Present arrangements—the EDU

  8.    The Europol Drugs Unit (the "EDU"), the precursor to Europol, was established by Ministerial agreement in 1993 and became operational in 1994. Based in the Hague, its mandate has been extended[4] and its workload has grown. The core business of the EDU is the exchange of information and intelligence by the European Liaison Officers (ELOs) seconded to the EDU from the national enforcement agencies. The United Kingdom has two ELOs, a customs officer and a police officer. In 1997, the EDU responded to over 9000 enquiries from Member States, an increase of 40% compared to the level in 1996. Drugs have continued to account for the majority (over 60%). Money laundering occupies second place (19%) but the numbers of enquiries relating to illegal immigration networks and trafficking in human beings has increased. Some 474 enquiries (out of a total of 2608) emanated from the United Kingdom.[5]

  9.    The EDU has no formal external relations and has no official arrangements for the exchange of information with parties outside the Union. It has, however, had informal contacts with non-Union States and bodies. Visits have taken place. The EDU has also held conferences in which representatives of the Central and Eastern European countries (CEECs) currently seeking membership of the EU have participated (Q 6).

  10.    The National Criminal Intelligence Service (NCIS)[6] has been involved with the development of the EDU and is the designated national unit for the United Kingdom under the Europol Convention. NCIS has a Europol Policy Unit which represents it at all policy meetings at Europol and at EU Working Groups. The Europol Policy Unit provides a central point of reference for all United Kingdom law enforcement agencies and collates and disseminates related information internally and to other Member States. NCIS maintains bilateral relations with other EU States and more widely. Mr Abbott, the Director General of NCIS, said: "Our experience with serious and organised crime is that it is a global problem and consequently our enquiries and developments take us throughout most quarters of the world" (QQ 59, 62).

The Convention—third States and third bodies

  11.    The Europol Convention provides for Europol to establish and maintain relations with third States and third bodies and to exchange information with them. Third States and bodies are listed in Article 10(4) under seven headings:

  "1)  the European Communities and bodies governed by public law established under the Treaties establishing those Communities;

  2)  other bodies governed by public law established in the framework of the European Union;

  3)  bodies which are based on an agreement between two or more Member States of the European Union;

  4)  third States;

  5)  international organisations and their subordinate bodies governed by public law;

  6)  other bodies governed by public law which are based on an agreement between two or more States; and

  7)  the International Criminal Police Organisation".

  12.    As mentioned, four sets of rules have been drafted, Europol 26, 27, 29 and 38. The Home Office explained that there were four separate sets of rules largely because the Dutch, who had held the Presidency of the Union when the initial texts were prepared, considered it appropriate. Each set derives from a different provision of the Convention. This approach was thought to give greater clarity to the exercise, though there were clear linkages and crossovers between the four sets of rules (Q 4).

AGREEMENTS WITH THIRD STATES AND BODIES—EUROPOL 26 AND 29

  13.    Europol 26 and Europol 29 operate in parallel and would enable Europol to conclude agreements with the parties listed in Article 10(4) of the Convention.

Agreements with EU bodies

  14.    Europol 26 deals with agreements with "bodies linked to the European Union" (i.e. those mentioned in points 1-3 of Article 10(4)). The legal base is Article 42(1) of the Convention.[7] The Home Office identified UCLAF (the European Commission's Anti-Fraud Unit) and the Drugs Monitoring Centre in Lisbon as being EU bodies with whom Europol might conclude an agreement. There might be others[8], particularly when the Schengen Agreement has been incorporated into the EU under the Treaty of Amsterdam. Ms Joyce Quin MP, Minister of State at the Home Office, said: "it certainly seems logical to us that Europol should have links with systems such as the Schengen Information System[9] for practical reasons to avoid duplication and to ensure that resources devoted to tasks which both are interested in are used efficiently". She referred to the System's database on stolen vehicles as an example of where information might usefully be shared (QQ 10, 13, 200).

