Policy Review Banner

Security and Data Sharing

Wednesday, April 1, 2009

The terrorist attacks of September 11, 2001, mark the beginning of a new era in transatlantic cooperation to combat terrorism. As eu High Representative for Common Foreign and Security Policy Javier Solana put it, this cooperation has been “one of the unsung transatlantic success stories,” evolving over the years regardless of the political climate between the United States and Europe.

While this success has been genuine, counter-terrorist cooperation at the operational level between the United States and Europe still has a long way to go. Terrorism and its frequent companion, organized transnational crime, continue to enjoy many advantages. In Europe, the role of the eu as an institutional entity in combating terrorism and organized transnational crime has expanded during the past decade as Europeans seek to devise a common response to these transnational threats. However, the way in which this process has occurred has often caused serious problems among the 27eu member states and is beginning to do the same for the United States.

EU decisions all too often fall short of their stated goal of combating terrorism or organized crime.

Essentially, eu integration in these fields has been driven largely by political rather than practical imperatives. To advance European integration, policymakers often drive a top-down decision-making process rather than allowing practitioners to devise and propose new structures or other responses from the bottom up as they have traditionally done. As a result, eu decisions all too often fall short of their stated goal of combating terrorism or organized crime. Further, while the need to respond realistically and effectively to the threats from terrorism and organized crime has soared, the means for doing so have become ever more complex. Now as never before, non-law enforcement agencies must be actively engaged, including those focusing on national security, diplomatic, military, and economic functions.1 In the United States, the federal system creates a complex and often duplicative or overlapping environment that militates against a holistic response. Now Europe, as it carves out a role for the eu transcending that of the member states, is largely replicating that complexity on its side of the Atlantic.  

In this extremely challenging setting, transatlantic disagreements are to be expected. However, recent disputes, primarily over sharing personal data — a technical issue about which most people know little or nothing — are on the verge of disrupting mutually beneficial cooperation. The potential for serious adverse repercussions will only grow if key provisions, affecting law enforcement, of the Treaty of Lisbon are adopted and implemented.

The Treaty of Lisbon, the proposed next stage of eu integration, was originally scheduled for adoption in 2009.2 Following the June 2008 “no” vote by the Irish, its future is unclear. Like its predecessor, the Constitutional Treaty rejected in French and Dutch referendums, the Lisbon Treaty contains many proposals that, even if formally rejected, are likely to reappear in some other form. It calls for new and sweeping revisions of internal eu decision-making procedures as well as fuller participation of the European Parliament in many law enforcement and regulatory areas. These provisions could have a dramatic adverse impact on the ability of the United States (and member states) to share information and intelligence in a timely and constructive fashion. The operations of a wide range of regulatory and other civil agencies either directly or indirectly engaged in combating terrorism and organized crime could also be adversely affected.

Nor are disputes over the sharing of personal data likely to be confined merely to the eu and the United States. Rather, as with policies in other areas such as trade and environment, the eu will be seeking to have its standards for international exchanges of information adopted worldwide.

Unfortunately, in the United States, the federal structure greatly complicates efforts to devise a coherent interagency and intergovernmental strategy for dealing with the eu. Lack of sustained senior-level attention to U.S.-eu cooperation, combined with a lack of analytical and long-term strategic planning capability in many of these agencies, only compound these problems.

Some of these tensions could be mitigated through proper implementation by both sides of the soon-to-be-ratified U.S.-eu Agreement on Mutual Legal Assistance (mlat).3 If adopted, the mlat could radically improve the flow of information on both sides of the Atlantic to U.S. and eu law-enforcement, regulatory, and administrative authorities, in some situations shortening investigations by months if not years.

Bottom-up or top-down

For decades, U.S. and European law-enforcement officials have sought access from each other, in a timely and predictable way, to pertinent information. Usually cooperation took the form of bilateral agreements and informal arrangements between, say, U.S. agencies and their German or French counterparts. Information was typically shared in a highly compartmentalized structure driven by the relationships among individual agencies and their foreign counterparts in specific countries.

In this process, relations across national boundaries traditionally developed from the bottom up. The agency with a particular problem generally triggered the development of the relationship. When, for example, the fbi focused on international organized crime, it ran into the barrier of Swiss banking secrecy. The Department of Justice, not the U.S. government as a whole, provided the impetus to approach the Swiss; a bilateral U.S.-Swiss mlat was the result. Similarly, U.S. law enforcement agencies also pursued multilateral arrangements such as Interpol when those were deemed to be in their interest.

