Separated by a common language? An examination of the transatlantic dialogue on data privacy law and policy in the fight against terrorism.

Author: Yadav, Yesha

    I don't believe Europeans value privacy more than Americans. And I don't think that Europeans take the threat of terrorism lightly. I do think, though, that there are some historical differences that cause us to look at some of these issues in different ways. (1)

    On June 23, 2006, The New York Times reported that the Central Intelligence Agency ("C.I.A.") of the United States, together with the U.S. Treasury, secretly accessed a vast database of financial records as part of U.S. intelligence efforts to combat terrorism. (2) The surveillance, which commenced shortly after September 11, 2001, provided U.S. intelligence services with access to a massive reserve of financial records held by the Society for Worldwide Interbank Financial Telecommunication ("SWIFT"), a Belgium-based provider of messaging services for financial institutions around the world. (3) In addition to the general outcry provoked by this action within the European Union ("EU"), EU officials determined that SWIFT's cooperation with U.S. intelligence agencies was in violation of EU and Belgian data privacy laws. (4)

    The SWIFT case illustrates the legal and political conflict between the U.S. and the EU with respect to the sharing of sensitive information. This conflict has intensified during the years following September 11, 2001, as the escalating U.S.-led "War on Terror" has focused considerable international regulatory attention on data-sharing between the U.S. and its allies in their effort to combat terrorism. In light of past conflicts between the U.S. and the EU with respect to airline passenger information, it is unlikely that the SWIFT case will be the last incident in this area.

    This paper examines recent controversies in the legal and policy debate between the U.S. and the EU on the sharing of data in the implementation of transatlantic counter-terrorism measures. The nexus between law and policy in this area is particularly close, reflecting the preferences each jurisdiction has in protecting civil liberty and security interests. While the U.S. and the EU offer differing legal frameworks on data privacy, the strategic importance of data in counter-terrorism law and policy necessitates a joint approach. A failure to arrive at such an approach can result in a series of bilateral agreements between the U.S. and individual EU countries, creating unnecessary costs, inconvenience, and uncertainty for both users and processors of data. The haphazard approach in the past, and the continuing failure to come to a proper accord, reflects the tension between civil liberties and the right of the state to erode such entitlements in the face of a terrorist threat. In addition, the failure to come to an accord reflects the uneasiness U.S. and EU lawmakers feel about the compromises they have already made. Fortunately, skirmishes over the cross-border transfer of data can encourage both sides to incorporate elements from the differing approaches into their respective policy regimes.

    Part II of this paper sets out a factual summary of the recent cases involving the transfer of airline passenger data between the EU and the U.S. This section will also analyze U.S. intelligence authorities' access to the SWIFT database. Part III sets out a discussion of the policies underlying data privacy laws in the U.S. and the EU. Part IV critically examines a proposed solution to the issue, and the policy implications of the steps taken to further legal decision-making in this area. Finally, Part V provides some concluding remarks.


    1. Transfer of Passenger Name Record Data ("PNR data") (5)

      Pursuant to the Aviation and Transportation Security Act enacted in 2001, all airlines flying into the U.S. are required to provide the Commissioner of Customs with certain data relating to passengers and cabin crew. (6) Furthermore, following the passage of the Enhanced Border Security and Visa Entry Reform Act in 2002, each incoming and outgoing commercial airliner must provide detailed information on each passenger and crewmember to the Immigration and Naturalization Service. (7) U.S. authorities have the right under U.S. law to access a large amount of passenger data collected in the reservation and departure control systems ("DCS"), (8) and share it with federal agencies for the purposes of fighting terrorism. (9) Such information not only includes basic PNR data, but also other information such as credit card numbers, bank details, telephone number, dietary preferences (which may potentially reveal details about a passenger's religious or ethnic origins), history of preceding and/or planned travel, and medical conditions or contact details for emergency contact persons. (10)