Agreements with third States and non-EU bodies

  15.    Europol 29 concerns agreements with third States (i.e. States not Member States of the EU as mentioned in Article 10(4), point 4) and "bodies not linked to the European Union" (i.e. the bodies mentioned in Article 10(4), points 5-7). The legal base is Article 42(2) of the Convention.[10] As NCIS indicated, relationships with countries outside the EU were, from the practical standpoint, increasingly important, particularly in relation to drugs and illegal immigration (Q 65).

  16.    When the Convention was signed in 1995 a declaration was added by the Council that "Europol should as a matter of priority establish relations with the competent bodies of those States with which the European Communities and their Member States have established a structured dialogue". The Home Office explained that consequently agreements with the ten CEECs and Cyprus would be the priorities[11]. Mr Cullen (of the Europa Institute, University of Edinburgh) thought that Europol would have an important role to play in helping to prepare applicant countries to accept certain parts of the acquis concerning the combating of organised and other forms of transnational crime (p 45). From NCIS's viewpoint, the applicant countries, particularly because of their geographical proximity, were also a primary target (Q 79).

  17.    As priorities beyond the applicant countries, the Home Office identified the United States, Canada, Russia and Japan. There were also other European countries, such as Switzerland and Norway and Iceland, the last two being States associated with Schengen (Q 14). Mr Abbott (NCIS) said that it would be appropriate to identify those areas where there was the greatest need, where there were proven links with criminal activity (Q 79).

  18.    As regards agreements under Europol 29 with non-EU bodies, the Convention expressly refers to Interpol (Article 10(4) point 7). The EDU already has had a dialogue with them to see how, in the future, Europol might be able to agree co-operation on such matters as technical standards (Q 9). Mr Abbott explained that current arrangements often took NCIS via Interpol, though the latter did not always operate speedily: "Interpol is a valuable organisation, it is an organisation of 177 countries, not all 177 countries have the same capability as others". Mr Abbott did not think that Europol would replace Interpol even as regards relations between the EU Member States. Interpol's mandate was a wider one. He thought it "very important that we ensure that we work out the ground rules so we are quite clear on what Interpol is going to do and what Europol is going to do". NCIS also wanted to retain the operational flexibility to use Interpol and bilateral arrangements, though the expansion of Europol might in time minimise the use of bilaterals (QQ 81-89).

  19.    The Home Office also pointed to the World Customs Organisation[12] and said that within the UN structure there were a number of bodies active in the drugs and crime prevention field with whom there might also be agreements (Q 15).

Purpose of agreements

  20.    Under the draft Europol Rules 26 and 29, agreements essentially serve two purposes. First, they facilitate the secondment of liaison officers to and from Europol. Agreements will stipulate the conditions of secondment and the powers of liaison officers (Article 3, Europol 26 and 29). Mr Cullen said that the formalisation of relations on such matters was desirable, though not without technical difficulty (p 46). NCIS emphasised the importance in practice of having liaison officers "on the ground having face to face relations with law enforcement agencies in the particular country". The advent of Europol would not, however, remove the need for the United Kingdom to retain its bilateral arrangements with individual Member States (Q 64).

  21.    Secondly, agreements enable the transmission of non-personal data classified at Europol level 1, 2 and 3 and at the basic protection level (Article 7, Europol 26 and Article 8, Europol 29). (Witnesses noted critically that the receipt by Europol of information does not require an agreement—this is discussed in the context of Europol 38—receipt of personal data, paragraph 60 below). The security levels here referred to are those specified in the Europol Confidentiality Regulations.[13] All information[14] processed by or through Europol will be subject to a basic level of security measures ("the basic protection level") as laid down in those Regulations and in the Security Manual (providing detailed rules on security) adopted by the Management Board[15] under the Regulations. There are additional security levels, numbered Europol level 1 to 3, each relating to a specific Security Package. The Security Packages provide different levels of protection, depending on the content of the information and taking account of the detrimental effect unauthorised access, dissemination or use of the information might have on the interests of Member States or Europol.

Personal data—relationship with other Rules

  22.    Both Europol 26 and 29 are concerned with the transmission of non-personal data. They are stated to be "without prejudice to the rules concerning the transmission of personal data by Europol to third States and bodies [Europol 27], the Regulation on confidentiality [Europol 17, reproduced in Appendix 5] and the rules concerning the receipt of information by Europol from third States and bodies [Europol 38]" (Article 7(1) of Europol 26, Article 8(1) of Europol 29). Europol 27 and 38 are examined below.