The integration of eu law enforcement and regulatory capabilities that began in the </<span class="smallcaps">1990s has proceeded from the opposite direction. Here the primary impetus has been from the political level downward, driven by two imperatives. First, the ministers of justice and interior of the eu member states see the need, as do their U.S. counterparts, for a common response to globalized threats. They are well aware that no single European country can combat terrorism and transnational crime by itself. Second, however, they and the European political elite in general perceive eu law enforcement and regulatory integration as a tool for fostering broader eu political integration. Hence, eu ministers at their regular meetings agree by consensus to various steps, whether extending the authority of the European Police Agency (Europol) or requiring a common system for sharing judicial information. Most of their decisions are met by foot-dragging and entrenched resistance from national police and judicial authorities who do not see the operational benefit of the initiatives adopted by their ministers. This resistance is only overcome slowly and in stages.

The U.S.-eu relationship that developed after September 11, 2001, reflects the tension between the agreed objectives and the operational reality of eu commitments. U.S. authorities, while aware of the twin political motives of their eu counterparts, saw the eu nevertheless as an emerging and increasingly important international actor in the law-enforcement field. They sought to develop their relationship with the eu in a manner that would add value to the existing bilateral relationships with European countries, not undercut or supplant these ties.4

But cooperation can bring strains. Since September 11, the United States and the eu have begun a joint process of mapping out creative ways to combat the new threats of terrorism and international organized crime. In the process, they have signed a number of agreements, covering issues such as the analysis of financial transfer information,5 or the sharing of airline passenger data. Many of these initiatives, however, face legal challenges in Europe. For example, a system to designate terrorists and terrorist organizations and freeze their assets is being challenged by critics in the European Parliament and at the European Court of Justice.6 While these various U.S.- eu enforcement-related agreements have improved cooperation, many U.S. officials fear that the long-term prospects for transatlantic information sharing are not so rosy. Certainly, every new U.S. proposal for further cooperation automatically faces an uphill battle in Europe, usually as a result of doubts about its protection of personal data that eu authorities share with their U.S. counterparts.

Personal data

Historically, u.s. law-enforcement authorities had little difficulty sharing personal data reciprocally with their European counterparts. Generally, absent limitations with respect to the sharing of evidence obtained by compulsory process, such as a subpoena, personal data on either side could be shared with foreign counterparts when necessary. Now, however, the new eu imperative toward integration has made this issue a major irritant in relations between eu member states and the United States.

In all of its recent negotiations, the eu as an institution sought to obtain broad and sweeping protections for personal data: the specific data relating to the who, when, or how, as well as what specific information is to be shared and the retention periods for holding it. eu positions are generally based on the Council of Europe’s convention on data privacy.7eu policies are further influenced by the existence of strong support for civil liberties and data protection in the European Parliament, as well as an influential network of highly independent national data-protection agencies that collaborate with the European Data Protection Supervisor.

In practice, guaranteeing certain and consistent data protection within the eu is quite difficult. Although all eu member states are signatories to the Council of Europe convention, each country nevertheless tends to shape its compliance in accord with its own traditions and domestic law. Similar differences characterize the implementation of eu instruments. Hence, for example, the level of data protection in Germany is much higher and different than that in France. In addition, many of the 12 new member states, most of which are in Central and Eastern Europe, have rudimentary systems of protection coupled with a long history of abuse.

Although eu standards of protection tend to be set very high, the evidence of public support for these standards is weak. Public opinion polls repeatedly show widespread support for an enhanced eu role in combating terrorism; for the most part, there is much less interest in data protection, either among the public or within member-state governments. While the eu needs a standard of protection, it is less clear exactly what that standard should be. The issue of data protection is also inextricably intertwined in the larger ongoing power struggle between the central eu institutions and the member-state governments.

