Select Committee on European Communities Twenty-Ninth Report



PART 3 OPINION

  80.    Europol's role is to facilitate the exchange of intelligence between police forces in the EU. It will also itself collate information in a central data bank and carry out crime analyses. Our Report, EUROPOL, clearly sign-posted the importance of the Third Country Rules. In 1995, the Committee said:

  "We agree with those witnesses who said that it would not be realistic for Europol to be prohibited from exchanging data with States and bodies based outside the European Union. Although information received from outside sources may be unreliable and there are undoubted risks to individuals from transmission of personal data beyond the Member States, the provisions need to be considered along with the provisions on data quality, on subject access and those on supervision and on effective remedies ...".[25]

We continue to support closer co-operation in law enforcement within the EU. Intelligence-led policing can make a significant contribution to the detection and prevention of serious cross-border crime. But information which is incorrect or mis-used can seriously undermine individuals' rights and freedoms. The exchange of data between Europol and Third States or bodies may aggravate the risk of error or misuse as, in such cases, it may not always be clear which data protection rules apply and which, if any, body is responsible for supervising the data flows.

  81.    The Third Country Rules raise major questions concerning the adequacy of data protection rules and the risks to the individual of the unlawful obtaining and use of information. Yet these Rules have been agreed without, at least in the case of the United Kingdom, that degree of public exposure and debate which citizens of the European Union and their Parliaments are entitled to expect.

Post hoc scrutiny

  82.    Somewhat unusually the Committee has undertaken a brief but detailed scrutiny of the Third Country Rules even though they have been agreed. We do not believe that our enquiry has been academic or sterile. As we will show there are problems with the Rules and possible inconsistencies between the texts and the Convention. In a number of areas the drafting of the Rules could have been clearer, avoiding uncertainty in the legal framework of Europol's external relations which the Rules seek to establish. If in fact it is too late to change the texts the recommendations we make below may influence and, we hope, assist the negotiation and conclusion of agreements made under the Rules and the future practice of Europol. They may also be relevant to any revision of the Rules.

  83.    As mentioned in the introduction to this Report we firmly believe that the Third Country Rules should have been furnished in advance for scrutiny. During our enquiry the Home Office on several occasions sought to offer us some comfort by saying that the Rules were not "set in stone". That is no answer to the questions, whether of policy or legal construction, which the Rules have raised.

Minimum standard of data protection—transmission of data to third States

  84.    When entering into agreements with third States and bodies the Rules require the Council to "take into account" the data protection laws and practice of the third State or body concerned. It was suggested that the Rules themselves should set out basic requirements to secure a sufficient level of protection. The standard set out in the Convention is that of the 1981 Council of Europe Convention and Recommendation No. R(87) 15 concerning the use of personal data in the police sector. The Data Protection Registrar did not consider it necessary for the Rules themselves to specify a minimum standard of data protection. The Committee shares that view. It doubted how much would be gained by stating anything more precise in the Rules. But we recommend that the question be reviewed in two or three years time. There should by then be experience of how the Rules, and agreements made under them, are working.

Conclusion of agreements—role of the JSB

  85.    The JSB has a central role under the Convention in reviewing the activities of Europol to ensure that the rights of the individual are not violated by the handling and use of data by Europol. It is clear that the JSB could be extremely influential in the supervision of Europol in the application and operation of the Third Country Rules. As we shall explain, the JSB's involvement arises in a variety of ways. Its opinion has to be sought before agreements are concluded with third parties. The Data Protection Registrar made it quite clear that she and her colleagues on the JSB are not going to be a "rubber stamp". She expects to be involved from the outset in any negotiation and we support the idea of the JSB taking a pro-active role. The data protection commissioners across the Community have much to contribute—they are well placed to guide the negotiators as to what is an "adequate level" of data protection and what safeguards might need to be included in particular agreements.

Human rights clauses

  86.    Apart from data protection the Rules do not require any further assessment of human rights in the third State or body concerned. The Council has, since May 1995, insisted on the inclusion of a human rights clause in its agreements with third countries. The standard clause specifies that respect for democratic principles and human rights is an essential element of the agreement. It is accompanied by a non-execution clause providing for the suspension of some or all co-operation under the agreement in the event of a violation of an essential element.

  87.    There are, as the Minister pointed out, major differences between the content of third country agreements under the First Pillar and the sort of agreements envisaged by the Third Country Rules. But the purpose, legal and political, of such clauses is the same. They give a clear indication of the standards expected by the EU of itself and its Members and of those with whom it deals. In addition to this political message, the adoption of a policy of including human rights clauses as a standard term in agreements under the Third Country Rules would bring a number of practical advantages. It would avoid the obvious difficulties in negotiating their inclusion case by case. Secondly, as experience in the First Pillar has shown, in the absence of clear provisions relating to the observance of human rights it may not always be simple to denounce or suspend agreements with third States on the grounds of suspected violation.

