Select Committee on European Union Forty-Ninth Report


AGREEMENT BETWEEN EUROPOL AND THE UNITED STATES OF AMERICA ON THE EXCHANGE OF PERSONAL DATA (13689/02)

Letter from the Chairman to Bob Ainsworth MP Under-Secretary of State Home Office

  Sub-Committee F (Social Affairs, Education and Home Affairs) considered the above documents at its meeting on 20 November. The Committee notes that this is an initiative of great political significance and sensitivity, raising important civil liberties issues as well as the issue of co-operation between the European Union and the United States.

  Sub-Committee F had the opportunity to discuss some of these issues with the Deputy Information Commissioner when he gave evidence this morning in connection with the inquiry into proposals to amend the Europol Convention. The Sub-Committee noted with interest that Members of the Joint Supervisory Body (JSB) had, unusually, been included on the EU side in negotiations with the United States. The Deputy Information Commissioner has assured us that the JSB is content that the latest version of the draft Agreement that it has seen is acceptable. However, the Committee has several major concerns about the substance of the Agreement as well as about the way the scrutiny process has been handled, about which I wrote to you last week.

The scope of information exchange

  Article 5(1)(a) states that transmission and processing of information under the Agreement will take place for the purposes set out in the request, which shall be deemed to include the prevention, detection, suppression, investigation and prosecution of any specific criminal offences. However, the nature of these offences is not specified, and the general, catchall reference to "specific offences" extends far beyond the current remit of Europol, and indeed beyond its proposed extension to cover serious transnational crime. We note that in its Opinion on the Agreement, the Joint Supervisory Body urged Europol to give a commitment that it would not consent to the use of personal data for purposes outside the objective of Europol. This concern was hardly addressed in the exchange of letters, where it is stated that the wording of Article 5(1)(a) "includes, inter alia, exchange of information pertaining to immigration investigations and proceedings, and to those relating to in rem or in personam seizure or restraint and confiscation of assets that finance terrorism or form the instrumentalities or proceeds of crime, even where such seizure, restraint or confiscation is not based on a criminal conviction" (emphasis added). It is evident that the scope of information exchange (including sensitive personal data in accordance to Article 6 of the Agreement) is interpreted very broadly, to include information on immigration proceedings (which are not necessarily criminal) and confiscation, regardless of the existence of a criminal conviction. On present information the Committee can see no good reason why the transmission of data should extend to purposes beyond those covered by Europol's remit.

Authorities competent to receive information

  According to Article 7(1)(b) of the Agreement, Europol data may be made available for use by competent US state or local authorities responsible for the tasks mentioned in Article 5(1). In view of the broad wording of Article 5, this extends the scope of the Agreement very considerably, in enabling Europol data to be used by a local US authority. The implications for data protection may be considerable. There also appears to be a serious imbalance in terms of reciprocity, as, according to Article 7(2), US data will be available only to the competent law enforcement authorities of the Member States or for Europol use.

Transmission of data to third States

  Article 7(3) of the Agreement enables the onward transmission of data to international institutions or third States only with the prior consent of the transmitting party. The Joint Supervisory Body reacted to this provision by stating that Europol shall not consent in any case to the onward transmission of "Europol data" by the USA. In the exchange of letters, it is stated that the USA "takes note of the fact that under its legal framework Europol is not allowed to provide authorisation for onward transmission beyond that reflected in this Agreement". If this means that the transmission of data to third countries is not permitted it is not clear what purpose is served by Article 7(3).

Oversight of the implementation of the Agreement

  Article 12 of the Agreement refers to the applicable laws of the parties for such oversight. The JSB asked the USA to clarify the practicalities of implementing the provision. This is attempted in the exchange of letters, whose explanation is accepted by the Joint Supervisory Body. However, in the Committee's view, the general references to "objective bodies and authorities authorised to oversee as appropriate the implementation of the Supplemental Agreement" do little to clarify the situation, with little mention being made of specific organisations.

  In view of the urgency you attach to this proposal the Committee would welcome your comments on these issues in good time before the Sub-Committee's next meeting on 27 November.

  The Committee is also concerned about the way that scrutiny of the Agreement has been handled by your Department. You say in your Explanatory Memorandum that the conclusion of the Agreement is a "a matter of urgency", hoping that "consideration of this can be resolved in the shortest possible time". Yet, although, as is apparent from the papers, the text of the Agreement was submitted to the Joint Supervisory Body for its Opinion on 27 September, and the Opinion was delivered on 3 October, both were deposited for scrutiny only on 13 November—two weeks before the planned adoption of the Agreement by the Council. I would be grateful for an explanation of this delay.

  In view of the significance of the issues involved in the proposed Agreement, and the limited consultation undertaken by the Government on them, the Committee proposes to invite the views of expert organisations, such as Justice, Liberty and Statewatch. In the meantime, we have decided to retain the documents under scrutiny.

