EU Justice Ministers have approved the start of talks between the EU and the US on a personal data protection agreement when cooperating to fight terrorism or crime. The stated aim is to ensure a high level of protection of personal information like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters. Once in place, the agreement would enhance citizens’ right to access, rectify or delete data when it is processed with the aim to prevent, investigate, detect or prosecute criminal offences, including terrorism. Vice-President Viviane Reding, the EU’s Justice Commissioner, said: “Today’s decision gives us the green light to negotiate a solid and coherent agreement with the United States which balances enforceable rights for individuals with the strong cooperation we need to prevent terrorism and organised crime. I look forward to meeting my US counterparts in Washington next week to kick start these important negotiations.” The EU and US have different approaches in protecting personal data, leading to some controversy in the past when negotiating information exchange agreements (such as the Terrorist Finance Tracking Programme or Passenger Name Records). The purpose of the negotiations is also to address and overcome these differences. The mandate aims to achieve an agreement which provides for a coherent and harmonised set of data protection standards including essential principles such as proportionality, data minimisation, minimal retention periods and purpose limitation; contains all the necessary data protection standards in line with the EU’s existing data protection rules, such as enforceable rights of individuals, administrative and judicial redress or a non-discrimination clause; and ensures the effective application of data protection standards and their control by independent public authorities.
The agreement would not provide the legal basis for any specific transfers of personal data between the EU and the US. A specific legal basis for such data transfers would always be required. The new EU-US data protection agreement would then apply to these data transfers.
James Goudie QC