  88.    We believe that the inclusion of human rights clauses as standard in agreements under the Third Country Rules would send an important political signal, provide an effective safeguard and ensure consistency in the European Union's external relations.

Necessity for an agreement—receipt of information

  89.    Justice contrasted the approach in Article 2 of Europol 38 with that of Article 2 of Europol 27. Under the latter Europol could only transmit data where, in all but exceptional cases, there was a formal agreement with the recipient. Witnesses noted that there did not appear to be any such prior condition for the receipt of data. The danger was that whatever safeguards the Rules (in particular the provisions in Article 4 relating to correction, retention and transmission of data) provided would not apply in the absence of an agreement.

  90.    For the reasons advanced by the Minister and the Data Protection Registrar we take the view that the existence of an agreement with a particular third State or body should not be a pre-condition for the receipt of information. That would be too restrictive in practice and could seriously inhibit the closer co-operation of police forces in the fight against serious crime and the added value to be brought to that by Europol's analysis and intelligence functions. The critical issue is what safeguards should apply to third country information received without an agreement. We doubt whether there is such a wide loophole as has been suggested. The correction and deletion of data would appear to remain subject to Article 20 of the Convention. As regards the use of information obtained in violation of human rights, Article 4(4) of Europol as presently drafted provides minimal protection. The existing deficiencies should be made good and safeguards applied to all such information received by Europol. We address this below. However, we support the proposal of the Registrar that information received in the absence of an agreement should be marked by Europol as to its source—the audit trail, as the Registrar said, is important.

Equivalence of protection—receipt of information

  91.    Concern was expressed by the Data Protection Registrar that the Rules do not expressly provide that information received from third States and bodies is subject to the same data protection rights and controls as information transmitted within the EU. The Minister did not consider an express provision in the Rules to be necessary, the existence and level of protection being implicit by virtue of Article 42 of the Convention. The Committee agrees with the Registrar that it should be made explicit that individuals have the same rights in relation to information received from third States and bodies as they have in relation to information transmitted within the EU. We consider it important in this context that individuals' rights should be clearly spelt out in what will effectively be a chapter in Europol's rulebook.

Receipt of information obtained in violation of human rights

  92.    Article 4(4) of Europol 38 proved to be the most controversial provision in the Rules. It deals with Europol's handling of data obtained in violation of human rights. Article 4(4) prohibits Europol from storing such data in its information system or analysis files where it has "clearly been obtained by a third State in obvious violation of human rights". This wording reflected Member States' reluctance to impose on Europol a duty which they thought would be difficult to meet in practice. The result is, in our view, a test which is too weak a protection of human rights. In our view, Article 4(4) errs too far on the side of trying to protect Europol and its officials from criticism. There may be cases in which the "clearly" and "obvious" condition would not be met but the circumstances indicate that there is a serious risk that there has been a violation. A lower threshold should be workable and the Committee regrets the defensive approach taken by the Council. However, Europol should be able to hold the data in order to have the opportunity to enquire into the circumstances before a decision is taken whether the data could be stored.

  93.    Article 4(4), so revised, should extend to all cases where there appears to be a serious risk that there was a violation of human rights, whether the data are received by Europol within or outside the framework of an agreement. It is unacceptable that there should be variable standards of human rights protection according to whether there is a formal agreement with the source.

Exceptional circumstances

  94.    It is important to note that Article 4(4) does not address the question of the onward transmission and use of information obtained in violation of human rights. That Europol should in certain cases be able to pass such information to police authorities of the Member States concerned was generally accepted. The example (the possible terrorist attacks) given by the Minister is perhaps extreme but nevertheless compelling. The problem with the Rules at the moment is that they are silent. Onward transmission and use is apparently unrestricted.

  95.    We consider that the Rules should address this matter expressly and that equivalent safeguards be accorded to information received in the absence of agreements. Onward transmission by Europol should only be permitted "in exceptional circumstances". It is not necessary (and indeed might be dangerous) to be more precise. Whether the circumstances were exceptional would have to be considered case by case. Both the Management Board and, at least as regards alleged violations of data protection, the JSB should systematically review all decisions invoking exceptional circumstances to ensure against misuse and to build up practice guidelines. Moreover, the Management Board and the Council have a strong interest in the discovery of possible violations of human rights as this may affect the continuance or suspension of an existing, or conclusion of a new, agreement with the source of the information.

Correction of data—a double standard?

