Select Committee on European Communities Twenty-Ninth Report


Human rights

  40.    Justice expressed a further concern about the adequacy of the rules on the transmission of data to third States. In Justice's view, there needed to be a wider assessment of adherence to human rights standards in the country of destination. Justice pointed to the possibility of violation of human rights occurring as a result of information transmitted by Europol to third States and bodies. Justice believed that personal information should not be communicated wherever there was a chance that such violations might occur. Justice also advocated that as under the First Pillar human rights clauses drawn by reference to internationally agreed human rights instruments should be standard in third country agreements (p 25, Q 175).

  41.    The Minister accepted that there was a danger of human rights violations occurring as a result of personal data transferred by Europol. She referred to Article 3(3) of Europol 27 which required the unanimous approval of the Council before agreements with States or bodies could be negotiated: "We believe that this constitutes an adequate safeguard to ensure that agreements are not reached with States or bodies whose human rights standards may be open to question" (p 3).

  42.    As regards the possibility of agreements imposing "further conditions" on third States and bodies, the Home Office explained that this provision enabled the Council to impose any protection necessary in the particular circumstances of the agreement in question. The observance of human rights in the country concerned was something which might give rise to special conditions. It was envisaged that a starting point in an agreement would be to specify a requirement of lawfulness in obtaining data to be exchanged. But the precise standards and protections would vary from country to country, depending on their existing international obligations. For European countries the European Convention on Human Rights might be an appropriate reference point. The Home Office accepted that making agreements conditional on the observance of human rights was a possibility to be considered. Consideration might also be given to providing for some form of suspension clause in the event of a deterioration in the observance of human rights or to framing agreements so that supply of data was permissive, not mandatory (QQ 18-20, 23, 24).

  43.    The Minister believed that agreements which Europol concluded with third parties would include human rights clauses. The question was whether it was appropriate to do so in all cases or on an individual case by case base. She thought the latter preferable, though she accepted that there might be practical difficulties in individual negotiations if the inclusion of a human rights clause was not standard practice (QQ 217-9).

Supervision by the JSB

  44.    Justice called for a greater role for the JSB in monitoring human rights as regards data protection (Q 187). The Registrar expected the JSB to be involved and to offer advice whether sought or not. As to conditions to be inserted in agreements, the JSB might want to suggest particular requirements dealing with limitation on purpose and the extent of data to be transferred. But she did not expect the JSB to take on any wider monitoring of human rights than in relation to information handling (QQ 134, 155).

Restrictions on use of data transmitted

  45.    Transmission of personal data to third States and onward transmission within that State is restricted to crime prevention authorities. A third State or body must agree not to communicate the transmitted data to other States or bodies (Article 5). The Home Office envisaged that agreements would contain clauses preventing data from being passed to law enforcement agencies which did not have the same purposes and functions as Europol (Q 21).

  46.    Personal data can only be transmitted where the request indicates the purposes of and reasons for the request. The recipient must give an undertaking that the data will be used only for the purposes stated and shall be deleted when no longer necessary for the purposes for which it was transmitted (Article 6).

  47.    Mr Abbott (NCIS) recognised the need for concern over the security of sensitive information and intelligence and to be vigilant about what was happening to it. He agreed that there ought to be some sort of procedure which made it clear to the recipient exactly what it could do with the information and contained routine safeguards for those the subject matter of the information. He was not aware that under present arrangements, for example in relation to Interpol, there were any rules in existence. Judgement was used by the staff involved. However, with regard to intelligence, as opposed to routine factual information, all documentation had restrictions marked on it (QQ 92, 101-2).

Director's discretion

  48.    Under Europol 27, Europol may transmit data to a third State or third body if there is an agreement between Europol and the State or body concerned or "exceptionally, where the Director considers the transmission of the data to be absolutely necessary

-  to safeguard the essential interests of the Member States concerned within the objectives of Europol,

-  in the interests of preventing an imminent criminal danger" (Article 2(1)).

