GNOSIS 3/2010
In the interaction between public and private The sharing of information limitations in the effectiveness and legitimacy |
Matteo E. BONFANTI |
Towards the definition of a European model of information Now, almost a decade has passed since the terrorist attacks on New York (2001), Madrid (2004) and London (2005), and on the basis on our experience acquired during the investigative activities which followed, one of the themes which has progressively assumed great importance in the ambit of the political and juridical reflections relative to the necessary actions to be undertaken for the purpose of containing certain phenomena of an international nature – i.e. terrorism, criminality and irregular immigration – regards the strengthening of the gathering and, above all, of the trans-frontier exchange of “relevant information” between the authorities of law enforcement and the Intelligence operating in the Member States of the International Community (1) . The attention which, not only the doctrine, but also the International normal practice has recently dedicated to the subject is extremely significant and, with particular reference to the trans-frontier sharing of information, seems to confirm a general awareness of the decisive role that such a form of cooperation could be for purposes of prevention, counteraction and control of the above mentioned phenomena (2) . What is being described finds easy confirmation in the initiatives that, in recent years, have been promoted and undertaken by a significant part of the subjects of the international system. As far as the Member States of the European Union are concerned, many juridical instruments have been cooperatively adopted by them with the scope of “strengthening” and “reinforcing” the gathering and, above all, the exchange of trans-frontier information/data for law enforcement and security uses. The emphasis placed on the aspect of the strengthening of the operations of gathering and sharing data is justified by the fact that among the Member States, and among these and certain Third World Countries, structures and mechanisms have already been in operation for some time and are realizing said forms of collaboration. Through recent juridical instruments and those in phase of definition, the desire has been, therefore, to intervene in the organization of such structures and mechanisms, modifying their function and, by this, increasing the possibility that they can be efficiently implemented to face the threats to the order and security of the EU. The declared objective of the described process is the definition of a “European model of information based on a strengthened capacity of strategic analysis and of an improved system for the gathering and treatment of the operative information” (3) . In general, therefore, the intensification of the gathering and storage of information relevant to the purposes of law enforcement and Intelligence, combined with the strengthened possibilities of sharing it, seems directed to establish “a common capital of information” – of a supranational nature and, in particular, Europe – accessible, in a diffused manner, to those authorities of prevention and counteraction which are employed, in various measures, in the maintenance of the order and security of the Member States of the EU. One of the aspects characterizing the information model presently being constituted, seems to be represented by the very significant role which is assigned to certain private participants, involved to different extents, in the execution of operations of gathering and transfer of data for police and security purposes. Such involvement or “partnership” has assumed different forms, being realized, for example, in the obligation of the private individuals to communicate to the competent national authorities, information of a “suspicious” financial nature, or in the obligation – always on the part of the same subjects – to store and conserve data of a commercial nature, in order to render it available to the law enforcement bodies and Intelligence for the performance of their activities of prevention and counteraction. On the basis of what has been said, it seems, therefore, that the definition of the European model of information is bringing about a certain re-configuration between public and private relations in the delicate sector of maintaining order and security; a sector which, before such intervention, was almost exclusively of public monopoly. It is, therefore, interesting to observe what the principal implications are that determine a similar process. Here, we shall limit ourselves to consider only those that regard certain aspects of the right of the individual to the protection of personal data (legitimacy) and consequently, on the basis of the considerations that follow, those referring also to the objective of legality-security which, through the above cited “partnership” is intended to be pursued (effectiveness). Legitimacy as parameter of effectiveness: how the protection of data can satisfy the needs of legality and security As it is easy to realize, the reinforcement of the gathering and the trans-frontier exchange of information for purposes of law enforcement and security, apart from raising certain questions of a prevalently technical nature – relative to the operation of the mechanisms through which to implement it, or to the procedures to follow to render it really effective – it poses certain problems in terms of guaranteeing the fundamental rights of the individual, in particular, of the right to privacy and protection of personal data. It results, in fact, rather evident that, if not properly handled, such gathering and exchange of information could easily be translated into an unjustified interference in the above cited rights (4) . If this should happen, the pursuit of the operations of gathering and transfer of data is legitimate in light of the objective of legality and security, but