The European Data Protection Supervisor (EDPS), which is an independent supervisory authority committed to protecting personal data and privacy, issued an opinion (the “Opinion”) on December 17, 2010, on the European Union Commission’s communication on the EU’s Internal Security Strategy.
The EU Internal Security Strategy (“ISS”), which had been adopted on February 23, 2010, aims to target organized crime, terrorism and cybercrime. It lays out a European security model for responding to these threats while respecting the EU’s fundamental values, including fundamental rights.
The EU Commission then adopted on November 22, 2010, a communication on the ISS entitled "EU Internal Security Strategy in Action: Five steps towards a more secure Europe", which was sent to the EDPS for consultation. The Commission proposed five strategic objectives, all of which bear on privacy and data protection:
– disrupting international crime networks,
– preventing terrorism and addressing radicalization and recruitment,
– raising levels of security for citizens and businesses in cyberspace,
– strengthening security through border management, and
– increasing Europe’s resilience to crisis and disasters.
The Opinion looks at these objectives from the perspective of privacy and data protection, and specifies a number of data protection notions and concepts which should be taken into consideration when designing, developing and implementing the ISS in the EU.
The Commission’s communication stipulates that “[w]here efficient law enforcement in the EU is facilitated through information exchange, we must also protect the privacy of individuals and their fundamental right to protection of personal data.” The EDPS welcomes this statement, but regrets that the communication does not elaborate on data protection, nor does it explain how privacy and personal data could be protected (p.6).
The EDPS writes further that the ISS “should have as one of its objectives a broadly understood protection which would ensure the right balance between on the one hand the protection of citizens against the existing threats and, on the other hand, the protection of their privacy and the right to the protection of personal data. In other words, security and privacy concerns must be equally taken seriously in the development of the ISS…” (p.6) (our emphasis).
Some of the actions that derive from the ISS objectives are likely to increase the risks to individuals’ privacy and data protection, and these risks must be counterbalanced. The EDPS points out three concepts which should all be taken into account when implementing the ISS:
– Privacy by Design
o This concept is currently being developed in both the private and the public sector. The EDPS believes that “built-in” privacy must play an important role in EU internal security (p.7).
– Privacy and Data Protection Impact Assessment (PIA)
o The EDPS recommends that PIAs be conducted, either as a separate assessment or as part of the general fundamental rights impact assessment carried out by the Commission, and that they recommend specific and concrete safeguards (p.8).
– Data Subject Rights and Best Available Techniques (BATs)
o The Commission’s communication does not specifically address the issue of data subjects’ rights. However, all persons subject to the different EU internal security systems and instruments must have the same rights relating to how their personal data are processed, and the EDPS therefore invites the Commission to look more carefully into this issue.
o The EDPS notes that “[p]articular attention should be paid to redress mechanisms. The ISS should guarantee that whenever individuals’ rights have not been fully respected, data controllers should provide for complaints procedures which are easily accessible, effective and affordable” (p.8).
o BATs can be used to achieve the correct balance between realizing the ISS objectives and respecting individuals’ rights. Reference documents on BATs should be elaborated in order to promote harmonization of these measures across the different Member States. The European Network and Information Security Agency (ENISA) can play a role in the elaboration of these guidelines (p.9).