Transatlantic Adequacy and a Certain Degree of Perplexity*
by Dr. Els De Busser
Head of Section European Criminal Law
Max Planck Institute for Foreign and International Criminal Law
The very least that one can say or write about the cooperation in criminal matters between the EU and the US is that it has intensified since 2001. The EU and its bodies that deal with criminal matters – Eurojust and Europol – have concluded agreements with US authorities. However, the data protection provisions in several of these agreements have raised eyebrows. The exchange of personal data is a crucial tool in judicial and law enforcement cooperation in criminal matters. The EU as an entity, but also Eurojust and Europol, entered into negotiations with the US in order to regulate the exchange of personal data that were deemed necessary for the purpose of prevention, investigation, and prosecution of criminal offences. A key requirement for the transfer of personal data from within the EU to a non-EU state (a third state) is the evaluation of whether this third state endorses a level of data protection that is adequate in comparison to the EU rules on data protection. This adequacy assessment should ensure the protection of personal data transferred to another legal system that applies different data protection rules.
When the US and the Council of the EU signed the first version of the Agreement on the processing and transfer of financial messaging data for the purposes of the Terrorist Finance Tracking Program (TFTP), the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs examined the Agreement in order to recommend approval of the Agreement to the Parliament. The Committee asked the Article 29 Working Party (the independent EU Advisory Body on Data Protection and Privacy) and the Working Party on Police and Justice (a specific working group of the Conference of Data Protection Authorities) to evaluate this Interim Agreement. When dealing with the question of whether the US endorses an adequate level of data protection, a prerequisite for the EU for the exchange of personal data with the US, the following statement was made by the chairmen of both working parties: “Furthermore, the wording of Article 6 of the Interim Agreement, according to which the “U.S. Treasury Department is deemed to ensure an adequate level of data protection”, has brought about a certain degree of perplexity amongst the Working Parties’ members.” Thus far, a thorough examination has not been carried out in order to conclude on the adequacy of the US data protection system. The observation made by the two Working Parties regarding the lack of a genuine assessment of the American data protection rules is, in fact, not an isolated case. No assessment was made before signing this so-called Interim Agreement and no assessment had been made prior to the conclusion of other agreements in the past. Shortly after, the Interim Agreement was rejected by the European Parliament due to the low level of data protection incorporated in its provisions. 
This was motivated by the fact that mass transfers of data were allowed in accordance with the Interim Agreement – a feature that did not comply with the proportionality and the necessity principle of data protection in general – rather than the lack of an adequacy assessment. In June 2010, a new Agreement was adopted with the consent of the European Parliament. This Agreement entered into force on 1 August 2010.1 Again, no assessment of the level of data protection of the US was made.
In this article, examples of cooperation agreements with the US are examined, where, undoubtedly, members of data protection authorities and other data protection experts have experienced a similar “degree of perplexity” due to the lack of an adequacy assessment.
First, the requirement for an adequate level of data protection will be clarified, followed by the challenges in applying this requirement. Subsequently, the agreements between the EU, Europol, and Eurojust, on the one hand, and the US, on the other, will be scrutinised with regard to their compliance with the adequacy requirement.
I. Umbrella Legislation
The EU is known for utilizing “umbrella legislation” on the protection of personal data. This term refers to the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Data Protection Convention)2 as the comprehensive legal instrument that covers all types of automatically processed personal data regardless of the purpose for which they are processed. It is referred to as “umbrella legislation” due to this wide scope. Because all EU Member States have ratified the Data Protection Convention, the data protection principles laid down therein are also the principles governing the EU’s legislation on data protection.
Therefore, when personal data are exchanged between authorities within one Member State or between authorities located in different Member States, they are transferred to a legal system that is bound by the same basic principles on data protection as the legal system they originated from. Obstacles caused by a difference in data protection rules will hardly occur in such cases.
Alternately, in a situation where the personal data are located in an EU Member State and transferred to a non-EU state (a third state), there are two possibilities. On the one hand, the receiving state could be bound by the Data Protection Convention3 and thus by the same basic principles governing the EU’s data protection regime. On the other hand, the receiving state could be a state that has a different view on data protection. This would mean that personal data could enter a legal framework that offers lower data protection safeguards than the EU Member State from which the data originated. The opposite case – stricter data protection rules in the receiving state – is equally possible, but would not give rise to many difficulties unless the smooth international exchange of data is hindered by applying stricter rules.
In order to protect the personal data transferred from a state bound by the Data Protection Convention to a state that is not bound by it, the Convention itself did not lay down any rules. However, one requirement was introduced4 in the 2001 Additional Protocol to this Convention.5 The Protocol obliges the states bound by it to assess the level of data protection of the receiving state. If the level of data protection endorsed by the receiving state is adequate, the transferring state can send the requested data. This is called the adequacy requirement.
The Additional Protocol is not the only instrument that lays down the adequacy requirement,6 but it is the only one with an all-embracing – umbrella – scope including all personal data that are automatically processed. The adequacy requirement has also been copied in legal instruments that cover a more specific part of personal data processing.7 This underlines the fact that the requirement of an adequate level of data protection has become known as a basic prerequisite for cross-border flows of personal data.8
II. The Paradox of the Adequacy Requirement
As appealing as it may sound in theory, the adequacy requirement causes many questions to arise regarding the assessment of the level of data protection and regarding whether the Member State is bound by the requirement or not. It is a prerequisite that has been laid down with the purpose of guaranteeing the EU’s level of data protection and having the objective of ensuring that personal data of EU citizens are not subject to misuse in third states. A prerequisite of such a significant objective should at least be clear in its meaning, and it should be made a uniform requirement for all transfers of personal data to third states. However, this is not the case. Especially with regard to the sensitive area of criminal investigations and prosecutions, it would be logical to establish a strong data protection regime. This is the paradox concerning the adequacy requirement. The question as to exactly what an assessment of a state’s level of data protection should minimally include has not yet been solved. In addition, this assessment is not a prerequisite for all Member States or all data transfers to third states. A fortiori, even when the assessment of the adequacy of the data protection regime in the third state is laid down as a requirement, it is not always applied as such.
1. How to assess adequacy?
The Additional Protocol to the Data Protection Convention specifies the necessity of an assessment of the level of data protection offered by the receiving third state, but does not specify how to carry out the assessment. According to the Explanatory Report to the Additional Protocol, the provisions of Chapter II (basic principles of data protection) of the Data Protection Convention should be taken into account when assessing the adequacy of the third state’s legal framework on data processing. Nonetheless, this clarification is only valid as far as the Convention’s principles are relevant for the specific case of transfer.9 Thus, the basic principles of data protection do not necessarily have to be considered.
As a consequence, each judicial and law enforcement authority of each Member State could come up with its own concept for assessment of the level of data protection of the receiving third state. Differences in evaluation tools and methods as well as in the items evaluated can result in divergent outcomes, depending on the authority or the Member State carrying out the assessment. From the point of view of the third state requesting personal data from two states that have ratified the Additional Protocol, this can lead to a different reply from each state and exacerbate the risk of data-shopping.