would be unlawful from a viewpoint of respect of privacy and, in particular, of the fundamental principles and rights of data protection. This last viewpoint of illegitimacy would seem to generate a negative impact on the effectiveness itself of the information activity under consideration. In fact, the importance that the respect for certain regulations of data protection assumes – also for purposes of satisfying the needs of security-legality – should not be underestimated. Let us consider, for example, the fundamental principles of “necessity” and “proportionality” which should inform the data processing (5) . In addition to being provided in the interests of the person concerned, such principles – if indeed respected by the Authorities of prevention and counteraction, in the performance of the operations of gathering and sharing data – can prove equally useful to the actual achievement of the objective of security and legality which one intends to pursue through said operations. In fact, it should be noted that the indiscriminate gathering of data, as well as being done in violation of the principles referred to, can prove counter-productive with respect to the realization of the investigation objectives or the individuation of potential threats. A similar reasoning can be made regarding also the fundamental “principle of the security “ of the treatment, the application of which, directed to satisfy the interests of the person concerned, also responds to the needs of the operators of law enforcement and Intelligence (6) . The same is true for the “principle of precision” of the data and for the “temporariness” of their treatment (7) Referring to the latter, it is necessary to consider that the gathering, conservation and storage of the data for excessively long or indeterminate periods involve very high costs. The sustainment of said costs inevitably means a reduction of the resources which could, instead, be more usefully employed by the same operators of security. From what has been said, therefore, it seems of vital importance to insure that the activity of information gathering and sharing for purposes of law enforcement and Intelligence be carried out subject to certain rules on data protection. This, naturally, applies also when said activities are carried out by private protagonists. “Partnership” and applicable regime of data protection From a general point of view, in the European legal system, the principles and rights in matters of data protection – among which those mentioned above – applicable to the gathering and exchange of information for law enforcement and security purposes are recognized in a structured system or, to underline the main limitation, fragmented legal sources. To simplify and take into account the supranational dimension of such system, it concerns regulations laid down by: a) the legal instruments that establish the function of the mechanisms and procedures through which the gathering and exchange of information between the competent authorities of the Member States are operated, if they provide a complete and coherent series of rules that discipline, under lex specialis, all the pertinent aspects of data protection; b) The Decision Framework 2008/977/ GAI on the protection of data used for police and judicial purposes in criminal matters which, in particular, disciplines the trans-frontier transfer of the information (8) ; c) in very limited cases, the data protection instruments adopted in the ambit of the European Community (Directive 95/46/EC, Directive 2002/58/EC and Regulation EC 45/2001) which provide for a complete series of principles in matters of data protection are not, however, “normally” applied to the treatments having as object the public security, the defence and security of the State, as well as activities of the State in matters of criminal law (9) ; d) in general, the Convention N° 108 of the European Council adopted, at Strasburg in 1981, the relative Protocol of 2001 and the European Convention of Human Rights (ECDU, Art. 8), adopted at Rome in 1950, instruments which bind all the Member States of the EU (10) ; e) the Recommendation N° R (87) 15 of the European Council on regulating the use of personal data in the sector of the police although, however, applicable on a voluntary basis (11) . The complexity of the described regulatory framework is often a source of legal uncertainty; an uncertainty “of system” which becomes more problematic with reference to the involvement of private subjects in the operations of the gathering and sharing of data for purposes of law enforcement and security. In this case, as will be described better, it does not seem to be too certain whether the individuation of the applicable rules should be based on the quality of the person responsible for the treatment (private sector) or on the purposes which, through this, the activity of contrast is pursued. The question is not trivial since, in the first case, the discipline of data protection of reference – in particular, that established by the Directive 95/46/EC – determines a higher level of protection of the person of interest compared to that provided for by the regulations in matters of data protection applicable to the activities of prevention and counteraction – provided ad hoc or, in the absence of the Convention N° 108). In any event, it should be observed that the complexity of the described regulatory framework and the legal uncertainty that derives therefrom could be, with a little optimism, soon resolved. Thanks to the significant modifications made by the entry in force of the Treaty of Lisbon (1.12.2009) to the legal-institutional system of the EU, the relative institutions now have the ability to define new modalities to give greater coherence to the legal regime of data protection applicable to the gathering and trans-frontier exchange of data for the purposes of law enforcement and security (12) . To be underlined, first