Since the September 11th attacks on the US, data has been used as a tool in the fight against terrorism. Tracking terrorists worldwide has prompted US authorities to seek access to information held in European databases.
This has created a transatlantic battle that has pitched counterterrorism strategy against privacy concerns. The EU’s data-protection directive is strict about what data can be used for; much of the battle has focused on the US ignoring those rules when it accesses EU data.
Soon after the September 11th attacks, US authorities began to target the financing of terrorism by demanding that Swift, a company that transfers money between countries, hand over information on all European banking transactions.
It was able to do this because, despite being a European company, Swift’s major databases containing the information were also stored in the US.
But the data transfers were secret; they became known only after a leak to the ‘New York Times’ in 2006. The news caused controversy in Europe, with the EU’s data-protection commissioners ruling that the data transfers were illegal and should be stopped.
An agreement was struck in 2007 between the EU and US to allow the data transfers, but it had to be amended when Swift changed how it managed the data to better comply with EU rules.
Another controversial transatlantic tussle over data has involved information about airline passengers entering the US, known as passenger-name records (PNR). Airlines have always collected this information before people fly. As well as home addresses, phone numbers and credit-card details, it can include sensitive information about health and religious beliefs.
In 2004 the US sought the data as a way of alerting authorities to dangerous people entering its territory. An agreement was signed with the EU, but there were concerns in the European Parliament about whether EU citizens' data was being protected. The European Court of Justice struck down the deal.
A new agreement was signed in 2007 but later rejected by MEPs, who said concerns remained about the type of data collected, the length of time it would be stored, what it would be used for and whether EU citizens could seek redress if the information was incorrect. Last year the European Parliament approved a new deal after these concerns were addressed.
The US is not the only country eager to use data to fight crime. The 2006 EU data-retention directive obliges telecom firms to store phone-call and email data for at least six months and allow police and other security agencies to access it.
EU authorities are also trying to get access to Eurodac, which stores fingerprints of asylum seekers. The database originally prohibited police access, but that looks about to change, with backing from the European Commission and the European Parliament. The EU is also trying to introduce its own airline-passenger database for use by security authorities.
Law-enforcement bodies say the information gleaned from major databases is vital in the fight against serious crime. David Heyman, assistant secretary in the policy office at the US department of homeland security, told a US Congress committee in 2011: “Just as fingerprinting was first used and became an important tool in criminal investigations in the beginning of the 20th century, so too, at the start of the 21st century, has passenger-name-records analysis become a vital tool in terrorist and transnational criminal investigations. DHS has also relied on PNR data analysis in nearly every human-smuggling case involving air travel.”
But others remain unconvinced about trawling databases for specific information. One study by the Breakthrough Institute, a think tank in the US, showed the number of FBI cases prosecuted by the US department of justice between 2002 and 2008 fell significantly. “At the same time investigators were collecting more information, they were also referring fewer cases to prosecutors overall, and a much higher percentage of those did not meet prosecutors’ standards,” it said.