Although EU standards of protection tend to be set very high, evidence of public support for these standards is weak.

eu officials tend to interpret their legal system for data protection as requiring, inter alia, a rigorous and specific finding of “adequacy” as a pre-requisite for sharing such information with other countries, including the United States. The actual definition of “adequacy,” however, is in practice elusive and varies from category to category of data. The U.S.-eu agreements reached to date have been based on the concept that, while U.S. and European systems were different, they generally shared the same basic principles and provided essentially equivalent levels of protection. This result has generally satisfied the need for findings of adequacy. However, current eu demands for adequacy, as reflected in some draft eu proposals, would require, for example, that the United States essentially adopt the most protective features of the European system, including the creation of a data-protection agency or agencies completely independent of executive branch oversight.

The U.S. system contains a variety of oversight mechanisms, such as the Offices of Inspectors General, the Government Accountability Office (gao), the Freedom of Information Act authorities, and congressional oversight powers that have, over time, demonstrated their ability to act independently. A growing segment of the Congress is demanding closer scrutiny of these mechanisms and has mandated the establishment of privacy offices in federal agencies. The Congress is also likely to give the Privacy and Civil Liberties Board an expanded role in overseeing data privacy issues in the future.

However, many in the eu largely dismiss the U.S. system as inadequate. They argue that these various authorities are not sufficiently independent of the executive branch and do not contain sufficient breadth of application across different fields: e.g., there is no single data-privacy supervisor for the U.S. government. There may be a benefit in providing more oversight within the U.S. system, but it must be done in a way that is consistent with U.S. law and tradition and does not diminish the effectiveness of U.S. law-enforcement capabilities. A completely independent oversight body as sought by segments of the eu would be contrary to the structure of the U.S. system, which normally requires that any government agency be subject to numerous checks and balances — that it be under some form of executive or congressional control.

Some Europeans have also called for “adequacy” findings with respect to every category of data, such as credit cards or internet browsing habits, often with additional “safeguards” for every class of data or new use of data. In some new proposals, European insistence on sharing with a third party only when the recipient (presumably another U.S. government agency) can prove that the data are not only “useful” but “necessary” could prove an unrealistic standard for fostering a cooperative relationship. Such standards work in the opposite direction from the current U.S. mandate for much wider, quasi-automatic domestic sharing of critical information among interested agencies.

Analyzing the usefulness of any new data-sharing initiatives would benefit both U.S. and EU officials.

The United States should not shy away from a discussion of these issues. For instance, it might prove beneficial to discuss oversight and transparency issues, especially with regard to bulk data collection, such as data on internet usage. Significant tensions exist with regard to its collection, analysis, and dissemination: It is not information or intelligence predicated on a specific criminal act, but data collected on all citizens, usually for another purpose, by either a commercial or governmental entity. Nor has sufficient information been made public which would help establish the operational, rather than the merely theoretical, usefulness of such processing. For instance, existing U.S. oversight bodies as well as the public do not know, even in general terms, what the benefits have been to date of gathering airline passenger or other similar data. While there are obviously national security limitations on what can be discussed publicly, this issue should be explored in more detail. Ultimately, the U.S. argument for sharing must also justify the burdens of collection costs as weighed against the potential threat to personal liberties.

Analyzing the usefulness of any new data-sharing initiatives would benefit both U.S. and eu officials — the eu is about to embark on many similar types of data gathering and processing. A more uniform set of rules could well result in more domestic information-sharing within the United States. State and local authorities must now cooperate with each other and with federal counterparts to combat terrorism, yet they lack clear rules for gathering and sharing personal data. Officials should not need to worry about venturing too far into gray zones and risking legal sanctions.

In >2007, in an attempt to alter the piecemeal dynamic described above, the United States and the eu began in-depth discussions on a set of common principles that would provide an overarching framework for any future agreements involving the sharing of personal data. Those talks concluded in the spring of 2008,8 with most principles agreed but several issues still outstanding, such as the ability of European citizens to sue the U.S. government over its handling of their data. Some observers are more pessimistic than others regarding the outcome of this process. They cite the substantial eu political pressures to restrict data-sharing with the United States, as well as the inherent difficulty in anticipating all the future categories of personal data that the two sides may wish to share.  

Enter the Treaty of Lisbon

The treaty of lisbon, were it to be enacted, would have a profound negative impact on the ability of either the eu member states or the eu central institutions to cooperate efficiently and to share data with the United States. Implementing many of its provisions would undercut law-enforcement cooperation and make it more difficult, if not impossible, to work together effectively in combating terrorism and international organized crime. Key pitfalls are the unresolved question of who is in charge of the undefined area of “national security”; the enhanced role of Parliament and the European Court of Justice in fields critical to law enforcement; and the potential impact of the Treaty on new internal and external cooperation mechanisms.