20 November 2002

Letter from Bob Ainsworth to the Chairman

  Thank you for your letter of 21 November, which raises a number of issues which the Committee has with regard to the Supplemental Agreement between Europol and the United States of America, and the associated documents on the JSB opinions and the exchange of letters.

  As I mentioned in my letter to you of 21 November I am sorry for the delay in furnishing you with the supplemental agreement and an Explanatory Memorandum at an earlier point. We have taken steps to try to prevent a recurrence of this.

  The Government recognises, like the Committee, that agreements such as this have important civil liberties and data protection issues. That is why we have sought to ensure that the Joint Supervisory Body was as closely involved as possible in the negotiations, and that it was completely satisfied with the data protection provisions in the agreement. The JSB ensures that data held is commensurate with Europol's mandate. Officials have also kept in close touch with the Information Commissioner on these proposals, as the body most cognisant of the issues in this area. We have also discussed the implications with law enforcement agencies.

  The Committee has expressed concern that Article 7(1)(b) enables Europol data to be used by competent US state or local authorities responsible for the tasks mentioned in Article 5(1), and that this has implications for data protection. Any data supplied to those authorities is done only for use in accordance with this Agreement, and those authorities would then be subject to the applicable provisions on protection of the data. We do not believe that there is a serious imbalance in terms of reciprocity, Article 7.2 provides for data supplied by the US side to be made available to the competent law enforcement authorities of the Member States, or for use within Europol. In practice, the data will then be forwarded to relevant law enforcement agencies which are carrying out investigations, including police and customs services.

  The Committee has also commented on Article 7(3), which provides for the onward transmission of data to international institutions, or to Third States to take place only with the prior written consent of the Party that supplied the information. The JSB has examined this provision and determined that Europol should not consent in any case to the onward transmission of Europol data by the United States. The exchange of letters makes clear that the US side has noted that Europol is not allowed to provide authorisation for onward transmission of data beyond that reflected in the agreement. It is therefore entirely clear what the position would be, were the US side nonetheless to make such a request. However, this does not mean that the US side will not grant permission for onward transmission of its data by Europol.

  The Committee has also commented on Article 12, on the oversight of the implementation of the agreement. The US has recognised, in the exchange of letters, that at Federal, state and local levels there are objective bodies and authorities empowered to oversee the protection of data, and best placed to monitor and oversee the implementation of this agreement. The US side has listed offices of Inspectors General, Internal Affairs divisions and designated senior officials who have a data protection role. The JSB, which will participate in the oversight of, and compliance with the agreement has signalled that it is content with these provisions.

26 November 2002

Letter from the Chairman to Bob Ainsworth

  Thank you for your letters of 21 and 26 November, which Sub-Committee F (Social Affairs, Education and Home Affairs) of the European Union Select Committee considered at meetings on 27 November and 4 December.

  The Committee is grateful to you for setting out in detail the reasons for the late submission of the documents relating to this Agreement. Your explanation underlines the importance of depositing a text on such a politically sensitive matter at the earliest possible opportunity rather than waiting for a more settled position to be reached in the course of negotiations.

  We understand that in the event the proposed Agreement was withdrawn from the agenda of last week's Justice and Home Affairs Council. We would be interested to know the reason for this and whether signature of the Agreement is still planned for 11 December.

  On the substance of the Agreement the Committee recognises the high political importance of reaching agreement with the United States, particularly in an area which is relevant to the fight against terrorism. But we retain concerns about aspects of the Agreement, and these have been reinforced by the attached submissions from Justice and Statewatch. We would welcome your comments on the detailed analyses of both organisations. For us the main points of outstanding concern are as follows.

The scope of information exchange

  In my previous letter I drew attention to the fact that the Agreement provided for the exchange of data for purposes much wider than Europol's remit. Justice argues that information exchange under the Agreement should be explicitly restricted to criminal proceedings within the remit of the Europol Convention and the Committee sees attraction in this suggestion. We would be grateful for your comments on this point, which was not covered in your letter of 26 November.

US authorities receiving data

  The Committee remains concerned about the wide range of US authorities entitled to receive data from Europol under the Agreement. Restricting those authorities to Federal and State authorities, as suggested by Justice, would go a long way to meeting that concern.

Onward transmission of data to Third States

  We take your point that Article 7(3) of the Agreement is not redundant because, although Europol data may never be passed on to Third States, there could be circumstances in which the US agreed to their data being passed on in this way. However, given the JSB opinion, which has been accepted, that Europol data should never be passed on by the United States, there seems to be no reason why this should not be reflected in the Agreement itself.

US data protection authorities

  Finally, the Committee would be grateful for more information about the data protection bodies in the United States which the United States Government has identified. As you will see, Statewatch questions the independence of these bodies. The Committee accepts that it would not be reasonable to expect the precise application in another country of EU data protection rules, but we would welcome an assurance that data transmitted to the United States would be subject to broadly equivalent data protection standards.

