83. EUROPOL: THIRD COUNTRY RULES (29TH
REPORT, SESSION 1997-98)
Letter from Kate Hoey MP, Parliamentary
Under Secretary of State, Home Office, to Lord Tordoff, Chairman
of the Committee
I have received a copy of the Committee's report
of its enquiry into the Europol Third Country Rules, and welcome
the opportunity to respond to the comments and recommendations
which it contains.
2. I note the Committee's views on our decision
not to deposit these Rules at the very outset for scrutiny. We
have already set out why this was the case. It is, however, perhaps
worth re-iterating, in light of the statement in the report that
the Home Office "sought to offer . . . some comfort by saying
that the Rules were not `set in stone'", that whilst that
is certainly the case, and has some relevance in this area, it
is by no means the main reason why the Rules were not initially
deposited. Due to the way in which the Rules were drafted, we
believed that the most significant documents in this area would
be the individual agreements with third States and third bodies
in respect of which these rules provide a framework. In light
of that, we considered that the Rules themselves were not sufficiently
significant to meet the current criteria for deposit for scrutiny.
3. On the question of whether the Rules
should specify a minimum standard of data protection which must
be adhered to by third bodies with whom Europol has an agreement,
the Committee shares the view of the Data Protection Registrar
that this would be unnecessary. The Committee does however recommend
that the question should be reviewed in two or three years time.
We agree with this, and fully expect that this and other issues
covered by the document will be frequently re-examined from the
point at which Europol takes up its activities.
4. The Committee expresses the view that
the inclusion of human rights clauses as standard in agreements
with third parties would be beneficial in terms of sending a political
signal, providing an effective safeguard, and ensuring consistency
in the European Union's external relations. We share this view,
and will seek to ensure that such a clause is included in each
5. The Committee recommends that information
received in the absence of an agreement should be marked as to
its source in order to preserve the audit trail. We agree, and
would expect Europol to do this as a matter of course: the absence
of any such marking, and the subsequent inability to assess the
validity of a piece of data, would significantly diminish its
operational value. Moreover, Article 15.3 of the Convention requires
Europol to store data "in such a way that it can be established
by which Member State or third party the data were transmitted
. . . ".
6. The Committee considers that Rules should
make clear that individuals have the same rights in relation to
information received by Europol from third parties as they have
in relation to information transmitted within the EU. We have
already made clear that we believe the provision in Article 42
of the Europol Convention, specifying that the exchange of personal
data shall only take place in accordance with Titles II to IV
of that Convention, provides sufficient protection in this regard.
RIGHTS (93, 95)
7. The Committee expresses concern over
Article 4(4) of Europol 38, which prohibits Europol from storing
information which has clearly been obtained in obvious violation
of human rights. They believe that it should be revised so that
Europol is prohibited from storing any data when there is a "serious
risk" that such data has been obtained in violation of human
rights, and also believe that the clause should clearly limit
the transmission of any such data to exceptional cases.
8. Joyce Quinn indicated in her evidence
to the Committee that she had no objection in principle to such
amendments. This is a view which I share. However, as she also
explained, it was not possible to secure agreement to provisions
along those lines during negotiation of the Rules. A similar position
was obtained in respect of a phrase referring to "exceptional
9. I agree that Article 4(4) is not perfectly
drafted; however I am also satisfied that taking this provision
in the context of the Rules as a whole, and taking into account
the protection offered elsewhere with regard to the protection
of human rights, it would have been inappropriate to have insisted
on wording on the lines which have been suggested at the risk
of not concluding a text and that it would also be inappropriate
to re-open negotiations on this matter at this stage.
10. The report compares Article 4(2) of
Europol 38 with Article 7 of Europol 27, which set out the rules
for the correction and deletion of data which has been exchanged
between Europol and a third party. The Committee believes that
these provisions mean that there is one standard for Europol and
another for third parties.
11. We do not accept this interpretation.
Article 7 of Europol 27 refers to information which is "incorrect,
inaccurate, no longer up to date, or should not have been transmitted",
and states that if this is the case with information which Europol
has transmitted to a third party, the third party shall be obliged
to correct or delete the information accordingly. Article 4(2)
of Europol 38 refers to a situation in which a third party informs
Europol that it has deleted or corrected any information. In this
instance, Europol shall correct or delete the information accordingly.
However it shall not delete the information if it has a further
need for or interest in it. Europol may have more information
than the transmitting party, and may believe, as a result, that
the information has a further validity. Furthermore, the third
party may have deleted the information simply because it has no
further interest in it. Europol's investigation may be exploring
different angles from that of the third party, and in that situation
we do not believe that it should be required to delete the information.
12. The key point underlying the formulation
of these provisions is there is a difference between Article 7
of Europol 27 and Article 4(2) of Europol 38, in that the former
refers to a situation in which data is invalid, whereas the latter
refers to a situation in which Europol is informed that the data
has been corrected or deleted by the third party: there is a clear
distinction between the two, and we do not accept that there is
a double standard.
13. The Committee believes that information
regarding the use by the Director of exceptional powers to transmit
information without an agreement should be put in the public domain.
Possible operational considerations (which may require confidentiality
in certain situations) notwithstanding, we would not object to
this in principle, but as we have indicated in earlier correspondence,
we believe that this is a matter for the Joint Supervisory Body
to decide, and we do not believe that the issue should be dealt
with in these Rules.
14. The Committee highlights the importance
of ensuring that the Joint Supervisory Body is adequately resourced
in order to carry out its functions, and that the Data Protection
Registrar is also adequately resourced in order for her to fulfil
her role as a member of the JSB. We share this concern. In accordance
with Article 24(9) of the Europol Convention, we will ensure that
there is ongoing consultation with the JSB to deal with this issue
satisfactorily. We will also be discussing with the Registrar
the resource implications of Europol business for her organisation.
We share the view that it is difficult to predict the amount which
will be required in the future, and would like to assure the Committee
that the issue will be regularly revisited. With regard to the
provision in the Europol Budget for 1999, we are, however, satisfied
that the amount is appropriate.
CONVENTION (100, 101)
15. The Committee cites two places where
they believe that there is a possible incompatibility between
the Rules and the Europol Convention itself.
16. The first instance relates to Article
18(6) of the Convention, which states that information "subject
to the requirement of confidentiality" cannot be transmitted
by Europol to a third party without an agreement being in place,
and the power of the Director, outlined in the Rules, exceptionally
to transmit information subject to the basic protection level
according to the Confidentiality Rules in the absence of an agreement.
In our view, as was stated in earlier evidence, there is no incompatibility:
we believe that information subject only to the basic protection
level (according to the Confidentiality Regulations) does not
fall into the category of information subject to the requirement
of confidentiality mentioned in Article 18(6) of the Convention.
17. The second possible incompatibility
mentioned is between Article 4(2) of Europol 38, and Article 20
of the Convention.This is similar to the distinction, referred
to above in paragraphs 10-12, between Article 4(2) of Europol
38 and Article 7 of Europol 27. The key point is that Article
4(2) of Europol 38 clearly refers to a situation in which a third
party informs Europol that they have corrected or deleted data;
Article 20 of the Convention, however, refers to information which
is definitely invalid. There is a clear distinction between the
18. The Committee requests that the Government
deposits in the libraries of both Houses future annual reports
produced by Europol, and copies of all agreements concluded under
the Rules. They also request that any proposals to amend the Rules
are deposited in good time to effect meaningful scrutiny. We are
happy to comply with these requests.
2 October 1998