Will Privacy Law in the 21st Century be American, European or International?

Intermediate Examination Paper, 2010

43 Pages, Grade: befriedigend



A. Introduction

B. The future of global privacy law
I. The scope of „privacy” and “data protection”
II. The need of global harmonisation
1. The need of free flows of data
2. Higher risks and threats
3. Territorial jurisdiction and the internet
4. Recent transatlantic data conflicts
a) Passenger name records (PNR)
b) Society for worldwide interbank financial telecommunication (SWIFT)
c) United Bank of Switzerland (UBS)
5. Conclusion of part II
III. Perspectives
1. U.S. legal framework
2. European legal framework
3. International legal framework
a) United Nations (UN)
b) Organisation for economic cooperation and development (OECD)
c) Asia-pacific economic cooperation (APEC)
4. Extraterritorial application of law
5. Conclusion of part III
IV. Prospects
1. Multilateral conventions
2. Regional conventions
3. Model laws
4. Adequacy and accountability approach
5. Technical standards
6. International guidelines
7. Non-binding policy standards
8. Private-sector instruments
9. Conclusion of part IV

C. Final conclusion


Aaron, David L.,"Remarks before the Information Technology Session of America”, Fourth Annual IT Policy Summit, 1999

Archick, Kristin,"US-EU Cooperation against Terrorism", Washington D.C., Congressional Research Service, 19 January 2005, http://www.fas.org/sgp/crs/terror/RS22030.pdf

beck-aktuell-Redaktion, Verlag C. H. Beck, 22 December 2009, http://0-beck-online.beck.de.catalogue.ulrls.lon.ac.uk/Default.aspx?vpath=bibdata\reddok\hp.10\295477.htm&pos=0&hlwords=swift#xhlhit%3E

Besson, Eric, „Plan de développement de l’économie numérique“, http://www.gouvernement.fr/gouvernement/eric-besson-presente-le-plan-de-developpement-de-l-economie-numerique

Bygrave, Lee, “International agreements to protect personal data", in: "Global Privacy Protection, The First Generation", James B. Rule & Graham Greenleaf (ed.), 2007; cited as: "Bygrave, International agreements to protect personal data"

Bygrave, Lee, “Privacy protection in a global context – A Comparative Overview”, in: "Scandinavian studies in law", Peter Wahlgren (ed.), Stockholm Institute for Scandinavian, Law, iss. 47, 2004; cited as: "Bygrave, Privacy Protection in a Global Context“

Bygrave, Lee, “Data Protection Law: Approaching Its Rationale, Logic and Limits”, The Hague/London/New York, Kluwer Law International, 2002; cited as: “Bygrave, Data Protection Law”

Computer und Recht International (CRI),"EU: Revision of the ePrivacy Directive", 5/2009, pg. 155-157

de Hert, Paul / Schreuders, Eric,"The Relevance of Convention 108. European Conference on Data Protection on Council of Europe Convention 108 for the protection of individuals with regard to automatic processing of personal data: present and future”, from DP Conf (2001) Reports, pg. 63 - 76, The Council of Europe (ed.), http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/events/conferences/DP%282001%29Proceedings_Warsaw_EN.pdf

de Leeuw, Karl / Bergstra, Jan,"The History of Information Security, A Comprehensive Handbook", Elsevier Science, 2007

de Terwangne, Cécile, “Is a Global Data Protection Regulatory Model Possible?”, in: “Reinventing Data Protection?", Gutwirth, Poullet, De Hert, de Terwangne, Nouwt (ed.), Springer Science, 2009

Der Spiegel,"Illegale Überwachung: FBI erschlich sich Telefondaten zur Terrorabwehr", 19 January 2010, http://www.spiegel.de/politik/ausland/0,1518,672646,00.html

Estrella Faria, José Angelo, „Drafting and negotiating history of the electronic communications convention“, in: Amelia H. Boss, Wolfgang Kilian (ed.), The United Nations convention on the use of electronic communications in international contracts, Wolters Kluwer, 2008

European Parliament,"Passenger name records and SWIFT ", Press release on 14 January 2010, http://www.europarl.europa.eu/sides/getDoc.do?type=IM-PRESS&reference=20091216BRI66603&secondRef=ITEM-016-EN&format=XML&language=EN

European Parliament,"SWIFT: new EU-US agreement will be renegotiated next year”, Press release on 17 September 2009, http://www.europarl.europa.eu/news/expert/infopress_page/019-60698-257-09-38-902-20090915IPR60697-14-09-2009-2009-false/default_en.htm

European Parliament, “SWIFT: European Parliament to vote on interim agreement at February session“, Press release on 21 January 2010, http://www.europarl.europa.eu/news/expert/infopress_page/019-67614-018-01-04-902-20100119IPR67613-18-01-2010-2010-false/default_en.htm

European Parliament, “SWIFT interim agreement: Civil liberties Committee to vote on 4 February“, Press release on 27 January 2010, http://www.europarl.europa.eu/news/expert/infopress_page/019-67946-025-01-05-902-20100125IPR67943-25-01-2010-2010-false/default_en.htm

Frumholz, Julia M., “The European Data Privacy Directive”, Berkeley Technology Law Journal, 2000, iss. 15, pg. 461-484

Goldring, John, „Globalisation, national sovereignty and the harmonisation of laws“, Uniform Law Review, 1998, vol. 2, pg. 435-452

Grant, Hazel, “Data protection 1998-2008”, in: Computer Law & Security Review, 2009, vol. 25, iss. 1, pg. 44-50