Transmission outside agreements—Director's discretion

  23.    The Director[16] of Europol may transmit non-personal data subject to the basic protection level

-  to bodies linked to the EU, where, "in the case of particular data, the Director of Europol considers that the protection of such data is guaranteed by the European Union body" (Article 7(2) of Europol 26).

-  to third States and bodies not linked to the EU, "exceptionally, when the Director of Europol considers such transmission absolutely necessary to safeguard the essential interests of the Member States or to prevent imminent criminal danger" (Article 8(2) of Europol 29).

  24.    The Home Office said that the Director's powers were limited to basic protection level data. The reference in Article 7(2) of Europol 26 to data protection being "guaranteed" by the EU body avoided spelling out precisely what data protection regime applied. The EC Data Protection Directive did not apply to law enforcement bodies and as yet there was no common standard for data protection in Third Pillar institutions and bodies, though the possibility of having a common standard had been mooted. The Minister welcomed the recent Italian initiative that work should be undertaken to identify possible inconsistencies and to examine possibilities for achieving greater harmonisation and avoiding duplication of effort. The Council Legal Service had been asked to prepare a paper looking at the different data protection regimes in Third Pillar instruments and reporting any differences. The Council would look at the question again when it had that information. (QQ 36-37, 203).

  25.    The circumstances in which the Director can supply data to third States and non-EU bodies (Article 8(2)) are reiterated as regards personal data in Article 2 of Europol 27. The Standing Committee of experts on international immigration, refugee and criminal law (a Dutch body sometimes known as the Meijers Committee) was critical of these two provisions. Both Articles appeared to circumvent the need for the prior authorisation of the Council for agreements enabling transmission of data to third States. Secondly, there was a danger that the provisions in the Rules designed to ensure a proper procedure for data transmission would be bypassed, leading to deterioration in the level of data-protection (p 47). We return to these provisions, and the extent of the Director's discretion, at paragraphs 48-50 below.

TRANSMITTING PERSONAL DATA TO THIRD STATES AND BODIES—EUROPOL 27

  26.    Article 18 of the Europol Convention, which deals with the communication of personal data to third States and bodies, provides for the Council to determine the general rules for such communication. Europol 27, whose legal base is Article 18(2) of the Convention, lays down these rules, the primary one being that personal data can only be transmitted to a third State or body where there is an agreement between Europol and the recipient[17] (Article 2(1)). Agreements must contain provisions concerning the recipient of the data, the type of data to be transmitted and the purpose for which the data are to be transmitted or used (Article 3(1)). "Further conditions" may be imposed on the third State or body. Personal data is defined in the Rules as "any information relating to an identified or identifiable individual: an identifiable individual shall be a person whose identity can be determined, directly or indirectly, particularly through an identification number or one or more specific characteristics of his physical, psychological, mental, economic, cultural or social identity" (Article 1(g)).

  27.    The transmission of data revealing racial origin, political opinions or religious or other beliefs, or concerning health or sexual life is limited to "absolutely necessary cases" (Article 6). The Home Office explained that the categories of data listed were those identified as requiring special treatment[18] in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 ("the 1981 Council of Europe Convention"). Mr Wrench said: "It is difficult to have hard and fast rules on this and hence the use of the phrase `absolutely necessary'. But I think that when, for example, Europol's mandate is extended to deal with terrorism; and when Europol is dealing with trafficking of human beings, with organised paedophile activity across borders; then those are the sorts of cases where political opinions and sexual orientation are highly relevant to what Europol would be doing" (Q 35).

Relationship with the Convention and other Rules

  28.    The transmission of data under Article 2.1 of Europol 27 is subject to Article 18 of the Convention, which says that where the transmission "concerns information subject to the requirement of confidentiality, it shall be permissible only insofar as an agreement on confidentiality exists between Europol and the recipient". As already mentioned, Confidentiality Rules (Europol 17) have been made under Article 31 of the Convention. Those Rules distinguish "information which is expressly marked or is clearly recognised as being public information" from other information, the latter to be designated Europol information and to be subject to at least the basic protection level (Article 8(1)). This might suggest that all information which is not "public information" is information "subject to the requirement of confidentiality" within the meaning of Article 18(6), particularly when the Confidentiality Rules themselves require Member States to safeguard basic protection level materials by national laws "including the obligation of discretion and confidentiality" (Article 8(c)).

