Responsibility for security
200. Europol's rules for monitoring security
issues are governed by a Council Act which came into force on
1 July 1999, the day Europol began operations.[74]
The Act provides that one of the Deputy Directors appointed by
the Council acts as Europol Security Coordinator; he is the Deputy
Director to whom the Director assigns, as one of his duties, "the
function of coordination and control in matters of security".
The Act also sets up a Security Committee consisting of representatives
of the Member States and of Europol. The Committee is chaired
by the Security Coordinator, and its task is to "advise the
Management Board and Director of Europol on issues relating to
security".
201. Because of the critical importance of security,
one of the first questions we put to the Director was to ask him
if he was satisfied with the level of security at Europol. In
reply, the Director described the various aspects of security
involved: "physical security, technical security, vetting
of people, screening of people, handling of data, safeguarding
of data". He was confident that Europol had achieved "a
considerable level of security", and that it was improving.
(Q 168)
202. When Mr Ratzel explained to us the
relationship between the Director and his deputy when acting as
Security Coordinator, he told us that the Security Coordinator
was, in that capacity, "not under my governance". He
added that "The Security Committee, in which all the Member
States participate, advises the person in charge of security and
in that security coordinating function he is independent from
my tasking."
203. Mr Ratzel further explained to us that
"If the Security Coordinator decides that something is wrong
with security within Europol he informs me and advises me what
to do. If I do not follow the advice, if I am not able to follow
it, if I am not willing to follow it or if I am not successful
in following it, this person informs the Management Board what
was the advice, what has been done by the Director and what nevertheless
has not been achieved so far. That gives you a clear indication
of the strong role of the security coordinator."
204. From this evidence it seemed that the Security
Coordinator was not responsible to the Director for security matters,
and indeed for some purposes bypassed him and went straight to
the Management Board. We thought it inconceivable that the Director
should not have overall responsibility for security; moreover
it seemed to follow unequivocally from the words of Article 4(2)
of the Council Act that he should have this responsibility: "The
Security Coordinator shall be directly answerable to the Director
of Europol".
205. Accordingly, after we had completed taking
evidence we asked Europol officials to clarify the situation.
They submitted to us a supplementary memorandum, specifically
approved by the Director (p 78). From this it seems that,
despite the wording of Article 4(2) of the Council Act, when acting
as chairman of the Security Committee the Security Coordinator
is indeed "independent from the Director's governance and
tasking". The memorandum explains that the Security Committee
"can thus be considered as a sub-committee of the Management
Board" and that "it is thus self-evident that the chairman
of a sub-committee of the Management Board acts independently
from the Director of Europol."
206. Nor is that all. Mr Ratzel also told
us that there was an additional internal unit dedicated to dealing
with security for data protection, data security and confidentiality,
"and at the same time this unit serves the security coordinator
as a secretariat in his role of having the Security Committee
guided ... In addition, we have a security officer in the organisation
who is in charge of looking for security issues every day in practical
terms and also, as far as necessary, of dealing with internal
inquiries. These internal inquiries are then done under my command."
The head of the unit was thus also in charge of data protection,
data security and confidentiality, and was at the same time the
data protection officer of the organisation. However as data protection
officer he was not under the Director's command, but nevertheless
had direct access to him and advised him what to do on data protection
issues.
207. We asked Mr Ratzel how much of a worry
security was to him on a scale of one to ten, "one"
meaning that he did not worry about it at all. His reply was "close
to two". (QQ 169-170) We do not suggest that he was
not concerned about security; we hope he is, for in our view a
lack of concern about security rapidly breeds complacency. An
organisation which is not proactive about security is one which
puts itself at risk of security breaches; good security is a matter
of constant vigilance.
208. Nevertheless we think there are a number
of reasons why Mr Ratzel should be worried. It seems to us
that the mechanisms set up for handling security issues are extraordinarily
and unnecessarily complex, so complex that the Director's
oral evidence to us needed considerable clarification. We can
well understand that the Management Board, which has oversight
of the proper performance of all the Director's duties, including
those relating to security, should want independent advice on
these matters. The Director too needs advice, and for this he
has a deputy who is security coordinator, and who in turn has
a security officer and a security unit. That seems logical. What
is wholly illogical is that the Security Committee should advise
not just the Management Board but also the Director, and should
be chaired by the Director's senior security adviser who, in his
capacity as chairman, is not responsible to the Director.
209. Moreover we doubt whether, other perhaps
than in the case of institutional matters, advice to the Management
Board on security is best provided by a sub-committee which, like
the Management Board itself, consists of representatives of all
the Member States. Security issues should be dealt with on a need
to know basis. Member States whose security services are directly
affected by a breach or potential breach of security must be informed,
but we see no reason why any other Member State need be involved
at all, let alone twice over.