  In the meantime the Sub-Committee agreed to hold the document under scrutiny.

4 December 2002

JUSTICE briefing to the House of Lords Select Committee on the European Union, Sub-Committee F (Social Affairs, Education and Home Affairs) on Supplemental Agreement between Europol and the United States of America on the exchange of personal data and related information (docs. 13689/02 Europol 82 and 13689/02 Europol ADD 1)

  1.  JUSTICE is an independent all party law reform and human rights organisation which aims to improve British justice through law reform and policy work, publications and training. It is the British section of the International Commission of Jurists.

  2.  This supplemental agreement would extend existing co-operation between Europol and the US (based on an Agreement signed in December 2001) to include the exchange of personal data. This draft Agreement raises a number of issues relating to the rights of the individual and data-protection, many of which are exacerbated rather than resolved by the Exchange of Letters between the US and Europol contained in Doc 13996/02 Europol 95.

A  SCOPE OF INFORMATION TO BE EXCHANGED

I—  Europol's Remit

  3.  The purposes for which personal data may be requested and exchanged under the agreement are set out in Article 5.1(a) of the draft Agreement. These are:

    "for the purposes set forth in the request, which shall be deemed to include the prevention, detection, suppression, investigation and prosecution of any specific criminal offences, and for any specific analytical purposes, to which such information relates. Where the receiving Party seeks the use of such information for other purposes, it shall ask for the prior consent of the Party that furnished the information."

  4.  This statement of the purpose for which personal data may be requested is extremely wide. Firstly it applies to "any specific criminal offences" rather than to those European type offences included in Europol's current remit under the Europol Convention or to "serious international crime" as put forward in the amendment to the Europol Convention proposed by the Danish Presidency earlier this year. Secondly the purpose of the request "shall be deemed to include the prevention, detection, suppression, investigation and prosecution of any specific criminal offence" making this list of possible purposes non-exhaustive and open to extension. Finally, the last sentence allows for the possibility of the information to be used for any other purpose with the consent of the Party that furnished the information without specifying in any way the grounds on which that party may consent or refuse to consent to such use.

  5.  These problems are exacerbated by the Exchange of Letters between Europol and the US which states at point 5 that the wording in Article 5.1(a):

    "includes, inter alia, exchange of information pertaining to immigration investigations and proceedings, and to those relating to in rem or in personam seizure or restraint and confiscation of assets that finance terrorism or form the instrumentalities or proceeds of crime, even where such seizure, restraint or confiscation is not based on a criminal conviction."

  6.  This statement clearly identifies non-criminal proceedings as potentially forming the basis of exchange of personal data between Europol and the US. Immigration is not within Europol's remit and as such, Europol should not be in possession of information, nor should it be requesting information relating to immigration investigations and proceedings where those are not related directly to an offence within it's remit according to the terms of the Europol Convention.

  7.  Personal data relating to immigration, now a Community issue, should come within the rules relating to data protection within the first pillar including the Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. Europol is not a Community institution and as such is not governed by this Regulation. The exchange of personal data relating to immigration can in no way be considered to be a function of Europol.

  8.  JUSTICE recommends that the purposes for which personal data may be exchanged under this Agreement should be explicitly restricted to criminal proceedings within the remit accorded to Europol under the Europol Convention. There should be no possibility for data to be exchanged under this Agreement for purposes not directly related to a specific serious international crime.

II—  Special Categories of Personal Data

  9.  The transmission of personal data revealing race, political opinions, or religious or other beliefs, or concerning health and sexual life is permitted under Article 6 of this draft Agreement where the transmitting party determines that such data is "particularly relevant to a purpose set forth in Article 5.1". Such sensitive types of data are covered by Article 6 of the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data of 28 January 1981 which specifies that such personal data "may not be processed automatically unless domestic law provides appropriate safeguards".

  10.  The Europol Convention states in Article 10 on the collection, processing and utilization of personal data:

    "The collection, storage and processing of the data listed in the first sentence of Article 6 of the Council of Europe Convention of 28 January 1981 with regard to Automatic Processing of Personal Data shall not be permitted unless strictly necessary for the purposes of the file concerned and unless such data supplement other personal data already entered in that file. It shall be prohibited to select a particular group of persons solely on the basis of the data listed in the first sentence of Article 6 of the Council of Europe Convention of 28 January 1981 in breach of the aforementioned rules with regard to purpose."

  11.  JUSTICE recommends that Article 6 of the draft Agreement should mirror the wording contained in Article 10 of the Europol Convention for the sake of clarity. In particular, the words "particularly relevant" should be replaced with the term "strictly necessary". This is the sense given to the term in the Exchange of Letters and there seems to be no justification for the broader wording in the draft Agreement. Specific safeguards for the transmission of such data should be contained in the Agreement to reflect the sensitive nature of this type of data as recognised in the Council of Europe Convention. Without such clearly outlined safeguards transmission of such data should not be permitted.