The development of a uniform checklist of the minimum provisions necessary for an adequate level of data protection would be an important step. In fact, the groundwork has already been laid. The Article 29 Working Party reflected on the matter and published a discussion document on the central question of adequacy. The document focused on the adequacy requirement in Directive 95/46/EC and was already published in 1997.10 Even though it is not applicable to the field of criminal matters, the document provides good guidelines on what an adequacy assessment should include. These guidelines have been formulated in a general manner and could have easily been adjusted to fit adequacy assessment in criminal matters.
To allow for some flexibility on the part of the states exchanging data, the Additional Protocol allows for derogations from the adequacy requirement that should be interpreted restrictively.11 Similar to the derogations from the provisions on human rights in the European Convention for Human Rights and Fundamental Freedoms (ECHR), they should at least be laid down by (national) law and be necessary for the protection of legitimate prevailing interests. Corresponding to the ECHR, the explanatory report to the Additional Protocol also refers to the same interests, based on which the right to privacy and data quality principles can be lawfully derogated from as follows: to protect an important public interest, the exercise or defence of a legal claim, or the extraction of data from a public register. Exceptions can also be made for the specific interest of the person whose data are transferred for the fulfilment of a contract with this person or in his interest, to protect his vital interests or if he has given his informed consent.12
In case an adequate level of data protection cannot be assured, another possibility for exchange still exists if the receiving state provides sufficient safeguards that are deemed adequate by the requested state. The safeguards can be limited, however, to include only the relevant elements of data protection and are only applicable to a specific transfer of data.13
2. Mandatory nature or the lack thereof
The adequacy requirement is not a requirement for all transfers of personal data from a Member State to a third state that is not bound by the Data Protection Convention. Three arguments motivate this statement.
Firstly, the Additional Protocol has so far been ratified by only 19 EU Member States.14 Even though the Protocol has a general scope and is applicable to all automatically processed personal data, its partial ratification means that the adequacy requirement is not a uniform requirement for all data transfers from the EU to third states.
Secondly, the EU legal instruments including the adequacy requirement are only applicable to a specific group of data transfers. Directive 95/46/EC – which is implemented in every Member State – includes the same adequacy requirement, but is only applicable to data transfers that fall within the scope of Community law. Similarly, Regulation 45/200115 – which is also implemented in every Member State – has included a provision on the adequacy requirement, but is only applicable to the transfers of personal data made by Community institutions and bodies. The most recent legal instrument in the field of data protection, the Framework Decision on Data Protection in Criminal Matters16 is equally limited in scope. It is only applicable to the personal data that have been transmitted or made available by another Member State and excludes the data gathered by the requested Member State itself. The Framework Decision states that, in future agreements, the adequacy assessment should be ensured. Still, in accordance with the Framework Decision, Member States can derogate from the adequacy requirement for the protection of specific legitimate interests of the data subject, legitimate prevailing interests – especially important public interests –, or when sufficient safeguards are provided by the receiving state.
Thirdly, the data protection rules that the EU agencies Eurojust and Europol have laid down for themselves, and which govern transfers to third states, are very different from one another. Europol has introduced a four-step approach for reaching a decision on the adequate level of data protection of a third state.17 With the exception of urgent circumstances,18 the Management Board consults the Joint Supervisory Board (JSB) regarding the processing of data by Europol. Then, the Council of the EU conducts a second check and, in a third step, the Director initiates negotiations, after which the Management Board and the JSB need to give their approval to conclude the agreement in a final step. This four-step filtering system has no counterpart in Eurojust data protection rules. In accordance with the rules governing data transfers by Eurojust, an adequacy assessment by its data protection officer is sufficient. Eurojust does not involve the Council and only turns to the JSB when the data protection officer meets difficulties in making his assessment. The decision on strengthening Eurojust does not add to Eurojust’s data protection provisions in order to improve the assessment.19
Therefore, the mandatory nature of the adequacy requirement is diverse and depends on which Member State or EU agency is transferring data, whether the state has ratified the Additional Protocol or not, and on the data that are transferred. Obviously, this conclusion is only based on the EU’s legal instruments and not on Member States’ national law. Member States can – on their own initiative – incorporate an adequacy requirement for outgoing data transfers in their national law.
Only two cases exist in which all EU Member States are obliged to assess the adequacy of the level of data protection in a third state requesting personal data: that in which the processing of data falls within the scope of Community law and that in which the data are processed for the purpose of a criminal investigation, as long as it concerns data that the transferring Member State has received from another Member State. There is thus no general adequacy requirement for data processed for the purpose of prevention, investigation, and prosecution of criminal offences.
Due to the entry into force of the Lisbon Treaty, a general legal instrument for data protection that embraces all three former pillars should be developed. In order to achieve such a general legal instrument and also in order to update data protection provisions in light of new technologies in data gathering and processing, the European Commission started discussions on a review of the data protection legal framework in 2011. The Commission announced that it would present a proposal for a strong, consistent and future-proof legal framework for data protection at the beginning of 2012.
3. A “forgotten” requirement
Even when there is a clear obligation to make an adequacy assessment, there are cases in which it has been “forgotten”. Obviously, the word “forgotten” is meant in an ironic sense here, as it is difficult to imagine mandatory rules accidentally not being applied. It is more likely that a conscious – politically more opportune – choice was made to disregard them. This is especially visible in transatlantic cooperation. The agreements made between the EU and its agencies mandated to deal with cooperation in criminal matters (Eurojust and Europol), on the one hand, and the US on the other, have one particular thing in common. They all ignore the adequacy requirement. As mentioned earlier, both Eurojust and Europol are bound by the adequacy requirement. They are not parties to the Additional Protocol to the Data Protection Convention, but have included the requirement in their own set of rules governing their data transfers to third states.
In the Europol Decision,20 two possibilities are regulated by which Europol can transfer personal data to third states.21 The general rule is the conclusion of an agreement, after authorisation of the Council and supported by a prior opinion of the JSB. As an exception, the Director of Europol can enter into negotiations without authorisation of the Council and without prior consultation with the JSB. Exceptional circumstances are defined – at the discretion of the Director – by the absolute necessity to transmit personal data in order to safeguard the essential interests of the Member States concerned, within the scope of Europol’s objectives, or in the interest of preventing imminent danger associated with crime.22 The Director must in these circumstances consider the level of data protection applicable for the receiving authority in the third state and weigh this against the essential interests. The parameters for making this assessment are laid down in Article 23 of the Europol Decision. In comparison to the Europol Convention, the Europol Decision adds a new parameter: “whether or not the entity has agreed to specific conditions required by Europol concerning the data.”23 This is a useful and necessary guideline for the Director. However, the provision of parameters to judge the adequacy of the level of data protection of a third state could have been developed into a more detailed checklist. Also, in the case of Europol, the question of what should be minimally included in an adequacy assessment has been left open.
