By Ellen Nakashima
Tuesday, July 8, 2008; Page D01
The United States is negotiating deals with European countries to exchange fingerprint and DNA data in criminal and terrorist cases, and in some circumstances to transfer data on race or ethnic origin, political and religious beliefs, or sexual orientation.
Such agreements are a condition for granting citizens of newer European Union member states the right to enter the United States without visas, and for maintaining that right for older E.U. members. U.S. citizens already enjoy such a right when traveling to Europe.
Senior Bush administration officials said the data exchange is crucial for spotting dangerous people before they enter the United States and for furthering criminal and terrorist investigations.
The United States and the E.U. have been negotiating a separate, broad agreement on commercial data protection. But European privacy officials are concerned that the emerging bilateral pacts will not adequately protect people's privacy. And U.S. privacy advocates are concerned about the potential transfer of sensitive information on U.S. citizens to Europe.
The bilateral pacts augment the airline passenger record agreement reached last year with the E.U., which requires airlines flying here from abroad to transfer data on passengers to U.S. security agencies. They also complement a series of bilateral agreements to exchange screening data on known or suspected terrorists, which exclude data on race, religious beliefs and other sensitive items.
"So if we arrest someone who's a German national and we take his fingerprints, we do have the opportunity to send those fingerprints to Germany to say, 'Do you know anything about this person?' " said Stewart A. Baker, assistant secretary for policy at the Department of Homeland Security. "European governments are entering into these agreements much more readily than they were four, five years ago, because concerns about terrorism are no longer confined to one side of the Atlantic."But some European lawmakers fear that, taken together, the accords will lead to a far-reaching exchange of personal data without appropriate safeguards and that eventually the United States will seek access to Europe-wide databases. "We seem to be opening the floodgates, left, right and center," said Sophie in't Veld, a European Parliament member from the Netherlands. "It seems to me there are hardly any restrictions left."
In March, the United States and Germany reached a preliminary agreement on sharing access to fingerprints, DNA files and other information for the prevention and combating of serious crime. The pact is expected to be the model for other bilateral agreements, European officials said. The United States is also holding talks with central and eastern European countries such as Estonia, Hungary and the Czech Republic.
Access to fingerprint files will be on a "hit, no hit" basis, explained Peter Schaar, German data protection commissioner. If one country asks the other to check a fingerprint and there is a match, or hit, the inquiring country would need to follow up with a request for more information on the subject's identity.
The agreement, which was described by two European officials, also allows for the transmission of "personal data revealing racial or ethnic origin, political opinion or religious or other beliefs, trade union membership or information concerning health and sexual life" in cases where they are "particularly relevant to the purposes of this agreement." It defines personal data as "any information relating to an identified or identifiable natural person."
The agreement also specifies that the parties, "recognizing the special sensitivity of the above categories of personal data, shall take suitable safeguards, in particular, appropriate security measures, in order to protect such data."
Baker said that means the United States would not hand over data on a suspect's religious beliefs unless it were relevant to an investigation, as in a terrorism plot involving Islamic extremists.
He said the United States has agreed to limit the purpose for which the data are sought, not to share it with other governments and not to retain data if they are no longer useful -- if there is no match on a fingerprint, for instance. He said errors in records will be corrected.
But Schaar, who is independent from the government, said he found no "clear rules on purpose limitation" or on the storage period. "First," he said, "which data are of concern is not really completely clear. Second, who are the competent authorities on the U.S. side? Third, and most important, there is a lack of independent supervision in the United States over data protection." In European states, independent privacy commissions safeguard the privacy rights of citizens, he said.
David Sobel, senior counsel for the Electronic Frontier Foundation, said transparency is an issue. "It's all well and good to say the Estonian government will provide a right of access and redress, but under what circumstances is an American citizen going to know that the Estonian government has even received his information?"
Germany's president is expected to authorize the signing of the German agreement soon. Its Parliament must pass implementing legislation.
One official from a European state seeking visa-free status said he hopes the pacts will allow his country to obtain such status by the end of the year. "The United States is a close ally of ours," said the official, who spoke on condition of anonymity because of the talks' sensitivity. "Obviously, counterterrorism and the fight against crime is a huge priority for the U.S. and my government, as well."