and foremost, is the recognition of the subjective right to the protection of the data effected directly in the Treaty (Art. 16 TFEU), which determines a reinforcement of such right. Furthermore, the positive effects should not be underestimated – in terms of coherence of the protection of the data – deriving from the change of the legal status of the Charter of fundamental rights of the European Union. In fact, the Charter has assumed the role of the primary source of law of the EU, which has consequences not only on the effectiveness of the rights recognized in it – among which also that of the data protection ex Art.8 –, but also on their uniform application, which will be guaranteed also by the Court of Justice. Areas in which the “partnership” takes place The anti-recycling cooperation of the proceeds of illicit derivation. In the EU, one of the sectors which has seen a progressive involvement of certain private protagonists in the pursuit of the activities of gathering and exchange of information for law enforcement and security purposes, is that of the anti-recycling of proceeds deriving from illicit activities. Such involvement is provided for by the Directive 2005/60/EC relative to the prevention of the use of the financial system for the purposes of re-cycling of proceeds of criminal activities and the financing of terrorism (13) . The duel objective that the so-called “money laundering Directive” poses (anti-recycling and the prevention of financing of terrorism) is pursued by establishing that each Member State undertakes the obligation to provide for a variegated category of private economic operators under its jurisdiction, and who act in the exercise of their professional activity, to carry out operations of identification and verification of the clientele, the gathering and registration of the relative data, as well as, under certain conditions, the sharing of said data with specific national authorities (14) . The application of the content of the Directive determines that, in each Member State and, therefore, in all the territory of the EU, there shall operate a capillary system of control and verification of each and every economic-financial activity or transaction, which will be performed, on a daily basis, by a considerable number of individuals. Among all the activities and financial transactions monitored, certain of them will be submitted to particular controls insofar as suspected of being connected to operations of recycling of money or of financing terrorism. Such activities and transactions and the data of the subject who performs them are, therefore, promptly communicated to a particular national body called the Finance Intelligence Unit (FIU). The FIU is a central National body delegated to receive (and to some extent, request), analyze and communicate to the competent authorities of law enforcement of the State, where its activities are carried out, the information that concerns a possible operation of recycling or the financing of terrorism (15) . As far as the gathering of data is concerned, the Units also have access, directly or indirectly, in good time, to the national databases containing financial, administrative and investigative information, necessary to adequately discharge their tasks. They, therefore, represent – not only formally, in their name, but also substantially, in the actions they can materially exercise – the true Intelligence bodies, charged to gather, elaborate and communicate to the competent national authorities, information relevant to the actions that these Units exercise for the purpose of maintaining security and legality. In addition to collaborating directly with the national authorities, the FIU of the Member States also cooperate between themselves, exchanging information, spontaneously or upon request (16) . Among the major implications that the public-private collaboration in matters of anti-recycling determines for the rights of the individuals to the protection of their personal data, are those generally deriving from all the activities of prevention and counteraction which presuppose the diffused gathering and elaboration of a significant quantity of information, in the case under examination – personal data relative to a large number of individuals who carry out economic activities or make financial transactions. The fact that such operations of data gathering and elaboration have not only single subjects individually suspected of committing illicit activities as their object, but being also based on the ample and diffused monitoring of the population, significantly limits the scope of the principles of necessity and proportionality which inform the data treatment. The Directive 2006/24/EC: data retention Another sector in which certain private subjects have been asked to collaborate with the State Authorities in the gathering of information for law enforcement and security purposes is that of telecommunications. The European legal instrument which has regulated the modalities through which such collaboration is carried out is the Directive 2006/24/EC, the adoption of which was motivated both by the necessity to update – with respect to the intervening technological innovations – the discipline (Community) of data protection in matters of electronic communications and by the desire to introduce certain measures directed to extend, in the ambit of the fight against terrorism, the availability of data generated by such communication, to the police and judicial authorities (17) . In fact, from this last point of view, the object of the Directive is that of harmonizing the regulations of the Member States which establish the “obligations, for the suppliers of electronic communication services accessible to the public or of a public network of communication, to conserve certain data generated and treated by them, for the purpose of guaranteeing their availability for investigations, ascertainment and