Greenleaf, Graham,"Five years of the APEC Privacy Framework: Failure or promise?", in: Computer Law & Security Review, 2009, vol. 25, iss. 1, pg. 28-43

Holvast, Jan,"History of privacy", in: "The History of Information Society: A Comprehensive Handbook", Karl de Leeuw and Jan Bergstra (ed), 2007

Kennedy, Gabriela / Doyle, Sara / Lui, Brenda / and Contributors,"Data protecion in the Asia-Pacific region", Computer Law & Security Review, 2009, vol. 25, iss. 1, pg. 59-68

Kirby, Michael,"Privacy protection, a new beginning: OECD principles 20 years on", Privacy Law & Policy Reporter, issue 6, pg. 25, http://www.austlii.edu.au/au/journals/PLPR/1999/41.html

Kobrin, Stephen J.,"Safe harbours are hard to find: the transatlantic data privacy dispute, territorial jurisdictions and global governance", Review of International Studies, British International Studies Association, 2004, iss. 30, pg. 111-131

Kozuka, Souichirou,"The economic implications of uniformity in law", in: Uniform Law Review, 2007, part 4, pg. 683-696, http://www.unidroit.org/English/publications/review/articles/2007-4-kozuka-e.pdf

Kuner, Christopher,"An international legal framework for data protection: Issues and prospects", Computer law & Security Review, 2009, pg. 307-317, vol. 25, iss. 5, pg. 2009; cited as: "Kuner, An international legal framework for data protection"

Kuner, Christopher,"Developing an Adequate Legal Framework for International Data Transfers“, in: in: “Reinventing Data Protection?, Gutwirth, Poullet, De Hert, de Terwangne, Nouwt (ed.), Springer Science, 2009; cited as: "Kuner, Developing an Adequate Legal Framework for International Data Transfers“

Lessig, Lawrence,"Code and other laws of cyberspace", Basic Books, 1999

Lillington, Karlin, “Personal privacy issues in the global public eye“, Irish Times, 13 November 2009, http://www.irishtimes.com/newspaper/finance/2009/1113/1224258713752.html

Mathiason, Nick, “Tax scandal leaves Swiss giant reeling”, The Observer, 29 June 2008, http://www.guardian.co.uk/business/2008/jun/29/ubs.banking

Meller, Paul,"Europe Fights U.S. Over Passenger Data", New York Times, 22 September 2003, http://www.nytimes.com/2003/09/22/business/worldbusiness/22FLY.html?pagewanted=1

Mills, Elinor, “Google proposes global privacy standard“, http://news.cnet.com/Google-proposes-global-privacy-standard/2100-1030_3-6207927.html

Newman, Abraham L., “Protectors of Privacy. Regulating Personal Data in the Global Economy”, Cornell University Press, 2008

Nouwt, Sjaak, „Towards a Common European Approach to Data Protection: A Critical Analysis of Data Protection Perspektives of the Council of Europe and the European Union“, in: “Reinventing Data Protection?, Gutwirth, Poullet, De Hert, de Terwangne, Nouwt (ed.), Springer Science, 2009

Pallasky, Ansgar,"Datenschutz in Zeiten globaler Mobilität", Nomos Verlag, 2006

Peeters, Maarten, „Security Policy vs. Data Protection, Transfer of Passengers’ Data to U.S. Authorities“, Zeitschrift für Multimedia und Recht (MMR), 2005, pg. 11-16

Poullet, Yves / Dinant, Marc J.,"The internet and private Life in Europe: Risks and aspirations", in: A.T. Kenyon and M. Richardson (ed.), "New dimensions in Privacy Law. International and Comparative Perspectives", Cambridge Univ. Press, 2006

Poullet, Yves,"Data protection legislation: What is at stake for our society and democracy?", in: Computer Law & Security Review, 2009, vol. 25, iss. 3, pg. 211-226

Prosser, William L.,"Right of Privacy", in: "Handbook of The Law of Torts", West Publishing Co., 3rd Edition 1964, pg. 829-851

Regan, Priscilla M., “The United States”, in: "Global Privacy Protection: The First Generation", James B. Rule and Graham Greenleaf (ed.), Edward Elgar Publishing, 2009, pg. 50-80

Reidenberg, Joel R.,"Setting Standards for Information Practice in the US Private Sector", in: Iowa Law Review, 1995, vol. 80, no. 3, pg. 497-546; cited as: "Reidenberg, Setting Standards for Information Practice in the US Private Sector"

Reidenberg, Joel R., „E-Commerce and Transatlantic Privacy“, in: Houston Law Review, 2001, iss. 38, pg. 717-749, http://reidenberg.home.sprynet.com/Transatlantic_Privacy.pdf; cited as: "Reidenberg, E-Commerce and Transatlantic Privacy“

Robinson, Neil,"Has European Data Protection Law Become Outdated?", Zeitschrift für Multimedia und Recht (MMR), 2009, iss. 11, pg. 725-726

Roch, Michael P.,"Filling the Void of Data Protection in the United States: Following the European Example, Santa Clara Computer and High Technology Law Journal, February 1996, pg. 71-96

Rule, James B.,"Conclusion", in: "Global Privacy Protection: The First Generation", James B. Rule and Graham Greenleaf (ed.), Edward Elgar Publishing, 2009, pg. 50-80

Schäuble, Wolfgang, “Aktuelle Sicherheitspolitik im Lichte des Verfassungsrechts”, Zeitschrift für Rechtspolitik (ZRP), 2007, pg. 210 ff.

