The DoD has played an active military role in Europe for more than half of the past century. During this time, the DoD has transitioned from active combat to training and various states of combat readiness, culminating in the present phase of training, operations support, facilitation of the North Atlantic Treaty Organization, partner nation military engagement, and coalition and NATO Allied military contingency operations such as Kosovo Force Operations. The focus has also shifted from a relatively stationary target to a nebulous transnational and transregional threat emanating from various parts of the globe. An important aspect of DoD’s partner nation, military-to-military, NATO and law enforcement engagement strategy and activities is the development, maintenance and use of biometric capabilities to support a spectrum of military missions and operations. The use of biometrics for any DoD operations in the EU will be subject to the various EU privacy laws. This article will provide a summary of some of the relevant privacy policies in the EU.
The EU defines personal data as “any information relating to an identified or identifiable person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural and social).” [1] The EU definition of personal data includes all modalities of biometrics, leading to broad interpretations of rules, guidelines and laws that pertain to personal privacy and the use of personal data.
European Convention of Human Rights
All privacy laws and policies in the EU are based on the ECHR. The ECHR was drafted in 1950 by the Council of Europe and entered into force in 1953, and its ratification is a prerequisite to join the Council of Europe. Article 8 provides a right to privacy to respect for one’s “private and family life, his home and his correspondence,” subject to certain restrictions that are “in accordance with law” and “necessary in a democratic society.”
Article 8: “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
Data Protection Convention
The legal evolution of personal privacy law in the EU is intertwined with the adoption of the DPC or the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, an international agreement enacted in 1981 after four years of development by the Council of Europe. The DPC now has 46 countries with ratified membership, including Uruguay as of April 2013, which makes the DPC an international treaty that continues to add members. [2] The DPC is not enforced with punitive measures, but it is used as a guideline for further participation in other EU initiatives and as a standard for the development of the civil infrastructure of participating nations.
“The Convention’s [DPC] approach is not that processing of personal data should always be considered as an interference with right to privacy, but rather that for the protection of privacy and other fundamental rights and freedoms, any processing of data must always observe certain legal conditions. Such as the principle that personal data may only be processed for specified legitimate purposes, where necessary for these purposes, and not used in a way incompatible with those purposes.” [3]
Directive 95/46/EC
Current data protection laws in the EU are guided by Directive 95/46/EC, which the office of the European Data Protection Supervisor commonly refers to as the Data Protection Directive. While the DPD was developed over a period of years leading up to implementation in 1995, prior to some major advances in technology, the legal frameworks are still used, even with their technological shortcomings. It has been up to court proceedings and legal reviews to interpret the legal framework in light of advances in technology. “Directive 95/46/EC…is now the subject of a wide ranging review to make it more effective in a world where information technology is playing a prominent role in all fields of life – both public and private.” [4] However, several clauses in the Preamble of the Directive 95/46/EC, specifically 13, 16, 46 and 56, provide for governmental exceptions in cases of national security or defense, and these clauses would likely be relevant to any potential DoD operations in the EU.
The Prϋm Convention (Schengen III Agreement, 2005)
The Prϋm Convention is an agreement that seeks “to step up cross-border cooperation, particularly mutual exchange of information.” [5] The agreement deals with the issues of personal privacy and biometrics. The agreement goes on to outline how the individual laws of contracting parties and member states will comply with the national law of the states involved. These national laws have been moving towards uniform compliance with Directive 95/46/EC. The Prϋm agreement is meticulous in its compliance and appears to avoid obvious pitfalls associated with biometrics and privacy. The Convention was adopted so the signatories could exchange DNA and fingerprint data from persons of interest.