B—  WIDE RANGE OF AUTHORITIES IN THE US AUTHORISED TO RECEIVE EUROPOL DATA

  12.  Article 7 of the draft Agreement allows data supplied by Europol to be used by competent US federal, state or local authorities. It also allows for onward transmission of data to international institutions or third states (Article 7.3) with the prior written permission of the transmitting party. Data received by Europol will only be made available to the "competent law enforcement authorities of Member States of the European Union or for use within Europol".

  13.  The wide range of purposes allowed under Article 5.1 (see above) leaves it unclear exactly what authorities in the US would be "competent". There seems also to be an inequality between Europe and the US as to which authorities may use data transferred under this agreement.

  14.  JUSTICE recommends, in the interests of clarity and in order to ensure that the purpose for which data is transferred and used under this Agreement is purely in relation to serious international crime, that only federal or state law enforcement authorities in the US should be competent to receive information. In the light of the response of the JSB and the Exchange of Letters on Article 7 JUSTICE recommends the removal of Article 7.3 relating to onward transmission of data to third countries or international institutions for the avoidance of doubt.

C—  DATA PROTECTION SAFEGUARDS IN THE US

  15.  Data protection standards in the US are an unknown quantity. The Exchange of Letters does little to clarify the US safeguards regarding data protection at federal, state or local levels. Countries outside the EU and Council of Europe are not obliged to conform to the same high data protection standards in force in Europe. If Europol is allowed to exchange data with the US without requiring compliance with EU data protection standards in the treatment of that data, this would render EU protections meaningless in effect. All negotiations must be conducted in the light of the lack of judicial or political accountability by the US for any breaches of European or international human rights standards or of European data protection provisions.

  16.  JUSTICE recommends that the specific nature of data protection standards applicable to exchanges of data made under this Agreement including a list of the competent authorities monitoring compliance should appear on the face of the Agreement.

D—  CONCLUSION AND RECOMMENDATIONS

  17.  There is little or no democratic supervision of the negotiation process for this type of agreement and there is no clear line of recourse to justice for an individual in the event that such agreements affect his or her fundamental rights. An agreement of this type which may have a great impact on individual rights should, as a minimum, be considered by the Article 29 Data Protection Working Party at EU level before signature is authorised to ensure that it complies with EU standards of data protection.

  18.  Recommendations:

    —  Article 5.1 of the draft Agreement should make it clear that personal data will only be exchanged for the purposes of the prevention, detection, suppression, investigation and prosecution of serious international crime and that, under no circumstances, will personal data be exchanged under this Agreement in non-criminal proceedings;

    —  Article 6 should allow for the transmission of special categories of personal data only where "strictly necessary" and not just where "particularly relevant";

    —  Only federal or state US law enforcement authorities should be competent to receive data under the terms of this Agreement;

    —  Article 7 paragraph 3 should be removed to prevent onward transmission of data;

    —  Applicable data protection standards and the independent authorities set up to oversee compliance with those standards should be specified on the face of the Agreement or in an annexe thereto;

    —  The Agreement should be approved by the Article 29 Data Protection Working Party prior to signature to ensure that it complies with EU data protection standards.

JUSTICE

26 November 2002

  Contact: Susie Alegre

Statewatch submission to the Select Committee on the European Union, sub-committee "F" on the Supplementary Agreement between Europol and United States (Council docs. 13689/02; 13689/02 add 1; and 13996/02)

  1.  Statewatch welcomes the chance to comment on this agreement before its signature. In general, the agreement is highly deficient as regards data protection rights and there are worrying contradictions between the text of the agreement and an exchange of letters of ambiguous legal status.

Transparency and accountability

  2.  The discussion of this particular draft treaty is a good occasion to point out the deficiencies in the Council's and Europol's approach to such treaties as far as transparency and accountability are concerned. None of the treaties concluded by Europol have been published in the EU Official Journal before or even after their ratification except the treaty with the European Central Bank, and very few are available online in the EU councils' register of documents. None are online on the Europol website and in fact the press releases on that site only refer to a small number of such agreements. There is no power for the European Court of Justice to rule on the validity or interpretation of such treaties and there is no procedure for public review of the application of such treaties. The European Parliament is not consulted (and perhaps not even informed) about the conclusion of such agreements and there is no requirement of national parliamentary ratification. Beforehand the EP was not consulted about the general rules regarding Europol external relations and national parliaments had no ratification power over those rules either. There has been no public discussion of the issues underlying the conclusion of such treaties. It is obviously not practical for the Europol Joint Supervisory Body to examine whether the other party upholds its obligations under the agreement, and there is no common body tasked with this power in its absence. Complaints to the EU Ombudsman can only relate to Europol, not to acts of the other party, and again there is no replacement common body.