Simitis, Spiros,"Übermittlung der Daten von Flugpassagieren in die USA: Dispens vom Datenschutz?, Neue Juristische Wochenschrift, 2006, iss. 28, pg. 2011-2013

Smedinghoff, Thomas J.,"Defining the legal standard for information security"in: "Securing privacy in the Internet Age", Stanford University Press, 2008

The Economist,"Learning to live with Big Brother; Civil liberties: surveillance and privacy", 29 September 2007, Vol. 384, Iss. 8548

Warren, Samuel / Brandeis, Louis,"The right to privacy", in: Harvard Law Review, Vol. IV, December 15, 1890, No. 5

Westin, Alan, „Privacy and Freedom”, The Bodley Head Ltd, 1970

A. Introduction

Rapidly developing technologies are providing new and very powerful means to sort, combine and analyse data[1]. This data exists in a networked environment, thus personal information can be collected and processed on any computer on the Net and is, at least in theory, accessible by every computer on the Net. The development of the Internet has made it possible to transfer this data "around the globe at the click of a mouse"[2]. Fresh business models such as "cloud computing", the newest "driver to illustrate the speed and breadth of the environment"[3], allow this data to be processed across national borders on a routine basis.

Individuals and companies are "increasingly immersed in social networking, search technologies, online commerce and many other activities in which information about an individual is sent worldwide from one point to another"[4]. These activities became more and more borderless, because the Internet, as an open window to the world, blurs the lines between public and private space, firstly since globalisation and the outsourcing of economic actors entrain an ever growing exchange of personal data, additionally because of the security pressure in the name of the legitimate fight against terrorism opens the access to a significant number of data to an increasing number of public authorities and finally this is due the tools of the digital society accompany everyone at each stage of life by leaving permanently individual and borderless traces in both space and time.[5]

Therefore, calls of both the public and private sectors for an international legal framework for privacy and data protection[6] have become louder.

Last remarkable steps of the public sector were the "Montreux Declaration"[7], in which the Privacy Commissioners stated that "it is necessary to strengthen the universal character of this right in order to obtain a universal recognition of the principles governing the processing of personal whilst respecting legal, political, economical and cultural diversities" and appealed to the United Nations "to prepare a binding legal instrument which clearly sets out in detail the rights to data protection and privacy as enforceable human right". This appeal was repeated in 2008 at the 30th International Conference held in Strasbourg[8], and at the 31th conference 2009 in Madrid[9] through the draft of a global legal instrument on DP with a view to submitting it to the United Nations.

But also companies such as Google and Facebook have come under continuous pressure from governments and citizens to reform data use of data. Complaints from the Canadian Privacy Commissioner made it imminent for Facebook to change significantly some of the ways in which it handles personal data. Google as well has repeatedly revised its own practices of handling and retaining personal data in response to complaints from the European Commission. In 2007, Google called for the creation of "Global Privacy Standards"[10].

Could these calls possibly be best achieved by an international framework for DP, rather than a collection of national or regional approaches? The main purpose of this work is to consider what the obstacles are to such a DP framework, what issues would have to be faced for it to be approved and implemented and what aspects of harmonisation of law could be applied to DP as well.

B. The future of global privacy law

I. The scope of “privacy” and “data protection”

To those outside the DP world it must seem incredible that lawyers are still debating the central issue in DP: what are we trying to protect?[11]

In 1890, the American lawyers Samuel Warren and Louis Brandeis described the scope of "privacy" in a famous article: it is "the right to be let alone"[12]. In 1967 a new milestone was reached when Alan Westin defined privacy in terms of self determination: "Privacy, now, is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”[13]. The strong relationship between privacy and the development of technology then made it inevitable under the circumstances an of an uprising information society to introduce the term "data protection".

In the following, companies, nongovernmental or governmental organizations and academics tended to mix the two terms "data protection" and "privacy". The "Global Privacy Standard"[14] for example refers as well to "privacy", as to "consent, purpose limitation, and access rights" in their elaborated principles themselves. The latter have traditionally been thought to be key concepts of DP law. Neither the calls for an international framework could avoid mixing both terms: The resolution approved at the 30th International Conference in Strasbourg still refers to "the rights to data protection and privacy"[15].

In the European DP law, privacy includes issues relating to the protection of an individual’s personal space that go beyond DP, such as "private, family and home life, physical and moral integrity, honour and reputation, avoidance of being placed in a false light, non-revelation of irrelevant and embarrassing facts, unauthorised publication of private photographs, protection against misuse of private communications, protection from disclosure of information given or received by the individual confidentially"[16]. DP is explicitly mentioned as a fundamental right in several EU Member State constitutions. While the Article 29 Working Party[17] produced a document about what is "personal data"[18], the EU Data Protection Directive 95/46/EC[19] divided his approach to the definition issue into four key elements: Any information, relating to, identified or identifiable, natural person. So, the definition of personal data is more clouded now than it was ten years ago. Hazel Grant states that "perhaps we now have two definitions of "personal data": one for general use and one for dealing with cases where an individual requests his/her own personal data"[20].

The U.S. Constitution protects (not until being interpreted by the US Supreme Court) under the rubric of "privacy" values that go beyond the protection of personal data: An individual’s constitutional right to be free from unreasonable searches and seizures by the government[21], the right to make decisions about contraception[22], abortion[23] and other intensely personal areas such as marriage, procreation, child rearing, and the right to associate free from government intrusion[24].