The Director's powers are limited to "basic protection level" data (Q 28). Transmission of personal data classified Europol 1, 2 or 3, can only take place when there is an agreement.[20] Europol's classification system (found in the Confidentiality Rules) is described at paragraph 21 above.

Essential interests of Member States

  49.    Mr Cullen was critical of the extent of the Director's powers under Article 2. If interpreted broadly they could defeat the protection provided by the making of agreements with third States and bodies (p 46). As regards the extent of the Director's powers, the Home Office explained that in determining what were the "essential interests of the Member States" the Director could seek advice from the Management Board or ad hoc from the Member States. Mr Wrench said: "In any particular case, where the Director was concerned about whether essential interests were at stake, he would be quickly on the telephone—in the case of the United Kingdom perhaps, to the head of the National Criminal Intelligence Service—to take it over". He did not envisage any document setting out Member States' essential interests (Q 29).

Preventing imminent criminal danger

  50.    The Home Office acknowledged that the criterion "preventing imminent criminal danger", used in both Europol 27 and Europol 29[21], was a broad one. It was not restricted to the threat of criminal activity directly within Europol's mandate (e.g. unlawful drug-trafficking) but included "related criminal offences" within the meaning of Article 2 of the Convention. The notion of "imminent criminal danger" did not necessitate a danger to the State. A serious criminal danger to an individual would suffice (QQ 31-4, 56).

Role of Joint Supervisory Body

  51.    As mentioned, the Europol Convention contains detailed rules for the protection of data and gives the individual the right of access to information held on him or her. Supervision is effected by a twofold process. Each Member State must designate a national supervisory body to monitor the lawfulness of the input, retrieval and any communication to Europol of personal data by the Member State concerned (Article 23). The Data Protection Registrar will perform this function in respect of the United Kingdom (Q 120). The Convention also establishes an independent joint supervisory body (the JSB), comprised of representatives from each of the national supervisory bodies, to review the activities of Europol in order to ensure that the rights of the data subject are not violated. The JSB will also monitor the permissibility of the transmission of data originating from Europol (Article 24).[22] The Data Protection Registrar expected to be one of the United Kingdom's representatives on the JSB (Q 120).

  52.    Under Europol 27, where personal data has been transmitted under the authority of the Director, the Management Board and the JSB must be informed of the decision and the reasons for it. The Director must, on request, supply any further information about the transmission (Article 4). Justice emphasised the importance of accountability in this as in other Third Pillar matters and called for greater accountability of the Director to the JSB. Whenever the Director exercised his powers under Article 2 he should, without waiting for a request, furnish a full statement of reasons to the JSB. The JSB should also be under an obligation to publish statistics on the use of the power in its periodic report (p 26, Q 174).

  53.    The Minister did not agree and took the view that these matters were for the JSB which could request further information where it considered that necessary and, as regards publication of statistics, could take such action as it felt appropriate (p 4). The Data Protection Registrar thought the JSB should take "a very active role in keeping the Director of Europol accountable for what is going on". Though any action by the JSB would be after the event "we can at least make the Director answerable and try to make what goes on as transparent as is consistent with the functions of Europol". She expected the JSB would require regular reporting from the Director, including the use of his discretion in the exceptional cases described above (QQ 147-8).

Powers and resources of JSB

  54.    Justice noted the lack of powers of the JSB when compared to the national supervisory bodies. In Justice's view, the JSB should have an independent power of enforcement, backed by the authority of the Court of Justice, and a guaranteed minimum level of budgetary support. Mr Spencer said: "The Convention lays down that [the JSB] will have a secretariat and the draft rules governing the JSB specify in Article 7 that there will be provision for external experts to carry out location checks on its behalf. That will surely need a substantial budget. A great deal will depend on how many experts can be employed and how close a watch they can keep on things". He suggested that it might be appropriate for the JSB to have an office established within Europol to effect an ongoing programme of checks (p 30, Q 188).