210. The first draft of the Council Act, then
known as the Confidentiality Regulations, included in Article
3, establishing the Europol Security Committee, a paragraph (4)
providing that "The members of the Europol Security Committee
shall have appropriate experience in security and law enforcement."[75]
Inexplicably, this was deleted before the Council Act was adopted,
the implication being that there is no need for the members of
the Committee to have any such experience. It seems to us self-evident
that whatever body it is that provides advice to the Management
Board on security matters must consist of, or at least include,
security experts.
211. Although security of course plays a part
in data protection, there is a major difference between, on the
one hand, safeguarding intelligence so that it does not leak to
criminals and jeopardise operations against them, and on the other
preventing information about individuals from leaking into the
public domain. Only the first of these is truly a security issue.
Yet it seems that the same security officer who, when dealing
with internal security inquiries, works to the Director, is also
the data protection officer, and as such not under the Director's
command.[76]
OUR CONCLUSIONS AND RECOMMENDATIONS
212. It is not for us to suggest a detailed structure
for managing security at Europol. However we believe there is
a case for a radical re-think. In our view the following basic
principles should be adhered to.
213. The Director of Europol should have overall
responsibility for security in the organisation he directs. There
is no case for the responsibility lying with a deputy whose responsibility
bypasses the Director.
214. Advice to the Director on security issues
must come from within the organisation: from the deputy he appoints
to deal with such matters, and from the security officer and other
officials responsible.
215. Whatever body it is that advises the
Management Board on security issues must be small, must consist
of security experts, and must work on a need to know basis. Except
perhaps in the case of institutional matters there is no need
for all Member States to be involved, or indeed for any Member
States to be involved unless the security issues directly involve
them or their national units or liaison officers.
216. There must be clear demarcation between
safeguarding security and data protection.
217. Changes to the security structure can
be made by amendment of the Council Act. The Council can make
such amendments at any time; there is no need to wait for the
Europol Decision to come into force.[77]
Individual security
218. Mr Ratzel gave evidence to us in person
on security issues, so that we did not have an opportunity to
question directly the Europol Security Coordinator or Security
Officer. However when we took evidence from Eurojust the President
was accompanied by Jacques Vos, the acting Administrative Director
of Eurojust, who explained to us the problems about vetting the
security of individuals from 27 different Member States: "There
is no consistency whatsoever and this needs to be redressed in
the future Europe-wide because there is a big disparity now between
the vetting procedures applied in a NATO context, for example,
where the military systems are well equipped to handle this, and
agencies like ours ... We are now in the process of identifying
those sensitive posts ... They should be cleared at the highest
level." (Q 223) We agree, though we would qualify this
by saying that clearance should be to the highest level required
by the particular post in question.
219. Clearly there will continue to be a lack
of trust between the Member States and Europol, and a continuing
failure to communicate to Europol sensitive intelligence, if they
cannot be sure that all those working at Europol, whether directly
for Europol or in the national units, are cleared up to the highest
necessary security levels.
220. Article 31(2) of the Europol Convention
provides: "Where Europol has entrusted persons with a sensitive
activity, Member States shall undertake to arrange, at the request
of the Director of Europol, for security screening of their own
nationals to be carried out in accordance with their national
provisions and to provide each other with mutual assistance for
the purpose." In Article 40(2) of the Decision the opening
words have been changed to "Where Europol intends to entrust
persons with a sensitive activity ..." making clear that
an individual must have security clearance before receiving any
Europol classified information.
221. We agree with Mr Vos that, in organisations
like Europol or Eurojust, security clearance must routinely be
to the highest level required for a particular post. A person
who cannot be cleared to that level has no reason to be at Europol,
nor to be receiving information from Europol in a Member State.
Security clearance is an expensive exercise, but if Member
States are prepared to devote the necessary resources to clearing
all individuals involved to the highest security levels required
for their work, this alone should do much to enhance trust.
74 Council Act of 3 November 1998 adopting rules on
the confidentiality of Europol information, OJ C 26 of 30.1.1999,
p 10, as amended by the Council Act of 5 June 2003, OJ C 152 of
28.6.2003, p 1.
75 Document (P) 11143/96. See Europol: Confidentiality Regulations
(1st Report, Session 1997-98, HL Paper 9), page 10.
76 We deal with data protection in the following chapter.
77 Currently a Council Act adopted under Article 31(1) of the Convention
needs unanimity, but no other body is involved. Once the Decision
is in force, Article 40 will require consultation of the European
Parliament, but QMV rather than unanimity.