The focus of this paper could therefore enclose a huge variety between privacy, DP, human rights and personal space. Nevertheless the author will keep in mind, that the concepts of DP and privacy are "twins, but not identical"[25], and that DP law "seeks to give rights to individuals in how data identifying them or pertaining to them are processed, and to subject such processing to a defined set of safeguards"[26], while privacy can be seen as a “concept which is broader than data protection, though there can be a significant overlap between the two”[27]. Thus, it seems to be more practical to limit the scope of this paper on a global framework for DP.

II. The need of global harmonisation

1. The need of free flows of data

In the last decades, the sharing of personal data, the movement of goods and services and similar multi-place economic activities has lead to "globalisation". The transfer of personal data is linked to these flows of goods and services, thus the need to have personal data free to be transferred worldwide grew at the same time. When the OECD Privacy Guidelines were adopted in 1980, guaranteeing the free flow of data was already taken into account so that business activities could be run properly.

On top of this is the fact that we also live in a networked society. Ancient telecommunication technologies for human interconnection that were hard to learn and were left to certain experts are now available to “ordinary” individuals. Wide spreading private websites, blogs, forums and particularly so called "social networks" are the result. It is hard to imagine life without this new form of online communication, open to the general public, so the free data flow on these platforms became an everyday need.

Thus, the aim of a global harmonisation should be, that it don´t make any difference for data users or data subjects whether data processing operations take place in one or in several countries. Concern has been expressed that data users might seek to avoid DP controls by moving their operations to countries which have lower standards in their DP laws or no such laws at all. In order to control that risk some countries have implemented special controls into their domestic law. Again, such controls may interfere with the need of free international data flow. A formula had to be found to make sure that DP at the international level does not prejudice this principle.

The EU DP Directive for example states that it is important to ensure that 1) the processing of personal data receives effective protection regardless of where it is carried out, and 2) that data can be processed between jurisdictions with as few impediments as possible.

2. Higher risks and threats

Yves Poullet states that the constant growth of the capacity of computers, user terminals and the communication infrastructure, and the almost limitless capacity of computer analysis is the first of three mayor changes that caused new risks to privacy.[28] Secondly, there is the Internet revolution: The convergence of the network around a single platform, the appearance of the "Semantic Web" and Web 2.0 and the changes in identification technology. Thirdly, the "emergence of ambient intelligence that takes technology and the network and puts that technology into our everyday life"[29] ;

Another threat consists in the gathering of personal information and profiling, seemingly a fix part of the e-Commerce. Already in January 2000, a US Federal Trade Commission survey revealed, that between 97 % and 99 % of all websites collect personal identifying information from and about consumers.[30] Information and communication "generate additional and most of the time hidden flows of data, which are necessary for the information service or help to the management of the service while others are exploited for their potential economic value"[31].

As globalisation of economic activities has caused an intensification of cross-border personal data exchanges, it also has increased the difficulty for data subjects to keep control over one´s personal data once they have been communicated through the network.

Since the 11th of September 2001, the globalised and networked society has become a “cross-border surveillance society”[32]. Flows of personal data have entered into the telescopic sight of trans-national police, surveillance services and politicians worldwide. The former German minister of the interior, Dr. Wolfgang Schäuble, named the global information society the "basis of crime", calling for a "legislator to constitute transparent bases to know who collects data and what for, what kind of networks can be linked-up, how long data can be stored etc. Security politics cannot avoid an increasing decentralised information structure, ending up in a changing threat for national security. They have to adjust it actively”[33]. In the same or similar way many governments say they need to gather data to ward off terrorism.[34]

The relation between governmental prevention and repression is changing: The States are “intensifying and globalising their averting of danger"[35] of more and more decentralised organised threats on national security. Surveillance at work, CCTV control, Radio frequency identification (RFID), Passenger name records (PNR) and biometric data scanners followed the process of an increasing security concern worldwide. This opened the doors for intrusive technologies of data processing and of hidden collections and uses of personal data. DP legislation needs to be adapted to these technological and socio-political changes that threaten the essential conditions for every person to freely develop their personality.

3. Territorial jurisdiction and the internet

Even between States which have a very similar system of DP law, it may not always be easy to determine which State has jurisdiction and which national law applies. Furthermore, persons resident in one country may find it difficult when they want to exercise their rights regarding automated data files in other countries. Such problems can only be satisfactorily solved through international harmonisation, at least a higher level of co-operation.

4. Recent transatlantic data conflicts

The transatlantic dispute illustrates significant EU-US differences about the meaning of privacy, DP and the protection of it. Such a dispute became evident when 1) the impact of DP regulation could not be limited to the geographic territory of the originating jurisdiction and 2) state capabilities and authority in other affected jurisdictions were "constrained to the point where impacts cannot be mitigated"[36].

Particularly the EU DP Directive has an impact on the transatlantic conflicts. This Directive was designed to protect European´s data privacy. As mentioned above, in a world where data flows are a cross-border issue, "that regulation must reach beyond the EU if it is to be meaningful, it must apply wherever the data are transferred and processed", thus, "domestic legislation has a transnational footprint"[37]. These kinds of conflicts are not new, but an increasing intensity of transatlantic economic transactions could make them the rule rather than an exception.

a) Passenger name records (PNR)

Following the terrorist attacks of 9/11, the US passed legislation in November 2001 providing that air carriers operating flights to, from or across the US territory had to provide the US customs authorities with electronic access to the data[38] contained in their automated reservation and departure control systems, called "Passenger name records" ("PNR"). The following political negotiations between the European Commission and the US Department of Homeland Security (DHS) concerned the transfer and use of European air passengers’ data to US authorities in the fight against terrorism and other serious crimes.