pursuit of serious crimes”. (Art. 1 § 1). From what is stated, it is clear that the harmonization has as its principal object, both the typology and the quantity of data to be stored, and the duration of the period of storage and conservation. As far as the first aspect is concerned, the data in question does not relate to the content of the communication, but regards the traffic, the location of the persons – both physical and legal – and that necessary to identify the subscriber or registered user. As far as the duration of the storage, the data retention Directive establishes that the information gathered by the operators of the telecommunication services be stored for a period not less than six months and not over two years from the date in which the communication was received (18) . During such period, therefore, the information is retained by the private parties, but remains available to the competent Authorities of the Member States which, “in respect of the criteria of necessity and proportionality”, can access and utilize it for purposes of counteracting serious crimes. It is to be noted that the data retention Directive expressly establishes that the procedures and conditions of access to the data or, more generally, the modalities with which this data is treated are regulated by the national legislation of each Member State, but without prejudice to the relevant provisions in matters established by the Law of the European Union and by the international Law and, in particular, by the ECDU, as interpreted by the European Court of Human Rights. The reference to the international regulations and case law made by the Directive is broad and does not specifically resolve the question of the precise determination of the data protection regime applicable to the data treatment of a commercial nature which can, however, be utilized for activities of law enforcement. The question was taken up by the Court of Justice of the European Community (CGEC), which, however, does not seem to have definitively resolved it (19) . Coming now to the implications that the operations of gathering, storing and sharing of the data – foreseen by the data retention Directive – have with regard to the principles in matters of data protection, the most important implication seems, once again, to regard the proportionality of the treatment, As has been observed, it is doubtful that the storage and use of the data generated by the employment of the telecommunication services, regulated thus, could be considered moderate with respect to its intended purpose (20) . In other words, the Directive, imposing on the telecommunication services operating in each Member State, the task of gathering, storing – for a long period of time and, therefore, affecting the efficacy of the temporary nature of the treatment – and making available to the competent national authorities, a vast quantity of data generated by the telephonic and internet traffic, by an indiscriminate series of individuals who, for example, without limiting the content of their information to individuals under investigation or suspected of crime, would greatly impair the significance of the above mentioned principle (21) . European PNR system The EU is presently discussing a measure directed to establish the obligation for airline companies that operate direct international flights coming from or in transit over the territory of, at least, one Member State, to make available, to competent national authorities, a series of data of a “commercial nature” – named as a whole, according to the English acronym PNR, or Passenger Name Record – to be utilized, however, for the purposes of prevention and counteraction to international terrorism and other serious forms of criminality. The data in question is that contained in the automatic system of bookings and departures of flights operated by the said companies and make reference to the single passengers who use them. Generalizing, it consists in a significant quantity of information, useful to the national authorities of law enforcement and security, to identify the individual passengers, to monitor their international movements, as well as – extremely important – to make “evaluations” on the risk that one, or more, of these passengers could be implicated in the preparation or commission of an international terrorist crime or other serious crimes (22) . It is necessary to observe immediately that, in the International panorama of measures adopted by the States to handle certain criminal phenomena, particularly terrorism, the sharing of information between the air transport operators and national authorities is certainly not a novelty. In fact, such information sharing for law enforcement and security purposes represents a form of collaboration between public and private sectors which, originally, was created by the United States following the terrorist attack of 2001. Similar forms of collaboration have been realized by other States, such as Canada and Australia. Recently, also the Member States of the EU have decided to proceed in this way. However, before examining in more detail the content of the European initiative, it is necessary to examine some important consequences that the programmes of PNR data transfer, adopted by the United States, Canadian and Australian Systems respectively, have had on the EU system. In fact, it should be observed that, even though circumscribed to a specific system, such programmes determined, each one, above all, in their phase of implementation, certain consequences on the international level. In particular, the obligation to communicate the PNR data for law enforcement and security purposes established by said systems and regarding “every” air company operating international flights from or to their territory, had important repercussions on the European data protection regulations. In fact, said obligation being provided for “every” air vehicle and, therefore, also