      Provision of such detailed and comprehensive information by European airlines and database providers to U.S. authorities was considered by European authorities to be incompatible with Directive 95/46/EC on the protection of individuals with regard to the processing and free movement of such data. (11) In particular, there was concern that U.S. demands would violate this Directive by mandating that data, originally collected for a commercial purpose, would be used for a secondary purpose, namely for gathering intelligence for counter-terrorism efforts. (12) In addition, the Directive prohibits the transfer of data to countries outside of the EU if these countries do not provide an "adequate level of protection" for the data. (13) The U.S., considered as lacking a comprehensive regulatory framework for data privacy (discussed further below), was prima facie deemed to lack an "adequate level of protection." (14) However, transfers of personal data between the U.S. and the EU could still take place within a bilaterally negotiated agreement, or with the consent of the data subject whose data was being transferred. (15) Finally, there was concern that once data was provided to the U.S., European data privacy authorities would no longer be able to exercise control over the management of the data (16) and that the data itself was then liable to be treated without a sufficiently robust standard of protection. (17)

      Accordingly, the legal demands made by U.S. authorities on European airlines regarding detailed passenger data necessitated joint regulatory and political action to ensure compatibility with the Directive. (18) Consequently, EU and U.S. authorities came to a provisional agreement in May 2004, in which the European Commission, likely submitting to political pressure and without the support of the European Parliament, declared that U.S. data privacy laws could be considered "adequate" for the purposes of protecting the transfer of airline data and subsequent data collection by U.S. authorities. (19) However, following protests by the European Parliament and a subsequent legal challenge to its validity, this agreement was held to be null and void by the European Court of Justice. In July 2007, a revised agreement was concluded to ensure that U.S. authorities agreed to conditions for protecting data gathered from EU airlines. (20)

      The July 2007 agreement between the U.S. and the EU (the "PNR Agreement") permits the transfer of airline data on the basis of assurances given by the Department of Homeland Security for the processing and handling of such data. (21) Accordingly, it has been agreed that the data shall be used and shared for limited, defined purposes, i.e., "combating: (1) terrorism and related crimes; (2) other serious crimes ... that are transitional in nature; and (3) flight from warrants or custody." (22) The PNR data may also be used "where necessary for the protection of the vital interests of the data subject or other persons, or in any criminal judicial proceedings, or as otherwise required by law." (23) Sharing of PNR data between law enforcement and intelligence bodies may be undertaken only on a limited and proportionate basis. (24) Moreover, the transfer of the data to third-party countries may, with the exception of emergency cases, only be carried out after determining the reasons for requesting such access and on assurances that such data will be adequately protected. (25) Further, sensitive data (disclosing, inter alia, religious beliefs or ethnic origins, political and philosophical beliefs) is filtered and not retained, unless the data is required for an exceptional use. (26) The filtered PNR data collected by the U.S. can be retained for an initial period of seven years, after which it may be accessed only with special permission. (27) Under the agreement, the Department of Homeland Security may electronically access the airline databases within the European Union in advance of the airlines transferring the data to the U.S. (28) The agreement underscores the importance of a "push" system, whereby the data transferred to the U.S. is filtered for appropriateness before it leaves the airline, rather than a "pull" system (which may still be operated until such time as airlines can use "push" technology) that absorbs all data before filtering it. (29)

    2. SWIFT and the Transfer of Financial Data

      SWIFT provides messaging services between financial institutions for the transmission of data relating to financial transactions worldwide. Structured as a not-for-profit industry-owned co-operative under Belgian law, (30) SWIFT has a number of offices in countries around the world, including the U.S. It is overseen by a board of the world's major banks, including several central banks, such as the U.S. Federal Reserve, the Bank of England, the Bank of Japan and the European Central Bank. (31) SWIFT provides a routing mechanism for banking data; it does not operate as a bank and does not hold accounts. (32) It is estimated that SWIFT is responsible for providing messaging services for approximately six trillion dollars in financial transactions daily. (33)

      In light of its importance to the worldwide banking infrastructure, the data held by SWIFT was considered by the...