EUOBSERVER / BRUSSELS - The European Union and the US continue to wrangle over how best to protect personal data exchanged between law enforcement authorities on both sides of the Atlantic as part of the War on Terror and the struggle against transnational crime.
"Painstaking" and "difficult" talks lie ahead, Jonathan Faull, the head of the European Commission's justice and home affairs department, told journalists on Wednesday (2 July).
According to the official, the two sides have reached "a certain measure of common agreement on principles". "We are 70-80 percent of the way there," Mr Faull said about nearly 18-month-long, closed-door negotiations.
European data protection rules are "very different" from those applied in the US. So far, negotiators have been able to tease out twelve "personal data protection requirements" such as purpose specification, sensitive data, independent oversight or redress.
"The Americans had to be convinced one by one of the importance of these principles and the need to agree to them," the commission's Jonathan Faull said, adding: "Why are the Americans doing that? Because they have an interest in sharing data." Main sticking points
But the devil lies in the detail, and the two sides are yet to agree the scope of the application of these basic principles.
"It is not hard to say that the duration of retention of data should be the shortest possible ... that 's fine as a principle. What people need to know and want to know is how long," Mr Faull said.
According to him, the purpose for which the state requires personal data "must be specified and limited". Sensitive information such as health "should not be processed and if so, only in very exceptional circumstances with appropriate safeguards".
If law enforcement authorities are looking for a terrorism suspect, who is known to be a diabetic, then it might be "reasonable" for those authorities to request a sensitive piece of information on health, so they can check it against another database, Mr Faull said. Otherwise, airlines "should destroy" the information once the food was served and the purpose for which the information was provided expired.
Currently, the main sticking point is "redress", meaning whether European citizens could file a lawsuit against the US government. The 1974 Privacy Act allows American citizens and permanent residents to challenge the state, but this right does not apply to foreigners.
"It seems to us very important that the Europeans should have in the US courts the same rights of action as the Americans have in our courts when they believe that their data protection rights were infringed," Mr Faull said.
Divisions also remain concerning companies that could find themselves caught up in a possible conflict between EU and US law. In addition, relations with countries beyond the US that may receive access to data that cross the Atlantic need to be sorted out.
"We want to be sure that wherever our data end up they get proper level of protection," Mr Faull said, adding that the issue is particularly important vis-a-vis Canada. What's next?
The EU's executive body hopes to have a legally binding international deal "sometime next year".
"Once we determine that an agreement is really possible ... we will seek a necessary mandate from the council [representing EU governments] and there will be formal international negotiation with the view to concluding binding international agreement between the EU and the US," Mr Faull said.
The current EU treaty allows for more speedy negotiations as justice and home affairs matters lie in hands of the member states. Under the Lisbon Treaty, arrangements would be different, meaning the European Parliament would gain an equal say in the process.