EU Officials, Lawmakers Prepare to Debate Terror Measures With Privacy Implications

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Jan. 23 —European Union officials are set to start discussions Jan. 27-30 on potential anti-terrorism measures with implications for privacy.

The debate comes in the wake of the extremist attacks in Paris Jan. 7-9.

The bloc's Migration, Home Affairs and Citizenship Commissioner, Dimitris Avramopoulos, and EU Counter-Terrorism Coordinator Gilles de Kerchove will go to the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) Jan. 27 to attempt to drum up support from lawmakers to revive a stalled draft EU directive on sharing airline passenger name records (PNR).

On Jan. 28, the European Commission, the EU's executive, will make a statement to the European Parliament on counterterrorism measures that it intends to propose. The commission is scheduled to publish an EU “internal security strategy” in May.

Then, Jan. 29-30, EU justice ministers will meet in a summit in Riga, Latvia, to discuss measures to combat terrorism and the EU's ongoing data protection reform effort. No decisions on legislation will be finalized at the summit.

PNR Priority

The commission's main priority is likely to be the revival of a draft EU PNR directive that was initially published in February 2011.

The PNR directive would create a harmonized system under which airlines departing from or arriving in the EU would have to provide passenger manifest information to a dedicated law enforcement unit established in each of the 28 EU member states.

Under the proposal, EU member state authorities would be able to hold such data, including passenger names, addresses, phone numbers and credit card details, for up to five years.

The LIBE committee rejected the directive in April 2013, saying that it involved disproportionate data collection, overturned the presumption of innocence and would be better adopted after the introduction of harmonized data protection standards through the planned EU data protection regulation.

In June 2013, European Parliament leaders decided to send the proposal back to LIBE, where it has remained stuck without further action.

Commission Vice-President Frans Timmermans said in a Jan. 21 statement that the commission would consult with the European Parliament and “review our proposal to see if we can accommodate” lawmakers' objections.

The LIBE committee Jan. 27 will also debate EU measures to combat money laundering and terrorist financing.

Awaiting EU High Court Ruling

Bryan Cunningham, a partner with Cunningham Levy LLP in Los Angeles and a former legal adviser to former U.S. National Security Advisor Condoleezza Rice, told Bloomberg BNA Jan. 23 that an EU PNR was “long overdue” and should be part of better information sharing between law enforcement agencies to prevent terrorism.

A confidential document drawn up by de Kerkhove for the Jan. 29-30 justice ministers' meeting said that an EU PNR system is “crucial and urgent.” The document, dated Jan. 17, was obtained and published by U.K. privacy advocacy group Statewatch.

But Ralf Bendrath, an adviser to Jan Philipp Albrecht, the German lawmaker in charge of the EU data protection reform in the European Parliament, highlighted the referral by the European Parliament of a draft EU-Canada PNR agreement to the European Court of Justice, the EU's highest court, for an opinion in the light of the April 2014 invalidation of the EU Data Retention Directive (2006/24/EC).

“We should probably wait for that opinion before adopting our own PNR system,” Bendrath said, at the Computers, Privacy & Data Protection conference in Brussels.

Counterterrorism Proposals

Other counterterrorism steps with a potential impact on privacy that the EU may take were outlined in a confidential document drawn up by de Kerkhove for the Jan. 29-30 justice ministers' meeting.

According to the document, EU countries could establish units similar to the U.K.'s Counter Terrorism Internet Referral Unit, which receives public tip-offs about online content that glorifies terrorism and seeks to have it removed.

The units, and Europol, the EU's law enforcement coordination office, could work with social media platforms in “either flagging or facilitating the flagging of content which breaches the platforms' own terms and conditions,” the document said.

Europol's capabilities could be “beefed up to allow for monitoring and analysis of social media communication on the internet,” and the commission should “examine the legal and technical possibilities to remove illegal content” and propose a common harmonized approach to extremist content, the document said.

Data Retention Issues 

The annulment of the Data Retention Directive has called into question all retention of telecommunications data for EU national security purposes.

The de Kerkhove document said that the commission should “be invited to present as soon as possible a new legislative proposal for data retention.”

A European Commission representative at a Jan. 8 LIBE meeting said that the commission hadn't decided on its response to the invalidation of the Data Retention Directive.

Access to Encrypted Communications

Gerrit Hornung, a professor of law at Germany's University of Passau, speaking Jan. 23 at the Computers, Privacy & Data Protection conference, said that following the Paris terrorist attacks, “we'll face a new round of surveillance measures,” including possible measures on encrypted communications.

De Kerchove's document added that the European Commission may “explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights” the encrypted communications of their customers.

Since the disclosures regarding the scope of surveillance activities by the U.S. National Security Agency made by Edward Snowden, a former employee of a contractor for the NSA, “internet and telecommunications companies have started to use often de-centralized encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible,” the document said.

U.S. President Barack Obama and U.K. Prime Minister David Cameron have raised the issue of the creation of a back door to allow law enforcement agencies access to encrypted private communications.

Encryption Measures Unworkable?

Cunningham said plans to give law enforcement agencies access to encrypted communications are “not enforceable” and “just not workable.”

In particular, to protect the privacy of their customers, technology companies aren't retaining encryption keys but are rather placing them on communication devices so that only the customer holds the key, Cunningham said.

In the U.S., Fifth Amendment rights would probably mean that individuals couldn't be compelled to give up their encryption keys, he added.

Post-Snowden customer concern about data being passed to the authorities means that “every big company that's in the business of communication is attempting to honestly increase the privacy of their customers and to demonstrate to their customers that they are fighting the government” to resist mass electronic surveillance, Cunningham said.

Encrypted communications are a “very, very scary problem” for law enforcement agencies that cannot easily be solved, he said.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

The Jan. 17 paper prepared by the EU Counter-Terrorism Coordinator for the Jan. 29-30 justice ministers' meeting is available at