  55.    The Data Protection Registrar had some sympathy with the call for adequate resources. The matter would have to be kept under review. It was not yet clear how much traffic through Europol there would be. As regards the suggestion that JSB might take on enforcement internationally dealing with counterparts outside the EU, the Registrar said that the question was whether it was feasible. She favoured action in advance of problems: something to look for before concluding an agreement with a third party should be the adequacy of local enforcement if things went wrong. As regards co-operation between enforcement bodies, the Registrar drew attention to the highly developed network of data protection commissioners which would grow because of the requirements of the EC Data Protection Directive. There was a wider international network beyond that and upon which she believed an informal approach to co-operation and enforcement should be built (Q 163).

  56.    The Home Office said that there had already been some discussion about the JSB's resources and how it would be funded. Under the Convention (Article 24(9)) the JSB had to be consulted on that part of the Europol annual budget that concerned it. At least ECU 500,000 has been set aside to fund the JSB next year (Q 245).

Correction and deletion of data

  57.    The recipient of data must also undertake to correct or delete data later found to be incorrect, inaccurate, out of date or which should not have been transmitted. The Director has to inform the Management Board where such correction and deletion of data has been required (Article 7).

  58.    Justice doubted whether third States and bodies would respect such requirements when Europol had retained the ability to ignore any similar requirements imposed on it (p 29). This is considered further at paragraph 68 below.


  59.    Agreements between Europol and third States and bodies must contain appropriate provisions on liability in the event of unauthorised or incorrect data processing (Article 8). The Home Office explained that this provision is concerned with the relationship between Europol and the third State or body. It does not affect the position of the citizen aggrieved by unauthorised or incorrect data processing by Europol. His or her rights are against the Member State concerned, as set out in the Convention.[23] That Member State might seek reimbursement from Europol. The purpose of Article 8 was to enable Europol to obtain reimbursement from the third State or body (QQ 38, 39).


  60.    Europol 38 is concerned with the receipt of information by Europol. The legal base is Article 10(4) of the Convention. The rules in Europol 38 enable Europol to conclude agreements with third States or bodies, the decision as to which being, with the exception of EU-related bodies, for unanimous agreement of the Council. Before giving its approval the Council has to obtain the opinion of the JSB (Article 2).

Necessity for an agreement

  61.    Justice contrasted the approach in Article 2 of Europol 38 with that of Article 2 of Europol 27. Under the latter Europol could only transmit data where, in all but exceptional cases, there was a formal agreement with the recipient in place. Article 2 of Europol 38 provides that Europol "may conclude agreements with third States and third bodies on the receipt of information by Europol". Justice noted that there did not appear to be such a prior condition for the receipt of data. The danger was that in the absence of an agreement whatever safeguards the Rules (in particular the provisions in Article 4 relating to correction, retention and transmission of data—these are described below) provided would not apply. Justice said: "The rules on the receipt of personal data thus appear to have been drafted throughout on the tacit assumption that data quality is secondary to the fact that some information has been offered, however suspect its provenance and regardless of how it was obtained" (p 29, Q 166).

Data protection—equivalent level of protection

  62.    The Data Protection Registrar, referring to Article 42 of the Convention, took the view that the Rules should expressly provide that information received from third party States and bodies was subject to the same controls and rights as information transmitted within the EU. Individuals should have the same rights in relation to information received from third States and bodies as they did in relation to information transmitted within the EU (p 17). The Minister did not consider this necessary. The position was made clear in Article 42 and was reiterated in the preamble to the Rules (p 3). The Registrar replied: "I would still prefer to see something expressly provided for in the Rules, really because the Rules are going to be the working documents. The Rules are going to be what are used day-by-day by those who are handling the information, and who must make sure that the rights of individuals are protected" (QQ 137-8).