Articles 25 and 26 of the EU DP Directive are dealing with the transfer of personal data to third countries. Article 25 states that the transfer of personally identifiable data to any third country that does not provide "adequate" protection is prohibited. This includes the US. Exceptions to the application of this Directive on this case are not applicable[39]. That was one of the reasons why the Commission also thought that the legality of the transfer of PNR to the US authorities could not be based on an Article 25 § 6 decision alone. It stated that the transfer will be legal if such an adequacy finding is combined with a ”light" bilateral international agreement: ”An international agreement would thus be required to authorize U.S. authorities to pull PNR data from the EU, as long as a system whereby PNR data would be ’pushed’ from the Community to the U.S. is not in place"[40].

The European Commission tried to solve this US demand for data held by European firms by negotiating with the U.S. authorities a series of requirements and subsequently adopting the Decision 2004/535/EC, assuming that the US would ensure an adequate level of DP for the transfers, in order not to infringe Article 25 of the EU DP Directive 94/46/EC. This decision made it possible for the European Council to adopt the Agreement of 17 May 2004 between the European Community and the United States of America[41] to officially allow the transfers. In this "safe harbor" PNR transfer agreement, the United States have committed to "undertakings"[42], how to use PNR data.

In spite of this, the US-EU PNR agreement has been criticised by the Article 29 DP Working Party and privacy advocates.[43] Academics called it a "dispensation of data protection"[44] and thus the PNR also reached the attention of the general public. On 30 May 2006 the European Court of Justice (ECJ) annulled the Decisions 2004/496/EC and Commission Decision 2004/535/EC due to the fact that both could not have their legal basis in EU transport policy, a first pillar provision.[45] But the European Council worked to substantively resurrect the agreement before the court-mandated deadline of 30 September 2006.[46]

Objections of DP issues also concern the insufficient defined project tying of data during transfer and forward to other positions in the US and third countries. Moreover the period of storing of initial 3 1/2 years increased to 7 years with the possibility of another extension of 8 years. The transfer of data records is still processed in a so called "pull"-proceed, is to say through an access to booking systems of carriers. In an isolated case this could be more than the mentioned 19 data records. Therefore the Article 29 Working Group ordered the carriers to install a filter software to cause that the in the agreement agreed data records would be transferred in a so called "push" proceeding. On the part of the carriers the necessary preparations for a "push" proceeding are completed, now the American authorities have to make the next move to meet their obligations.

A new, controversial PNR interim agreement between the US and the EU in consequence of the mentioned ECJ decision was signed in July 2007 and expired on 31 July 2007. On 1 August 2007, a new agreement, which has a maturity of seven years entered provisionally into force, replacing the interim agreement that was concluded.[47] Furthermore questionable is the range of the transferred data. Certainly the newest agreement contains only 19 data records compared with the 34 data records agreed before, but data elements have been united to such records. In the future, the US authorities are in certain cases even permitted to access other data than the below mentioned as long as these are recorded in the booking systems of the carriers.

The European Parliament's pressure and the prospect of the Lisbon Treaty's entry into force have led the Council of Ministers to suspend further discussion on a PNR scheme until Members receive co-decision powers on this issue. On 6 October 2009, EP Rapporteur Sophie In't Veld (ALDE Party) welcomed the decision to put on hold a European scheme for providing airline passengers' personal data to anti-terrorist units. Several accords have been applied provisionally but not yet formally ratified, including the SWIFT network in connection with the US Terrorism Finance Tracking Programme (TFTP) and the transfer of PNR to the US and Australia. Formerly part of the "third pillar", they can now be approved or rejected by the European Parliament, which acquired this new power under the Lisbon Treaty and it applies to agreements that were signed but not formally concluded by 1 December 2009. So, the European Council will make a statement on a number of international agreements that must be submitted in the near future to Parliament for its consent, including transfers of bank data to the USA (SWIFT) and several passenger name record agreements (PNR) that are already being applied. EU ministers have signed the accords but they require Parliament's approval, without which they will have no legal force.[48]

Similar to the PNR data conflict is the issue of "biometric passports". In the travel sector, security will be improved mainly by the fact that dangerous people are already prevented from entering the airplane. An effective "identification based security structure" requires one on identification and verification of persons based security structure. Essential elements of this are the introduction of biometric passports and the prior transmission of passenger data. As breakthrough for biometric systems as a global security technology can be named the US activities in the aftermath of the 9/11 attacks. The American legislator opted for the widespread introduction of biometrics in visas and foreign travel documents. EU citizens' passports, issued from October 2006 must now contain biometric data according to the guidelines of the International Civil Aviation Organization (ICAO) to ensure that the exemption from the visa requirement is maintained. The Council of Europe[49] then took the opportunity to introduce the regulation[50] on standards for security features and biometrics in passports and travel documents issued by Member States (so called "e-passports"). In November 2005, Germany for example, has started to issue biometric passports. The European Commission has adopted on 29 June 2006 in Brussels, the access protection for the chip data in e-passports. The Extended Access Control (EAC) will protect the stored fingerprints in passports against unauthorized access. EU-wide, the introduction of the second generation of electronic passports has started. From November 2007 on, not only the passport photograph but the fingerprints will be part of the biometric data.