for those having a legally registered office in the EU territory, which are required to treat the data according to principles defined by the European regulations in matters of protection of personal data, the question arose over the compatibility of the PNR data transfer with respect to the said principles. This question has been legally resolved, even though in different moments and with a very particular affair for the American case through the conclusion of an agreement between the EU and the third State consignee of the data transfer, which assumed precise commitments in matters of protection of the received personal data (23) . Therefore, on the basis of an agreement, the EU authorized the European airline companies to transfer the PNR data to the foreign competent authorities of law enforcement. On the basis of what has been described and taking the European Union as a point of reference, it is, therefore, possible – schematizing – to distinguish between two dimensions that the PNR data sharing system is currently assuming in Europe. On the one side, in fact, it forms part of the ambit of international cooperation between the EU and certain Third World Countries: it essentially consists in the transfer of personal information, treated for commercial purposes by the operators of air transport services having their registered offices in the EU, to law enforcement and security authorities outside of Europe. On the other side, there is a PNR profile that concerns, instead, the cooperation of law enforcement and security “within” the EU. From this point if view, the system is still in the definition phase. Recently, in fact, the Commission presented to the Council a Proposal of decisions on the use of the PNR data for law enforcement purposes (so-called PNR European Proposal) which, as already mentioned above, intends, essentially, to regulate the modalities according to which the air carriers which make direct international flights, coming from or in transit from the territory of, at least, one Member State, transmit said data to the competent authorities of the security of the Member States (24) . The Proposal underwent certain important amendments, some of which directed to increase the utilization potentials of the PNR data (25) . What is interesting to note is that, if the Proposal is definitively approved, a monitoring system will be instituted for all the individuals who use a transnational air flight on departure, on arrival or only in transit from the territory of a Member State. If then, said flight will have origin, or will be directed towards Canada, Australia or the United States, theoretically, the monitoring will be twofold and this will be carried out not only by the competent authorities of law enforcement of the Member States, but also by those of said Countries (26) . a) API and PNR: different approaches for different purposes Before concentrating on the analysis of the measures of the PNR European Proposal, it is necessary to mention that, in the EU ambit, there already exists and operative mechanism of data transfer relative to passengers of international flights, to the Authorities of the Member States, which are responsible for controls at the external frontiers. This mechanism is that provided for by the Directive 2004/82/EC of the Council (Directive API, Advance Passenger Information) which, in essence, imposes on the Member States to establish the obligation for the air carriers which operate transnational flights towards the territory of a Member State of the EC to communicate, in advance, to the national competent authorities in charge of the surveillance of the external frontiers, the data relevant to the persons who will be transported by them (27) . The objective of the Directive is, therefore, to counteract illegal immigration towards the EU by improving the control at the frontiers. The Directive in force could give rise to doubts over the necessity of the approval of a further legal instrument which provides for an obligation of information gathering and exchange on passengers on more or less analogous air flights. In reality, the two initiatives are distinguished one from the other by elements which are not negligible. The first and most macroscopic difference between the data sharing mechanisms of which both the legal instruments are promoters, regards the purpose pursued and the approach utilized. As already mentioned, as far as purpose is concerned, the API Directive is directed to improve the control of the illegal immigration, while the Proposal of the Commission has the objective of foreseeing and counteracting the crimes of terrorism and other serious crimes (28) . Instead, with regard to the approach or the method utilized to pursue, respectively, each of the cited objectives, it might be useful to quote what was expressly affirmed by the Commission in the Report (page 3) which accompanies the Proposal, that is: “for the purposes of the fight against terrorism and organized crime, the information contained in the API data through use of the detection systems (like, for example, the Schengen Information System (SIS) would be only sufficient to identify already known terrorists and criminals. The API data is official data, drawn from passports and sufficiently accurate with regard to the identity of a passenger, while the PNR contain more data and are available sooner than that of the API. These elements of data are very important instruments to make evaluations of risk on the passengers, to obtain information and establish associations between known and unknown subjects”. The emphasis placed on the operations of evaluation of the risk of the passengers and of the profiling, demonstrates the intention of the Commission to institute a system of information sharing inspired by the pursuit of “tactics” purposes, i.e. of prevention and counteraction of crimes, but also “strategic” purposes and security, i.e. to prevent the phenomenon