The exceptional way for Europol to negotiate data transfers to third states – through the Director, without authorisation of the Council – was used to conclude two agreements with the US after the 2001 terrorist attacks.24 The first of these agreements was, however, inserted into the conventional procedure at the Council meeting on Justice, Home Affairs and Civil Protection.25 The Director of Europol was then authorised to conclude a cooperation agreement on the exchange of strategic information, not including personal data, the negotiations on which had already begun.26 During this same Council meeting, Europol received the authorisation to start negotiations on another agreement that would focus on the exchange of personal data. This would mean that the level of data protection of the US should be assessed in accordance with Article 18, §1, 2) of the Europol Convention (which was applicable at the time) and in accordance with the rules governing the transmission of personal data by Europol to third States and third bodies.27 The Council noted during this meeting that a data protection report concerning the US had been drawn up by Europol.28 Nonetheless, the JSB stated that Europol did not provide a report on the data protection law and practice in the US and that the JSB was therefore unable to make a conclusion on the level of data protection in the US.29 On 3 October 2002, the JSB issued another opinion based on practical experiences with the US system and on presentations made during the negotiations.30 The JSB stated that the Council was in the position to allow the Director of Europol to conclude the agreement, but expressed concerns about the purposes for which personal data would be used after their exchange to the US. Data should not be used for purposes outside the objectives of Europol. 
These concerns are not unreasonable since the purposes for which the data can be used in accordance with the Agreement have been widened by the parties in documents called “exchange of notes”. These notes are not formally part of the Agreement, but are intended to assist its implementation.31 Nonetheless, they explicitly state that the data that are exchanged in accordance with the Agreement can also be used for “inter alia, exchange of information pertaining to immigration investigations and proceedings, and to those relating to in rem or in personam seizure or restraint and confiscation of assets that finance terrorism or form the instrumentalities or proceeds of crime, even where such seizure, restraint or confiscation is not based on a criminal conviction.”32 Immigration investigations and confiscation not based on a criminal conviction clearly go further than the objectives of Europol.
Still, the 2002 Supplemental Europol-US Agreement on the exchange of personal data and related information (2002 Europol-US Agreement) was signed on 6 November 2002. Proof of the US endorsing a data protection regime that fulfils the conditions of the adequacy requirement has not been produced to date. An informal explanatory note only reflecting Europol’s view on the 2002 Europol-US Agreement, states, quite sarcastically, that the Agreement is “generally in line with the major principles incorporated in Europol’s legal framework”. The adequacy requirement does not seem to be considered a major principle of Europol’s legal framework. The text of the note goes even further and states that the provisions of Article 5 of the Agreement on general terms and conditions “would not be used as a legal basis for generic restrictions, but only in specific cases where there was a real necessity.”33 The phrase “generic restrictions” can clearly be understood as the requirement involving an adequate level of data protection. This means that the note calls for the rejection of this requirement in the cooperation with the US.
The exception that has been made for the US could create political strife with other third states. Europol has negotiated agreements with states such as Australia, Canada, Croatia, Iceland, Norway, and Switzerland. All of these agreements were negotiated after an opinion of the JSB was issued and confirmed by the Council that no obstacles exist to include the transmission of personal data in the agreement. The only exception that has been made so far is for the US.
Eurojust only exchanges case-related34 personal data with third states bound by the Data Protection Convention or third states that support an adequate data protection system. In the latter case, possible additional safeguards can be included in agreements between the data controller and the third state.35 Switzerland, Iceland, Romania, Norway, and Croatia all have ratified the Data Protection Convention. The US was the first state not bound by the Data Protection Convention to conclude an agreement with Eurojust. In fact, proof of an adequacy assessment of the US rules on data protection was not provided. Instead, the Eurojust JSB – which is responsible for monitoring data protection – remarkably preferred not to be involved directly in the negotiation process, but instead to be closely informed about the important steps and developments made.36 The JSB expressed concerns regarding the use of data that had been made public regardless of whether the release had occurred lawfully or not.37 The lack of an assessment on the level of data protection was not mentioned.
With regard to the inclusion of the adequacy requirement in the cooperation agreements, the Agreement concluded between the EU and the US on mutual legal assistance38 and the Agreement concluded between Eurojust and the US39 can be analysed together. The requirement has, in fact, been abolished in these instruments even more clearly than in the 2002 Europol-US Agreement. Both Agreements include an article on “limitations on use to protect personal and other data,” which explicitly states that generic restrictions with respect to the legal standards of the requesting State or party in the processing of personal data may not be imposed by the requested State or party as a condition for providing evidence or information.40
Where, in the 2002 Europol-US Agreement, the US was labelled an adequate partner with regard to its data protection regime, even though this was unjustified, in the 2003 EU-US Agreement and the 2006 Europol-US Agreement, the adequacy requirement was thrown overboard.
III. Continuing Along the Same Path
Four years after it was revealed that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) responded to administrative subpoenas issued by the US Department of the Treasury (UST) by sending personal data (financial messaging data) in bulk for the purpose of investigating the financing of terrorism under the Terrorist Finance Tracking Programme (TFTP), the US called for an agreement with the EU on a regular transfer of these data. A change in SWIFT’s architecture meant that a large amount of its data was no longer stored in the US, but in the EU. Thus, in 2009, the US and the Council of the EU began negotiating an agreement in order to establish the transfer of SWIFT’s financial messaging data for the purpose of the TFTP. First, a temporary agreement of nine months – the Interim Agreement – was to be signed and, after that, a permanent agreement negotiated. However, the entry into force of the Lisbon Treaty made the European Parliament’s consent a prerequisite for entry into force of the Interim Agreement. A substantial report written by Parliament Member Jeanine Hennis-Plasschaert41 brought about the rejection of the Interim Agreement on 11 February 2010.42 Not mentioned in the report as a reason to vote against the Interim Agreement, but nevertheless important, is Article 6, in which it is stated that the UST is “deemed to ensure an adequate level of data protection”. The Article 29 Working Party and the Working Party on Police and Justice rightfully expressed their disapproval of this provision and pointed out that other reports (that are confidential, such as the report by Judge Bruguière on the compliance of the TFTP with the safeguards offered by the UST) cannot necessarily substitute for an adequacy assessment.
The mandate that was adopted to launch negotiations between the Commission and the US authorities on a new agreement for the transfer of financial messaging data included the statement that the Agreement should contain safeguards and controls, which ensure an adequate level of protection of personal data.43 On 28 June 2010, a new Agreement between the EU and the US on the processing and transfer of Financial Messaging Data for the purposes of the TFTP was concluded. With regard to the adequacy requirement, the provisions of the Agreement have not been amended.
In fact, there was no legal obligation to include the adequacy requirement in the Agreement. According to the Court of Justice, it is the final purpose of the data that determines the legal basis of a legal instrument,44 but the aforementioned Framework Decision on Data Protection in Criminal Matters is limited in scope and does not apply to the data transferred between SWIFT and the UST. Nevertheless, considering the number of Member States that are bound by the adequacy requirement due to their (recent) ratification of the Additional Protocol to the CoE Data Protection Convention, it would have been sensible to anticipate the ratification by all EU Member States. In addition, considering the explicit adequacy provisions in the aforementioned other legal instruments, it would have been efficient to remain in their line of reasoning regarding the adequacy requirement.
Although there was no legal obligation to do so, Article 8 of the Agreement is dedicated to the level of data protection of the UST, which is ‘deemed to ensure an adequate level of data protection for the processing of financial payment messaging and related data transferred from the European Union to the United States for the purposes of this Agreement’. The reason why this provision was included in the Agreement is unclear, but the provision is not unique, since the assumption of the adequate level of data protection of the US has been made in the aforementioned agreements with the EU, Eurojust and Europol.