In mid-January 2008, the European Commission presented plans for additional biometric travel checks. In future, all third-country nationals entering the EU have to give their fingerprints and undergo an automatic iris control. This biometric information will be stored together with the other passport data and checked with other databases. When leaving, the third-country nationals will be subject of the same procedure again. Through this process, the EU intents to carry out an "entry-exit-control". EU citizens are "invited" to register on a voluntary basis. Not only travellers requiring visas will be registered, but all the third-country nationals, which drastically raises the number of people affected. The appropriateness of the collection of fingerprints, going beyond the requirements of ICAO, is at least questionable, regarding the right of informational self-determination and DP issues.[51]

b) Society of worldwide interbank financial telecommunication (SWIFT)

As a result of heightened security concerns, the US government called for access to increased amounts of European data about its citizens. Since 2006, a European-based financial services consortium, called SWIFT, provided the US Treasury Department with detailed personal information concerning international money transfers.[52] US-EU negotiations had become necessary because the central SWIFT's data centre moved from the U.S. to Switzerland, so a direct access by the U.S. authorities was no longer possible. On 27 July 2009 the Council unanimously adopted the negotiating directives for the negotiation by the Presidency, assisted by the Commission, of an international agreement with the US, on the basis of Articles 24 and 38 of the Treaty on European Union, to continue the transfer of SWIFT data to the US authorities. The day before the entry into force of the Lisbon Treaty[53] the SWIFT agreement with the U.S. government was signed. This against various raised concerns in the run although SWIFT concluded with the US Treasury Department a memorandum of understanding which narrowed the scope of data transferred and confined the scope of data searches to specific counter-terrorism cases, and subjected such transfers and searches to independent oversight and audit, including real-time monitoring.

Thilo Weichert, Director of the ULD[54], mentioned that the German federal government "despite of the existence of the SWIFT constitutional concerns had not stopped the agreement by their veto. As part of the ratification process Germany can and must now take drastic action. […] The EU and Germany cannot make themselves accomplices in systematic infringement of basic rights now, because the access is no longer possible, make themselves accomplices in systematic infringement of basic rights", because "the most basic requirements of data are disregarded"[55]. Another criticism consists in the fact that after the Lisbon Treaty, the full participation of the European Parliament would have been necessary on this agreement. The Article 29 Working group stated that even in the fight against terrorism and crime the fundamental rights must be preserved. It also has to be taken in account that SWIFT makes it potentially possible to detect not only transfers linked to illegal activities but also information on the economic activities of the individuals and countries concerned, and could thus be misused for large-scale forms of economic and industrial espionage.

Through the SWIFT interim agreement the US is still allowed to access through the SWIFT authority personal data on transfers and other private banking account data of EU citizens to identify suspected terrorists. According to the ULD (see above), only an inquiry from the U.S. authorities with a reference to terrorism is sufficient to force SWIFT to publish the data and disseminating that information to the U.S. Any further use of this data results, even the disclosure to dictatorial states, presupposes only that the US can justify this with the identification, detection, prevention or prosecution of terrorism or terrorist financing. The affected persons have virtually no rights and no legal protection. There are no adequate physical protection measures and no independent data privacy controls.[56] At the sight of newest disclosures about lapses in the American authorities concerned with DP issues, it remains questionable if the US authorities use this data for counterterrorism activities only.[57]

Under the pressure from members of the European Parliament, the Council of EU ministers has agreed to renegotiate a deal with the US on the transfer of banking data in 2010, by which time the European Parliament may have a final say on such agreements under the Lisbon Treaty. Meanwhile, the European Parliament adopted a resolution[58] setting out guidelines to ensure privacy is not harmed under the deal being negotiated at present. In this resolution, the European Parliament repeated that the data transferred to the US authorities should be processed "only to fight terrorism" and that "storage and use must not be disproportionate" to this objective. It evoked the need to "strike the right balance between security measures and the protection of civil liberties and fundamental rights". EU citizens and enterprises should be granted an equal level of defence rights, and "judicial redress mechanisms" should be set up to prevent abuse.

Thus, the CoE will have to keep in mind the European Parliaments´ opinion when it makes a statement on a number of international agreements that must be submitted in the near future to Parliament for its consent, including transfers of bank data to the USA (SWIFT) and several passenger name record agreements (PNR) that are already being applied.[59] EU ministers have signed the accords but they require Parliament's approval, without which they will not be legally binding. The European Parliament acquired this new power under the Lisbon Treaty and it applies to agreements that were signed but not formally concluded by 1 December 2009. Both, the SWIFT and the PNR (interim) agreements have been applied provisionally but not yet formally ratified. So, according to Commissioner Jacques Barrot, "an immediate renegotiation will take place under the Treaty of Lisbon", which would give Parliament the final say on the text.[60]

The European Parliament will have the last word on the interim agreement on banking data transfers to the United States, signed on 30 November: The Parliament received the text on 25 January, and the Civil Liberties Committee discussed it the next day. Mr Weber, member of the „European People´s Party“, said that the agreement would have to meet several criteria in order to win his group's support. "We need to apply EU standards to EU data", "to give people a right of redress" in the event of misuse of personal data, and to allow access to data "on a case by case basis", he explained. "We have an open mind. It is up to the Council of Ministers to persuade us that this agreement is useful in order to fight terrorism", he added.[61] The European Commission announced[62] that a second report on SWIFT, by former counter-terrorism judge Jean-Louis Bruguière, would be published on 4 February.

c) United Bank of Switzerland (UBS)

The United Bank of Switzerland (UBS) is a diversified global financial services company, with its main headquarters in Basel and Zürich, Switzerland. It is the world's second largest manager of private wealth assets, and is also the second-largest bank in Europe. UBS also has a major presence in the United States, with its American headquarters located in New York City and Stamford, Connecticut. UBS's retail offices are located throughout the US, and in over 50 other countries.

