Select Committee on European Union Twenty-Ninth Report


CHAPTER 7: SECURITY

Enhanced security

198.  We referred in Chapter 3 to the importance of developing the trust Member States have in the integrity and security of Europol's information systems, so that they can be confident of entrusting to Europol even their most sensitive intelligence information. The trust is of two kinds: trust by Member States in the security of each other's intelligence services, and trust in the technology of the data systems.

199.  Professor Lodge emphasised that Europol needed to maintain the right balance between automation and analysis by the individual. In answer to our question about the increase of bilateral information exchanges foreseen by the Council Decision, she said: "I think, firstly, that ad hoc-ism can be very valuable, but, as you are pointing out, it is based on mutual trust, and the more that Europol, Eurojust and all the associated agencies move towards automated information exchange, the more they are relying on the technology rather than the analysis by the individual. If you cannot trust technology—and you cannot trust the technology—then this issue of trust has further ramifications for political accountability and legitimacy of the whole system which then impacts on the citizen." (Q 155)

Responsibility for security

200.  Europol's rules for monitoring security issues are governed by a Council Act which came into force on 1 July 1999, the day Europol began operations.[74] The Act provides that one of the Deputy Directors appointed by the Council acts as Europol Security Coordinator; he is the Deputy Director to whom the Director assigns, as one of his duties, "the function of coordination and control in matters of security". The Act also sets up a Security Committee consisting of representatives of the Member States and of Europol. The Committee is chaired by the Security Coordinator, and its task is to "advise the Management Board and Director of Europol on issues relating to security".

201.  Because of the critical importance of security, one of the first questions we put to the Director was to ask him if he was satisfied with the level of security at Europol. In reply, the Director described the various aspects of security involved: "physical security, technical security, vetting of people, screening of people, handling of data, safeguarding of data". He was confident that Europol had achieved "a considerable level of security", and that it was improving. (Q 168)

202.  When Mr Ratzel explained to us the relationship between the Director and his deputy when acting as Security Coordinator, he told us that the Security Coordinator was, in that capacity, "not under my governance". He added that "The Security Committee, in which all the Member States participate, advises the person in charge of security and in that security coordinating function he is independent from my tasking."

203.  Mr Ratzel further explained to us that "If the Security Coordinator decides that something is wrong with security within Europol he informs me and advises me what to do. If I do not follow the advice, if I am not able to follow it, if I am not willing to follow it or if I am not successful in following it, this person informs the Management Board what was the advice, what has been done by the Director and what nevertheless has not been achieved so far. That gives you a clear indication of the strong role of the security coordinator."

204.  From this evidence it seemed that the Security Coordinator was not responsible to the Director for security matters, and indeed for some purposes bypassed him and went straight to the Management Board. We thought it inconceivable that the Director should not have overall responsibility for security; moreover it seemed to follow unequivocally from the words of Article 4(2) of the Council Act that he should have this responsibility: "The Security Coordinator shall be directly answerable to the Director of Europol".

205.  Accordingly, after we had completed taking evidence we asked Europol officials to clarify the situation. They submitted to us a supplementary memorandum, specifically approved by the Director (p 78). From this it seems that, despite the wording of Article 4(2) of the Council Act, when acting as chairman of the Security Committee the Security Coordinator is indeed "independent from the Director's governance and tasking". The memorandum explains that the Security Committee "can thus be considered as a sub-committee of the Management Board" and that "it is thus self-evident that the chairman of a sub-committee of the Management Board acts independently from the Director of Europol."

206.  Nor is that all. Mr Ratzel also told us that there was an additional internal unit dedicated to dealing with security for data protection, data security and confidentiality, "and at the same time this unit serves the security coordinator as a secretariat in his role of having the Security Committee guided … In addition, we have a security officer in the organisation who is in charge of looking for security issues every day in practical terms and also, as far as necessary, of dealing with internal inquiries. These internal inquiries are then done under my command." The head of the unit was thus also in charge of data protection, data security and confidentiality, and was at the same time the data protection officer of the organisation. However as data protection officer he was not under the Director's command, but nevertheless had direct access to him and advised him what to do on data protection issues.

207.  We asked Mr Ratzel how much of a worry security was to him on a scale of one to ten, "one" meaning that he did not worry about it at all. His reply was "close to two". (QQ 169-170) We do not suggest that he was not concerned about security; we hope he is, for in our view a lack of concern about security rapidly breeds complacency. An organisation which is not proactive about security is one which puts itself at risk of security breaches; good security is a matter of constant vigilance.

208.  Nevertheless we think there are a number of reasons why Mr Ratzel should be worried. It seems to us that the mechanisms set up for handling security issues are extraordinarily and unnecessarily complex—so complex that the Director's oral evidence to us needed considerable clarification. We can well understand that the Management Board, which has oversight of the proper performance of all the Director's duties, including those relating to security, should want independent advice on these matters. The Director too needs advice, and for this he has a deputy who is security coordinator, and who in turn has a security officer and a security unit. That seems logical. What is wholly illogical is that the Security Committee should advise not just the Management Board but also the Director, and should be chaired by the Director's senior security adviser who, in his capacity as chairman, is not responsible to the Director.

