Governments are becoming increasingly data-hungry. Largely because of concerns about terrorism, government agencies are seeking to collect and process more and more types of personal data. While many of these types of data collection may be necessary, the burden of collection is unfortunately often placed on companies that are also under conflicting data protection obligations.
Following 9/11, governments in both the EU and the US sought to greatly expand their access to different types of data, in order to investigate terrorist incidents and prevent others from happening. This type of collection covers areas such as money laundering, antiterrorist financing, airline passenger data, customs information, telecommunications records, logs of web pages, and many other types of data. In today’s globalized economy, much of this data is not itself collected or retained by governments, but is held by private sector entities and companies.
But companies also have obligations under data protection and privacy law. In Europe, data protection law places heavy burdens on companies to collect and process personal data only for specific purposes and not to process them in other ways; to delete data once the purposes of processing have ended; and not to pass on personal data to third parties (including governmental entities) without notice being given to individuals and, in some cases, only with consent.
Companies are certainly willing to do their part in the fight against terrorism, but they are often placed in a position of having to comply with conflicting data protection and law enforcement rules, so that it is almost inevitable that they will have to violate one of the two. For example, before the US and the EU finally reached an agreement recently on the transfer of airline passenger data to US law enforcement authorities, airlines flying from Europe to the US were in effect breaching EU data protection rules by transferring such data to the US Department of Homeland Security. In another case, the French data protection authority found that whistleblower complaint hotlines run in France by companies, many of which were obligated by US law to maintain such hotlines in their operations overseas, violated French data protection law. The number of these conflicts is only increasing.
Data protection and law enforcement regulators often seem to be operating in different worlds, and do not speak to each other sufficiently. What is needed is more communication between privacy regulators and those in other areas, and an overarching framework for privacy protection in the context of transferring personal data to law enforcement authorities. Moreover, this framework needs to be coordinated not only within Europe, but also between Europe and other countries like the US.