Who is responsible for national security?The Treaty states clearly that national security — which is nowhere defined — is the “sole responsibility of each member state.”9 Theeu will not have its own intelligence collection function under the proposal, nor will there be an eu version of the cia. Instead, the eu will rely, as it has until now, on information from member-state intelligence services (however defined or viewed under national law) for a whole range of functions.10 Nor will the European Court of Justice have jurisdiction over member-state policy or law-enforcement activity with regard to maintaining law and order or internal security.11

These clauses appear quite straightforward; however, eu implementation — if history is a guide — will be more complex. Other treaty clauses confirm that the eu is already a de facto player in areas usually considered, at least in the United States, to be part of national security. These include border security, asylum and immigration policy, public health, infrastructure protection, and civil protection, all of which relate directly or indirectly to combating terrorism or transnational crime. Thus, despite the attempt to put this issue to rest, the treaty instead leaves unresolved the question of what role the central eu institutions will have in dealing with European “national security.” In the present circumstances, we can expect the eu to push for greater authority in this field, using an expansive interpretation of ambiguous clauses.

In the field of law enforcement, the eu must now proceed on the basis of decisions reached by consensus, or unanimity, among the eu member states. The Treaty, in an effort to streamline its internal processes, would instead authorize decision-making on the basis of qualified majority voting (qmv) — a powerful tool that is already at the foundation of eu power in areas such as trade. Using qmv would likely result in a much quicker consolidation of eu authority in areas such as those related to national security and law enforcement.12 Taken together, these measures will very likely result in an accelerated transfer of some sovereignty aspects from member-state governments to eu central institutions.

In the field of law enforcement, the EU must now proceed on the basis of decisions reached among its member states.

The eu, a relatively new player, has many shortcomings in the area of justice and law enforcement in general. Its central institutions lack practitioners’ expertise in law enforcement, as operational capabilities remain with the national governments. The central institutions do, however, focus on policy. Unfortunately, their policy expertise is relatively weak in the law-enforcement and national security areas, as these have until recently been beyond the eu’s purview.

Typically, the eu focuses much of its attention inward. In this case, however, it cannot afford to spend years getting its house in order in terms of the sharing of sensitive information — and only then figure out how to share such data with other countries. The result could be European and American lives lost and critical property destroyed unnecessarily.

An expanded role for the European Parliament and the European Court of Justice. The Lisbon Treaty also creates a new and substantial role for the European Parliament and other central eu institutions in overseeing the process for sharing personal data. The Parliament has already made clear its view that priority must be placed on the protection of civil liberties, especially the protection of personal data. Historically, however, it has been precisely in this area that it has disagreed sharply with other eu central institutions — for example, regarding eu data retention requirements or the exchange of airline passenger data with the United States.

If the Parliament acquires the power of co-decision in these areas, it will strengthen its positions and its role in resolving disputes. It will lack, however, the capability and expertise to handle and analyze sensitive data, including classified material, in order to inform itself. The Parliament will also lack any experience of the operational complexities involved. Critics accuse the U.S. Congress of similar failings, yet the Congress has much greater capabilities, born of its centuries of national security and defense responsibilities, than the European Parliament is likely to acquire in the short to medium term. Significantly, European law enforcement has yet to develop an effective capability at the eu level for making its views known and thereby ensuring that its concerns receive proper attention.

The Schengen Agreement established a common external border and lifted internal ones.

The relative importance accorded to data privacy will also be reinforced by supportive clauses in the Treaty related to the 2000euCharter of Fundamental Rights. The Treaty of Lisbon states that the Charter “shall have the same legal value as the Treaties.”13 This appears to mean that the eu central institutions shall apply the Charter’s provisions, as shall eu member-state governments when they are implementing eu law.14 Since more than half of member-state legislation is drafted in Brussels, this means that, de facto, the Charter would be applied very broadly.

