Vim Jostmaan | 22.02.2007 16:06 | Technology
These rights are anchored, among other things, in the EU Charter of Fundamental Rights, and include respect for private and family life (article 7), nondiscrimination (article 21), the right to the physical and mental integrity of a person (article 3), the right to good administration (article 41) and the right to freedom of expression and information (article 11). Despite the danger of these rights being significantly infringed upon, a trend of creating faits accomplis' seems to be emerging in Europe. Information protection laws always appear to be a few steps behind the implementation of new technologies, and decisions are being taken to collect and transfer personal data in ways that frequently violate human rights.
One example of this situation is the perturbing discovery that personal data of EU citizens will be exploited following the 16 October 2006, signature of a new information exchange agreement between the EU and the US. Under the EU-US PNR agreement, American law enforcement agencies are given access to personal data of Europeans traveling to the US. The US succeeded in achieving significant changes in the new agreement, which are compatible with the requirements of the Department of Homeland Security (DHS), and allow the US in the future to change the manner in which, and the identity of, those people who deal with the PNR information, in accordance with possible future changes in American legislation. In spite of this, and even though privacy protection laws are not as strict in the US as in the EU, the EU council signed the agreement, creating the impression that it preferred to trust the sincerity of American intentions regarding future use of this information, rather than rely on legislation that would truly protect the rights of EU citizens.
It is no wonder, therefore, that just two months after the agreement was signed, the EU council proved helpless when it found out that the US was using personal data of EU citizens in a way that completely contradicted the stipulations of the agreement signed between the sides, was against the 1995 Directive of the EU Parliament and Council (Directive 95/46/ec) regarding protection of information, and violated the basic rights of EU citizens as listed in the EU Charter of Fundamental Rights in an unprecedented way.
This severe undermining of basic rights occurs because personal data of European citizens is used by a secret American System - ATS - which analyzes the data of every person crossing the US borders, and automatically creates a 'risk profile' which indicates a likelihood of being a terrorist or criminal. The very fact that for about four years prior to the system's exposure, 'risk profiles' had been prepared for European and other passengers without their knowledge or agreement, violates a person's right to physical and mental integrity as stated in article 3 of the EU Charter of Fundamental Rights and specified in article 7(b) of the EU data protection directive, according to which personal data may be collected pending the involved person's free and conscious consent.
In addition to the 34 information items (PNR) that European airlines must provide on their passengers in order to receive permission to land at US airports, the ATS data mines also in other data banks to create the 'risk profile'. Building a 'risk profile' on law-abiding citizens based on data such as their country of origin, views, acquaintances, sex etc., without any real cause to suspect them, contradicts article 8(1) of the Information Protection Directive, and severely impinges on the EU citizen's fundamental non-discrimination right, according to article 21 of EU Fundamental Rights Charter which prohibits discrimination based on grounds such as sex, race, color, ethnic or social origin, genetic features, language, religion or belief, political or other views, membership of a national minority, property, birth, disability, age or sexual orientation.
The 'risk profile' determined by the system is secret and concealed from the public, as are the criteria according to which this 'risk profile' is determined. Each of us who has crossed the US borders in the last few years and whose details are found in the data banks has a 'risk profile'. However, we have no right to know what our 'risk profile' is, we have no right to see the information in the profile we were given, and we have no right to request updating or removing information from this profile, should it prove inaccurate. This situation contradicts the EU-US information exchange agreement, according to which a person has the right to amend personal details which have been proven wrong. Also, lack of access to the information contradicts the right to good administration, under article 41 of the EU Fundamental Rights Charter, which includes, among other things, a person's right to have access to his or her file, as explicitly stated in article 12 of the information security directive.
Lack of access to the system also prevents it from being inspected, and raises doubts as to its reliability. The ATS is the source of the 'No Fly Lists' issued by the Transportation Security Administration, which are notorious for their inaccuracy. According to the Transportation Security Administration, Since September 2001, over 30,000 persons have applied to have their names removed from the No Fly Lists, after having been erroneously listed as terrorists.
Although Passengers are unable to access their data in the system, numerous law enforcement agencies, some of them unknown and unlisted, have access to this information. The Customs and Border Protection (CBP) has noted that this information may be disclosed to federal, state, local, or tribal agencies, as well as to agencies of foreign governments, at its own discretion. The information transfer my be intended for a variety of applications. The CBP has listed 15 categories of 'routine uses' for personal information collected and kept in the ATS. One category refers to collecting, storing and transferring information in order to test new technologies and systems designed to enhance border security or identify other violations of law. Another category refers to collecting, storing and transferring data whenever CBP belives the information would assist enforcement of civil or criminal law. This severely violates the right to respect of privacy according to article 7 of the EU Fundamental Rights Charter and the principle of good proprotion, as personal information collected under pretext of preventing people involved in terror from entering the US is used for entirely different purposes, which do not justify disrespect of privacy. Using personal information for various purposes which are not defiend in advance also contradicts article 6(b) of the Information Security Directive, according to which personal data may only be collected for purposes that are specified, explicit and legitimate, and cannot be used for other purposes.
Violation of privacy is even graver given the large quantities of information which might be disclosed to different bodies. The system's estimates of passenger threat potential
as well as passenger data are to be stoed for 40 years, even if a passenger is not found
to be a risk. This is completely opposes the information exchange agreement signed between the EU and the US, according to which personal information may be kept for no more than 3.5 years.
Potential violations of the fundamental rights of EU citizens, stemming from the existence of the ATS and other systems which may exist unknown to the public, indicate the danger involved in creating data banks containing personal information without suitable legislation. Given these potential injustices, it is vital to insist that technological progress should not precede legal procedures, and that before new technological systems are entered into use, which could potentially violate individual freedoms, it is necessary to protect through proper legislation the legal rights which are endangered by these systems.