Classification of information received

  63.    As regards the reliability of the information and its source, Europol must ask the third State or body to assess this in accordance with Article 11 of the Rules applicable to analysis files (Europol 10). Article 11 of those Rules sets out the following "criteria" for the assessment of the source of information:

  "A.  Where there is no doubt of the authenticity, trustworthiness and competence of the source, or if the information is supplied by a source who, in the past, has proved to be reliable in all instances.

  B.  Source from whom information received has in most instances proved to be reliable.

  C.  Source from whom information received has in most instances proved to be unreliable.

  D.  The reliability of the source cannot be assessed."

The following criteria apply to the assessment of the reliability of information:

  "1.  Information whose accuracy is not in doubt.

  2.    Information known personally to the source but not known personally to the official passing it on.

  3.    Information not known personally to the source but corroborated by other information already recorded.

  4.    Information which is not known personally to the source and cannot be corroborated."

If no assessment is provided, Europol must assess the information in accordance with those criteria (Article 3).

  64.    Under the Convention responsibility in respect of data communicated by third parties rests with Europol (Article 15). The Home Office confirmed that nothing in Europol 38 overrode Europol's responsibilities under the Convention. The purpose of Article 3 (described above) was to assist Europol in their execution (QQ 40-41).

  65.    Justice said that the requirements of Article 3 had nothing to do with data protection and data reliability: "it is simply a rough and ready means by which Europol classifies information according to what is known about the reliability of the source. There is nothing to stop information being stored when (for instance) the source has in most cases proved to be unreliable, or where this cannot even be assessed". Justice said that the dangers in using any information whose reliability was suspect were greater where it came from a State not subscribing to the 1981 Council of Europe Convention and to Recommendation No. R(87) 15. The latter was quite specific on the need at all times to distinguish data based on facts from data based on opinions or personal assessments.[24] Article 3 of Europol 38 should have placed greater weight on Article 15 of the Europol Convention. Unverified data should be treated with the utmost caution, especially where there were grounds for believing that it had been obtained in breach of human rights. Justice stressed the need for there to be agreements with third States on receipt of information dealing specifically with this matter (p 28, Q 183).

  66.    The Data Protection Registrar recognised that Europol, like domestic police forces, had to have the freedom to receive any information. It then had to make a judgement about whether the information was the sort it should be holding: "you have to be careful not to say that there is a category of data, or a source of data, that you would want to rule out entirely". How information was marked according to its source should give some indication as to how it should be used and how long it should be kept (Q 136). Justice "slightly" disagreed with the Registrar. It should be made clear at the outset that certain data were unacceptable (QQ 169-70).

Correction and deletion of data

  67.    Agreements must provide that the third State or body must inform Europol when it corrects or deletes information sent to Europol. But Europol need not delete the information if it needs to process it further for the purpose of the analysis file or Europol has a further interest in the information based on intelligence more extensive than that of the transmitting State or body. Where Europol retains the information, the third State or body concerned must be informed of the continued storage of the data. If Europol has reason to believe that information received is not accurate or no longer up to date, it must inform the third State or body which supplied it. Where information is corrected or deleted by Europol, it must inform the third party of that fact (Article 4).

  68.    Justice questioned the compatibility of Article 4 with Article 20 of the Convention which provided that Europol "shall correct or delete such data". There were no exceptions to that rule. The drafting of Article 4 was odd and suggested that someone had added a sentence as an amendment to what had previously reflected Article 20. There was, in the Minister's view, no incompatibility. Article 20 referred to the situation where it emerged that data held by Europol was incorrect and Europol recognised that it was incorrect. The exception in Article 4(2) of Europol 38 referred to the case where a third State informed Europol that it had corrected or deleted information but where in Europol's view, because of other information it had, to delete the information would not be appropriate because the original information retained valid data (QQ 236, 239).

