A stricter regime for profiling07 June 2016
EU Privacy Authorities Request PRISM Details, Question National Security Safe Harbor Exception
Echoing a question that is frequently asked by European Data Protection authorities (including a question asked by the CNIL to the author of this blog), Kohnstamm asks for clarification on the nature of the FISA Court’s procedural safeguards. In particular, Kohnstamm wants to know whether the FISA Court orders are narrowly targeted, and ensure that the purpose limitation principle recognized under EU law is respected by US authorities. Kohnstamm regrets that the internal safeguards that have been developed by the FISA Court and the US administration are kept secret:
While it is always good if criteria limiting the processing of personal data are in place, it may prove problematic if these criteria are kept secret.
On the US Safe Harbor principles, Kohnstamm says that the Article 29 Working Party has doubts whether the seemingly large scale and structural surveillance of personal data that has now emerged can still be considered as falling within the national security exception to the Safe Harbor principles. Kohnstamm says
competent authorities in Member States have the ability to suspend the data flows where there is a substantial likelihood that the principles are being violated and where the continuing transfer would create an imminent risk of great harm to data subjects.
Kohnstamm’s Safe Harbor threat echoes a similar threat made by Commissioner Reding on July 19, 2013. It is unclear whether this will empower and result in EU nations opting out of the Safe Harbor (which is not provided for in the agreement) pending the European Commission’s review.
Kohnstamm underlines that the US intelligence programs need to be analyzed in light of the Council of Europe Data Protection Convention 108, and the United Nations International Covenant on Civil and Political Rights. Kohnstamm says that the Article 29 Working Party believes that the current US practice goes beyond what is authorized by the Council of Europe Cybercrime Convention, to which the United States is a party. Kohnstamm expressed concern about non-US persons lacking the ability to seek redress for US privacy violations before an independent oversight body.
In an implicit recognition that the US may not be the only country conducting broad national security surveillance, Kohnstamm indicates that the Article 29 Working Party will be focusing on intelligence programs conducted within European Member States, including the Tempora program allegedly conducted by the British government. Though not mentioned in the Kohnstamm letter, the French national security surveillance programs revealed by Le Monde on July 4, 2013 will also likely have to be analyzed by the Article 29 Working Party. According to Le Monde, those French programs share many of the alleged privacy defects of their US counterparts.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016