Many of these initiatives were taken, often as a fast response to terrorist incidents, without a thorough consideration of possible duplications or overlapping with already existing measures. In some cases, even a few years after their entry into force, it is not yet established to which extent the invasion of citizens’ privacy ensuing from these measures was in all cases really necessary.
1. The EDPS highlights that the “prevention” and “protection” strands of the EU’s CT strategy “are the most delicate ones from a data protection perspective” because:
- they are by definition based on prospective risk assessments;
- they envisage increasing partnerships between law enforcement authorities and private companies, in which information collected by private companies for commercial purposes is used by public authorities for law enforcement purposes.
On this last point the EDPS says:
The preventive analysis of information would entail the collection and processing of personal data relating to broad categories of individuals (for example, all passengers, all internet users) irrespective of any specific suspicion about them. The analysis of these data – especially if coupled with data-mining techniques – may result in innocent people being flagged as suspects only because their profile (age, sex, religion, etc.) and/or patterns (for example, in travelling, in using internet, etc.) match those of people connected with terrorism or suspected to be connected. Therefore, especially in this context, an unlawful or inaccurate use of (sometimes sensitive) personal information, coupled with broad coercive powers of law enforcement authorities, may lead to discrimination and stigmatization of specific persons and/or groups of people.
In this perspective, ensuring a high level of data protection is also a means contributing to fighting racism, xenophobia and discrimination, which, according to the Communication, “can also contribute to preventing radicalisation and recruitment into terrorism”.
2. The EDPS further highlights the need for a consistent approach between all Communications and initiatives in the area of home affairs, which is currently lacking. He recommends that the principle of necessity be explicitly considered in each proposal in this area. This should be done both by considering possible overlaps with already existing instruments and by limiting the collection and exchange of personal data to what is really necessary for the purposes pursued. He suggests that “existing instruments should prove in periodic reviews that they constitute effective means of fighting terrorism.” The EDPS recommends that special attention be paid to those proposals resulting in general collections of personal data of all citizens, rather than only suspects.
3. The EDPS also comments on the use of restrictive asset-freezing measures:
The need for further improvements of the procedure and the safeguards available to listed individuals has been recently confirmed by the General Court in the so-called “Kadi II” case. In particular, the Court highlighted the necessity that the listed person should be informed in detail about the reasons for being listed. This comes very close to the rights, under data protection law, to have access to one’s own personal data and to have them rectified, notably when they are incorrect or out of date. These rights, explicitly mentioned by Article 8 of the Charter of Fundamental Rights, constitute core elements of data protection, and may be subject to limitations only to the extent these limitations are necessary, foreseeable and laid down by law.
In this perspective, the EDPS agrees with the Communication that one of the future challenges in the area of counter-terrorism policy will be the use of Article 75 TFEU. This new legal basis, introduced by the Lisbon Treaty, specifically allows establishing asset-freezing measures against natural or legal persons. The EDPS recommends that this legal basis be used also to lay down a framework for asset freezing which is fully compliant with the respect of fundamental rights. The EDPS is available to further contribute to the development of relevant legislative instruments and procedures, and looks forward to being duly and timely consulted when the Commission – pursuant to its 2011 Work Programme – will develop a specific regulation in this area.
Against this background, the EDPS recommends that the EU legislator step up the role of data protection by committing to specific actions (and deadlines), such as:
- Assessing the effectiveness of existing measures while considering their impact on privacy is crucial and should vest an important role in European Union’s action in this area;
- When envisaging new measures, considering possible overlapping with already existing instruments, taking into account their effectiveness, and limiting the collection and exchange of personal data to what is really necessary for the purposes pursued;
- Proposing the establishment of a data protection framework applicable also to the Common Foreign and Security Policy;
- Proposing a comprehensive and global approach to ensuring, in the area of (asset-freezing) restrictive measures, both the effectiveness of the law enforcement action and the respect for fundamental rights, on the basis of Article 75 TFEU;
- Putting data protection at the heart of the debate of the measures in this area, by ensuring for example that Privacy and Data Protection Impact Assessments are carried out and competent data protection authorities are timely consulted when relevant proposals in this area are put forward;
- Ensuring that data protection expertise is fed into the security research at a very early stage, so as to guide policy options and to ensure that privacy is embedded to the fullest possible extent in new security-oriented technologies;
- Ensuring adequate safeguards when personal data are processed in the context of international cooperation, while promoting the development and implementation of data protection principles by third countries and international organisations.