IV. Adequate Perplexity
Research has proven that the basic data protection principles applicable in criminal matters in the EU are not fully complied with in the cooperation between the EU Member States.45 In much the same way as this internal exchange and its lack of duly applied data protection principles, compliance with the adequacy requirement is also problematic. In the external exchange of personal data between EU Member States and third states, the adequacy requirement is not a general requirement and has not been defined in detail. Differences between Member States’ views on an adequacy check can thus lead to data shopping or the search by a requesting third state for the most “lenient” Member State. Therefore, the meaning of the requirement itself can be put into question. If you do not operate with the same criteria, why do you have the requirement in the first place? The answer should be to protect personal data transferred to third states that might have a different view on data protection than that represented by EU data protection principles. However, the protection that the adequacy assessment should offer is clearly not watertight.
Considering the importance of the protection of personal data transferred for the purpose of a criminal investigation or prosecution, and also considering the high importance of the protection of personal data transferred to a state that has not ratified the Data Protection Convention, it is all the more surprising to see that the assessment intended to ensure this protection is not mandatory in the EU.
From a political point of view, it is also surprising to see the clear difference in the treatment of third states. The exception that has been made for the US of not carrying out an adequacy assessment has not been made for any other third state so far.
It is therefore understandable that the members of the Article 29 Working Party and the Working Party on Police and Justice reacted to the lack of an adequacy assessment in the first version of the Agreement with an appropriate degree of perplexity. Since the provisions on the adequacy assessment in Article 8 remained untouched in the adopted version of the Agreement and so far no assessment has been carried out, this perplexity will also have remained intact. Moreover, this degree of perplexity is equally justified with regard to the agreements that the EU, Europol, and Eurojust concluded with the US authorities.
In 2012, the European Commission will come forward with a proposal for a general legal framework on data protection. This is an outstanding chance for making the provisions on the adequacy requirement more consistent. However, the above-mentioned examples demonstrate that having provisions in place on the adequacy requirement does not necessarily mean that these are applied.
* This article is the updated version of the previously published article by E. De Busser, “Transatlantic Adequacy and a Certain Degree of Perplexity” in eucrim 1/2010, pp. 30-36 and is reprinted here with the author’s permission.
1 Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, O.J. L 195, 27 July 2010, pp. 5-14.
2 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, ETS no. 108, 28 January 1981.
3 So far, 14 third states have ratified the Data Protection Convention.
4 Chronologically, it was Directive 95/46/EC (O.J. L 281, 23 November 1995, pp. 31-50) that was the first instrument to include the adequacy requirement; however, the scope of the Directive is limited to the processing of personal data for the purpose of activities that fall within the scope of Community law.
5 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding Supervisory Authorities and Transborder Data Flows, ETS no. 181, 8 November 2001.
6 See, e.g., Directive 95/46/EC, O.J. L 281, 23 November 1995, pp. 31-50.
7 See, e.g. Article 26, Council of the European Union, Rules of procedure on the processing and protection of personal data at Eurojust, O.J. C 68, 19 March 2005, pp. 1-10 and Article 4, Council of the European Union, Act 12 March 1999 adopting the rules on the transmission of personal data by Europol to third states and third bodies, O.J. C 88, 30 March 1999, pp. 1-3.
8 See also European Data Protection Supervisor, Third opinion 27 April 2007 on the Proposal for a Council Framework Decision on the Protection of Personal Data processed in the Framework of Police and Judicial Cooperation in Criminal Matters, O.J. C 139, 23 June 2007, § 26.
9 Additional Protocol to the Data Protection Convention, ETS no. 181, 8 November 2001, Explanatory Report, § 29.
10 Article 29 Data Protection Working Party, XV D/5020/97-EN final, WP 4, 26 June 1997.
11 Additional Protocol to the Data Protection Convention, ETS no. 181, 8 November 2001, Explanatory Report, § 31.
12 Ibid., §31.
13 Ibid., § 32-33.
14 The protocol entered into force for Austria, Bulgaria, Cyprus, Czech Republic, Estonia, Ireland, France, Germany, Hungary, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Portugal, Romania, Slovakia, Spain and Sweden.
15 European Parliament and Council, Regulation (EC) no. 45/2001, 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, O.J. L 8, 12 January 2001, pp. 1-22.
16 Council of the European Union, Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, O.J. L 350, 30 December 2008, pp. 60-71.
17 Council of the European Union, Decision of 27 March 2000 authorising the Director of Europol to enter into negotiations on agreements with third States and non-EU related bodies, O.J. C 106, 13 April 2000, pp. 1-2.
18 In urgent circumstances, the Europol Director is authorized to transmit personal data to third states.
19 Council of the European Union, Decision of 16 December 2008 on the strengthening of Eurojust and amending Decision 2002/187/JHA, O.J. L 138, 4 June 2009, pp. 14-32.
20 Council Decision establishing the European Police Office, O.J. L 121, 15 May 2009, pp. 37-66.
21 Council of the European Union, Act 12 March 1999 adopting the rules on the transmission of personal data by Europol to third states and third bodies, O.J. C 88, 30 March 1999, p. 1.
22 Article 2, §1, b) Council Act of 12 March 1999 adopting the rules on the transmission of personal data by Europol to third states and third bodies. The inclusion of terrorist offences is a new addition to this provision made by the Europol Decision.
23 Article 23, §9, e) of the Europol Decision.
24 V. Mitsilegas, “The New EU-USA Cooperation on Extradition, Mutual Legal Assistance and the Exchange of Police Data,” EFAR 2003, vol. 8, pp. 516-517.
25 European Council, 14581/01, 6-7 December 2001, p. 11.
26 The first draft, dating from 31 October 2001, is available in the Council of the EU’s public documents database. Council of the European Union, 13359/01, Draft agreement between Europol and USA, 31 October 2001.
27 O.J. C 88, 30 March 1999, p. 1.
28 European Council, 14581/01, 6-7 December 2001, p. 11.
29 Europol JSB, Document 01/38, 26 November 2001, p. 2.
30 Europol JSB, Document 02/65, 3 October 2002.
31 Council of the European Union, 13696/1/02, 28 November 2002, p. 2.
32 Council of the European Union, 13996/02, 11 November 2002, p. 3.
33 Council of the European Union, 13696/1/02, 28 November 2002, p. 10.
34 Evidently, with regard to non case-related data exchange, the issue of an adequate level of data protection or adherence to the 1981 CoE Convention is not pressing as, in this respect, use for a wider range of purposes is allowed.
35 Council Decision of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime, O.J. L 63, 6 June 2002, Article 27, §4 and Council, Rules of procedure on the processing and protection of personal data at Eurojust, O.J. C 68, 19 March 2005, Article 28, §§ 2 and 3.
36 Joint Supervisory Body of Eurojust, Activity Report 2006, p. 6, www.eurojust.europa.eu.
37 Ibid., pp. 6-7.
38 Agreement 25 June 2003 on mutual legal assistance between the European Union and the United States of America, O.J. L 181, 19 July 2003, p. 41.