Further dark clouds for future law-enforcement cooperation relate to the role of the European Court of Justice. Over 20 years ago, the Court ruled that eu law overrides national law, including bilateral treaties with third countries like the United States. Most likely, in the future, difficult issues arising under the Lisbon Treaty or any successor legislation will be referred to the lengthy proceedings of the Court, despite the fact that the court is unlikely to be privy to the nuances of how to handle terrorism or other cases involving sensitive international issues. Court decisions, which will take years to emerge, are likely to favor a single integrated law-enforcement system to replace the existing and often contradictory national ones. The expanding role of the eu could thus infringe directly on existing bilateral law-enforcement or other ties with eu member-state governments. In a similar vein, the Council of Europe’s Court of Human Rights will likely become a very active player on these issues, with similar potentially adverse results.

Thus, notwithstanding certain of its provisions, the Treaty will extend the oversight role of the European Parliament and the European Court of Justice in law enforcement without offering any obvious corrections to their current shortcomings. The final result could be a formalized and highly cumbersome eu approach that fails to acknowledge the traditional importance of informal as well as formal ties in both national security and law-enforcement operations. Its effect would be opposite from that of the U.S.-eu mlat, which is designed to expand bilateral cooperation.

New mechanisms for “enhanced cooperation.” The Lisbon Treaty text, reflecting the internal tensions surrounding law-enforcement issues, introduces some additional mechanisms designed to offer flexibility. A member state, for instance, can put on an emergency brake to stop proposed eu legislation that it believes may affect fundamental aspects of its criminal-justice system. On the other hand, at least nine (i.e., one-third or more) of the member states can pursue “enhanced cooperation” on the basis of the initial draft proposal.15

Some eu integrative measures have already occurred as a result of a perceived need for enhanced cooperation between various eu member states. The Schengen Agreement established a common external border and lifted internal ones; while the Prüm Convention of 2005 set up a number of information sharing commitments, from the exchange of dna profiles and fingerprinting data to supplying information to prevent terrorist offenses.16 In both cases, provisions negotiated among these smaller groups were subsequently adopted by most or all of the other member states. While these arrangements may help to compensate for the overconcentration of authority in central eu institutions that are not yet configured to exercise it properly, they may also result in increasing fragmentation and delays within the eu.

Europe is just the start

The potential impact of the Treaty of Lisbon’s provisions, if adopted, suggests that the United States could face a sea change in how it fights terrorism and organized crime by cooperating with the eu and its member states. All of its cooperation mechanisms will be up for grabs, and new solutions will of necessity have to be shaped by both foreign and domestic policy interests. Yet so far there appears to be almost no recognition of these potential difficulties on either side of the Atlantic.17

Nor does there appear to be widespread recognition that what goes on in Europe affects the entire system for international law-enforcement cooperation. As is the case in other sectors, the eu is dedicated to seeking to have its standards adopted as widely as possible. When the eu and the United States agree, together they can set the world standard — for innovations like those contained in the U.S.-eu mlat, this can be a tremendous advantage. But it also means that the United States can and must expect the eu to pursue international agreements based on its own principles and interests, regardless of U.S. concurrence. This is already happening at Interpol, for example, where the eu wants its rules on data protection to determine the framework imposed on Interpol’s worldwide system. Similar initiatives are likely at the International Civil Aviation Organization and other international standard-setting bodies. eu requirements that inhibit the effective performance of counterterrorism measures can in this way have a very deleterious impact on U.S. interests, and especially on its ties with other, non-European countries.

None of these trends bodes well for our ability to cooperate with the eu in combating terrorism and serious organized crime, despite individual successes. Unfortunately, U.S. policymakers pay virtually no attention to this problem. Instead, the U.S. government still acts as if it can “go it alone,” a feeling fed by its compartmentalized and fractured organization. As issues arise with the eu, individual agencies feel they benefit from the exercise of autonomy. The Department of Homeland Security, for example, can negotiate an agreement with the eu on airline passenger security without much interference from other agencies or even the National Security Council, as can the Department of Justice on relations with Europol, or the Department of Treasury regarding access to bank transfer data. In the case of airline passenger security, Homeland Security obtained a favorable agreement; in contrast, the eu extracted significant concessions from Treasury in the dispute over the transfer of transactions data.

Overall, however, this compartmentalized approach serves only to weaken the U.S. position. Thus far, the U.S. government at senior policy levels has paid little attention to the operational problems associated with information sharing and has failed to develop coherent policies to reflect its overarching interests and objectives. It needs a strategic approach that is not driven by partisan or enforcement rivalries. It will not be able to continue much longer with its current ad hoc approach, which makes a virtue of the very organizational obstacles that hamper effective cooperation with our international partners, especially those in the eu.

