With the advance of the Internet, activities that used to be time-consuming now only take a minute. For those who increasingly find themselves under time pressure, the Internet is a means to save time, and many are choosing, for instance, to shop online. Yet besides the money that is spent, personal data is also given out within the context of a particular transaction. What may happen to this data beyond the commercial context, and what decisions could be made based on this data?
At times, personal data shared with a company while making an online purchase may end up in the hands of law enforcement authorities. This would be the case, for instance, if the proposed Passenger Name Records (PNR) Directive, mandating EU air carriers to transfer passenger data to special passenger information units, comes into force. While, clearly, the only goal for which individuals give out data is obtaining a ticket, they practically have no say as to the onward transfer of this data to such units. The legal basis for such transfer - in the given case Articles 82(1)(d) and 87(2)(a) TFEU - trumps individual consent, and the only thing remaining is to count your losses…of data.
Another issue is that, under Article 4 of the PNR Directive, passenger information units may use passenger data for the purposes of terrorist profiling. Among other applications, such profiling aims to apply the previously found patterns in data, associated with terrorist activity, to new PNR databases and identify individuals who match these patterns. If, as a result of profiling, a passenger is flagged as ‘requiring further examination’, an investigation will follow and, should the risk be confirmed, he could be denied boarding and apprehended. One of the main issues arising here is the (in)transparency of profile-based decision-making and an individual’s right to access the profile. Can the passenger, and if so to what extent, get access to the profile - this government-imposed identity - that has been created and applied to him?
Some answers – yet perhaps even more questions – are provided by Framework Decision 2008/977/JHA and the jurisprudence of the European Court of Human Rights (ECtHR). Article 17 of the Framework Decision (applicable only to cross-border, but not national, processing of data) allows individuals limited access to their own data, and the emphasis is placed on indirect access through the Data Protection Authority (DPA). The ‘limited access’ line of reasoning can also be traced in ECtHR judgments such as Segerstedt-Wiberg and Leander, where the interests of national security prevailed over the (full) disclosure, to the concerned individuals, of the data gathered on them.
The common point of this framework is that it is focused on personal data – i.e., data that belongs to an identified or identifiable individual. Yet, in the context of terrorist profiling, are we always talking about personal data? Without going into profiling terminology, suffice it to say that at least some profiles applied to individuals under Article 4 of the PNR Directive would be based on ‘pre-determined criteria’ – i.e., on patterns that were previously identified using the anonymized data of other persons. Such a profile, it would seem, cannot be linked to the individual to whom it is applied within the meaning of the EU data protection framework. Thus, if an individual requests access both to the profile that has been applied to him and to the personal information gathered on him after he was flagged, only limited access to the latter would be granted.
This brief assessment of a profiling case-study shows that technology develops faster than law, and the latter cannot lag behind. To be or not to be profiled is no longer a question, as, at least in the law enforcement field, we can expect profiling to be widely used without individuals’ consent. Given the specificities of profiling techniques, in addition to the protection of personal data, the legal framework should allow for the protection of individuals against the negative aspects of profiling, at least by providing some access to profiles that have been imposed on them. The proposed Police and justice sector data protection Directive seems to have offered, although vaguely, such an opportunity in its Article 11, stating that an individual can be granted access to ‘any further information in so far as such further information is necessary to guarantee fair processing in respect of the [individual]’. Let us hope that this provision will see the light of day in the final version of the Directive!