On 22 June 2008 it was reported, that the US Federal Bureau of Investigation (FBI) had made a formal request to travel to Switzerland to probe a multi-million-dollar tax evasion case involving UBS. The New York Times reported that the case could involve some 20,000 US citizens. This is reported to be a consequence of information revealed in 2006 by a UBS client at risk of prosecution for US tax evasion.[63] After half a year of investigations against UBS, on 13 January 2009, chief Raoul Weil, Chairman and CEO of UBS Global Wealth Management and Business Banking and member of the Group Executive Board, having been indicted by a Federal grand jury in the Southern District of Florida[64] in connection with the ongoing investigation of UBS's US cross-border business by the United States Department of Justice in November 2008, was formally declared a fugitive after failing to surrender to U.S. authorities on charges of conspiring to help wealthy Americans hide assets to avoid paying taxes.

The incidents in this case aggravated for DP issues on 18 February 2009, when UBS agreed to pay a fine of $780 million to the US Government and entered into a deferred prosecution agreement on charges of conspiring to defraud the US by impeding the Internal Revenue Service (IRS). The Swiss Financial Markets Supervisory Authority (FINMA) subsequently gave the US government the identities and account information of certain US customers of UBS’s cross-border business. The day after, 19th February, the US government filed suit against UBS to reveal the names of all 52,000 American customers, alleging that the bank and these customers conspired to defraud the IRS and federal government of legitimately owed tax revenue.

The Swiss Federal Administrative Court prohibited in February 2009 the publication of bank records to U.S. authorities. However, the first data had already been sent to the US authorities on 18 February 2009.

On 19 August 2009, UBS signed a settlement agreement with the US Internal Revenue Service (IRS) regarding the John Doe summons issued on 21 July 2008. The agreement does not call for payment from UBS and both parties will promptly file a stipulation with the court dismissing the enforcement action relating to the John Doe summons. The agreement also resolves all issues relating to the alleged breaches of UBS's Qualified Intermediary Agreement with the IRS as set forth in the Notice of default dated 15 May 2008. In the agreement, the transfer of a total of 4550 consumers was arranged, the first 500 of them by 30 November 2009. The agreement has no DP objections at all.

5. Conclusion of part II

As we have seen, data protection issues have become a point of conflict between the United States and Europe in the new security environment, complicating transatlantic cooperation on counterterrorism[65]. Particularly the EU DP Directive 05/46/EC raised European protection levels and limited member state transfers of information to countries without adequate safeguards. At the end of the 1990s, the transatlantic partners "had entered into a full-blown trade conflict, threatening to disrupt information flows between the largest economic areas in the world. The tensions raised by the directive continue to plague transatlantic information privacy”[66]. But not only the US-EU market is affected. Worldwide the blockage of data flows "hinders the expansion of international trade, especially in the service sectors"[67].


[1] so called “data mining”

[2] Kuner, "An international legal framework for data protection: Issues and prospects", pg. 308

[3] Robinson, pg. 725

[4] Lillington, http://www.irishtimes.com/newspaper/finance/2009/1113/1224258713752.html

[5] http://www.privacyconference2008.org/index.php?page_id=12

[6] In the following called „DP“

[7] 27th International Conference of Data Protection and Privacy Commissioners on 14 September 2005, "The protection of personal data and privacy in a globalized world: a universal right respecting diversities", www.privacyconference2005.org/fileadmin/PDF/montreux_declaration_e.pdf

[8] "Strasbourg Resolution", 30th International Conference of Data Protection and Privacy Commissioners, Resolution on the urgent need for protecting privacy in a borderless world, and for reaching a Joint Proposal for setting International Standards on Privacy and Data Protection (2008), http://www.privacyconference2008.org

[9] "Madrid Resolution", http://www.privacyconference2009.org

[10] "Google is calling for a discussion about international privacy standards which work to protect everyone´s privacy on th internet. These standards must be clear and strong, mindful of commercial realities, and in line with oftentimes divergent political needs. Moreover, global privacy standards need to reflect technological realities, taking into account how quickly these realities can change"; http://googlepublicpolicy.blogspot.com/2007/09/call-for-global-privacy-standards.html

[11] Grant, pg. 44

[12] Warren / Brandeis, pg. 195

[13] Westin, pg. 7

[14] published in November 2006 by a working group led by the Ontario Information and Privacy Commissioner, see http://www.ipc.on.ca/index.asp?navid=46&fid1=575

[15] http://www.privacyconference2008.org/index.php?page_id=12

[16] Parliamentary Assembly of the CoE, Resolution 428, para C2, off 1970, http://assembly.coe.int/main.asp?Link=/documents/adoptedtext/ta70/eres428.htm; United Nations Universal Declaration of Human Rights (in the following "UDHR"), Art 8, http://www.un.org/en/documents/udhr/index.shtml#a8

[17] this Working Party was set up under Article 29 of Directive 95/46/EC and his tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC

[18] WP136 Opinion 4 of 20 June 2007 on the concept of personal data, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf

[19] Directive 95/46/EC of the European Parliament and of the Council of 24/10/1995 (in the following “EU DP Directive”; Official Journal of the European Communities No. L 281/31, Recital 3

[20] Grant, pg. 46

[21] Katz v U.S., 389 US 347, 1967

[22] Griswold v Connecticut, 381 US 479, 1965

[23] Roe v Wade, 410 US 113, 1973

[24] NAACP v Alabama, 357 US 449, 1958

[25] de Hert / Schreuders, pg. 42

[26] Kuner, “An international legal framework for data protection”, pg. 308

[27] Kuner, “An international legal framework for data protection”, pg. 309

[28] Poullet / Dinant, pg. 60 and ff.