  29.    The Home Office said that the basic protection level was not the same as the requirement of confidentiality in Article 18(6) of the Convention. Information subject to the basic protection level was "information which Europol has which as a matter of good practice one would not want to put into the public arena". An example given was a document concerning a meeting of national experts at Europol. Information subject to the requirement of confidentiality would have a security marking of Europol 1, Europol 2 or Europol 3 (QQ 213-5).

Taking account of third State's data protection laws

  30.    Regard must be had to the data protection laws and practices of the third State or body concerned when entering into an agreement under Europol 27. This requirement should be seen in the context of the Convention's approach to data protection.

  31.    The Convention contains a number of articles on the protection of personal data. The basic requirements are set out in Article 14. Each Member State is required to implement in its national law a standard of data protection which at least corresponds to that required under the 1981 Council of Europe Convention. Member States in legislating are further required to "take account of" Recommendation No. R(87) 15 of the Committee of Ministers of the Council of Europe of 17 September 1987 concerning the use of personal data in the police sector. Europol itself is required to "take account of the principles of" the Council of Europe Convention and Recommendation No. R(87) 15. Article 15 provides for the division of responsibility between the Member States and Europol for the legality of the collection, transmission, input, and accuracy of data and verification of the storage time-limits. Europol must store data in such a way that its origin (including third parties) can be established. Article 16 requires Europol to draw up reports on retrievals of personal data to check their permissibility under law. Article 17 limits the use of data retrieved from the Europol information system to enabling the competent authorities in the Member States to prevent or combat significant criminal offences. Article 19 gives the individual rights of access to data relating to him or her and stored within Europol. Requests are made via the national competent authority. Article 20 provides for the correction or deletion of data which are incorrect or contravene the Europol Convention's rules. Article 21 sets out time limits for storage of data and provides for review of the need for continued storage. Article 22 makes similar provision for review of data in paper files.

  32.    As regards the protection of personal data transmitted to third States and bodies, both the Convention and Europol 27 contain relevant provisions. The Convention (Article 18(3)) requires the adequacy of the level of data protection afforded by third States and bodies to be assessed "taking into account all the circumstances which play a part in the communication of personal data; in particular, the following shall be taken into account:

1) the nature of the data;

2) the purpose for which the data is intended;

3) the duration of the intended processing; and

4) the general or specific provisions applying to the third States and third bodies".

Under the rules in Europol 27, before transmitting data, Europol must take account of "the law and administrative practice of the third State or non-EU related body in the field of data protection, including as to the authority responsible for data-protection matters" (Article 2(2)).

  33.    Whereas the Management Committee of Europol can decide with which EU related bodies agreements should be negotiated, it is for the Council, acting unanimously, to determine with which third States and bodies agreements may be negotiated. In so doing the Council must take into account the data protection laws of the States or bodies concerned ("the criteria mentioned in Article 2(2)", set out above). Agreements can only be concluded following the approval of the Management Board or, in the case of agreements with third States and bodies, the Council, prior to which the opinion of the Joint Supervisory Body (the "JSB"—its role is described more fully at paragraph 51 below) must have been obtained (Article 3).

  34.    The Data Protection Registrar said that she would expect and encourage the involvement of the JSB at an earlier stage: "Certainly, in the United Kingdom, we like to be involved as early as possible in the developments of any agreements that anybody might be deliberating in relation to the sharing of data". There was already a strong network of data protection authorities working together informally on First Pillar matters. The Registrar hoped that the same people sitting as the JSB would be able to adopt a similar approach. As to whether she expected to be consulted by the Government as to how it might cast its vote in the Council on a particular agreement, she said: "`Expectation' might be putting it too high, based on my experience of the way these things happen, but I would not be inhibited in seeking to offer my views" (QQ 126, 128, 130).

