Data protection conflicts between the United States and the European Union in the war on terror: lessons learned from the existing system of financial information exchange.

Author: VanWasshnova, Matthew R.

INTRODUCTION

In the middle of 2006, two significant issues, both involving privacy and specifically data protection, came to the forefront of U.S. efforts in the War on Terror. First, in May 2006, the European Court of Justice (ECJ) annulled an agreement between the United States and the European Union regarding the transfer of airline passenger information--or passenger name records (PNR)--from the European Union to the United States. (1) The annulment of the PNR data transfer agreement by the ECJ reignited the debate as to whether the transfers violated E.U. data protection laws. The second major issue arose on June 24, 2006 when the New York Times uncovered a secret U.S. government financial record surveillance program called the Terrorist Finance Tracking Program (TFTP). (2) Details of the secret TFTP immediately raised concerns of data protection violations both in the United States and in the European Union.

Because terrorists reveal themselves to the international community only (1) when they travel abroad; or (2) when they transact abroad, both the PNR transfer and the TFTP represent noteworthy counter-terrorism efforts by the United States. Clearly, however, the annulment of the PNR data transfer agreement and disclosure of the TFTP to the international community have strained relations between the European Union and the United States. The European Union and the United States will be hard-pressed to improve relations unless the two governments can find common ground regarding the impact of their data protection policies on these two distinct problems. In order to find that common ground, this Note recommends (1) that the United States terminate the TFTP and improve the existing system of financial information exchange to obtain the information that it needs for combating the financing of terrorism; and (2) that the United States apply the existing system of financial information exchange to the PNR data transfer process.

This Note seeks to adapt and apply the universally accepted system of financial information exchange that was first developed as an anti-money-laundering tool, and later embraced as a counter-terrorism finance instrument, to the PNR data transfer and TFTP issues introduced above. Therefore, it will address the transfer of airline passenger data alongside the current global model of sharing financial information in anti-money laundering and countering the financing of terrorism (AML/CFT) efforts. Part I analyzes the general distinctions between data privacy protection policies in the United States and European Union and examines the reasons underlying the conflicts addressed in Part II. Part II first sets out the background of PNR data transfers between the United States and European Union and the evolution of the subsequent conflict regarding the transfers. Part II then explores the TFTP and its alleged violations of E.U. data protection laws. Part III considers the existing AML/CFT approach to financial information exchange and its implementation in the United States and Europe. Remaining mindful of the delicate balance between security and privacy protection, Part IV recommends that (1) the United States and European Union follow the existing system of financial information exchange in sharing airline passenger information, and (2) the United States terminate the TFTP or restructure it so that it follows the AML/CFT model of sharing financial records.

  I. E.U. AND U.S. DATA PROTECTION LAWS

    A. The E.U.'s Blanket Protection vs. the U.S.'s "Patchwork Quilt"

    The European Union and the United States have taken two separate, and perhaps incompatible, paths in legislating data privacy. (3) The European Union aims to restrict the amount of data collected and to prevent the data from being used for purposes other than those for which they were collected. (4) The United States, on the other hand, allows broader data collection and storage. (5) Moreover, while the European Union has tightly woven a blanket data protection policy "covering the full spectrum of uses of personally identifiable information," (6) the United States has stitched a "patchwork quilt" (7) of privacy legislation, legislating restrictions only where individual problems arise. (8) This basic difference between the data protection policies of the United States and the European Union is the root problem underlying the PNR data transfer and TFTP disputes outlined in Part II of this Note.

    B. The European Union and the Data Protection Directive

    In 1995, the European Parliament and the European Council passed Directive (9) 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive). (10) The Data Protection Directive "can be seen as a general framework legislative provision, which has as its principle aims: (1) the protection of an individual's privacy in relation to the processing of personal data; and (2) the harmonization of the data protection of the Member States." (11)

    Another important principle of the Data Protection Directive is that personal data can be transferred only to countries outside of the European Union that guarantee an "adequate level of protection." (12) Thus, the Data Protection Directive has an extra-territorial effect because it prevents private and public sector entities within the European Union from transferring data to any countries outside of the European Union that provide inadequate data protection. In determining whether a foreign country affords an adequate level of protection, the Commission assesses the totality of the

    circumstances surrounding a data transfer operation ... [with] particular consideration ... given to the nature of the data, the purpose and proposed processing operation or operations, the country of origin and the country of final destination, the rules of law ... and the professional rules and security measures which are complied with in that country. (13)

    When the European Commission (Commission) finds that a foreign country does not maintain an adequate level of protection, Member States are required to prevent any data from being transferred to that country and the Commission is required to enter into negotiations with the country to remedy the problem. (14)

    A final major principle of the Data Protection Directive is its focus on oversight. For instance, Article 28 of the Data Protection Directive requires each Member State to establish an independent enforcement body. (15) Each Member State's independent authority must be consulted when the government drafts legislation relating to processing of personal data. (16) These independent authorities also have the power to conduct investigations, initiate legal proceedings, and hear claims pertaining to data protection violations. (17) In addition, Article 29 established the Article 29 Working Party, which advises the Commission on data protection and privacy matters. (18) The Article 29 Working Party is composed of a representative from each Member State, a representative of the Community, and a representative of the Commission. (19)

    C. The Sectoral and Self-Regulatory Approach to Data Protection in the United States

    While the European Union has focused specifically on data protection in the Data Protection Directive, U.S. privacy law refers to a more general right to privacy. (20) This is a direct result of the evolution of the U.S. right to privacy at common law, (21) which was necessitated by the failure of the U.S. Bill of Rights to specifically provide for a fundamental right to privacy. (22) Because the term "privacy" can have various meanings in U.S. law, ranging from a woman's right to an abortion to a person's choice to keep or remove his or her name from a telemarketing list, a person has to scour a number of authorities--the "patchwork quilt"--to determine how any element of his or her data is protected in the United States. (23) This sectoral approach has at times left parts of the public inadequately protected from privacy infringements and is specifically problematic because technological developments render some legislation obsolete. (24)

    The U.S. Congress has also applied protections unevenly between the public and private sectors. As shown by the Freedom of Information Act (FOIA) (25) and the Privacy Act of 1974, (26) the U.S. Congress has been willing to regulate the use of data in the public sector. (27) The Privacy Act of 1974, which amended the FOIA, protects a person's records (28) from government agency disclosure and requires that federal agencies establish "appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity." (29) Also under the Privacy Act of 1974, agencies must "establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records...." (30) However, the fact that Congress deliberately chose not to extend the Privacy Act of 1974 to the private sector illustrates the general reluctance of the U.S. government to interfere in the affairs of individuals and businesses. (31)

    Besides this "patchwork quilt" of data privacy legislation, the United States also relies on various forms of self-regulation, "in which companies and industry bodies establish codes of practice and engage in self-policing." (32) Like the sectoral approach, however, self-regulation is often criticized for being predominantly reactive, providing inadequate data protection, and failing to have sufficient independent oversight and enforcement mechanisms. (33)

    When the European Council passed the Data Protection Directive in 1995, the Commission considered U.S. protection of European data inadequate because the United States did not have comprehensive privacy protections. (34) To enable the continuing free flow of commerce...