39 Agreement between Eurojust and the United States of America, 6 November 2006, www.eurojust.europa.eu.
40 Article 9 of the 2003 EU-US Agreement and Article 9 of the 2006 Eurojust-US Agreement.
41 European Parliament Recommendation, A7-0013/2010, 5 February 2010.
42 O.J. L 8, 13 January 2010, p. 9.
43 Recommendation from the Commission to the Council, SEC(2010)315 final, 24 March 2010.
44 ECJ joined cases C-317/04 and C-318/04, Parliament v. Council, 30 May 2006.
45 E. De Busser, Data protection in EU-US criminal cooperation, Antwerp-Apeldoorn, Maklu, 2009, pp. 127-183.
Transatlantic Counter-Terrorism Cooperation After Lisbon*
by Prof. Dr. Valsamis Mitsilegas
Professor of European Criminal Law
School of Law
Queen Mary, University of London
EU-US counter-terrorism cooperation has been an area of EU external relations with substantial growth in the recent past. The political momentum for such cooperation was boosted post-9/11 and resulted in the conclusion of a number of international agreements between the European Union and the United States. Concluded primarily under the third pillar, these agreements have been subject to considerable criticism in Europe, both in terms of democracy and legitimacy and in terms of substance and the compatibility of their content with fundamental rights. These issues are now due to be reviewed following the entry into force of the Lisbon Treaty, which brings about a number of significant constitutional changes to the way the Union operates both internally and externally. This article is a contribution to the current discussion on the direction and content of future transatlantic counter-terrorism cooperation arrangements in the light of the entry into force of the Lisbon Treaty. I will begin by highlighting the key legal, constitutional, and political issues surrounding the existing EU-US counter-terrorism agreements; I will then outline the main changes brought about by the Lisbon Treaty that have the potential to influence transatlantic relations in the field of counter-terrorism and criminal matters more generally; and I will finish by putting forward a series of recommendations highlighting key issues to be taken into account in the future development of transatlantic cooperation against terrorism.
II. Transatlantic Counter-Terrorism Cooperation before Lisbon: The Legacy of 9/11 and the Third Pillar
Transatlantic counter-terrorism cooperation before Lisbon was exemplified by the conclusion of a series of agreements between the European Union and the United States covering a wide range of issues and triggered primarily by the events of 9/11. The first major step in this context was the conclusion of the EU-US agreements on extradition and mutual legal assistance.1 Their signature marked an important constitutional precedent for the European Union, with the agreements being the first major international agreements concluded under the third pillar.2 The agreements were the outcome of the political momentum generated post-9/11 at the EU level. This momentum resulted both in furthering European integration internally, via the adoption of a raft of EU legislation (the Framework Decisions on terrorism and the European Arrest Warrant being prime examples in this context), and in boosting the EU’s position as a global actor in the field.3 While these agreements reflected the Parties’ political will to cooperate post-9/11, subsequent agreements were generated from the need to comply with US measures taken after the attacks. The first example concerns the agreements relating to the transfer, from airlines to the US Department of Homeland Security, of Passenger Name Records (PNR) of passengers flying from the EU to the US, which were necessitated in order to ensure that compliance of airlines with US law requiring such transfers did not breach EU law. 
Following the acceptance by the Commission of the adequacy of US data protection standards, transatlantic cooperation in this context began as a first pillar international agreement (between the Community and the US).4 Following an ECJ ruling against the legality of the first pillar legal basis used,5 the EC-US agreement was replaced by third pillar agreements between the EU and the US.6 Last but not least, the publicity regarding the transfer to the US authorities of personal data contained in transactions processed by SWIFT7 generated political pressure resulting in another third pillar agreement enabling the transfer of such data to the US authorities, signed one day before the entry into force of the Lisbon Treaty.8 The signature of these agreements by the European Union has been met by strong objections and concerns on political, democratic, and human rights/rule-of-law grounds.
1. Political concerns
Increased cooperation with the US could be seen as welcome as a sign of the emergence of the EU as a global actor in criminal matters. From this perspective, the signature of agreements in criminal matters with the US was of great constitutional significance, as the agreements constituted precedents for external action under the third pillar and, at least for some, rendered academic the then contested issue of whether the Union had a legal personality.9 However, the agenda of furthering European integration in the field of criminal matters has had to be promoted against the background of growing political concerns with regard to the extent and nature of transatlantic cooperation post-9/11. These concerns − which are of course inextricably linked with the content of transatlantic counter-terrorism cooperation − centered on the nature of the US response post-9/11 and the perceived willingness of the EU to uncritically adopt the US “war on terror” approach. In this context, it should be remembered that two of the major elements of transatlantic cooperation in the field of criminal matters, the PNR and the Terrorist Finance Tracking Programme (TFTP) Agreements, consist of an EU response to US unilateral post-9/11 demands and entail to a large extent the acceptance of the legality of US measures under EU law. In its willingness to emerge as a global actor in the field of counter-terrorism and criminal law in general, the European Union has demonstrated a willingness to accommodate to a great extent emergency measures developed outside the Union. As will be seen below, the compatibility of some of these heavily securitised measures with EU law (in particular privacy and data protection standards) has been contested. 
External action in the field of cooperation in criminal matters came at a juncture, where security was also being prioritised at the level of internal EU action, reflected in policy terms particularly in the Hague Programme, which focused to a great extent on the collection and exchange of a wide range of personal data for security purposes.10
2. Democratic concerns
Concerns with regard to the uncritical adoption of US standards by the EU have been compounded by the marked lack of democratic scrutiny and transparency in the negotiation and conclusion of the agreements. From a constitutional point of view, the fact that the agreements were ultimately negotiated under the third pillar meant that negotiations were formally led by the Presidency of the European Union and that the European Parliament did not have any role in the process of negotiation and signature. These constitutional constraints were combined with the negotiating practice of Member States (and at times the Commission), which effectively shielded the agreements from any kind of meaningful debate and scrutiny. The EU-US agreements remained classified until the very last weeks before signature, notwithstanding repeated requests for their publication for the purpose of scrutiny.11 The Europol-US Agreement was not even published in the Official Journal.12 The first version of the PNR Agreement (between the Community and the US) was transmitted to the European Parliament for examination under deadlines which, according to Parliament, did not enable it to conduct meaningful scrutiny − with the handling of scrutiny leading to Parliament challenging the agreement in the ECJ.13 The TFTP Agreement was, as seen above, signed a day before the entry into force of the Lisbon Treaty − in an attempt to conclude it under the intergovernmental process of the “old” third pillar, thus pre-empting the Community elements brought about by Lisbon and effectively sidelining the European Parliament.