[29] Poullet, pg. 217

[30] Bureau of Consumer Protection, "Privacy Online: Fair Information Practices in the Electronic Marketplace", Washington DC, FTC, 2000

[31] de Terwangne, pg. 177

[32] de Terwangne, pg. 177

[33] Schäuble, pg. 211

[34] The Economist, 29 September 2007, Vol. 384, Iss. 8548; pg. 72

[35] Pallasky, pg. 17

[36] Kobrin, pg. 111

[37] Kobrin, pg. 112

[38] while the minimum data for completing a booking is quite small, a PNR data typically contains 34 fields of data of a sensitive nature, like the passenger’s full name, date of birth, home and work address, telephone number, e-mail address, credit card details, as well as the names and personal information of emergency contacts

[39] Peeters, pg. 14

[40] European Parliament Report, 7 April 2004, A5-0271/2004, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A5-2004-0271+0+DOC+XML+V0//EN)

[41] "US-EU PNR agreement", Commission Decision of May 14, 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection, 2004/535/EC, C(2004) 1914, OJ L 235, July 6, 2004, 11-22)

[42] annex to the Commission Decision of May 14, 2004, cited above

[43] http://www.privacyinternational.org/issues/terrorism/rpt/transferringprivacy.pdf

[44] Simitis, pg. 2011-2014

[45] http://ec.europa.eu/dgs/legal_service/arrets/04c317_en.pdf

[46] http://curia.europa.eu/en/actu/communiques/cp06/aff/cp060046en.pdf

[47] Council Decision 2007/551/CFSP/JHA of 23 July 2007, OJ L204/16

[48] European Parliament press release on 14 January 2010, „Passenger name records and SWIFT“

[49] In the following „CoE“

[50] Council Regulation (EC) No 2252/2004 of 13 December 2004

[51] Pallasky, pg. 79

[52] New York Times, "Europe Fights U.S. Over Passenger Data", http://www.nytimes.com/2003/09/22/business/worldbusiness/22FLY.html?pagewanted=1

[53] Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007, Official Journal of the European Union, C 306, Vol. 50

[54] „Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein”, Germany

[55] beck-aktuell-Redaktion, Verlag C. H. Beck, 22 December 2009, http://0-beck-online.beck.de.catalogue.ulrls.lon.ac.uk/Default.aspx?vpath=bibdata\reddok\hp.10\295477.htm&pos=0&hlwords=swift#xhlhit%3E

[56] beck-aktuell-Redaktion, Verlag C. H. Beck, 22 December 2009, http://0-beck-online.beck.de.catalogue.ulrls.lon.ac.uk/Default.aspx?vpath=bibdata\reddok\hp.10\295477.htm&pos=0&hlwords=swift#xhlhit%3E

[57] Der Spiegel, "Illegale Überwachung: FBI erschlich sich Telefondaten zur Terrorabwehr ", 19 January 2010

[58] "European Parliament resolution of 17 September 2009 on the envisaged international agreement to make available to the United States Treasury Department financial payment messaging data to prevent and combat terrorism and terrorist financing", http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2009-0016+0+DOC+XML+V0//EN&language=EN

[59] European Parliament press release on 14 January 2010, "Passenger name records and SWIFT "

[60] European Parliament press release on 17 September 2009, "SWIFT: new EU-US agreement will be renegotiated next year”

[61] European Parliament press release on 21 January 2010, “SWIFT: European Parliament to vote on interim agreement at February session“

[62] European Parliament press release on 27 January 2010: “SWIFT interim agreement: Civil liberties Committee to vote on 4 February“

[63] http://www.guardian.co.uk/business/2008/jun/29/ubs.banking

[64] U.S. v. UBS AG, 09-20423, U.S. District Court, Southern District of Florida, Miami

[65] Archick,pg. 1 ff.

[66] Newman, pg. 5

[67] Newman, pg. 5

Excerpt out of 43 pages


Will Privacy Law in the 21st Century be American, European or International?
Queen Mary University of London  (Centre for Commercial Law Studies (CCLS))
International Studies in Intellectual Property Law (LL.M.) - End of first term dissertation
Catalog Number
ISBN (eBook)
ISBN (Book)
File size
634 KB
“Any society that would give up a little liberty to gain a little security will deserve neither and loose both." Benjamin Franklin
Privacy Law, Data Protection, Privacy;, Legal framework;, Data Protection Directive;, APEC;, UN;, 95/46/EC;, Social Networking;, Social Networks;, Montreux Declaration;, Data Protection Law;, Legislation;, Cross border;, data flow;, Google;, Facebook;, Global Privacy Standards;, Privacy Standards, Madrid Declaration
Quote paper
Philipp E. Fischer (Author), 2010, Will Privacy Law in the 21st Century be American, European or International?, Munich, GRIN Verlag, https://www.grin.com/document/187981


  • No comments yet.
Read the ebook
Title: Will Privacy Law in the 21st Century be American, European or International?

Upload papers

Your term paper / thesis:

- Publication as eBook and book
- High royalties for the sales
- Completely free - with ISBN
- It only takes five minutes
- Every paper finds readers

Publish now - it's free