  3.  There are now over a dozen such treaties and the Council is contemplating the approval of more all the time; it now is possible that this entire process will be repeated with Eurojust. Since the relevant treaties do not in themselves disclose personal data or operational techniques, there is no public security reason to justify the Council's behaviour. A complete overhaul of the Council's approach is therefore long overdue.

Exchange of letters

  4.  It is striking that a number of important points have been dealt with by an exchange of letters, which is one-third the length of the original agreement. There is no reference to this exchange of letters in the main text and so the Joint Supervisory Board's assumption that the exchange of letters will be legally binding is not necessarily correct. In any event this is clearly not a transparent or coherent way to draft treaties raising important civil liberties issues.

Data protection

  5.  The agreement lacks any provision specifically addressing data protection. This is despite the right to protection of personal data as set out in EU, international and national rules, expressed in Article 8(1) of the EU Charter of Rights ("Everyone has the right to protection of personal data concerning him or her."). However, as Article 10 of the agreement governs all private-party access to exchanged information, presumably it extends to applications for information by data subjects. The text of this clause is hugely questionable. While Article 10(3) states that it is without prejudice to a party's rules on release of information, it seems clear that Article 10(2) will affect such rules, for the receiving party is obliged to first to apply the sending party's veto on release and then fight disclosure of such information on behalf of the sending party, regardless of the relevant law of the receiving party. This is quite different from simply permitting each of the parties to apply their own data protection law as regards data subject's access to information held on them, for there will presumably be cases in which one party's law would permit release of the data upon the initial application. But the agreement commits each party to oblige the data subject to an expensive legal battle before such data is released. It should be kept in mind that such a battle will also be expensive for taxpayers, who would be funding one party's defence of a decision made by the other party. This is despite the right of access to data by data subjects as set out in EU, international and national rules, expressed in Article 8(2) of the EU Charter of Rights ("Everyone has the right of access to data which has been collected concerning him or her . . .").

  6.  The oversight provisions of Article 12, even read along with the exchange of letters, are not impressive. It is highly doubtful whether "designated senior officials or other components" (whatever a "component" may be) could be considered to provide "independent" supervision under any possible interpretation of "an appropriate level of independence". For that matter administrative actions and regulations can be easily amended or repealed in the event of an "inappropriate" show of independence by a supervisory authority, and one may doubt whether an Internal Affairs division of law enforcement authority, which will rightly focus on possible corruption in that authority, has the specialism in data protection issues that an independent data protection supervisor would have. There is no information as to the extent of independence by "Inspector-Generals" in practice and as to the extent of their mandate to address specific data protection issues.

  7.  In any event, the international obligations applying to EU Member States and the EC rules on data protection require there to be an independent authority, not merely one with the "appropriate" degree of independence. This is expressly stated in Article 8(3) of the EU Charter of Rights. It thus seems clear from the exchange of letters that the American rules fall short of those required by the EU Charter of Rights, which applies to Europol as a "body" of the Union by virtue of its Article 51(1).

  8.  Similarly, the agreement flouts the international rules severely restricting processing of data in certain "sensitive" categories, as set out in Article 6 of the agreement. The exchange of letters tries to assert that "particularly relevant" has the same meaning as "absolutely necessary" as in the Europol rules, but the two terms are not even remotely comparable. There is thus a huge risk that Europol will either transmit its information or receive American information which violates the rules on processing of sensitive data.

  9.  The provisions in the exchange of letters relating to Article 5(4) are worrying. Thye rule out the use of Article 5(4) as regards "generic" data protection rules besides those expressly mentioned in the agreement. Quite apart from the dismissive turn of phrase used, the fact is that there are no data protection rules expressly mentioned in the agreement.

Access to documents

  10.  The agreement lacks any provision specifically addressing access to documents, but again presumably Article 10 of the agreement addresses this issue. Moreover, Article 10(3) states that it is without prejudice to a party's rules on release of information, but it seems clear that Article 10(2) will affect such rules, for the receiving party will be obliged to first to apply the sending party's veto on release and then fight disclosure of such information on behalf of the sending party, regardless of the relevant law of the receiving party.

Other issues

  11.  The text of the agreement will not reassure citizens that Europol will stay strictly within its mandate. Only the exchange of letters indicates that the concept of "jurisdiction" is the same as Europol's mandate. But this is apparently contradicted by the reference to immigration investigations in the discussion of Article 5 in the exchange of letters. Certainly it is possible that such information could be relevant to investigations into trafficking of persons or other serious crimes within Europol's mandate but this obviously only constitutes a small fraction of immigration proceedings. The limitation on Europol's powers as regards immigration proceedings does not emerge clearly from the text of the agreement or the exchange of letters—quite the contrary.

  12.  Article 3(3) appears to limit remedies in the event of breaches of the agreement even if one is discovered by an individual. Surely it should be left to national law to determine in what circumstances evidence is used in proceedings and the legal relevance of the agreement in that regard? A blanket ban on deriving rights from the agreement to obtain, suppress or exclude evidence may be questionable in light of the right to a fair trial in Article 6 ECHR and Article 14 ICCPR (which the US has ratified along with all the EU Member States).