Unsurprisingly, this handling led to the eventual rejection of the agreement by the Parliament after Lisbon.14 The conclusion of these agreements, negotiated with minimal transparency in the face of sustained and growing fundamental rights concerns expressed by parliaments, EU expert bodies, and civil society,15 was presented as a fait accompli, with signature dates set out in advance and limited time for debate and scrutiny.16
3. Substantive concerns − fundamental rights and the rule of law
A key fundamental rights concern in transatlantic counter-terrorism cooperation involves privacy.17 The agreements on mutual legal assistance, PNR and TFTP, all provide for the transfer of a wide range of everyday personal data to a wide range of US authorities. The adverse consequences of such extensive information sharing for the right to privacy and data protection have been documented repeatedly and in detail. The conclusion of these agreements in such broad terms and with limited protection safeguards raises the question of whether, in its emergence as a global actor in criminal matters, the European Union has compromised its proclaimed internal standards and values. The human rights concerns stemming from the acceptance of a heavily securitised US agenda involving maximum collection of personal data are exacerbated in the light of the minimal rule-of-law safeguards secured by the EU in some of the agreements. The scope of information exchange agreements and the specification as to which US authorities will receive personal data have been drafted in such broad terms that the foreseeability and sure footing of the legislation leave much to be desired. Moreover, in particular in the PNR Agreement, safeguards secured by the EU side are not expressly legally binding but take the form of “letters” by the US executive.18
III. The Lisbon Treaty
The Lisbon Treaty introduces a number of changes with potentially far-reaching consequences for EU external action in general and transatlantic counter-terrorism cooperation in particular. They involve both changes in the internal constitutional architecture of the Union (such as, in principle, the abolition of the pillars), as well as changes in the provisions on the Union’s external action. Underpinning these changes is the emphasis placed by the Lisbon Treaty on upholding the values of the Union and on protecting fundamental rights. As will be seen below, these changes can potentially address the shortcomings of the existing transatlantic cooperation analysed above.
1. Changes in the policy: European values in EU external relations
A key feature of the Lisbon Treaty is its emphasis on the values upon which the Union is deemed to be founded. These values are central not only to defining European identity internally but also to guiding the external action of the Union. Not surprisingly, respect for fundamental rights and the rule of law are expressly included in the list of EU values found in Art. 2 TEU. This enumeration of the values upon which the Union is founded is not merely declaratory. According to Art. 3(1) TEU, the promotion of these values is a key aim of the Union. The role of the Union in promoting its values is further highlighted with regard to EU external action, with Art. 3(5) TEU stating that “in its relations with the wider world, the Union shall uphold and promote its values and interests and contribute to the protection of its citizens.”
The centrality of the values of the Union, when the Union acts at the global level, is further confirmed by the specific Treaty provisions on external action. According to Art. 21(1) TEU, ‘the Union’s action on the international scene shall be guided by the principles which have inspired its own creation, development and enlargement, and which it seeks to advance in the wider world,’ which include: democracy, the rule of law, the universality and indivisibility of human rights and fundamental freedoms and respect for human dignity. According to Art. 21(2) TEU, the Union will define and pursue common policies and actions, and it will work towards a high degree of cooperation in all fields of international relations, in order to, inter alia, safeguard its values and consolidate and support democracy, the rule of law, human rights, and the principles of international law. Art. 205 TFEU reiterates that these provisions will guide the Union’s action on the international scene. It is thus clear that the promotion of fundamental rights and the rule of law, forming key values of the Union, is a key element of EU external action after Lisbon.
2. Institutional changes – Addressing the democratic deficit?
The Lisbon Treaty introduces far-reaching institutional changes as regards the negotiation and conclusion of international agreements in criminal matters. These changes emanate from the abolition of the pillars in Lisbon and, in principle, the “communautarisation” of the third pillar. In this light, Art. 47 TEU expressly grants the Union legal personality. The negotiation and conclusion of international agreements in matters previously falling under the third pillar are now governed by the general provision of Art. 218 TFEU. A major development in this context is the enhanced role of the European Parliament. According to Art. 218(6)(v), the consent of the European Parliament in agreements covering fields to which the ordinary legislative procedure applies is required. This would cover the majority of areas falling under the TFEU Title on the Area of Freedom, Security and Justice (AFSJ). This change has the potential to address to a great extent the democratic concerns prevalent in the conclusion of the “previous” third pillar agreements, and the democratic debate and transparency in the development of EU external action in criminal matters will hopefully be enhanced. By its rejection of the third pillar TFTP Agreement, the European Parliament has shown that it intends to take its new powers seriously in practice. The rejection of this agreement − on institutional and human rights grounds − is a sign that the European Parliament will assume a central role in the negotiation and conclusion of international agreements in the field of counter-terrorism, with the Parliament being increasingly involved in the early stage of the negotiation of the mandate to these agreements.19 This role is implied in Art. 218(10) TFEU, which states that the European Parliament must be informed immediately and fully at all stages of the procedure.
It may also be regarded as a reflection of the duty of sincere mutual cooperation, which the Lisbon Treaty extends expressly to cover cooperation between the EU institutions.20
3. Substantive changes – Fundamental rights at the heart of the European project
The commitment to respect human rights lies at the heart of the Lisbon Treaty. Along with the central position of respect for fundamental rights in the list of the values of the Union, this commitment is clearly reflected in Art. 6 TEU. The sources of fundamental rights are manifold. The Union recognises the rights, freedoms, and principles set out in the Charter of Fundamental Rights, which will have the same legal value as the Lisbon Treaty.21 Fundamental rights, as guaranteed by the European Court of Human Rights (ECHR) and as they result from the constitutional traditions common to the Member States, constitute general principles of the Union’s law.22 The Treaty also calls for the Union’s accession to the ECHR.23 These provisions make respect for fundamental rights a key component of both EU internal and external action. The multiplicity of the sources of fundamental rights at the EU level (and, in particular, the express recognition of the legal value of the Charter) means that the content of these rights is both enhanced and expanded. This point is of particular relevance as regards fundamental rights that come into play in the context of transatlantic counter-terrorism cooperation, in particular the right to the protection of private life and the right to data protection, which is expressly recognised in the Charter.24
Another constitutional development which renders the protection of fundamental rights central to EU external action stems from the principle of consistency between EU external action and the other EU policies,25 particularly when read in combination with the provisions on the EU as an Area of Freedom, Security and Justice. Respect for fundamental rights is a key element of the development of the Union into an “area of freedom, security and justice”26 and the importance of fundamental rights in this context has also been emphasised in the Stockholm Programme.27 The development of internal EU law in the field of cooperation in criminal matters must thus respect fundamental rights. The principle of consistency means that external action on AFSJ in general − and counter-terrorism in particular − must be consistent with internal standards in this field.
IV. Transatlantic Counter-Terrorism Cooperation after Lisbon
Where do the Lisbon changes leave us with regard to transatlantic counter-terrorism cooperation? A revised TFTP Agreement28 has now obtained the consent of the European Parliament under the Lisbon framework.29 However, this is not the end of the road with regard to the conclusion of international agreements in the field of cooperation in criminal matters. Along with negotiations on the conclusion of a new, post-Lisbon EU-US PNR Agreement,30 the conclusion of the TFTP Agreement was accompanied by a commitment to negotiations on the conclusion of a horizontal EU-US Agreement on data protection in the field of criminal law.31 In view of forthcoming negotiations on these agreements, and the possibility of transatlantic cooperation being extended to further areas in the future, Lisbon gives rise to a number of issues to be taken into account when shaping the principles and content of such cooperation from an EU perspective.
