Towards a Global Data Protection Framework in the Field of Law Enforcement

Towards a Global Data Protection Framework in the Field of Law Enforcement: An EU Perspective

Cristina Blasi Casagran

Thesis submitted for assessment with a view to obtaining the degree of Doctor of Laws of the European University Institute

Florence, 8 June 2015

European University Institute
Department of Law

This thesis has been submitted for language correction

Examining Board:
Professor Marise Cremona, European University Institute (Supervisor)
Professor Gregorio Garzón Clariana, Autonomous University of Barcelona
Dr. Maria O’Neill, University of Abertay Dundee
Professor Martin Scheinin, European University Institute

© Cristina Blasi Casagran, 2015
No part of this thesis may be copied, reproduced or transmitted without prior permission of the author

Summary

This thesis seeks to examine the existing EU frameworks for data-sharing for law enforcement purposes, both within the EU and between the EU and third countries, the data protection challenges to which these give rise, and the possible responses to those challenges at both EU and global levels. The analysis follows a bottom-up approach, starting with an examination of the EU internal data-sharing instruments. After that, it studies the data transfers conducted under the scope of an international agreement; and finally, it concludes by discussing the current international initiatives for creating universal data protection standards. As for the EU data-sharing instruments, this thesis demonstrates that these systems present shortcomings with regard to their implementation and usage.
Moreover, each instrument has its own provisions on data protection and, despite the adoption of a Framework Decision in 2008, this has not brought about a convergence of data protection rules in the JHA field. A similar multiplicity of instruments is also found when the EU transfers data to third countries for the purpose of preventing and combating crimes. This is evident from examining the existing data-sharing agreements between the EU and the US. Each agreement has a section on data protection and data security rules, which again differ from the general clauses of the 2008 Framework Decision. This study demonstrates the influence of US interests on such agreements, as well as on the ongoing negotiations for an umbrella EU-US Data Protection Agreement. One possible way to ensure a high level of EU data protection standards in the field of law enforcement in the face of US pressure is by enhancing the role of Europol. This EU Agency shares information with EU member states and third countries. This thesis demonstrates that Europol has a full-fledged data protection framework, which is stronger than most of the member states’ privacy laws. However, taking Europol rules as a reference for global standards would only partially achieve the desired result. The exchange of data for security purposes does not only involve law enforcement authorities, but also intelligence services. The recent NSA revelations have shown that the programmes used by these bodies to collect and process data can be far more intrusive and secretive than any current law enforcement system. In view of the above, this thesis explores the potential of CoE Convention 108 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and the Cybercrime Convention as the basis for a global regime for data protection in law enforcement.
This thesis concludes that an optimum global data protection framework would entail a combination of the 108 CoE Data Protection Convention and the Cybercrime Convention. The cumulative effect of these two legal instruments would bind both law enforcement and intelligence services in the processing of data. In sum, by promoting the Europol approach to data protection and existing Council of Europe rules, the EU could play a crucial role in the creation of global data protection standards.

Contents

Abbreviations
Acknowledgments

Introduction
  1.1. Subject Matters and Aims
  1.2. Limitations of the Research
  1.3. Methodology and Source Materials
  1.4. Terminology
  1.5. Structure of Study