National consultation

  13.  As a final observation, the Home Office explanatory memoranda state that the "outside interests" consulted by the Home Office were "the ACPO, NCIS and other law enforcement agencies". It might be questioned whether such bodies are really "outside interests" in relation to the Home Office, although it obviously makes sense to consult them. But it is striking that the Home Office did not see fit to consult the Information Commissioner or any non-governmental organisation interested in data protection and privacy issues on the draft agreement.

Conclusion

  14.  Since the United States has found time to agree two massive pieces of legislation on internal security matters since 11 September 2001, it has also had time to consider whether or not its framework for data protection is adequate for international collaboration and to make changes to that framework. It has not done so despite the considerable demands it is making on other members of the international community. As a result, we have a poorly drafted, ambiguous and contradictory agreement and exchange of letters negotiated in a wholly inadequate legal framework which apparently exceeds Europol's mandate and is clearly incompatible with the data protection principles of the EU. There is no direct mention of data protection whatsoever and no specific rules on access to data. The exchange of letters even rules out application of data protection rules in one important case and the restriction on processing of "sensitive" data in EU rules receives short shrift from the text.

  15.  If the Council were to refuse to accept the agreement in its current form, this would be a welcome decision in support of the EU's expressly stated principles of support for civil liberties and would encourage a long-overdue rethink of the adequacy of data protection law in the United States. In any event, it is long past time to overhaul the secretive and illegitimate system applicable to Europol's treaties with third states and bodies.

Statewatch

26 November 2002

Letter from Lord Filkin Parliamentary Under Secretary of State to the Chairman

  Thank you for your letter of 4 December to Bob Ainsworth. You asked for further information about the above-mentioned agreement taking into account matters raised in the enclosures to your letter provided by Justice and Statewatch. I deal below with the various points you raised.

1.  AGENDA FOR THE JHA COUNCIL 28-29 NOVEMBER

  You asked why the draft Agreement was withdrawn from the agenda for the meeting of the Justice and Home Affairs Council held on 28-29 November. The Agreement was the main subject of discussion at the ministerial lunch on Friday 29 November, where considerable time was spent by relevant Justice Ministers exploring the issues. The Agreement was subsequently taken as an "Any Other Business" item, after which the Presidency concluded that work should continue at official level with considerable collective commitment to finding an agreement as soon as possible.

2.  THE SCOPE OF INFORMATION EXCHANGE

  The Committee has concerns that the Agreement would be for purposes going more widely than Europol's mandate. Justice suggests that the purposes for which information may be exchanged under Article 5.1 of the Agreement are not exhaustive and could also extend to non-criminal matters. But this is not the case. The Agreement does not amend the Europol Convention and should be read together with the Convention. Europol's mandate is set out in Article 2 of the Convention and its Annex. Bob Ainsworth explained in his letter of 4 December to Jimmy Hood, which crossed with yours, that Europol's mandate is in relation to preventing and combating all the forms of serious international crime listed in Article 2 and the Annex where there are factual indications that the crimes are organised. The list is wide, as the examples in Bob's letter show, but it is not open-ended.

  Justice mentions in particular immigration matters, and says that immigration as such is not within Europol's mandate. But the prevention and combating of serious international organised crimes associated with illegal immigrant smuggling is specifically mentioned in Article 2 of the Convention. The Agreement, in referring to immigration investigations and proceedings, is not inconsistent with Article 2.

  Taking into account Article 2 of the Convention and its Annex, I do not see that there is a need to amend the Agreement in the way that Justice suggests. The scope of the Agreement is already clearly limited to the range of criminal matters within Europol's mandate.

3.  US AUTHORITIES RECEIVING DATA

  The Committee also draws attention to the suggestion by Justice that only United States federal and state authorities should be regarded as competent authorities for the purposes of the Agreement.. Justice's concern is associated with its view that the scope of the Agreement is wider than Europol's mandate. I have explained that I do not share that view. As Europol is competent to share information in relation only to the forms of crime within Article 2 of the Convention and its Annex, it follows that the US authorities with which the information would be shared within the terms of the Agreement would similarly be competent in relation to those particular matters. Justice's suggestion that restricting competent authorities to federal and state authorities would ensure that data is shared only for purposes connected with serious international crime is therefore unnecessary and indeed would act as a constraint in that it would exclude local authorities which have competence in relation to matters falling within Europol's mandate.

4.  ONWARD TRANSMISSION OF DATA TO THIRD STATES

  The Joint Supervisory Body says in its opinion on the draft Article 7.3 of the Agreement that the exchange of letters should include the point that Europol data may not be passed on by the United States. Your Committee says that this point should be reflected in the Agreement itself. I agree that in an ideal situation there would be no objection to this. But taking into account the pressure to bring the Agreement into action as soon as possible, and obtain the immediate benefits it can bring, I am satisfied that Article 7.3 as it stands, read together with the exchange of letters, makes clear to those who would be operating the Agreement and the exchange of letters that Europol may not authorise onward transmission by the United States.