1. Political considerations – Upholding the values of the Union
As mentioned above, one of the key objections with regard to the conclusion of the third pillar EU-US agreements has been the perceived uncritical acquiescence of EU negotiators to heavily securitised US demands in the post-9/11 era. The time has come to rethink the acceptance of heavily securitised emergency measures in the EU legal order. The emergence of the European Union as a global actor with a strong voice under Lisbon requires the Union to uphold and promote its values, at the heart of which lie the respect for fundamental rights and the rule of law. The emphasis on the need to take fundamental rights and the rule of law seriously is already evident at the EU level both internally (with the Stockholm Programme departing from the heavily securitised agenda of its Hague predecessor) and externally (with the ECJ ruling in Kadi linking the autonomy of the Union legal order with upholding fundamental rights and the rule of law32). Not compromising but rather upholding and promoting these values in the field of transatlantic counter-terrorism cooperation is a key task of EU negotiators in the post-Lisbon era. Promoting these values in this context is also crucial to projecting the identity of the Union in the world, as well as for enhancing the legitimacy of these agreements internally.
2. Institutional/democratic considerations
In the light of the potentially significant consequences of EU-US agreements in the field of counter-terrorism for fundamental rights, a clear case for their conclusion needs to be made to the European public. The democratic and legitimacy deficit underpinning the third pillar agreements needs to be addressed. As mentioned above, the Lisbon Treaty addresses the democratic deficit to some extent, by strengthening the role of the European Parliament in the negotiation and conclusion of agreements between the EU and the US. However, this does not appear to be the case with regard to agreements concluded between the US and EU bodies in the criminal justice field, such as Europol and Eurojust − the third pillar decisions delineating the rules applying to these bodies provide for specific rules on the conclusion of agreements with third countries with no real involvement of the European Parliament.33 This deficit needs to be addressed after the entry into force of the Lisbon Treaty, in the amendment of the Europol and Eurojust decisions in line with the legal bases provided for in the Lisbon Treaty.34 The strengthening of democratic controls over proposals for future transatlantic counter-terrorism agreements needs to be accompanied by an enhancement of transparency and the involvement of civil society. Transparency can take the form of consultation regarding the need for such agreements and − notwithstanding the limits with regard to divulging details on negotiations − information as regards their progress and general direction. Key players in enhancing both the democratic debate and transparency in this context are national parliaments, which have been granted an enhanced scrutiny role under the Lisbon Treaty.35
3. Substantive considerations
As argued throughout this article, after Lisbon, EU external action in general and in criminal matters in particular must be guided by the values the Union proclaims to uphold and promote, including respect for fundamental rights and the rule of law. In the negotiation of future agreements on transatlantic counter-terrorism cooperation, the protection and promotion of the rights to private and family life as well as data is of particular importance. In this context, and in the light of the precedents of transatlantic counter-terrorism cooperation that are highly invasive to private life, two separate – but interrelated − questions need to be thoroughly examined: what kind of, and how much, personal information is necessary to be collected and transferred to the US for the specific purposes of the agreements negotiated? And, at a second stage, once there is agreement on the types and volume of data to be collected and transferred, are the privacy safeguards offered by the US compatible with EU values and standards? The proposed EU-US horizontal agreement on data protection may serve as a good starting point in addressing both questions as regards the conclusion of future agreements on transatlantic counter-terrorism cooperation (including agreements concluded by Europol and Eurojust) but also as regards the functioning of looser structures of operational cooperation between the EU and the US (such as the exchange of liaison officers). As regards upholding the rule of law, the EU-US data protection agreement may contribute towards the establishment of clear, legally binding standards on privacy protection and remedies for the affected individuals.
Upholding the values of the Union in the context of the collection and analysis of personal data for counter-terrorism purposes should also be a guiding principle for the development of internal Union law in the field of cooperation in criminal matters. In a number of instances, the US approach – as seen above, heavily criticised in the context of EU-US cooperation − is in the process of being adopted by the EU legal order. The adoption of similar measures at the EU level has been justified on the grounds of facilitating transatlantic cooperation, on the one hand by adding EU safeguards and on the other by ensuring reciprocity. In this light, the recently signed TFTP Agreement states that, during its course, the Commission will carry out a study into the possible introduction of an equivalent EU system allowing for a more targeted transfer of data.36 In the field of PNR, and notwithstanding the sustained concerns with regard to the compatibility of the EU-US PNR Agreements with EU privacy and data protection law, the Commission tabled a proposal in 2008 for a Framework Decision with a similar system of transmission of PNR data by carriers flying into the EU.37 The Commission justified the proposal as a result of “policy learning” from the existing PNR Agreements with the US and Canada and a new, “lisbonised” proposal has been presented in February 2011.38 While these proposals may be of use in setting EU standards, which can form benchmarks for subsequent EU negotiations with the US and globally,39 their necessity and compatibility with fundamental rights must be fully justified before they are adopted at the EU level. The prospect of the EU importing heavily securitised law and policy with far-reaching privacy consequences is real.
V. Conclusion − Lisbon as an Opportunity for Change?
The legacy of the third pillar with regard to transatlantic counter-terrorism cooperation leaves much to be desired with regard to upholding fundamental rights and the rule of law in EU external action. The Lisbon Treaty has brought about a number of changes with a potentially profound impact on the EU as a global actor in the field of cooperation in criminal matters: it addresses the democratic deficits through the abolition of the third pillar and the greater involvement of the European Parliament in transatlantic counter-terrorism cooperation; it emphasises respect for fundamental rights as lying at the heart of the European project; and it focuses on the values of the Union and the duty to uphold and promote them in EU external action. In the light of these changes, Lisbon must be viewed as an opportunity to put the dialogue on transatlantic counter-terrorism cooperation in a different perspective. With the momentum for further agreements between the EU and the US in the field of cooperation in criminal matters growing, now is the time for the European Union to reframe a heavily securitised agenda and emerge as a strong global actor upholding fundamental rights and the rule of law.
* This article is the updated version of the previously published article by V. Mitsilegas, “Transatlantic Counter-Terrorism Cooperation after Lisbon” in eucrim 3/2010, pp. 111-117 and is reprinted here with the author’s permission.
1 Agreement on extradition between the European Union and the United States of America, O.J. L 181, 19 July 2003, p. 27; Agreement on mutual legal assistance between the European Union and the United States of America, O.J. L 181, 19 July 2003, p. 34. See also the Council Decision, on the basis of Arts. 24 and 38 TEU, concerning the signature of these agreements: O.J. L 181, 19 July 2003, p. 25.
2 See V. Mitsilegas, ‘The New EU-US Co-operation on Extradition, Mutual Legal Assistance and the Exchange of Police Data’ in 2003 European Foreign Affairs Review 8, pp. 515-536. See also the parallel negotiation and later signature of an agreement between Europol and the US on the exchange of personal data (doc. 13689/02 Europol 82, 4 November 2002) − for details, see Mitsilegas op. cit.
