The European Union is to impose stricter rules on its own use of private citizens' data for all future anti-terrorism measures.
The European Commission currently oversees a large number of mechanisms designed to combat crime, in particular terrorist activity. The vast majority of these instruments involve the collection, storage or exchange of personal data for law enforcement or migration management.
"Citizens should have the right to know what personal data are kept and exchanged about them," said Cecilia Malmström, EU Commissioner for Home Affairs, announcing the new rules on Tuesday.
All future policy proposals will be assessed for their expected impact on individuals' rights and their proposers must prove that the initiatives are necessary, proportionate and safeguard fundamental rights. There must also be a clear allocation of responsibilities, as well as structured review procedures. Compliance with these rules on personal data protection will be subject to control by an independent authority at national or EU level.
One such initiative is the European Cybercrime Platform (ECCP) set up alongside national cybercrime platforms in 2008 to collect, analyse and exchange information about offences committed on the Internet. European citizens can report illegal online content or behavior directly to their national platforms, while the ECCP is managed by Europol and receives law enforcement authorities' reports on serious cross-border cybercrime. Currently, data protection rules are established by the Europol Decision and Council Framework, but in future the ECCP will report on its activities in an annual report submitted to the Council for endorsement and to the European Parliament for information.
Other instruments that could be covered by the new rules include the controversial Terrorist Finance Tracking Program (TFTP), an agreement with the US that allows the US access to European citizens' financial data. Also covered are organisations such as Europol, the European police agency, and Eurojust, which coordinates cross-border judicial operations and has access to information including telecommunications traffic of suspects and offenders in cases of serious crime affecting two or more EU member states.
The new rules will also apply to the Schengen Information System (SIS) and Schengen Information System II, through which data are shared on persons moving within the "Schengen Area", a group of countries which have agreed not to enforce identity checks at their common borders.
European databases for the assessment of asylum applications (Eurodac), visa applications (the VIS Visa Information System) and tracking of air passengers (API or Advance Passenger Information System) will also be covered, as will systems for tracking customs declarations and sharing criminal records.