Judith Rauhofer, Protecting their own: fundamental rights implications for a EU data sovereignty in the cloud
Comment by: Edward McNicholas
Published version available here: http://papers.ssrn.com/sol3/results.cfm?RequestTimeout=50000000
Workshop draft abstract:
In recent years there has been a significant increase in the systematic access of law enforcement and security agencies to personal data held by private sector entities. This is true both at EU level and at the level of individual EU member states. In 2011, the European Commission adopted a proposal for an EU Passenger Name Record (PNR) Directive that would oblige air carriers to provide data on all passengers entering or departing from the EU (PNR data) to national passenger information units which would store that data, analyse it and transmit the result of the analysis to national law enforcement authorities. In 2012, the Commission published plans to allow the use of the EURODAC database, which collects fingerprints of asylum seekers for the purpose of intra-EU border control, for the purpose of prevention, detection and investigation of terrorist offences and other serious criminal offences. In the UK, the London Metropolitan Police is routinely granted access to the location and other data generated by users of Transport for London’s Oyster Card. Although the sharing of these types of data is widely criticized, its use by public bodies is ultimately subject to the fundamental rights protection provided by the national constitutions of the EU member states, the right to privacy set out in Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. This means that any interference with those rights by public authorities must be in accordance with the law, necessary in a democratic society and proportionate. While the enforcement of these rights can be both costly and time-consuming, they provide a backstop to unlawful state interference that forms an essential part of a European culture of fundamental rights protection for its citizens’ information privacy.
Many EU citizens are therefore particularly sensitive to any threat to their privacy that is posed by institutions that may not be subject to that fundamental rights framework. This includes, in particular, the law enforcement authorities of non-EU countries. Requests from, in particular, US law enforcement and security services, for access to EU citizens’ personal data have therefore been met with widespread resistance from individual citizens, civil society organisations and regulators. In the past, transatlantic conflicts have erupted inter alia over the transfer of EU citizens’ PNR data to the Department of Homeland Security and the transfer of SWIFT data to a variety of US law enforcement bodies. More recently, concerns have been raised about the possibility that US law enforcement and security services may be allowed warrantless access to EU citizens’ personal data held by US-based cloud computing providers on the basis of the PATRIOT Act or FISAA. Attacks on these laws from within the US have largely focused on whether they might also be used to access US citizens’ personal information, despite the protections provided by the Fourth Amendment. However, their impact on the rights of EU citizens has only recently made headlines following the publication of a study on cybercrime and cloud computing commissioned by the European Commission. The existence of these rights of access raises questions about new rules governing the transfer of personal data from the EU to non-EU countries that are currently being discussed in the context of the reform of the EU data protection regime. The new transfer rules, designed to facilitate cross-border data flows, were included in the reform proposals in response to claims that the current regime is too complex and constitutes a barrier to growth of the global digital economy.
This paper will analyse whether, in light of the threats to EU data identified above, the proposed new rules are in fact compliant with the fundamental rights framework in place in the EU and its member states or whether additional safeguards are needed to ensure that EU sovereignty over its citizens’ privacy and personal data is protected.