The German Presidency of the European Union wants police forces across Europe to be able to share data more freely and wants a single body to be in charge of overseeing the process.
The changes are contained in a framework decision proposed by the Presidency to the European Commission designed to outline the protections citizens can expect when their personal data is handled by police and judicial authorities. The agreement augments the Data Protection Directive 95/46/EC and deals with the so called "third pillar", which relates to law and order matters.
The suggested framework decision proposes greater police cooperation on data sharing and the legalisation of more sharing of information on individuals between national forces and between those forces and Europol.
"Common action in the field of police cooperation and common action on judicial cooperation in criminal matters [both under the Treaty on European Union] imply the necessity of the processing of relevant information which should be subject to appropriate provisions on the protection of personal data," says the proposed framework decision.
The proposal suggests allowing personal data gathered in one state and shared with another to be transferable to a third EU Member State, or even outside of the EU. "Personal data received from or made available by the competent authority of another Member State may be transferred to third States or international bodies only if the competent authority of the Member States which transmitted the data has given its consent to transfer in compliance with its national law," it said.
The proposal does not extend to national security matters which have always been seen as the prerogative of member states. This is made clear in the document. In section 4 of Article 1 of the proposal, it states: "authorities or other offices dealing specifically with matters of national security do not fall within the scope of this Framework Decision."
The document also proposes centralising regulatory power in Europe, with a new body taking on oversight duties currently handled by a number of bodies. "The Framework Decision aims to combine the existing data protection supervisory bodies, which have hitherto been established separately for the Schengen Information System, Europol, Eurojust, and the third-pillar Customs Information System, into a single data protection supervisory authority," said the document. "A single supervisory authority should be created, which could, where appropriate, also act in an advisory capacity. A single supervisory authority allows the improvement in third-pillar data protection to be taken a decisive step further."
"This step is to be welcomed because there are a diverse number of data protection authorities for each system, each with their own data protection foibles," said Dr Chris Pounder, a privacy specialist at Pinsent Masons, the law firm behind OUT-LAW. "Unification of the approach is long overdue".
The document gives citizens rights of access to personal data held and transferred on them, though it also says that information about surveillance or data transfer can be withheld if telling the individual concerned would undermine the purpose behind the transfer in the first place.
"It seems the German Presidency is adopting a twin track approach," said Pounder. "First in the short term it is pursuing the Prüm Treaty which is allowing Germany, France and the Benelux counties to share criminal, DNA and vehicle data without waiting for agreement on the framework decision. Second it is pursuing the framework agreement as a longer term objective of trying to make Europe's police forces to agree to binding data sharing".
Meanwhile US authorities have been reprimanded by oversight body the Government Accountability Office (GAO) for not taking enough account of privacy when conducting investigations.
"As it develops and participates in important homeland security activities, the Department of Homeland Security (DHS) faces challenges in ensuring that privacy concerns are addressed early, are reassessed when key programmatic changes are made, and are thoroughly reflected in guidance on emerging technologies and uses of personal data," said a GAO report.
"GAO’s reviews of DHS programs have identified cases where these challenges were not fully met. For example, increased use by federal agencies of data mining – the analysis of large amounts of data to uncover hidden patterns and relationships – has been accompanied by uncertainty regarding privacy requirements and oversight of such systems."
The body also found some privacy failures in relation to an airline passenger screening system called SecureFlight. "GAO reported that TSA had not fully disclosed uses of personal information during testing of Secure Flight, as required by the Privacy Act of 1974," it said.
"One of the problems facing the Americans is that most of Europe's Data Protection Commissioners are worried about the standard of privacy protection in the USA," said Pounder. "The fact that two GAO reports suggest that the USA authorities are having difficulties with respect to basic privacy obligations does not engender confidence in the USA's approach to privacy."