While threat information is shared routinely between the United States and allied military and intelligence agencies, the ongoing push to strengthen the ISE internationally centers on the effort to share information about individuals—including biographical and biometric data. It is the treatment of such personal data that has proven to be a sticking point with EU member countries.
In the United States, only citizens and legal residents have the right to obtain from the U.S. government a report of what personal data the government has on them and to have errors in the data corrected. By contrast, the EU grants these privacy privileges to every individual.
In meetings on this issue, U.S. and EU delegations have agreed on everything except “reciprocal application of data privacy law principle.” One congressional staffer summed up U.S. reluctance to extend redress to foreign citizens in one word: “Guantanamo.” The U.S. government is wary of granting known and suspected terrorists the right to ask what information is held about them in government databases as well as the right to challenge the accuracy of that information.
Despite the disagreement on the privacy issue at the EU level, the United States has succeeded in inking information-sharing agreements with a total of 10 individual European countries, including Germany, Spain, and Italy. Congress incentivized the agreements in 2007’s 9/11 Commission Act when it offered visa-free U.S. travel privileges to countries that share information to help prevent terrorists from traveling to the United States.
Mark Koumans, U.S. Department of Homeland Security (DHS) deputy assistant secretary for international affairs, explains that the agreements call only for “hit/no hit” queries on biometric data, like fingerprints, preventing any use of the agreements for international data mining. If, for example, the United States collects fingerprints and suspects a nexus to terrorism, the U.S. government would transmit the data to a partner country and receive only a positive or negative response. If there’s no hit, the process ends. If there is a hit, U.S. authorities could initiate a formal exchange regarding the suspect’s travel and possible ties to terror. For example, a Preventing and Combating Serious Crime (PCSC) agreement between the United States and Estonia provides for sharing of biographical information, including name, aliases, date of birth, nationalities, travel document numbers, and criminal history.
The arrangements for sharing information with Canada, the United Kingdom, New Zealand, and Australia, according to the United Kingdom’s The Guardian, involve the establishment of what the countries called a “Server in the Sky” for sharing of biometric data about known or suspected terrorists—a pool of data that has swelled with collection of information from forensic investigations in Iraq, Afghanistan, and elsewhere.
The PCSCs also require that civil liberties protections regarding privacy and freedom of speech be maintained throughout the process. For example, the receiving country must hold data only as long as it remains relevant to the purpose of the original transfer, and the “sharing” country must notify the recipient of any changes or corrections. Similar to U.S. regulation 28 CFR Part 23, which governs federally funded criminal intelligence operations in the United States, agreements like the one with Estonia forbid sharing racial, ethnic, political, labor, health, or sexual information unless it is relevant to the case at hand.
Last year, as DHS prepared to hand off negotiations with the EU to a new presidential administration, both governments issued reports summarizing common ground and their lone point of contention. In its report, EU officials suggested a nonbinding “soft law” or political agreement to foster information sharing based on the current state of play.
DHS Chief Privacy Officer Mary Ellen Callahan tells Security Management that much EU opposition to an information-sharing agreement stems from misunderstandings about the commonalities between the two sides’ privacy laws. For example, redress rights in the EU can be waived on security grounds, just as in the United States. For that reason, the U.S. side has launched an effort to educate its European counterparts on that common ground.
Talks between officials representing the United States and the EU continue, Koumans says. Last month the United States and the EU signed a joint declaration affirming their shared commitment to information sharing and privacy rights.
@ Read the documents via “Beyond Print."