Chapter 1: Data exchanges for law enforcement purposes within the EU
  1. Origin, evolution and scope of the EC/EU legislation on the processing of personal data for criminal matters
  2. EU data-sharing instruments for law enforcement purposes
    2.1. The use of traditional mutual legal assistance procedures within the EU
    2.2. Post-9/11 data-sharing instruments
    2.3. Shortcomings in the implementation and use of EU legal instruments for exchanging criminal information
      2.3.1. Delay in the implementation
      2.3.2. Complexities in the usage
  3. Expanding the information sources of member states: Data collected for non-criminal reasons but ultimately used for law enforcement
    3.1. European information systems created for border management purposes
      3.1.1. Background
      3.1.2. Shift from border control to law enforcement purposes
    3.2. EU data-sharing instruments created under the basis of the EU internal market clause
      3.2.1. Exchange of passenger data within the EU
      3.2.2. Exchange of financial data within the EU
      3.2.3. Exchange of telecommunications data within the EU
        a. Data Retention Directive
        b. Cyber Security Directive
        c. The use of mutual legal assistance for accessing telecommunication data
  4. The EU data protection legislation under the scope of the AFSJ
    4.1. General data protection rules in connection with the AFSJ
      4.1.1. Origins of the EU data protection legislation
      4.1.2. Impact and scope of Directive 95/46/EC
      4.1.3. Applicability of Regulation (EC) 45/2001 within the AFSJ
      4.1.4. The Treaty of Lisbon and the new data protection paradigm
    4.2. Sector-specific data protection legislation within the AFSJ
      4.2.1. The limited scope of Framework Decision 2008/977/JHA
      4.2.2. EU data security classification regime
      4.2.3. Proposal for a directive on data protection for police and judicial cooperation in criminal matters
    4.3. Comparative study of the specific data protection provisions in EU data-sharing instruments
    4.4. The purpose limitation and the necessity principles
  5. Conclusion

Chapter 2: Data exchanges for law enforcement purposes between the EU and a third state
  1. The external dimension of the AFSJ in the fight against terrorism
    1.1. Origins and evolution
    1.2. Data exchanges for security purposes. The blurry line between the AFSJ and the CFSP/CSDP
    1.3. Questioning the scope and purposes of article 39 TEU
  2. International agreements for exchanging information
    2.1. Data-sharing agreements between the EU and the US
      2.1.1. The EU-US Mutual Legal Assistance Agreement
      2.1.2. Agreements on passenger name records
      2.1.3. SWIFT agreements
      2.1.4. EU-US agreements on the air and maritime security partnerships
    2.2. Issues of concern in the agreements
      2.2.1. Legal basis implications
      2.2.2. Public-private partnership
  3. The EU data protection legislation for international data transfers in the field of law enforcement
    3.1. EU secondary law
      3.1.1. International data transfers according to Council Decision 2008/977/JHA
      3.1.2. International data transfers according to the Proposal for a Police and Criminal Justice Data Protection Directive
    3.2. Data protection provisions in the main international agreements between the EU and the US
      3.2.1. Data protection in the EU-US PNR Agreement
      3.2.2. Data protection in the SWIFT Agreement
      3.2.3. EU-US agreement on the security of classified information
    3.3. EU-US data protection regimes
      3.3.1. Different conceptions of privacy in the US and the EU
      3.3.2. Attempts to approximate the EU and the US privacy legislations
      3.3.3. Towards an umbrella EU-US Data Protection Agreement
      3.3.4. The norm-taking role of the EU
  4. Concluding remarks

Chapter 3: The role of Europol in the exchange of information within and beyond the EU
  1. The origin and aim of Europol
  2. Europol’s data exchanges within the EU
    2.1. The increasing involvement of Europol in the data-sharing procedures within the EU
    2.2. The use of SIENA as default communication tool within the EU
      2.2.1. Background
      2.2.2. SIENA phases
      2.2.3. The scope of SIENA
      2.2.4. Advantages of using SIENA as EU default communication tool
    2.3. Europol’s data protection regime
      2.3.1. Purpose limitation principle
      2.3.2. Right of access, correction and deletion of data
      2.3.3. Europol’s oversight
    2.4. Main features in the proposed Europol regulation
      2.4.1. Enhanced powers of Europol
      2.4.2. Data protection
        a. The purpose limitation principle
        b. Right of access, correction and deletion of data
        c. External supervision of Europol’s data processing
    2.5. Comparison with data protection standards in the member states
  3. Europol’s data exchanges beyond the EU
    3.1. Europol cooperation agreements with third parties
      3.1.1. Strategic agreements
      3.1.2.