of terrorism and criminality. More trivially, the proposed PNR European System is directed both to permit the national authorities of law enforcement and security, to monitor a certain individual passenger suspected of being personally connected to the preparation or commission of crimes of a transnational nature, and to allow said authorities to monitor the entire population of air carrier passengers and, through the analysis, combination and verification of the relative information, and from the deduction of their behaviour, to individuate subjects who represent a threat to security and public order. A similar approach, contained in the Proposal of the Commission, has not only been confirmed, but further developed by the Council and is in phase of discussion. There are further differences between the API data transfer regime and that of the PNR. One of these concerns both the quantity and the quality of the exchanged data, limited and almost homogenous as far as the API data is concerned: ample and structured for that of the PNR. Furthermore, if the first consists in information of an “objective” or “official” nature and of a lasting validity (e.g. the number and type of travel document used by the passenger or the mountain border post of entry into territory of the Member States) the PNR data consists also in information of a more variable nature (general observations on the passenger and on his movements) much of which is personally communicated by the individual at the moment of flight booking (telephone number and e-mail address, information on the modality of payment). Finally, a further difference between the two systems of data sharing concerns the conditions or modality through which the transfer of the information is made by the air companies to the national authorities of prevention and counteraction of the Member States. In the case provided for by the API Directive, the exchange is made on the basis of a precise request coming from the national authorities; in the case of the PNR Proposal the information must be automatically shared, as soon as it becomes available. b)The content of the PNR European Proposal PNR Coming now to the examination of the PNR data sharing mechanism provided for by the Proposal, it must be observed that the central element of this last is the individuation, on the part of each Member State, of a “Passenger Information Unit” or PIU, competent, in the first place, in the gathering of the PNR data, which is treated by the booking systems at the airline carriers operating international flights, on departure or on arrival from the territory of the State or of the Member States to which the Unit refers (Art. 3 § 1). The Unit represents, therefore, the first consignee of the transfer of the data in possession of the airline companies and the “nerve center” for their elaboration and analysis (29) . With regard to the timing according to which the PNR data sharing is carried out, it is provided that this is communicated in advance of the programmed departure of the flight and immediately after the closure of the flight. Always with reference to the modalities of data sharing, the Proposal (Art. 5 § 4) establishes that the air carrier, after a transitory period of two years has passed, must “transfer” on their own initiative, the data in their possession to the competent PIU (the so-called “push” method). Instead, during the transitory period, the air carriers which do not have the technical equipment necessary to transfer, on their own initiative, the information in their possession, are obliged to allow the PIU to “withdraw” the data directly or extract it from the respective databases (the so-called “pull” method). The distinction between the two methods is important for the purposes of determining the implications these methods have in matters of data protection. As, in fact, it was observed by the European Guarantor for the protection of data in the opinion relative to the Proposal of 2007, the “push” method, which allows the airline companies to maintain control over the quality of the transferred data and on the circumstances of such transfers, is the only method that permits respect of the principle of proportionality of the treatment. It must, however, be a genuine “push”: the data, that is, must not be transmitted in block to the PIU, but already filtered, in this very first phase of the treatment (30) . Once, the data registered in the booking systems of the airline companies is received, the PIU is responsible for their storage (3 years extendable up to a maximum of 10) and their analysis (Art. 9) (31) . The Unit, first and foremost, proceeds to the evaluation of the risk connected to the passengers, examining the information received and comparing it with that stored in the relevant national and international databases, like, for example, those that constitute part of the SIS. The purpose of such operations is that of identifying those who are, or could be implicated in a terrorist crime or other serious crimes, as well as their accomplices, and to communicate the relative data to the competent authorities of prevention and counteraction of the Member States. Among the tasks of the PIU, there is, in addition, that of creating and up-dating the risk indicators for the evaluation of the passengers and, in general, to furnish intelligence on the type of movements and other tendencies connected to the crimes of terrorism and other serious crimes. As it is easy to imagine, if the PNR European Proposal should be approved and the data sharing system contained therein becomes operative, it would have several implications for the rights of individuals to the protection of their personal data. Before examining them, however, it is necessary to make a brief reference to the question of the individuation of the data treatment by the airline companies until its transfer to the competent PIU. It seems understood that it is submitted to the