The promise of the U.S.-eumlat

Such a strategic approach could be developed using the implementation of the 2003 U.S.-eu mlat as a springboard for change, since it offers the promise of several innovative U.S.-eu mechanisms for enhanced cooperation. In recent decades, the United States built a matrix of mlats at the bilateral level with individual European countries. Under these agreements, prosecutors and investigative magistrates can request that information located in the jurisdiction of a partner be secured in connection with an ongoing investigation or prosecution, even if it requires compulsory process to acquire.

The multinational nature of many investigations involving terrorism and organized crime, as well as the expanding eu institutional role in judicial cooperation, rendered this matrix increasingly cumbersome, time-consuming, and obsolete. As a result, a mlat which will operate at the eu level was negotiated, along with 27 amended conforming bilateral agreements. Last fall, the U.S. Senate ratified the package. The mlat also requires approval under relevant domestic procedures by the eu member states. Some 24 of the 27 have already done so, including Ireland, the member state that voted against the Lisbon Treaty.

The U.S. government needs a strategic approach that is not driven by partisan or enforcement rivalries.

The new agreement contains unique provisions which could enhance U.S.-eu cooperation in a broad range of areas and set future standards of judicial cooperation internationally. In particular, it holds great promise for radically improving the flow of information useful to law-enforcement authorities as well as to regulatory and administrative agencies. Its features amount to a revolutionary approach to the process of obtaining cooperation abroad, including the exchange of personal data. One particularly dramatic improvement involves the sharing of bank data. Under a traditional mlat, a great deal of data must first have been contained in the initial request, especially the name of the bank where the account in question was located as well as the account number. In contrast, the U.S.-eu mlat does not require someone investigating either terrorism or serious crime to file a formal mlat request at the outset with such identifying bank data, which may take years of investigative effort to acquire. Instead, the party can initially seek such data if there is reason to believe that an account exists within the jurisdiction of the requested party.

In another first, the U.S.-eu mlat envisions the possible creation of truly international, integrated task forces, not just the coordinated parallel investigations which are now almost routine. Germany, for example, could establish a joint task force, comprised of a single investigative team operating under German law. Other countries with concurrent jurisdiction over the same offense could assign investigators to the task force at their discretion.

If the German director asked the U.S. member of the task force for information on the ownership of a company in Milwaukee, the U.S. member would go to his own sources — as it is truly a U.S. investigation. No time-consuming, formalistic mlat request would be needed, and the information would be given directly to the joint investigative team. U.S. authorities could be limited by the claim of double jeopardy if they sought to prosecute the same individual for the same offense, e.g., after Germany or another member of the team had prosecuted the defendant. However, the benefits in terms of speed and efficiency would more than compensate for this potential downside. And for the first time, regulatory and administrative agencies that have the authority to make criminal referrals to law-enforcement agencies will be able to use the mlat to gather information in connection with their investigations. The sec, for example, could use it for an investigation of insider trading involving a terrorist suspect. The only requirement is that, at the end of day, there is a possibility of making a criminal referral.  

Finally, the new mlat will allow information and evidence provided in response to a request to be used, at a minimum, for any criminal investigation or proceeding; for the purpose of preventing immediate and serious threats to public security; and for use in relevant regulatory proceedings. This flexibility is consistent with provisions already agreed by the United States and European Police Agency (Europol) and is designed to allow governments to respond to immediate threats to public security.18 Significantly, the mlat sets a broad standard for the subsequent use of personal data once it is transmitted to the receiving partners. It is unclear what impact adoption of the Lisbon Treaty would have on implementation of these provisions.

Taken together, these various features contribute to providing a powerful platform for responding faster and more effectively to the unique challenges of international crime and terrorism. Gone are the days when law enforcement officials could work alone on a case, slowly allowing mlat requests to wend their way through the legal system of other countries. The U.S.-eu mlat would provide a legal basis for the coordinated effort of bank regulators, customs officials and other regulatory officials in real time. The new mlat could also serve as a template for updating mlats with other countries in the future. Beyond these practical enhancements, successful joint implementation of the mlat could provide a new impetus for the political compromises necessary to underpin the continuing, reliable sharing of information, including personal data, between Europe and the United States. This joint experience could prove invaluable should the opportunity arise to revisit the provisions of the Lisbon Treaty.

