Original URL: http://www.theregister.co.uk/2006/12/03/pnr_omen/
Police wolves pace round electric EU sheep
European council dilutes data proposals to taste
European privacy wonks have become alarmed over the degeneration of policy talks on the protection of people who become the subject of police database cross-border pollinations.
If the European Data Protection Supervisor's (EDPS) claim that proposed protections are being watered down in the European Council, this does not bode well for the upcoming transatlantic negotiations on passenger name records (PNR), or early attempts to build an international immigration database to guard between the "developed" and outside world, or other numerous other international faultlines that are opening up between hawks and civil libertarians in the home front of the "war on terror".
On Tuesday, the European Council is due to report the progress of its deliberations over proposals to enforce data protection laws on cross-border police activities. The idea behind the proposals was to force police to think of civil liberties as they make their first tentative database links across borders - the European data protection law drawn up in 1995 couldn't apply to law enforcers because policing wasn't EU business, but the issue has been forced by the current rush to link police databases across the continent.
The Council is far off an agreement because there are a few countries - most notably Britain - that don't want Europe poking its nose in their business. It doesn't matter that the data protection law was European anyway - the British applied EU data protection law over law enforcers as well, even though the European draft wasn't applicable there. So Britain's representation in the Council negotiations is saying, "we don't need your help thanks, we've already got it covered".
But the EDPS is proposing that as police use of data is a special case, it ought to be governed by special protections (Countries like Britain do, after all, have exceptions in their policing of police data that prevent, for example, dangerous people from being alerted that the plods are onto them), and so member states will have to accept further European rules over their law enforcers.
The proposed special-case protections - though barely even considered in the council - include a distinction between different categories of people on police databases, so that they can be treated according to their status. So a convict's history might be shared a little more liberally than that of a suspect on whom there have been pinned only a few unqualified rumours. Similar distinctions should be made between witnesses and victims, said the EDPS.
This is the main sticking point for the negotiators - whether these additional EU protections (should they ever be agreed) should apply from the moment a copper flips open his notebook, or only at the point when the data is piped across the English Channel.
Another complaint of the data protection doves is that the protections are being watered down in the Council because the brief has been given to the policing committee, rather than the data protection committee. "It's like putting the wolf in charge of the sheep," said one lawyer close to the talks.
There's a compelling reason for concern over the handful of states opposing the majority view that there is only an artificial distinction between national and European data protection law for police activities.
If member states don't all impose the same protections on their police data as all the others, said an EDPS opinion on the matter, then protections placed on data being shared could never work.
In this case a state that paid little attention to civil liberties would cause problems for everyone else with its shady treatment of police data - no other state could accept trust its police data enough to use it in any credible operation. Likewise no other state could pass the lax state any data without fear of it being abused, which was why there has been so much fuss about US demands for European passenger (PNR) and financial (SWIFT) data - the US doesn't have mature data protection and no-one trusts them to honour a gentleman's agreement to act like they are all grown up about it.
That's the European view of US data protection law anyway, and there is some truth in it. But the EU position is starting to look a little embarrassing.
Take the interim agreement the EU struck with the US over the PNR data that airlines pipe from European civil databases to US spooks. The US interpretation of the agreement made the EU claims to have made sure the US was going to treat the European data according to haughty European data protection principles sound a little silly.
The EU will look even sillier in January when it aims to open negotiations with the US over a permanent PNR agreement to takeover when the interim bodge expires at the end of July 2007.
How can the Europeans ask the US to adhere to the principle of data protection over shared police data when the Europeans can't even agree amongst themselves? The EU negotiators don't have an answer to that one, but think it might be a problem.®