discipline established by the Directive 95/46/EC. In reality, this point is rather controversial. Given that the PNR data is handled by private subjects (the airline companies), not only for commercial purposes, but also to make it available to the national authorities of prevention and counteraction, it is not possible to affirm with certainty, that the data protection regime applicable to this data is that established by the Directive 95/46/EC. In the case of this kind, the purpose of law enforcement and security of the treatment seems to be the prevalent one. In this case, the question could be coped with by making recourse to the interpretation adopted by the GCEC in the sentence of May 2006, relative to the agreement concluded between the USA and the EC on the transfer of the PNR data (32) . On that occasion, the Luxembourg judges established that the transfer “in systematic form” of the PNR data from the airline companies to the American authorities constituted a treatment having as object the public security and, therefore, did not fall into the area of application of the Directive 95/46/CE. In light of this Court interpretation, it seems correct, therefore, in this case, to let prevail the criteria of the purpose of the treatment over that of the nature of the subject that implements it and judge, therefore, the PNR data treatment carried out by the airline companies as treatment for police purposes generically subject to the regulations of the Convention N° 108. Coming now to the implications that the described system has in matters of protection of personal data, the main ones regard the respect of the principles of necessity and proportionality of the treatment of the personal information. On the basis of considerations not unlike those made previously, it seems difficult that the ample and diffused monitoring of the individual passengers is compatible with said principles. Furthermore, since the objective of the system is not simply that of identifying the known terrorists or criminals, comparing the names with those on the lists managed by the law enforcement authorities, but rather to gather a large quantity of information on the passengers of air flight and to make, through them, evaluations of risk, it is fundamental to reduce to a minimum the possibility of incurring errors (false positives). Conclusive observations On the basis of what has been described, it is possible to conclude that the most critical problems which the examined forms of “partnership” determined in matters of data protection regard, above all, the principles of necessity and proportionality of the treatment. The major problems derive from the fact that operations of gathering and sharing of information involves a variegated category of personal data which is daily generated by the individual-holder in the exercise of activities which are, in themselves, legitimate. Such diffused and generalized gathering of information responds to the need of the authorities of prevention and counteraction to dispose of a pool of information, the content of which is used for purposes of preventing crimes and, in particular, terrorism. Without limiting the pursuit of this last objective and starting from the assumption that security-legality, on one side, and protection of data, on the other, are together in a complementary relationship and not, according to an approach which is schematic and of principle, one of antithesis, it would be opportune to provide some correctives inspired by a greater selectivity in the gathering and exchange of information. |
(1) Generally, with the expression ‘Law Enforcement Authorities’, we refer to the Police and Judicial bodies, as well as those that carry out controls on the external frontiers of the States, that is, Customs Controls (with particular reference to the EU System, see Art. 2 (a ) of the Decision Framework 2006/960/GAI, in OGEU L 386, 29/12/06. Pgs. 89-100. Instead, for the Intelligence Authorities is intended those institutions which carry out, prevalently, activities of acquisition , analysis and evaluation of information, such as those normally performed by the Information & Security Services or Agencies. The distinction between the two types of Authority lies in the different tasks that they carry out and in the different purposes pursued. Notwithstanding ,what has just been stated does not prevent the activities executed by the Law Enforcement bodies and those performed by the Intelligence from having points of contact and elements in common. To make just one example, also the Police Forces can perform activities of Intelligence, or better, activities which are more correctly called “intelligence-led policing”.
(2) It should be observe that terrorism, organized crime and trans-frontier irregular immigration are phenomena which although extremely different one from the other, present, in the dimension studied here, certain elements of connection. The first and most significant is represented by their shared “transnational” or “international” character which, besides other things, determines that the actions taken for their prevention, management and contrast tend to be based on although with scarce efficacy, the international coordination between the competent authorities operating in the various States. Furthermore, terrorism, irregular immigration and organized crime are a “contiguous” phenomena. Such characteristic can be found by observing the “elements of contact” among the activities in which they consist and are manifest. See MARULLO: The Role and activities of the Intelligence Services and the Police Forces in the fight against organized crime and terrorism in the EU Countries in respect of the Convention of the European Council for the protection of personal data, and the European Convention of Human Rights, in BASSIOUNI (by) the international cooperation for the prevention and the repression of international criminality and terrorism. Milan 2005, pgs. 187 and following). What is described above explains the recent tendency of the Members of the International Community to consider the above phenomena in a united way and to predispose measures of prevention and contrast strictly integrated among themselves. (3) Communication of the Commission. A Space of Liberty, Security and Justice at the Service of the Citizens. 