  69.    Justice also referred to a "gross inconsistency" between the provisions of Article 4 and those of Article 7 of Europol 27. Under the latter the recipient of data from Europol had to give an unqualified undertaking to correct or delete data upon request from Europol. Third States were unlikely to take seriously such restrictions when Europol had given itself freedom to ignore them when it thought fit. There were, moreover, dangers both to individuals and the reputation of Europol. Mr Spencer said: "We rather feel that the Council has done Europol a disservice by framing rules with what appear to be deliberate loopholes because without really rigorous rules to back them up, senior officials of Europol are going to find it hard to ensure that over-zealous or over-ambitious employees do not bend the rules unnecessarily" (p 29, QQ 166-8). The Minister did not agree. She believed that Justice had failed to make the distinction between being informed that a piece of information was incorrect and that information actually being incorrect (Q 241).

  70.    Justice also took the view that whenever Europol, under Article 4, decided not to delete data after having been advised to do so by the country of origin this should be notified to the JSB together with a full statement of reasons for the decision. The JSB should be under an obligation to publish statistics on the use of the power in its periodic report (p 26). The Minister did not agree. It was unnecessary to impose such obligations. The JSB could take such action as it felt appropriate (p 4). Justice did not accept this: the JSB's powers and resources were inadequate for such monitoring (p 30).

Information obtained in violation of human rights

  71.    Article 4(4) of Europol 38 provides:

"Without prejudice to Article 20 of the Convention [correction and deletion of data] information which has clearly been obtained by a third State in obvious violation of human rights shall not be stored in the Europol information system or analysis files". The earlier version (Europol 28) provided that such information would be "marked" by Europol.

  72.    Witnesses expressed concern about the implications of Article 4(4). Mr Cullen said that "it surely would not be acceptable for Europol to deal in any way with information obtained in violation of human rights" (p 46). The Registrar said that consideration needed to be given to identifying in what circumstances the processing of information obtained in violation of human rights could be justified and what the appropriate safeguards would involve (p 17). Justice criticised Article 4(4) as not being sufficient to protect and promote adherence to human rights law. Information obtained as a result of a serious breach of human rights could not be used for any purpose other than as evidence of that breach. Serious breaches might be defined by reference to the concept of non-derogable human rights, such as the right to life, freedom from torture, slavery and non-retroactivity of criminal offences as found in Article 15 of the European Convention on Human Rights. Justice advocated that "as a minimum, Europol should not be allowed to receive or hold information obtained through a breach of these rights, or transmit them to Member States" (p 25).

  73.    As to the detailed wording of Article 4(4), the Home Office explained that the reference to information which had "clearly been obtained by a third State in obvious violation of human rights" was because Member States had been hesitant about imposing a duty on Europol which it would be difficult to meet in practice. Mr Valls-Russell (EDU) said: "[The wording] is to make it practical to operate; also, not to introduce a sort of ex post facto illegality. That is the biggest fear. If, to take an extreme example, there were not the words "obvious" and "clearly", Europol could take information in good faith and then later, ..., when it is found that it was obtained illegally, Europol becomes guilty of an illegal act". The Home Office accepted that it would only be in exceptional cases that Article 4(4) would have any application. Where data on Europol's files was later found to have been obtained in violation of human rights it would be deleted. It would no longer be stored by Europol. Mr Valls-Russell also described the likely reaction within Europol: "I think the Director would be reporting very quickly to the Management Board. The Director would be making strong representations to the country concerned. The chances are that we would actually refuse to deal with that country in future because it would make our whole position untenable" (QQ 43-50).

  74.    The Minister took the view that the concerns expressed by the Registrar and Justice (in response to the version of Article 4(4) in Europol 28) had been met, at least in part, by the amendment made to the text of Article 4(4). Such information would not be "stored" in the Europol information system. It could, however, as the Minister indicated, be transmitted. The reason was that several Member States (including the United Kingdom) wished to leave open the possibility that such information could be transmitted in exceptional circumstances, for example, if Europol received information about a possible terrorist explosion. It would be unacceptable for such information to be destroyed when to do so could result in casualties or loss of life. The Government believed that this would be a responsible use of such information and would in no way promote or legitimise violations of human rights in gathering the information (p 3, Q 220).

