At the end of 2006 the EU and US set up an informal high-level advisory group, the High Level Contact Group (HLCG), to discuss privacy and personal data in the context of exchanging information for law enforcement purposes (note: wider than just terrorism).
The HLCG recently submitted their final report to the EU-US Justice and Home Affairs Ministerial Troika Meeting (of 28 October 2009), with agreed principles which would apply to information exchanges for law enforcement purposes - but this doesn't seem to have received much attention.
The details are in Reports by the High Level Contact Group (HLCG) on information sharing and privacy and personal data protection, 23 November 2009, which annexes the Final Report, the Principles on Privacy and Personal Data Protection for Law Enforcement Purposes for which common language has been developed (common principles), the Addendum to the final report and the Annex to the Addendum (phew!). The agreed principles are as follows:
- Purpose Specification/Purpose Limitation;
- Integrity/Data Quality;
- Relevant and Necessary/Proportionality;
- Information Security;
- Special Categories of Personal Information (sensitive data);
- Independent and Effective Oversight - in order to maintain accountability;
- Individual Access and Rectification;
- Transparency and Notice;
- Redress [Both the US and EU maintained a reservation on this principle. Both sides did agree that the key to this principle is to provide the data subject with an effective remedy as a result of any redress process, but they disagree on the necessary scope of judicial redress];
- Automated Individual Decisions - "Decisions producing significant adverse actions concerning the relevant interests of the individual may not be based solely on the automated processing of personal information without human involvement unless provided for by domestic law and with appropriate safeguards in place, including the possibility to obtain human intervention";
- Restrictions on Onward Transfers to Third Countries.
Their recommendation is to now seek a binding international agreement addressing all these issues.
It's interesting, by the way, how "law enforcement purposes" specifically means different things in the EU and the US in these reports:
- EU - "use for the prevention, detection, investigation, or prosecution of any criminal offense [sic]".
- US - "use for the prevention, detection, suppression, investigation, or prosecution of any criminal offense [sic] or violation of law related to border enforcement, public security, and national security, as well as for noncriminal judicial or administrative proceedings related directly to such offenses or violations".
©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.