Out-Law News 2 min. read
13 Nov 2008, 3:48 pm
A proposal being negotiated by the EU and the US to allow greater sharing of personal data across the Atlantic must also only go ahead if individuals are guaranteed the right to examine the process of exchange and rectify mistakes, according to Peter Husinx, the European Data Protection Supervisor (EDPS).
The EDPS is in charge of ensuring that EU institutions operate in line with privacy laws and advises those institutions on good privacy practice. Husinx has published his opinion on a data sharing plan created by the EU and the US earlier this summer.
The agreement was made by the EU-US High Level Contact Group, which produced a report on its negotiations in June.
The office of the EDPS said that it welcomed the fact that the two sides were treating data protection and privacy issues seriously, but that the two sides would have to work on protections for individuals if the deal was to progress.
"A dialogue on 'transatlantic law enforcement' is at the same time welcome and sensitive," said Hustinx. "It is welcome in the sense that it could give a clearer framework to the exchanges of data that are or will be taking place."
"It is also sensitive as it could legitimise massive data transfers in a field – law enforcement – where the impact on individuals is particularly serious, and where strict and reliable safeguards are all the more needed," he said. "Additional work on outstanding issues should therefore be completed before considering an agreement."
Hustinx backed the proposal to make any agreement between the EU and the US legally binding because it would provide legal certainty.
The biggest bone of contention between the two sides, though, is about what action an individual can take if their data is wrongly processed. The EU argued for the right to take the authorities to court and for that right to be extended to anyone whose data is processed, regardless of nationality.
The US did not agree to that, though. Its Privacy Act, for example, says that only US citizens and legal permanent residents can take it to court. The constitutional separation of powers also means that complainants have to exhaust all direct avenues of redress with government agencies themselves before going to court.
The parties failed to reach agreement on the issue. Though the US side said that other court remedies were available, the EU said that any EU citizen must be able to take action through the Privacy Act.
Husinx strongly backed the EU side in the dispute.
"The availability of adequate means for redress needs to be properly addressed," said an EDPS statement. "Strong redress mechanisms, including administrative and judicial remedies, should be available to all individuals, irrespective of their nationality."
Hustinx's office said that the report should form the basis of a road map towards a legally binding agreement, in a process which should address the problems he highlighted.
