A May 25 exclusive for The Privacy Advisor reported how a hearing of the U.S. Senate Judiciary Committee's Subcommittee on Crime and Terrorism was concerned that privacy laws, in particular, the GDPR, would make preventing crime difficult for law enforcement.
Four days later, the European Parliament’s civil liberties committee tackled the same issue, and tensions rose at the “High-Level Expert Group on Information Systems and Interoperability,” as MEPs accused EU Counter-Terrorism Coordinator Gilles de Kerchove of failing to understand the principles of data protection law.
European Data Protection Supervisor Director Giovanni Buttarelli and Security Union Commissioner Julian King gave measured accounts of the need for better information sharing between EU member states, but De Kerchove went one further and insisted that information should be shared with Turkey and China as well as Interpol and Europol.
"I think you are a threat to democracy in the European Union. Yes, it’s strong language. But we are also talking about the fundamental rights of 500 million European citizens, and we know they are under threat." — MEP Sophie In't Veld to counter-terrorism coordinator.
De Kerchove was discussing access to databases rather than handing over specific information in response to a legal warrant.
“I would integrate Europol and Interpol in [European databases, including biometric databases]. We need to do that because Interpol is the only tool we have in common with all the countries around the Mediterranean. That the council has set on Europol, it is extremely difficult for Europol to have an operation allowing for the exchange of personal data from all the countries from Morocco to Turkey. If there is one country where we need that sort of agreement, it would be Turkey. But it is not possible because they don’t comply to data protection requirements,” he said.
This prompted outrage from Dutch MEP Sophie In’t Veld. “You want to, at this point in time, say we need to connect more with the Turks and the Chinese? I mean what planet are you living on? I think you are a threat to democracy in the European Union,” she said. “Yes, it’s strong language. But we are also talking about the fundamental rights of 500 million European citizens, and we know they are under threat.”
“I don’t necessarily need to agree with you, but for somebody in your position to really have no idea what treaties mean, what laws mean, what the charge of fundamental rights means, and to actually claim here that you have been constrained, then I am really, really worried. And I have to express my dismay and concern at the persistent, continued lack of understanding by the counter terrorism coordinator on notions such as fundamental rights and of law,” added In’t Veld.
“The court has said several times in recent years that purpose limitation is a core principle of our treaties when it comes to personal data. And not only because of some nerds asking for data protection, but because it’s really a fundamental principle in the way we do law enforcement and the intrusion into fundamental rights, that you have to search for limited purpose.” — MEP Jan Philipp Albrecht
De Kerchove also questioned the origins of purpose limitation: “Purpose limitation is something that is decided by the legislation, it is not the rule which flows from the privacy law as such. But as soon as the legislation has set a purpose you have to abide by this. You cannot use the data for another purpose. And therefore when we feel the need to define additional purpose we have to do so. There is nothing in privacy law which prevents us from doing that.”
But again he was contradicted by a member of the Parliament. The man behind the GDPR, Jan Albrecht, warned him: “If you really want trust for better, mutual cooperation, the wrong way [to go about it] is calling into question a distinction between authorities in our rule-of-law-based democracies, and then asking if there really is an idea of fundamental rights and constitutional principles behind the purpose limitation principle.
“That is really blunt ignorance of the court in Luxembourg,” continued Albrecht. “The court has said several times in recent years that purpose limitation is a core principle of our treaties when it comes to personal data. And not only because of some nerds asking for data protection, but because it’s really a fundamental principle in the way we do law enforcement and the intrusion into fundamental rights, that you have to search for limited purpose.”
De Kerchove said that “privacy by design is a very interesting concept,” and despite undermining its legal certainty — “this is no legal concept which has been enshrined in the regulation on data protection”— said it could have benefits. “To be honest I have the feeling we have not exhausted the potential of privacy by design. I think we can strike the balance a bit differently in between privacy and security if we maximize the potential of privacy by design,” said the counter-terrorism coordinator.
He added that encryption could allow agencies “to have the data, but to protect that data so no one can have access except under strict conditions.”
But Albrecht wanted to tackle some of the underlying assumptions: “I’d like to start referencing what has been said by some of the speakers, that today we have to fight terrorists by or with information systems. I really have to say that this might be one of the biggest misinterpretations of our situation since a decade. Because the perception that a database or an IT system will fight criminals or terrorists out there is just wrong. It’s just wrong. It’s not happening.
“The problem we have is that systems we had in place were not used properly and that there were no equipped and trained personnel to work with the information which was available. There is too much emphasis on the question of how to change the current systems rather than to just apply them,” he said.
In’t Veld agreed: “Our group, in principle, supports very strongly the principle of sharing information. So we do want it, but not unconditionally. There are limits and limitations. We have had several pieces of legislation stranded in the ECJ in Luxembourg. Wouldn’t it be a good idea to prevent that and to take on board the remarks made by the experts from FRA and the EDPS from the very start so that we are actually sure that we have a system that not only will help us share information, but also complies with all the necessary standards?”