Place your thumb on the scanner, please. Be warned, when cashing a cheque in Washington, the bank may demand a fingerprint as well as your signature. When you ask what they want to do with your fingerprint and how long it will be kept on record, the counter staff invariably do not know. In the United States, regulations on what companies can do with personal data are virtually non-existent. They can collect personal data, store it for as long as they want, and even sell it to other companies. And major US corporations, i.e. Facebook, have made the harvesting of personal data an integral part of their core businesses.
American public authorities do not enjoy the same level of freedom to exploit personal data. But the rules that govern what they do depend on the type of data in question. For example health-care data is well protected. However, American public authorities are entitled to demand personal data from archives maintained by commercial concerns: in particular phone and credit card companies. At the same time, since the 9/11 attacks in September 2001, the American government has even more latitude if the data is required for an anti-terrorism investigation, the motive for which the United States is currently demanding that it be granted access to European bank and passenger name records. But within the European Union, the data privacy has the status of a basic human right. Individuals automatically retain ownership of personal data, and governments and companies, who may only make use of it for clearly defined purposes, have no right to communicate it to third parties.
Privacy a serious matter in EU, but not in US
On 21 June, at a conference in the Georgetown School of Law, Washington, an American authority on the subject, Professor Adam Levitin explained that the two continents have “different philosophical approaches” to the ownership of personal data. “Privacy is a serious matter in the EU, but that is not the case in the United States.”
On 8 July, the European Parliament finally voted to approve the latest version of the agreement to authorise bank data sharing with the US, which included a number of guarantees on the protection of personal data. “The agreement is far from ideal,” remarks Dutch MEP Sophie in ’t Veldin Strasbourg. Large quantities of data on innocent people will still be sent to the United States. However, the parliament was aware that if it voted no, as it did against the previous version of the agreement February, the United States would have by-passed it by establishing a number of bilateral accords with individual European countries.
National parliaments caught napping
At the parliament, discussions chaired by In ’t Veld on the issue of air passenger data policy will probably pave the way for a vote this autumn. “Negotiations on the transfer of passenger name records will be much more complicated,” she explains. “The bank data will be managed by the US Department of the Treasury, which will adopt a reasonable approach. But the passenger data will be the responsibility of the US Department of Homeland Security. Those people are completely inflexible. With regard to the bank data, the EU obtained a guarantee that it would only be consulted within the framework of anti-terrorism investigations. But the Department of Homeland Security has a much wider mandate which includes preparedness to combat epidemics and natural disasters. We have no guarantee that passenger data will be accessed exclusively within the framework of terrorist investigations.”
In ’t Veld deplores the lackadaisical attitude adopted by EU member states. “They overlook the fact that we have never seen any audit of the effectiveness of data collection. The Americans have told us that consultation of passenger name records enabled them to establish a list of 2,000 suspects, but they haven’t said how many people were subsequently convicted. There have been cases of people working for NGOs, who were arrested in airports because their work involved contact with representatives of the FARC in Colombia, or Hamas in Palestine. National parliaments have been caught napping. Of course, questions have been asked, but they seem to be happy with any answer that includes the terms “anti-terrorist” or “intelligence gathering.”
Programme under surveillance
An agreement between the EU and the United States approved by the European Parliament on 8 July will authorise the transfer of European citizens’ bank data managed by SWIFT (Society for Worldwide Interbank Financial Telecommunication) to the US. EUobserver reports that the latest deal provides for a number of safeguards including the appointment of “an independent person to oversee the way personal data on bank transactions… is searched by US authorities when looking for terrorist funding.”
The news website notes that in the long term, the text granting approval for the SWIFT agreement will also pave the way for “an EU-level “Terrorism Finance Tracking Program” similar to the one set up in the US in the aftermath of 9/11.” Exactly what this will entail will be detailed in “a technical assessment of an EU system in the second half of 2011.”