5.  US DATA PROTECTION AUTHORITIES

  You also refer to Statewatch's queries on how independent Inspector Generals and other data protection bodies in the United States will be in practice, and ask for an assurance that data transmitted to the United States under the Agreement would be subject to broadly equivalent data protection standards as apply under EU rules. In that respect, the Government agrees with the assessment of the Joint Supervisory Body that the draft Agreement balances the need to fight serious crime with the rights of the individual. The Joint Supervisory Body also notes that the exchange of letters addresses all the points which it identified. In these circumstances, I am satisfied that the Agreement and the exchange of letters provides a basis on which exchange of information between Europol and the United States can proceed. I would point out that the Joint Supervisory Body underlined the need to monitor the implementation of the Agreement and the exchange of letters. I agree with that. Articles 12 and 13 of the Agreement envisage independent oversight of the operation of the Agreement, and consultation between the parties in promoting its effective use. In the event of any difficulties in operating the Agreement, then it could be re-visited and if necessary be amended as provided for in Article 14.

  I hope that you find this letter helpful and that we have satisfactorily answered the Committee's questions as far as it is possible to do so.

9 December 2002

Letter from Lord Filkin Parliamentary Under Secretary of State to the Chairman

  Further to my letter of earlier today responding to EUC Sub-Committee F's outstanding questions on this proposal, I am now writing to inform the Committee of recent developments on this proposal. The Presidency has indicated that it is still seeking signature of this Agreement on 11 December and will therefore submit the Agreement to the General Affairs and External Affairs Council on 10 December. I further gather from Lene Espersen that there has been full agreement to the text at COREPER and all other EU member states have lifted their Parliamentary Scrutiny Reserve apart from UK and one other member state and that they expect the other member state to do so.

  There are occasions when the Government should resist finalising agreements even if we are alone, but I do not on reflection think this is one of them. This is an important agreement both in terms of its substance and symbolism of the joint commitment between the EU and the US to work together to fight terrorism. It has been in negotiation for some time and it is urgent to implement it both to improve our ability to combat international terrorism and to give a clear signal to the US that we are with them in this fight. The Danish Presidency is intending a joint signing of this agreement with the US Attorney General in the US on 11 December and I do not feel it right for the UK, probably alone, to block this and I have therefore reluctantly decided that I have to over-ride Parliamentary scrutiny.

  Nevertheless, despite the limited time, we have done our very best to answer all the Committees' questions and hopefully allay your concerns. We have explained that the Government is satisfied with the data protection safeguards in the agreement, now that the Joint Supervisory Body has provided a positive opinion after clarifying certain issues in an exchange of letters between the Parties.

  I have assured the Committee that information will be supplied only under the terms set out in Article 5(1) and there is no circumstance in which Europol should go beyond its mandate. The Article also sets out conditions for the handling of such requests, and the security measures to be used for the care of this material. The Government is satisfied with these security measures, which ensure that information exchange is within the terms of the Europol Convention. Implementation and monitoring of the agreement will be undertaken by the Joint Supervisory Body on the Europol side, and by relevant internal bodies such as Inspectors General and complaints investigation units on the US side. We have also confirmed to the Committees that Europol will not be authorised to allow the US side to pass information on to a Third Party.

  The Government is therefore satisfied, in accordance with the Cabinet Office guidelines, that this constitutes a measure of benefit to the UK which should come into operation as soon as possible. I would like to emphasise that this is not a decision which has been taken lightly. I remain strongly committed to the principles of parliamentary scrutiny, and respect the importance of the Committees' remit and the Government's undertaking not to agree EU legislation before domestic parliamentary scrutiny has been completed. However on this occasion I consider an override of the Scrutiny Reserve Resolution to be justifiable.

9 December 2002

Letter from the Chairman to the Lord Filkin, CBE, Under-Secretary of State, Home Office

  Thank you for your letter of 9 December about this Agreement. You told me on the telephone on Monday that the Government had decided that they would override the scrutiny reserve when the Agreement was taken by the General Affairs Council on 10 December in preparation for signature with the United States the following day. I explained that we could not agree to clear the document from scrutiny until Sub-Committee F had considered your letter at its meeting on 11 December, in view of the very substantial issues involved.

  Nevertheless I was grateful to you for explaining why the Government had decided to override the scrutiny reserve. We were, however, very surprised to learn that a matter of such importance was never substantively considered by the Council of Ministers but only discussed informally over lunch.