209.  Moreover we doubt whether, other perhaps than in the case of institutional matters, advice to the Management Board on security is best provided by a sub-committee which, like the Management Board itself, consists of representatives of all the Member States. Security issues should be dealt with on a need to know basis. Member States whose security services are directly affected by a breach or potential breach of security must be informed, but we see no reason why any other Member State need be involved at all, let alone twice over.

210.  The first draft of the Council Act—then known as the Confidentiality Regulations—included in Article 3, establishing the Europol Security Committee, a paragraph (4) providing that "The members of the Europol Security Committee shall have appropriate experience in security and law enforcement."[75] Inexplicably, this was deleted before the Council Act was adopted, the implication being that there is no need for the members of the Committee to have any such experience. It seems to us self-evident that whatever body it is that provides advice to the Management Board on security matters must consist of, or at least include, security experts.

211.  Although security of course plays a part in data protection, there is a major difference between, on the one hand, safeguarding intelligence so that it does not leak to criminals and jeopardise operations against them, and on the other preventing information about individuals from leaking into the public domain. Only the first of these is truly a security issue. Yet it seems that the same security officer who, when dealing with internal security inquiries, works to the Director, is also the data protection officer, and as such not under the Director's command.[76]

OUR CONCLUSIONS AND RECOMMENDATIONS

212.  It is not for us to suggest a detailed structure for managing security at Europol. However we believe there is a case for a radical re-think. In our view the following basic principles should be adhered to.

213.  The Director of Europol should have overall responsibility for security in the organisation he directs. There is no case for the responsibility lying with a deputy whose responsibility bypasses the Director.

214.  Advice to the Director on security issues must come from within the organisation: from the deputy he appoints to deal with such matters, and from the security officer and other officials responsible.

215.  Whatever body it is that advises the Management Board on security issues must be small, must consist of security experts, and must work on a need to know basis. Except perhaps in the case of institutional matters there is no need for all Member States to be involved, or indeed for any Member States to be involved unless the security issues directly involve them or their national units or liaison officers.

216.  There must be clear demarcation between safeguarding security and data protection.

217.  Changes to the security structure can be made by amendment of the Council Act. The Council can make such amendments at any time; there is no need to wait for the Europol Decision to come into force.[77]

Individual security

218.  Mr Ratzel gave evidence to us in person on security issues, so that we did not have an opportunity to question directly the Europol Security Coordinator or Security Officer. However when we took evidence from Eurojust the President was accompanied by Jacques Vos, the acting Administrative Director of Eurojust, who explained to us the problems about vetting the security of individuals from 27 different Member States: "There is no consistency whatsoever and this needs to be redressed in the future Europe-wide because there is a big disparity now between the vetting procedures applied in a NATO context, for example, where the military systems are well equipped to handle this, and agencies like ours … We are now in the process of identifying those sensitive posts … They should be cleared at the highest level." (Q 223) We agree, though we would qualify this by saying that clearance should be to the highest level required by the particular post in question.

219.  Clearly there will continue to be a lack of trust between the Member States and Europol, and a continuing failure to communicate to Europol sensitive intelligence, if they cannot be sure that all those working at Europol, whether directly for Europol or in the national units, are cleared up to the highest necessary security levels.

220.  Article 31(2) of the Europol Convention provides: "Where Europol has entrusted persons with a sensitive activity, Member States shall undertake to arrange, at the request of the Director of Europol, for security screening of their own nationals to be carried out in accordance with their national provisions and to provide each other with mutual assistance for the purpose." In Article 40(2) of the Decision the opening words have been changed to "Where Europol intends to entrust persons with a sensitive activity …" making clear that an individual must have security clearance before receiving any Europol classified information.

221.  We agree with Mr Vos that, in organisations like Europol or Eurojust, security clearance must routinely be to the highest level required for a particular post. A person who cannot be cleared to that level has no reason to be at Europol, nor to be receiving information from Europol in a Member State. Security clearance is an expensive exercise, but if Member States are prepared to devote the necessary resources to clearing all individuals involved to the highest security levels required for their work, this alone should do much to enhance trust.


74   Council Act of 3 November 1998 adopting rules on the confidentiality of Europol information, OJ C 26 of 30.1.1999, p 10, as amended by the Council Act of 5 June 2003, OJ C 152 of 28.6.2003, p 1.

75   Document (P) 11143/96. See Europol: Confidentiality Regulations (1st Report, Session 1997-98, HL Paper 9), page 10.

76   We deal with data protection in the following chapter.

77   Currently a Council Act adopted under Article 31(1) of the Convention needs unanimity, but no other body is involved. Once the Decision is in force, Article 40 will require consultation of the European Parliament, but QMV rather than unanimity.



© Parliamentary copyright 2008