  35.    The Minister reported that it had not yet been decided who on behalf of Europol would lead the negotiations with third States and bodies. The JSB had formally to be consulted. Whether the more active role suggested by the Registrar would be accepted was not certain but Ms Quin said: "that approach seems to me to be one that would be sensible to pursue" (QQ 205-8).

Standard of data protection

  36.    Europol 27 does not lay down any minimum standard or conditions for data protection laws or practice. Mr Cullen doubted the adequacy of the requirement, in Article 2(2), that the Council "take into account" the data protection laws of the Third State or body concerned. In his view, it was important that a number of clauses designed to ensure data protection were built into the rules. Once data has been passed to such third parties it would, in practical and legal terms, be difficult if not impossible to control its use (p 46).

  37.    The Data Protection Registrar did not consider it necessary for the Rules to specify a minimum standard of data protection. The standard set out in the Convention for Member States is that of the 1981 Council of Europe Convention and Recommendation No. R(87) 15 concerning the use of personal data in the police sector (Article 14(1)). She doubted whether anything in particular would be gained by a more precise statement in the Rules. Referring to the Recommendation, the Registrar said: "That sets out a series of standards which are very similar to the data protection principles that we are used to ... They do not differ from those that I am familiar with domestically or at a Directive level for First Pillar issues. They refer to limitation of purpose; to proportionality; to transparency; the sorts of things we are familiar with in other contexts". The Registrar drew attention to the developing understanding coming from the meetings of national supervisory bodies in the context of the EC Data Protection Directive of what was meant by "adequate protection"[19]. Key areas to look at were the framework of law, independent supervisory authorities and redress for the citizen. There was some scope to read across from what was being learnt under the First Pillar, though there was always going to be some difficulty in how in practice adequacy of protection was determined (QQ 131-3).

  38.    As to what might be expected of third States and bodies, Mr Wrench (Home Office) said that the 1981 Convention "certainly provides a benchmark ... of the sorts of standards one would be looking for. However, I think it will have to be defined case-by-case according to (a) which country it is and (b) how intense a level of co-operation of a particular agreement it envisages" (Q 16). Justice, however, remained concerned that the imperatives of crime prevention would distort the judgment of the Management Board in these matters (Q 171).

  39.    The Home Office considered that the United States, for example, had a sufficient level of protection in place to enable a close relationship (Q 17). Justice questioned this, contending that there was no comprehensive data protection legislation and independent supervision there. Justice said: "It is clear from this that there is no underlying assumption that data protection in the USA is "adequate" by the standards set by the [EC Data Protection] directive. We would question any assertion that exchanges with US enforcement bodies are unlikely to require special conditions" (p 28). The Data Protection Registrar expressed similar concerns about the position as regards the United States: "We are having some difficulty in relation to First Pillar issues in deciding whether we consider the United States to offer adequate protection, so we would certainly have concerns in relation to Third Pillar issues". She described the great care and detail with which the undertaking of certain fingerprint recognition processing in Tacoma, Washington State, on behalf of United Kingdom agencies had recently been negotiated. But as regards Europol, the Registrar concluded that though there would have to be careful consideration of the necessary safeguards, which provide equivalent if not identical arrangements, to be put in place "it would be a strange situation if we found ourselves unable to make some arrangements which allowed some transfer of traffic between Europe and the United States for law enforcement purposes" (QQ 156-60, 162).

5   Figures taken from the EDU's Annual Report for 1997. Back

6   NCIS was established in 1992, incorporating seven Regional Criminal Intelligence Offices. Its aim is "to provide leadership and excellence in criminal intelligence by assisting law enforcement and other relevant agencies by processing intelligence, giving direction and providing services and strategic analysis to combat serious activity, excluding terrorism". Back

7   Article 42 is entitled "Relations with third states and bodies". Paragraph 1 provides that "Insofar as is relevant for the performance of the tasks described in Article 3, Europol shall establish and maintain cooperative relations with third bodies within the meaning of Article 10(4), points 1-3". The full text of Article 42 is set out in Appendix 4. Back