  Sub-Committee F duly considered your letter today. The Committee was grateful for your detailed explanation of the Government's position on the points we raised. We welcome your acknowledgement that it would have been preferable to include in the Agreement itself a provision explicitly prohibiting the onward transmission of Europol data by US authorities to third States. Otherwise, however, the Committee remains unconvinced that the provisions are satisfactory in relation to its three main concerns:

    —  the scope of information exchange;

    —  the wide range of US authorities receiving data; and

    —  the nature of, and safeguards afforded by, the US data protection authorities.

  I will not repeat at length the concerns that the Committee has advanced in previous correspondence. We would only note that:

    —  on the scope of information exchange, we are not persuaded that there is an adequate mechanism for ensuring that data transmitted to the United States is used only for purposes for which it is held by Europol. On the immigration point, while it is true that smuggling of human beings would fall within Europol's remit, this is not the case with immigration "proceedings" in general, a much broader term which could include administrative data held by immigration authorities;

    —  we remain of the view that the definition of receiving US authorities authorised to receive data is too broad. Allowing data to be transmitted to US authorities at local as well as state and federal level seems wholly inconsistent with the Government's view that within the EU all data transfer should be channelled through designated national units; and

    —  we are no clearer, following your letter, about the nature of the US data protection authorities responsible for oversight of the implementation of the Agreement.

  Finally, the Committee is concerned that the Joint Supervisory Body does not appear to have exercised a sufficiently independent judgment of the important data protection issues involved. This contrasts markedly with the rigorous approach that the Office of the Information Commissioner has taken to the data protection aspects of the current proposals to amend the Europol Convention.

  As the Agreement has now been signed, there is clearly no point in continuing to retain it under scrutiny. But it does seem to us that there are some general lessons to be learned from this episode, which we hope may help to ensure that similar difficulties do not arise again.

  I have already expressed our concern about the late deposit of the Agreement. In our view the root of the problem was the fact that by the time the Committee saw the Agreement its text appeared to have been settled with the United States, and we were in effect presented with a fait accompli, because the Government was not prepared to reopen the text. There is clearly little purpose in the scrutiny process if from the outset there is no prospect of its influencing the eventual outcome. We need to receive texts of this kind at a sufficiently early stage—on the basis of an unofficial draft if necessary—to enable any views that the Committee may have to have some effect. I hope that this will be the case in the future.

  Our experience with this measure also calls in question whether in an area of such political sensitivity it is appropriate for responsibility such agreements to be delegated to the Director of Europol.

11 December 2002

Letter from Lord Filkin, Parliamentary Under Secretary of State to the Chairman

  Thank you for your letter of 11 December and for setting out your views so clearly on the issues that still concern you.

  I wanted to let you know that the agreement was finally adopted by the JHA council on 19 December and signed by the Presidency, on behalf of the Member States of the European Union, on 20 December 2002. This was not quite the timetable we had expected. It was not possible to sign the Agreement on 11 December as originally intended. One Member State retained a parliamentary reserve until 18 December that prevented its adoption in time for signature.

  Although the Agreement has been finalised, and I do not want to prolong our correspondence unnecessarily, I did not want to leave your points unanswered. I have tried therefore to explain the Government's position even if I am not able fully to allay your concerns.

  You remain concerned at the scope of the information exchange. Following the JSB opinion, and the exchange of letters, we are content to accept the US assurance that there are appropriate bodies and authorities authorised to oversee the implementation of the Agreement. Although Article 5 includes exchange of information for the purposes of "immigration investigations and proceedings" Article 1 of the agreement and the exchange of notes make clear that the offences must be within Europol's mandate. Immigration matters not involving illegal smuggling of human beings would be outside the mandate.

  You consider the definitions of receiving US authorities authorised to receive data to be too broad. The definition of "competent authorities" in the Europol Convention is wide. It refers to all public bodies that are responsible under national law for preventing and combating criminal offences. It is for each Member State to decide for itself, which of its authorities are within this broad definition. The Convention also envisages that information flows would in effect be between Europol and the competent authorities. The aim is to ensure that Europol's analytical and other support capabilities provide added value to the competent authorities' own investigations over a full range of serious international organised crimes. This need to promote knowledge of Europol's work and to disseminate the product of its activities among a wide number of competent authorities is similarly implicit in the agreement with the United States. The competent authorities in the Member States stand to reap the mutual benefits of this wide sharing of information, assisted by Europol. To restrict the number of competent authorities in the case of the United States would be to constrain the collective effort of the Member States and third countries in dealing with the common threat from terrorism and organised crime.

  You are unclear about the nature of the US data protection authorities responsible for oversight of the implementation of the Agreement. I accept that the wording is broad but the exchange of letters indicates that relevant US authorities include offices of Inspectors-General, Internal Affairs divisions and designated senior officials. I note your view that the Joint Supervisory Body does not appear to have exercised a sufficiently independent judgement and that you contrast this with the approach of the Office of the Information Commissioner. I can only point out that a representative of the Information Commissioner sits on the JSB and that the Government took reassurance from the fact that the JSB's opinion on the agreement and the accompanying exchange of notes was positive.

18 January 2003


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2003