  96.    A separate point made by Justice on Article 4(2) of Europol 38 was the apparent double standard it created when compared with Article 7 of Europol 27. Recipients of data must give an unqualified undertaking to correct or delete data upon request from Europol, while Article 4(2) gives Europol discretion in certain cases to retain data when informed of the correction or deletion by the third State. Europol has one standard for itself and another, more strict, for third States. Leaving to one side legal arguments on the compatibility of Article 4(2) with the Convention (this is discussed at paragraph 99), we agree with Justice that this apparent inconsistency could send out the wrong signals to third States. We can well imagine that third States when negotiating agreements under the Third Country Rules may seek to obtain similar freedom of action as regards information received from Europol. There is also the risk that third countries may be disinclined to abide by their obligations to correct or delete data if Europol can override similar restrictions.

Accountability of Director—transfer of data to third countries

  97.    Exceptionally the Director of Europol has powers to transmit data, including personal data, to third States and bodies where there is no agreement in place. The formal position is that the Director must report each decision, and the reasons for it, to the JSB but the burden is on the JSB to ask what type of data has been sent and for what purpose. Justice thought the burden should be shifted onto the Director who should be required to give full information without prior request. The Data Protection Registrar left us in no doubt that the JSB would be vigilant in its superintendence of the Director. We believe that the balance is about right. Both the JSB and, as the Minister added, the Management Board have an interest in these powers being exercised properly and would be looking at what happens in practice. We do, however, support Justice's suggestion that reports describing the use of the powers should be put in the public domain.

Joint Supervisory Body—resources

  98.    We have already drawn attention to the importance of the JSB. Justice suggested that the JSB should be given a greater role and stronger enforcement powers. They also expressed concern that the JSB should be fully resourced. The approach of the Data Protection Registrar was to rely on existing formal and informal powers, which she believed should be effective. There is no doubt that the JSB must be adequately resourced so that it can properly and effectively perform its tasks under the Convention. We share the Registrar's view that whilst the Council and the Management Board must be alert to the question of resources it is too early to say that what may be given will not be enough, though the current allocation of ECU 500,000 hardly appears adequate. We would add that proper regard also needs to be paid to the adequacy of the resources of the Registrar to enable her and her staff to fulfil the roles envisaged for the JSB and national supervisory bodies under the Convention and its Rules.

Relationship between the Rules and the Convention

  99.    Our enquiry has revealed at least two places where the Rules may not be compatible with the Convention.

  100.    First, there is the question of the extent of the Director's powers to transmit information to a third State or body in the absence of an agreement. The Rules would entitle him to supply information provided it is "basic protection level". Where the data is subject to a higher classification (Europol 1,2 or 3) then there can be no transmission by Europol outside an agreement with the third party concerned. It is not clear how the Director's discretion is compatible with the Convention which only permits the transmission of information "subject to the requirement of confidentiality" where an agreement on confidentiality exists between Europol and the recipient. Europol's Confidentiality Regulations might have made the position clearer but, in our view, they do not. They draw a distinction between public information and other information to be designated Europol information and to be subject to at least the basic protection level. This might suggest that all information which is not "public information" is information "subject to the requirement of confidentiality" within the meaning of Article 18(6). The Home Office sought to explain the position and rationalise the relationship of the Convention and the two sets of Rules. The requirement of confidentiality is restricted to information subject to security levels Europol 1, 2 or 3. But we did not find their arguments entirely convincing. The least that can be said is that there is a problem of construction arising from the texts.

  101.    A second area of difficulty surrounds the relationship of Article 20 of the Convention and Article 4(2) of Europol 38. The former requires Europol to correct or delete data which emerges to be incorrect or whose retention would contravene the Convention. Article 4(2) says that Europol need not delete information where it has a further need to process the information for the purpose of analysis or has a further interest in it, based on intelligence that is more extensive than that possessed by the transmitting third State. Justice said that this was incompatible with Article 20 which appeared to permit of no exceptions. The Minister rejected the notion that the two provisions were incompatible, taking the view that they reflected the distinction between being informed by the third party that information was incorrect and actually, being (in Europol's view) incorrect. If this was the intention then we think it could have been expressed more clearly. We believe that a wider exposure of the draft Rules could have helped to resolve this problem and of that concerning the extent of the Director's discretion described in the last paragraph.

Future scrutiny

  102.    The Minister told us of her recent meetings with the European Parliament and the keen interest being shown there in the workings of Europol. As the record shows, the interest of this House is no less. We request the Government to keep the Committee fully informed of developments. In addition to annual reports produced by Europol, we request the Government to deposit in the libraries of both Houses copies of all agreements concluded under the Third Country Rules. We also request the Government to furnish to the Committee in good time to effect meaningful scrutiny copies of any proposals to amend the Rules.

RECOMMENDATION

  103.    The Committee considers that Europol's Rules governing relations with Third States and Bodies raise important questions to which the attention of the House should be drawn, and makes this Report to the House for debate.


25   10th Report, 1994-95, HL Paper 51, para 98. Back


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries

© Parliamentary copyright 1998