(BRUSSELS) – How much personal citizen information does the EU transfer daily to the American authorities? It’s difficult to answer the question precisely, but one thing is certain: much more than the general public assumes. This is confirmed day in, day out by a series of events and reports that dramatically show the extent to which European authorities have bowed to American pressure, slowly eroding a system of privacy protection that used to be viewed as the best in the world.
In the wake of the terrorist attacks of 9/11 in the U.S. and subsequent attacks in Europe, the European Union and the United States agreed to enhance their police and judicial cooperation and signed several agreements on the transfer of personal information. One of them is the agreement signed in June 2010 on the transfer of data on financial transactions held by Swift (Society for Worldwide Interbank Financial Telecommunication) from the EU to the U.S. for the Terrorist Finance Tracking Program. In a recent report, the supervisory body of Europol, an EU agency in charge of ensuring the respect of the agreement, admits now, rather surprisingly, that Europol “does not know the amount of data actually transferred”!
In 2006, the U.S. press revealed that American authorities were secretly accessing and pulling data from Swift. Swift was later relocated to Europe, where more stringent data protection rules would reportedly prevent the Americans from illegally accessing the financial transaction trails of European citizens. But clearly, as soon as the media hype was over, the massive transfer of information resumed. If Europol does not know the amount of data transferred and if the report further states that “no information has been released by the U.S. regarding the amount of data transferred,” this can only mean one thing: the data is not transferred by Europeans in what is called a “push” system; instead, Americans still have access to the European database, and if there are no filters to prevent it, it means they can search the entire base and retrieve all the information they want, in what is called a “pull” system. In other words, there are no limits to the information retrieved by the Americans!
This clearly violates the promise made by European governments to the European Parliament, which had only reluctantly given its consent to the agreement. Many members of the European Parliament (MEPs) were led to believe that within a year of the agreement, a system would be set up to ensure that the Americans would only get the data they had required. But two years later, Dutch MEP Sophie in’t Veld, who had been in charge of evaluating the agreement, said “the system has yet to be implemented.” And the report by the supervisory body of Europol concludes that “there is a need for greater transparency towards other parties, including the general public.” Quite ironically, the report itself has been classified as “EU secret” and only three pages were made public.
The PNR-agreement (Passenger Name Record) signed last April is another very controversial agreement: it obliges European airline companies to transmit to the U.S. Department of Homeland Security the passenger file of any person boarding for, or transiting through, the U.S. This includes the passenger’s names, contact details, payment information, itinerary, email and phone numbers. These data are used to identify persons who would be subject to closer questioning or examination.
Here, too, there are huge concerns about privacy. Some MEPs had called for turning the deal down amid concerns that European citizens’ data would not be given sufficient protection. An independent report by legal experts said the agreement does not guarantee independence of supervision and that individuals’ rights and judicial review would not be enforceable. Others say the terms are vague and difficult to interpret, leaving the door open for abuse. Many questions remain about what information exactly is transferred, how the information will be used, how long the U.S. will keep it and who else will be able to access it. There are special concerns over so-called sensitive data – such as meal preferences or information about medical conditions – which might reveal a passenger’s ethnic origin or state of health. And here, too, there are doubts about how many airline companies actually bothered to install a “push” system, which is known to be more expensive and technically more complex than the “pull” system.
Very revealing is the letter the American Civil Liberties Union (ACLU) wrote to the members of the European Parliament when the agreement was still being negotiated, to denounce the U.S. “administration attempts to collect the personal information of an ever-increasing share of the world’s population” and “the utter absence of real and enforceable privacy laws in the United States.” But Sophie in’t Veld says her colleagues have been held to ransom by U.S. authorities, who threatened to suspend visa-free travel to the U.S. if the deal was rejected.
Europe, unlike the United States, has developed a tradition of strong privacy protection; this right is enshrined not only in the European Convention on Human Rights but also in European and national legislation. The 27 EU member states have all adopted laws designed to create safeguards against the undue processing of data; they have Data Protection Authorities (DPAs), which are meant to be independent bodies ensuring respect for the legislation. The idea is to protect citizens from undue interference in their private lives, be it by others or by the state. By allowing the transfer of huge amounts of personal data to a country that lacks a legal framework, the EU member states are thus violating the same values and rights they claim to protect.
Citizens rarely react though, not in Europe and even less so in the United States. There still is this tendency to believe that as long as they do not misbehave, they have nothing to fear from the collection of their private data. But privacy is not about security or criminality, it’s about the right to lead a life without the state snooping on you.
Another implicit belief here is that most citizens feel they are not concerned. Let’s be clear, they think it only affects criminals and foreigners – yes, Muslims or Arabs or Africans. And so, in the name of security, they agree to sacrifice the freedom of… others. They forget that once the system is in place, it is not going to differentiate between people. And by the time they realize the damage these huge databases can do, it will be too late. As Alex Turk, the former French DPA once said, “It is like a frog you put into hot water: when you throw it into boiling water, it has the reflex to immediately jump out; but if you plunge it in cold water and then heat it progressively, the frog won’t notice until it’s too late.” We are in danger of being scalded with our own consent.
Snooping on citizens is simply not acceptable in a democracy; telling people we have to limit their freedom for security reasons does not make sense. To soldiers sent to fight in foreign countries, we say they are fighting for freedom, even if this means dying in the process. In other words, we consider that freedom is worth dying for. How come, then, we so easily accept limits to our freedom for vague security reasons? On what basis would the logic here be reversed? How come we don’t see that this leads precisely to what we pretend to condemn: an authoritarian state? It is not for nothing that the former Eastern European countries are the most reluctant to accept the huge databases that are being created. It is urgent to jump out of the heating water before we all get scalded.