While the change of U.S. administrations has improved transatlantic atmospherics, the problems described above will remain and will continue to pose a major challenge to greater cooperation. Both the United States and the eu will have to apply considerable political capital and technical expertise to ensure that their cooperation keeps pace with the constantly changing threats from terrorism and serious transnational crime. They must do so in a way that protects civil liberties, including the protection of personal data, while still allowing effective action by their law enforcement and regulatory authorities. The challenge is great, but achieving cooperative success is simply imperative.

1 Intelligence ties with individual European countries have long been an essential tool to combat terrorism, although little is said publicly about them. The U.S. collection and analytical capabilities generally dwarf those of other countries, in breadth as well as depth of coverage. Yet European intelligence agencies can often supply the missing link required to identify terrorists or their organizations.

2 The formal title is “Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community,” available at http://eur-lex.europa.eu/JOHtml.do?uri=OJ:C:2007:306:SOM:EN:HTML. (This and all subsequent online citations accessed March 9, 2009).  Adoption required the concurrence of all the member states; with the “no” vote in the Irish referendum on June 12, 2008, the treaty’s future is uncertain.

3  The “t” in “mlat” stands for “treaty”; “agreement” rather than “treaty” is used for its multilateral form. U.S. ratification of the U.S.-eu mlat and its companion extradition agreement required approval of a package of over 50 agreements, including modified existing extradition and mutual legal assistance treaties with individual European countries. The original U.S.-eu agreements were negotiated with 15 member states. In 2004, that number increased to 25 and in 2007 to 27, in each case requiring the package to be revised and expanded. The agreement on extradition should streamline current procedures, but while it is quite useful, it is not as innovative as the mlat.

4 See Leslie S. Lebl, “Security Beyond Borders,” Policy Review 130 (April & May 2005), and Leslie S. Lebl, “Advancing U.S. Interests with the European Union” (Atlantic Council, January 2007), 49–54.

5  Immediately after September 11, the Treasury Department subpoenaed the private Belgian organization swift to obtain records of its transfers, copies of which are stored in the United States and thus subject to U.S. jurisdiction. After several modifications were negotiated, swift agreed. This arrangement was the subject of several inquiries, including one by the European Data Protection Supervisor, which found that swift had violated eu data-protection laws by transferring data to U.S. authorities. In June 2007, the U.S. Treasury and eu officials exchanged letters clarifying the protection accorded to the financial-transfer information given by swift to U.S. authorities.  

6 See John Rosenthal, “eu Court Threatens U.N. Anti-Terror Measures,” Transatlantic Intelligencer< (January 28, 2008).

7 “Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (January 28, 1981); “Additional Protocol” (November 8, 2001).

8 Charlie Savage, “U.S. and Europe Near Agreement on Private Data,” New York Times (June 28, 2008).

9 “Treaty of Lisbon,” new Article 3 a, TL/en 14.

10 In Denmark, for example, both law enforcement and intelligence fall within a single ministry.

11 Treaty of Lisbon,” new Article 240b, TL/en 144.

12 For a discussion of these mechanisms, see Elspeth Guild and Sergio Carrera, “No Constitutional Treaty? Implications for the Area of Freedom, Security and Justice” (Centre for European Policy Studies, October 2005).

13 “Treaty of Lisbon,” new Article 6, TL/en 15.

14 Sergio Carrera and Florian Geyer, “The Reform Treaty and Justice and Home Affairs: Implications for the common Area of Freedom, Security, and Justice” (Centre for European Policy Studies, August 2007), 3.

15 “Treaty of Lisbon,” new Article 69(a)(3), TL/en 85–86. See the discussion in Carrera and Geyer, “Reform Treaty,” 5–6.

16 “Prüm Convention” (Council of the European Union, July 7, 2005), 10900/05, available at http://register.consilium.europa.eu/pdf/en/05/st10/st10900.en05.pdf

17 Former U.S. official Stewart Verdery and the Heritage Foundation’s Sally McNamara have expressed concerns. See Charlie Savage, “European security treaty raises worry,” Boston Globe (November 26, 2007).

18  See the statement of Bruce Swartz, deputy assistant attorney general, before the Senate Committee on Foreign Relations (May 20, 2008), 10.