8   During its Presidency, the United Kingdom put forward a proposal to add a Protocol to the Convention on the use of information technology for customs purposes (CIS Convention) to enable Europol and the World Customs Organisation to have access to the CIS database. The Convention's purpose is to assist in the prevention and prosecution of serious contraventions of national customs laws by increasing co-operation through the rapid dissemination of information. The CIS will consist of a central database facility, accessible via terminals in each Member State. Back

9   The Schengen Information System (SIS) is a computerised joint information system which enables Schengen States to exchange data in order to "maintain public policy and security, including national security and to apply the provisions of this Convention relating to the movement of persons". (Article 93 of the Schengen Convention of 14 June 1985.) Each Schengen State has a national computer system (or "section") with a complete Schengen-wide data file. A central technical support function in Strasbourg ensures that data entered in one national system is automatically transmitted to the other sections. All Schengen States therefore have access to a common pool of data via their own national systems. The persons on whom data may be stored in the SIS include those being sought for extradition, "aliens" whose entry is objected to by any one Schengen State, missing persons or persons deemed to be in need of police protection, and witnesses and persons to be summoned or notified by judicial authorities in connection with criminal proceedings. In addition, data may be included on persons or vehicles for the purposes of carrying out "discreet surveillance or specific checks". Personal data entered for this purpose must relate to an individual suspected of committing or being likely to commit "extremely serious offences" or who may present a serious threat, including to national security. The SIS may also contain information on objects, such as stolen vehicles, firearms, identity papers or blank official documents, and bank notes. (Articles 95-100 of the Schengen Convention.) Back

10   Article 42(2) provides that "Insofar as is required for the performance of the tasks described in Article 3, Europol may also establish and maintain relations with third States and third bodies within the meaning of Article 10(4), points 4,5,6 and 7". Back

11   In May 1998 the Council adopted a Pre-accession pact on organised crime between the Member States of the European Union and the applicant countries of Central and Eastern Europe and Cyprus. [1998] OJ C220/1. Principle 6 of the pact refers to the importance of mutual practical support for investigations and operations and provides: "This mutual practical support may include: ... joint investigative activities and special operations, supported by Europol as appropriate". Back

12   The World Customs Organisation is an inter-governmental body with 146 members world-wide whose object is to "enhance the effectiveness and efficiency of Customs administrations in the area of compliance with trade regulations, protection of society and revenue collection". The WCO is based in Brussels and its databases include details of its Member Customs Administrations. Back

13   Draft Confidentiality Rules have been prepared pursuant to Article 31 of the Convention, paragraph 1 of which requires Europol and the Member States to "take appropriate measures to protect information subject to the requirement of confidentiality which is obtained by or exchanged with Europol on the basis of this Convention". The full text of Article 31 is set out in Appendix 4. Back

14   Except information which is expressly marked or is clearly recognisable as being public information. Article 8(1) of the Confidentiality Rules. Back

15   The Management Board is one of the principal organs of Europol. It is composed of one representative of each Member State (Article 28 of the Convention). Back

16   The Director is appointed by the Council, acting unanimously, for a four year period renewable only once (Article 29 of the Convention). Back

17   Exceptionally the Director may transmit data in the absence of an agreement. See para 48 below. Back

18   Under Article 10(1) of the Europol Convention, the collection, storage and processing of data listed in the first sentence of Article 6 of the 1981 Council of Europe Convention is not permitted unless strictly necessary for the purposes of the file concerned and unless such data supplement other personal data already entered in that file. Article 6 of the 1981 Convention (first sentence) provides: "Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards". Back

19   Directive 95/45/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [1995] OJ L281/31. Chapter IV of the Directive deals with the transfer of personal data to third countries. The basic rule is that the transfer of data may only take place if "the third country in question ensures an adequate level of protection" (Article 25(1)). The Directive provides for Member States, following a finding by the Commission that a third State does not have an adequate level of protection, to take the measures necessary to prevent the transfer of data to the State. The Commission must first obtain the opinion of a committee composed of representatives of the Member States (Articles 25(4) and 31(2)). The Directive also sets up a Working Party on the Protection of Individuals with regard to the Processing of Personal Data which includes representatives of national supervisory authorities (Article 29). The Working Party can inter alia "give the Commission an opinion on the level of protection in the Community and in third countries" (Article 30(1)(b)). Back