Union.
- Mandatory use of strong Encryption - most financial data is encrypted these days>There must never be any excuse for Government, law enforcement or intelligence agencies or their private sector sub-contractors, to allow such intercepted or transferred data to be transmitted or stored as unencrypted plaintext.
This will not protect such data from corrupt insiders, but it will vastly reduce the risks of opportunistic or targeted "identity theft", fraud, insider trading, blackmail, harassment etc. made possible by misplaced, lost or stolen portable computers, removable data storage devices and media and electronic communications etc.
Even if the financial or other data handed over to the Government , law enforcement or intelligence agencies is not encrypted, they should only have strongly encrypted data storage and transmission systems available to them, regardless, so as to reassure the general public and to promote trust and cooperation.
Any Government Department, Police or intelligence Agency which fails to protect our data with which it has been temporarily entrusted, should remain liable for any financial losses or inconvenience or business disruption, which their negligence has helped to cause.
- Data Minimisation - this principle should be explicitly written into the Agreement. If what is really wanted is , for example, proof that someone is an adult rather than a child, there is no justification to request or transfer or share their actual date of birth, place of birth social security number etc.,only the simple credit card transaction style Yes / No blind oracle answer to the question is needed, and that is all that should be permitted.
See the Data Sharing Review commissioned by the United Kingdom Government undertaken by Richard Thomas, the then Information Commissioner, and Dr Mark Walport, the Director of the Wellcome Trust.
- Data Retention and Destruction - this EU -US agreement should explicitly spell out the Data retention and Data Destruction policies which apply. Handing over private data, from millions of innocent EU or US citizens should never be "for ever" or "for the foreseeable future". There must be a time limit, of say a year, after which the requesting agency or department must review the necessity and proportionality of their data request, and then provably destroy all copies of the data which can no longer be justified.
This process will increase the effectiveness of the myriad of law enforcement and intelligence agency databases, by weeding out lots of no longer accurate data.
Extra special care and precautions must be taken for biometric data, since, unlike, say financial account data, this cannot be easily changed, if at all, when, not if its security is compromised through negligence, accident or deliberate attack.
- Value for money. - each Government Department, law enforcement or intelligence agency should publish their annual budget spent on EU-US data transfers, and approximately how much data, and how many data requests this was spent on.
Hand in hand with the Data Security Breach Notifications, this should then be analysed to provide a Cost / Benefit analysis, to see if the policy of data transfers and sharing is actually still cost effective, or if there needs to be personnel changes of senior management and politicians.