3 See V. Mitsilegas, op. cit. (footnote 2).
4 Commission Decision on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection, O.J. L 235, 6 July 2004, p. 11 (including an Annex with the relevant US Undertakings); and Council Decision on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the US Department of Homeland Security, Bureau of Customs and Border Protection, O.J. L 183, 20 May 2004, p. 83 (the Agreement is annexed to the Decision).
5 Joined cases C-317/04 and C-318/04, European Parliament v Council, ECR I-4721.
6 An interim agreement to address the legal vacuum resulting from the Court’s ruling in 2006 was followed by another agreement in 2007: Council Decision 2006/729/CFSP/JHA on the signing, on behalf of the European Union, of an Agreement between the European Union and the USA on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security (L 298, 27 October 2006, p. 27 − the text of the Agreement is annexed to this Decision); and the Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), O.J. L 204, 4 August 2007, p. 18. See also Council Decision approving the signing of the Agreement on the basis of Arts. 24 and 38 TEU, p. 16.
7 For further information, see G. González Fuster, P. de Hert and S. Gutwirth, ‘SWIFT and the Vulnerability of Transatlantic Data Transfers,’ in 2008 International Review of Law, Computers and Technology 22, pp. 191-202.
8 Council Decision 2010/16/CFSP/JHA of 30 November 2009 on the signing, on behalf of the European Union, of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program, O.J. L 8, 13 January 2010, p. 9 (and p. 11 for the text of the Agreement).
9 For an overview of the debate with regard to the existence and extent of the EU legal personality in the context of the third pillar, see J. Monar, ‘The EU as an International Actor in the Domain of Justice and Home Affairs,’ in 2004 European Foreign Affairs Review 9, pp. 395-415.
10 O.J. C 53, 3 March 2005, p. 1.
11 See House of Lords European Union Committee, EU-US Agreements on Extradition and Mutual Legal Assistance, 38th Report, session 2002-03, HL Paper 135.
12 For an overview of the limited scrutiny of this agreement, see Mitsilegas op. cit. (footnote 2).
13 V. Mitsilegas, ‘Border Security in the European Union. Towards Centralised Controls and Maximum Surveillance’ in E. Guild, H. Toner and A. Baldaccini (eds.), Whose Freedom, Security and Justice? EU Immigration and Asylum Law and Policy, Hart Publishing, 2007, pp. 359-394. Of course, the Court’s ruling resulted in the agreements being negotiated under the third pillar with the Parliament having a much more limited scrutiny role.
14 See J. Monar, ‘The Rejection of the EU-US SWIFT Interim Agreement by the European Parliament: A Historic Vote and its Implications,’ in 2010 European Foreign Affairs Review 15, pp. 143-151.
15 On the extradition/mutual legal assistance agreements and the Europol/US agreement, see Mitsilegas, op. cit. (footnote 2); on the PNR Agreements, see V. Mitsilegas, ‘The External Dimension of EU Action in Criminal Matters,’ in 2007 European Foreign Affairs Review 12, pp. 457-497; on SWIFT, see the Opinion of the European Data Protection Supervisor of 25 January 2010 and the Opinion of the Art. 29 Working Party of 22 January 2010.
16 A number of the Agreements envisaged an ex post scrutiny at the national level, with their conclusion being subject to Member States’ internal constitutional procedures. While the EU-US agreements on extradition and mutual legal assistance were signed in 2003, their conclusion on behalf of the EU took place only in 2009 − see Council Decision 2009/820/CFSP, O.J. L 291, 7 November 2009, p. 40.
17 Another concern is the death penalty-extradition agreement − Mitsilegas op. cit. (footnote 2).
18 The text of the PNR Agreement does not include details of the PNR data transfer per se. They are set out in a separate accompanying ‘US letter to the EU,’ signed by the former Homeland Security Secretary Michael Chertoff. The letter is, in turn, followed by an ‘EU letter to the US’ confirming that, on the basis of the assurances provided in the US letter, the EU deems that the US ensures an adequate level of data protection and that, based on this finding, ‘the EU will take all the necessary steps to discourage international organisations or third countries from interfering with any transfers of EU PNR data to the United States’ − p. 25.
19 On the potential role of the European Parliament in shaping policy in the negotiation of international agreements post-Lisbon, see R. Passos, ‘Mixed Agreements from the Perspective of the European Parliament,’ in Ch. Hillion and P. Koutrakos (eds.), Mixed Agreements Revisited, Hart, 2010, pp. 269-294.
20 Art. 13(2) TFEU.
21 Art. 6(1) TEU.
22 Art. 6(3) TEU.
23 Art. 6(2) TEU.
24 See Art. 7 of the Charter on the right to private and family life and Art. 8 on the right to data protection. See also Art. 47 for the right to an effective remedy. Moreover, Art. 16 TFEU affirms the special place of data protection in the Lisbon Treaty.
25 Art. 21(3) TEU, §2.
26 Art. 67(1) TFEU.
27 O.J. C 115, 4 May 2010, p. 1.
28 Council doc. 11222/1/10 REV 1, Brussels, 24 June 2010.
29 European Parliament legislative resolution of 8 July 2010 on the draft Council decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, P7_TA(2010)0279.
30 The Commission’s Action Plan to Implement the Stockholm Programme (COM(2010) 171) envisages the tabling of proposals for authorising the negotiation of PNR agreements with relevant third countries (p. 21). For more recent developments, see European Voice, Commission to seek new data sharing mandates, 2 September 2010, p. 6.
31 See EP Resolution above, point 4.
32 Joined Cases C-402/05 P and C-415/05 P, Yassin Abdullah Kadi and Al Barakaat International Foundation v Council and Commission ECR I-6351. On the link between guaranteeing the autonomy of the Union legal order in the emergence of the Union as a global actor in criminal matters and upholding fundamental rights and the rule of law, see V. Mitsilegas, ‘The European Union and the Globalisation of Criminal Law,’ in 2009-2010 Cambridge Yearbook of European Legal Studies 12, forthcoming.
33 On Europol, see Council Decision 2009/371/JHA establishing the European Police Office (Europol), O.J. L 121, 15 May 2009, p. 37, Art. 23. The European Parliament can merely request the Presidency of the Council, the Chairperson of the Europol Management Board, and the Director of Europol to appear before it to ‘discuss matters relating to Europol’ − Art. 48. On Eurojust, see new Art. 26a inserted by Council Decision 2009/426/JHA ‘on the strengthening of Eurojust and amending Decision 2002/187/JHA setting up Eurojust with a view to reinforcing the fight against serious crime,’ O.J. L 138, 4 June 2009, p. 14. The original 2002 Decision (O.J. L 63, 6 March 2002, p. 1) provides mainly for the European Parliament to be informed about the work of Eurojust via the submission of written reports (Art. 32). For details, see V. Mitsilegas, ‘The Third Wave of Third Pillar Law: Which Direction for EU Criminal Justice?’ in 2009 European Law Review 34, pp. 523-560.
34 See Art. 85 TFEU for Eurojust and Art. 88 TFEU for Europol.
35 See, in particular, Art. 12 TEU.
37 Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for Law Enforcement Purposes, COM (2007) 654 final, Brussels, 6 November 2007.
38 Proposal for a Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, COM(2011) 32 final, Brussels, 2 February 2011.
39 See European Voice op. cit. (footnote 30).