The Prϋm Treaty also includes counter-terrorism amongst its articles in Article 16: “Supply of Information in order to Prevent Terrorist Offenses.” Article 16 provides a proactive legal framework that seeks to prevent terrorist offenses by having participating nations supply personal data to each other, even without a request for information. “For the prevention of terrorist offences, the Contracting Parties may, in compliance with national law, in individual cases, even without being requested to do so, supply other Contracting Parties’ national contact points, as referred to in paragraph 3, with the personal data and information specified in paragraph 2, in so far as is necessary because particular circumstances give reason to believe that the data subjects will commit criminal offences as referred to in Articles 1 to 3 of EU Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism. This is a critical aspect of sharing to prevent.” [6] The chapter continues in the second clause stating that, “The data to be supplied shall comprise surname, first names, date and place of birth, and a description of the circumstances giving reason for the belief referred to in paragraph 1.” [7] The Prϋm Convention gives participating members legal justification to develop broad counter-terrorism initiatives based on a reasonable belief of an impending threat “because particular circumstances give reason to believe that the data subjects will commit criminal offenses…” [8]
“In June 2008, the Council of the European Union converted the Treaty of Prϋm into EU legislation (The EU-Prϋm-Decision). The new EU legislation requires every EU member state to establish a forensic DNA database and to make this database available for automated searches by other EU member states. As DNA profiles are regarded as personal data, national privacy legislation derived from the European Data Protection Directive 95/46 also applies to forensic DNA databases.” [9]
General Data Protection Regulation
Recognizing that the digital world has changed in the past two decades since the advent of the Internet, the European Commission proposed a comprehensive reform of the EU’s data protection rules to strengthen privacy rights and boost Europe’s digital economy on January 25, 2012. [10]
A few of the “Information Age” factors driving the need for a redefinition of personal data and levels of protection include the increasing use of:
- Social networking sites
- Cloud Computing
- Location-based services
- Smart cards
EU member states have implemented the 1995 rules very differently with disparate degrees of enforcement. A uniform, single law across the EU would eliminate the current patch-work implements and attendant administrative burdens. The EU’s European Council aims for adoption soon, and the regulation will take effect after a transition period of two years.
References:
[1] Glossary RSS. (n.d.). Retrieved November 1, 2014, from http://ec.europa.eu/justice/data-protection/glossary/index_en.htm
[2] Signatories of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data: Albania, Andorra, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Moldova, Monaco, Montenegro, Netherlands, Norway, Poland, Portugal, Romania, Russia, San Marino, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, The former Yugoslav Republic of Macedonia, Turkey, Ukraine, United Kingdom, Morocco, and Uruguay.
[3] Hustinx, P. (n.d.) EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, p. 6, Retrieved from https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2014/14-09-15_Article_EUI_EN.pdf
[4] Hustinx, P. (n.d.) EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, p. 1, Retrieved from https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2014/14-09-15_Article_EUI_EN.pdf
[5] Prϋm Convention (2005) Ch1 Art1:1, Retrieved from http://ec.europa.eu/anti_fraud/documents/data-protection/dpo/prumtr.pdf
[6] COUNCIL DECISION 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime. (2008). Official Journal of the European Union.
[7] Prϋm Convention (2005) Art16:2, Retrieved from http://ec.europa.eu/anti_fraud/documents/data-protection/dpo/prumtr.pdf
[8] Prϋm Convention (2005) Art16:1, Retrieved from http://ec.europa.eu/anti_fraud/documents/data-protection/dpo/prumtr.pdf
[9] DNA-Database Management Review and Recommendations, ENFSI DNA Working Group, April 2014.
[10] Data Protection Newsroom – Commission proposes a comprehensive reform of the data protection rules. (2012). Retrieved from http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
About the Author:
Mr. Christopher Daub is a biometrics subject matter expert who most recently worked for Northrop Grumman Corporation as a business development representative and analyst. He has seven years of military and private industry experience in military intelligence. Prior to his current position, Mr. Daub spent four years at the National Ground Intelligence Center in Charlottesville, VA as a drilling reservist and contracting subject matter expert on IEDs and biometrics analysis. He holds a B.A. in Political Science from Indiana University – Bloomington.