Select Committee on European Union Twenty-Ninth Report


CHAPTER 8: DATA PROTECTION

222.  Europol, like any other body handling sensitive personal data, needs rules for protecting those data, and these rules have to balance the needs of crime analysis with those of data protection in a situation where the volume of data is growing exponentially.

DATA PROTECTION UNDER THE EUROPOL CONVENTION

223.  Under Article 14 of the Convention, Member States are required to have in force data protection provisions at least of the standard required by the 1981 Council of Europe Convention.[78] Europol itself is required to take account of the principles of the Convention.

224.  Europol has a data protection officer, though this is not a requirement of the Convention. Monitoring of data protection at Europol is ultimately the responsibility of the Joint Supervisory Body (JSB), an independent body set up under Article 24 "to ensure that the rights of the individual are not violated by the storage, processing and utilization of the data held by Europol." The members of the JSB are drawn from the data protection authorities of the Member States. David Smith, the Deputy Information Commissioner who is the United Kingdom representative on the JSB, and currently its Chairman, explained that "The role of the Joint Supervisory Body is essentially independent supervision. It is to take an independent view of whether Europol is complying with the data protection requirements in the Europol Convention and in the legal instruments which sit above that … The Joint Supervisory Body is primarily concerned with processing by Europol and, when bilateral channels are used, that essentially is not a Joint Supervisory Body matter." (QQ 411-412)

225.  These last words illustrate the tension arising between the respective responsibilities of the Member States and of Europol. The JSB is concerned only with data held and used by Europol. Data used on Europol's premises for bilateral exchanges belong to the Member States involved and not to Europol; they are therefore not subject to Europol's rules on data protection, or to supervision by the JSB, but they will be subject to the data protection rules of the Member States. Likewise, all the data on Europol's databases come from a Member State. Until inputted into Europol's databases they are the sole responsibility of the Member State, and even after they have been inputted the Member State retains a responsibility.

226.  Mr Smith gave us an example of the problem (Q 416):

BOX 12
The ownership of data

The Deputy Information Commissioner explained that information on a group of 33 young women was in the Europol information system. They were a ring of prostitutes and the information indicated that they were suspects of criminal activity. When we traced it back to the Member State, it appeared that actually they were probably victims of people trafficking, though it was possible that amongst the 33 one or two were part of the criminal ring behind the people trafficking. There was not sufficient evidence to hold them in the Europol system as suspects. Our report asked for those data to be deleted. When we came to do the inspection this year, those data were still in the system. We wrote to the data protection authority for the Member State, because the inputting of data is a matter for the Member State rather than Europol, and we also wrote to the Director reminding him that Europol have some responsibility as well. We set a time limit and those data were then quickly removed from the system.


AGREEMENTS WITH THIRD STATES

227.  We explained in Chapter 6 that there is one category of agreements between Europol and third countries which deal only with strategic matters and other generalities. Before Europol can communicate personal data to a third country or body the Council must be satisfied that "an adequate level of data protection is ensured" in the State or body in question. It reaches its conclusions on the advice of the Management Board, which in turn consults the JSB.[79]

228.  The adequacy is assessed taking into account the nature of the data, the intended use, and the duration of the intended data processing. Mr Smith explained that an "adequate" level of protection did not necessarily have to be equivalent to the level of protection offered by the Member States themselves, but he thought the adequacy requirement was entirely justified.

229.  When he gave evidence to us on 9 July 2008 the JSB had on its agenda agreements with Russia and Israel, on the basis that Europol wanted to exchange personal information with Russia and Israel and could not do so because an agreement was not yet in place. (Q 434)

230.  Eurojust too can communicate data to the competent authorities of third States, but again only if it is satisfied that "an adequate level of data protection is ensured" in those States.[80] However in the case of Eurojust its own Joint Supervisory Body assesses the adequacy of these arrangements, and there is no guidance at all on the matters it should take into account. Mr Smith thought it "slightly odd" that the adequacy of the level of data protection was assessed by separate bodies, and that the same applied to other organisations; in his view "a slightly more joined-up system would be of benefit to everybody." (Q 434)

231.  We agree. Where organisations can share much of their information it is in our view more than slightly odd that different bodies can make potentially different assessments of the adequacy of the data protection arrangements in a third country.[81] Although in the case of Europol the opinion of the JSB is advisory only, that is no reason why the JSBs of Europol and Eurojust should reach different conclusions without any justification. The same is true in the case of the other European agencies with which Europol will be required to have cooperation agreements once the Decision is in force.