  75.    Justice believed that the Minister's argument was a dangerous one: "it could be seen as condoning unlawful acts by third states or third bodies, in the interests of providing Europol with information". Justice was concerned that, as in the warning given by Liberty in its evidence in the Committee's earlier enquiry, the pressure to exchange data with third States and bodies in the interests of mutual assistance might well outweigh considerations of strict data protection. Justice said that Europol should neither store nor transmit such information "in any but the most extraordinary cases; for instance, if Europol is told at very short notice that a bomb has been loaded on to an aircraft which is on the point of taking off, so that there is no time to assess the reliability of the source or how the information was obtained" (p 28-29).

Exceptional circumstances

  76.    The Minister said that she would have been prepared to include in Article 4(4) a restriction on the transmission and use of the information to "certain exceptional circumstances". But there were problems in defining such a phrase and it had not been possible to reach agreement with other Member States on this. Mr Wrench said: "if you are going to have more precision that way, you will probably want to match it with greater precision by what you mean by violation of human rights". It was expected that both the JSB and the Management Board would watch carefully the operation of Article 4(4) (QQ 51, 53, 225-8, 231-2, 235).

  77.    Justice said that the Rules should limit any action by Member States to saving lives (p 29). The Data Protection Registrar thought that any exclusion for special circumstances would have to be very carefully defined it. It might not be sufficient simply to refer to "exceptional circumstances". The term might need to be expanded to include the need for there to be a direct and imminent threat to life (Q 139). For Justice, Mr Noorlander said that it should also be made clear that information transmitted on to a Member State could only be used in the particular circumstances and should not be disclosed to any other States (Q 180).

  78.    Where information obtained in violation of human rights was transmitted to Member States the question arose as to whether any restrictions on its use and retention should apply. Mr Abbott (NCIS) said that he could not give a categorical answer that he would never accept such information: "it is possible that the information may well be so important in terms of it being life threatening or a threat to national security that it may be appropriate to use it". But Mr Abbott said that he would be "comfortable" with a restriction that information obtained in violation of human rights could not be used as evidence against a party (QQ 111, 113). The Data Protection Registrar said that if the information was used she was not persuaded that it would then be right to delete the information. Having used it there ought to be an audit trail back to where it came from. "So in those circumstances I think I would prefer to see blocking rather than erasure". The information could not then be available for future searches, but if the transmission by Europol was challenged it would still be there for the exceptional circumstances to be examined (Q 139).

  79.    A further point was that Article 4(4) only addresses information obtained "by a third State" and therefore would not prima facie cover information obtained by a "third body". Justice did not believe a distinction should be drawn (p 26). The Home Office believed the omission of "third bodies" to have been accidental: "this is probably a point where the draftsman nodded" (Q 54).

20   The Department construed the reference to "the requirement of confidentiality" in Article 18 (6) as meaning levels 1 to 3. See paragraph 29 above. Back

21   Article 8(2). See paragraph 23 above. Back

22   The Committee has reported to the House on the draft rules of procedure of the JSB. Europol: Joint Supervisory Body: 13th Report, Session 1997-98, HL Paper 71. Back

23   Article 38 provides that each Member State is liable, in accordance with its national law, for any damage caused to an individual as a result of legal or factual errors in data stored or processed by Europol. The individual may seek compensation in the Member State in which the event which gave rise to the damage occurred. The text of Article 38 is set out in Appendix 4.  Back

24   Principle 3 (Storage of data) provides: "As far as possible, the different categories of data stored should be distinguished in accordance with their degree of accuracy or reliability and, in particular, data based on facts distinguished from data based on opinions or personal assessments". Back

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries

© Parliamentary copyright 1998