10.6.09. § 4.1.2. See Programme of Stockholm - An open and secure Europe at the service and protection of the citizens, approved by the European Council of Brussels, 12.12.09, § 4.2.2. (4) See last doc. cited. (5) According to the “principle of proportionality”, the personal data must be adequate and pertinent to the purposes for which it is gathered and treated. The proportionality regards, above all, the quality of the data. With reference, instead, to their quantity, the “principle of necessity” applies, according to which the data must not be excessive with respect to the purposes for which it is gathered. (6) The “principle of security” provides for the adoption on the part of the subject of the treatment of appropriate measures to protect the personal data from accidental or non-authorized destruction, from accidental loss, as well as, non-authorized access, modification or diffusion. (7) On the basis of the “principle of precision” the data treated must be exact and, if necessary, up dated. The “temporariness”, instead, determines that the treated data must allow the identification of the subject of interest for a period not exceeding that necessary with respect to the purposes for which they have been registered. (8) In OGEU L 350, 30.12.08, pages 60-71. (9) In OGEU, L 281, 23.11.95. pgs. 31-50, ibidem 201, 31.7.02, pgs. 37-47, ibidem 8, 12.1.01, pgs. 1-22. (10) http://conventions.coe.it/Treaty/Commun/ListeTraites.asp?CM=8&CL=ITA (11) http://www.coe.int/t/dghl/cooperation/economiccrime/organisedcrime/Rec_1987_15.pdf. (12) In OGEU C306, 17.12.07 (13) In OGEU L 309. 25.11.05, pgs. 15-36 (14) In addition to credit and financial institutions, the measures of the Directive 2005/60/EC, they are applied, in fact, also to different legal or physical persons who act in the exercise of their professional activities, among which: auditors, external accountants, tax consultants, notaries and other legal freelance professionals; real estate agents, gaming houses; professional activities and business categories that carry out activities which are particular susceptible to be utilized for recycling purposes or the financing of terrorism. (15) In Italy, the FIU (Unit of financial information) was instituted by the Bank of Italy on 1.1.2008, under the Legislative Decree, N° 231, 2007. Its organization and functioning are disciplined with Regulation of the Banca d’Italia (http://www.bancaditalia.it/UIF ). (16) See Decision 2000/642/GAI, in OGEU L 271, 24.10.00, pages 4-6. (17) In OGEU L 105, 13.4.06. pages 54-63. (18) Italy acknowledged the Directive with the Legislative Decree N° 109, 30.05.08, in OG N° 141, 18.6.08 pgs. 3 and following, which has provided for a single period of conservation equal to 24 months for telephonic traffic data, to 12 months for the data of computer traffic and to 30 days for data relative to unanswered calls, without further distinction on the basis of the type of crime. (19) CGEC, 10.2.09. Case C-301/06, Ireland against Council and Parliament (20) MITSILEGAS European Criminal Law, Oxford-Portland, 2009, pg. 268 (21) BIGNAMI is of different opinion, Privacy and Law Enforcement in the European Union. The Data Retention Directive in, Chicago Journal of International Law, Volume 8, 2007. Pgs. 246-254. (22) Usually, the PNR data consists in: a PNR code of identification of the dossier; the date of booking/issuance of air ticket and journey; name(s) of passenger, address, telephone number and e-mail address; information on all modalities of payment; the complete itinerary; the information on the so-called “frequent flyer”; the travel agent; the journey status of passenger, including confirmation, check-in; previous embarkation absences, or passenger without booking; general observations (excluding sensitive information ) on the passenger; the dates on the issuance of ticket, the information on the spot; the information on the code-share; all information relative to baggage; the number of travellers and other names which appear in the PNR; the API information if eventually gathered; finally, the chronicle of the PNR modifications. (23) In OGEU L 213, 8.8.08, pgs. 49-57. Ibidem 204, 4.8.07. pgs. 18-25; OGEU L82, 21.3.06 pgs. 15-19. On the United States’ case, see PAGALLO, The Protection of Privacy in the USA and Europe. Comparison of legal models, Milan, 2008, pgs. 159 and following. (24) Proposal of decisione quadro of the Council on the use of the PNR data (Passenger Name Record) in the activities of counteraction (COM) (2007) 0654 Def), 6.11.07. (25) Council doc 5618/2/09. Rev. 2. 29.6.09 (26) As declared by the Commission in the Proposal of the Decision Framework on the use of the PNR data, cited, page 6, “With regard to the impact of the Proposal on relations with Third World Countries, it cannot be excluded that some of these can ask reciprocal access to the PNR data relative to the flights coming from the EU and directed to their territories, even though on a practical level it is a very remote probability”. (27) In OGEU L 261, 6.8.04. pgs. 24-27. (28) The expression “serious crimes” was included in the text of the Proposal of the Council and has substituted the expression “organized criminality”. (29) From this point of view, it is possible to note the affinity of the function performed by the PIU with that attributed to the FIU, described above. (30) In OGEU C 110, 1.5.08, pages 1-15. (31) Since the period of storage and conservation is source of access discussions between the States, its further modification is foreseeable. (32)CGEC 30.6.06. Cases combined C-317/04 and 318/04 Ibidem |