DATA PROTECTION UNDER THE DECISION

232.  The Decision establishing Europol as an agency is, as we explained in Chapter 2, a third pillar instrument. Any general data protection provisions applying to the third pillar would therefore apply to Europol.

233.  In October 2005 the Commission brought out a proposal for just such an instrument, a draft Data Protection Framework Decision (DPFD) to apply to all third pillar instruments.[82] Negotiations on this were taking place when, in January 2007, the Commission brought out its proposal for the Europol Decision. Chapter V of that proposal included seven articles on data protection issues specific to Europol, but they were prefaced by Article 26, which set out the standard of data protection to be applied, and based this on the assumption that the DPFD would enter into force substantially unchanged.

BOX 13
Europol Decision, Commission proposal: Article 26

Without prejudice to specific provisions of this Decision, Europol shall apply the principles of the Council Framework Decision 2007/XX/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters in the collection, processing and usage of personal data. Europol shall observe these principles in the collection, processing and utilisation of personal data, included in respect of non-automated data held in the form of data files, i.e. any structured set of personal data accessible in accordance with specific criteria.


234.  In his formal Opinion on the Commission proposal of 16 February 2007 the European Data Protection Supervisor (EDPS) noted that Chapter V "contains specific rules on data protection and data security, that can be considered as lex specialis providing for additional rules on top of a lex generalis, a general legal framework on data protection. However, this general legal framework for the third pillar has not yet been adopted." He recommended that the Europol Decision should not be adopted before the Council adopted a DPFD "guaranteeing an appropriate level of data protection in conformity with the conclusions of the EDPS in his two opinions on the Commission proposal for a Council Framework Decision."[83]

235.  This Committee has followed closely the depressing lack of progress of the negotiations on the DPFD. In March 2007 the German Presidency put forward a revised proposal[84] which greatly weakened the original draft. In December 2007 a general approach was agreed on a draft which, so far from providing a lex generalis on which the lex specialis provisions of the Europol Decision could build, explained that "the data protection provisions … governing the functioning of Europol … will not be affected by the present Framework Decision".[85]

236.  The draft of the Europol Decision agreed in April 2008 therefore explains that the DPFD is applicable to the transfer of personal data by Member States to Europol, but does not affect the specific data protection provisions in the Europol Decision.[86] Under Article 27 the general standard of data protection has reverted to that of the Council of Europe Data Protection Convention,[87] as it now is under the Europol Convention.

237.  We express our regret, not for the first time, that the negotiations for a Data Protection Framework Decision, which could and should have resulted in an instrument setting a high general standard of protection for third pillar data exchanges, have instead produced an anodyne and toothless document which the Europol Decision does not trouble to apply to Europol's work.

THE DATA PROTECTION OFFICER

238.  The Decision does include one provision which is a distinct improvement on the Convention. The data protection officer is put on a statutory basis as an independent member of staff responsible for ensuring compliance with the data protection provisions of the Decision. The EDPS welcomed this, but pointed out that in the case of similar officials in other EU institutions there were provisions giving him the necessary staff and budget, and allowing him to be dismissed only in very exceptional circumstances.[88]

239.  Mr Smith also welcomed this provision: "We are very supportive of the principle of setting up this quasi-independent data protection officer. It is a system which Eurojust has adopted and works well under the Eurojust Decision. We are particularly pleased that it emphasises the importance of data protection within Europol, emphasises that the responsibilities there go straight to the Director and that data protection has to be taken seriously. There is also a very clear duty to cooperate with the Joint Supervisory Body." (Q 433)


78   Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and Recommendation No R (87) 15 of the Committee of Ministers of the Council of Europe of 17 September 1987.

79   Article 18 of the Europol Convention.

80   Article 27 of the Decision establishing Eurojust.

81   It is even more strange that, under Article 25 of the first pillar Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 of 23.11.1995, p 31), and under the proposed Data Protection Framework Decision (draft of 11 December 2007, document 16069/07, Article 14) it is for individual Member States transmitting data to a third country or international body to assess the adequacy of that country's or body's data protection arrangements, giving scope for a potentially large number of different and conflicting assessments.

82   Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, document 13019/05.

83   Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision establishing the European Police Office (Europol) COM(2006) 817 final (OJ C255 of 27.10.2007, p 13) (EDPS Opinion), paragraphs 4, 39 and 66.

84   Document 7315/07.

85   Document 16069/07, recital 24a.

86   Recital 12.

87   Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and Recommendation No R (87) 15 of the Committee of Ministers of the Council of Europe of 17 September 1987.

88   EDPS Opinion, paragraphs 58 to 63.


 

© Parliamentary copyright 2008