The European Commission has adopted a draft mandate to negotiate a personal data protection agreement between the European Union and the United States when cooperating to fight terrorism or crime. The aim is to ensure a high level of protection of personal information like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters.

The agreement would enhance the right of citizens to access, rectify or delete data, where appropriate. EU citizens would receive a right to seek judicial redress in the US if their data is unlawfully processed. Independent public authorities would be given a stronger role in helping people exercise their privacy rights and in supervising transatlantic data transfers. The Council must approve the Commission's negotiating mandate before talks can begin. The European Parliament will be fully informed at all stages of the negotiations and will have to give its consent to the outcome of the negotiations.

Since 11 September 2001 and subsequent terrorist attacks in Europe, the EU and US have stepped up police and judicial cooperation in criminal matters. One important element is the transfer and processing of personal data if relevant for the prevention, investigation, detection or prosecution of crimes, including terrorism.

The EU and US are both committed to the protection of personal data and privacy. However, they still have different approaches in protecting data, leading to some controversy in the past when negotiating information exchange agreements (such as the Terrorist Finance Tracking Programme, so-called SWIFT agreement, or Passenger Name Records). The purpose of the agreement proposed by the Commission today is to address and overcome these differences.

The new proposal would give the Commission a mandate to negotiate a new data protection agreement for personal data transferred to and processed by enforcement authorities in the EU and the US. It would also commit the Commission to keeping the European Parliament fully informed at all stages of the negotiations.

The Commission aims to establish legally binding and enforceable personal data protection standards that will ensure that individuals’ fundamental rights and freedoms are protected. Compliance with these standards would be controlled by independent public authorities on both sides of the Atlantic.

Under the Commission's proposal:

• The transfer or processing of personal data by EU or US authorities would only be permitted for specified, explicit and legitimate purposes in the framework of fighting crime and terrorism
• There would be a right to access one's personal data and this would be enforceable in courts
• There would be a right to have one's personal data corrected or erased if it is found to be inaccurate.
• There would be an individual right of administrative and judicial redress regardless of nationality or place of residence.

Background

The Terrorist Finance Tracking Programme was set up shortly after the terrorist attacks of September 2001. Relevant results of US analyses have been shared with EU member states and have contributed to effective investigation and prevention of terror attacks.

The Commission adopted the draft terms of the mandate which has now been approved by the Ministers of Justice and Home Affairs in late March, after the European Parliament had rejected in February the bank data exchange with the United States via the SWIFT network, because of concerns of MEPs over issues such as privacy, proportionality and reciprocity.