Select Committee on European Union Minutes of Evidence


Memorandum by Professor Juliet Lodge, Jean Monnet European Centre of Excellence, University of Leeds

Europol's future development: the implications of information sharing

INTRODUCTORY REMARKS

  1.  The proposal to modernise Europol is a welcome recognition of the operational requirements for effective supranational action to realise an area of freedom, security and justice. Europol is the increasingly visible spider in a web of many supranational and national agencies[1]. How they will share and exchange information with Europol raises many issues that are problematic for Europol and also result from the realisation of the Information society itself and i2015.

  2.  The tasks given to Europol associated with assisting in combating crime and border management highlight dissolving administrative boundaries. This demands that attention be given to how good governance may be effected in the light of procedures introduced by the Decision which impact on and may alter practice within the member states' agencies. Information sharing is not neutral in its impact.

  3.  Europol's role and potential role in combating international organised crime in all its guises means that the organisation is developing in response to external problems at a time when the issue of effective cooperation among the various relevant national and EU level agencies is compromised by: mutual distrust, different national and agency administrative codes, practices and traditions, variable and inadequately secure information communication technology (ICT) architectures for information storage, processing and exchange. It is increasingly benefiting, however, from cross border cooperation[2] reinforced by cooperation agreements, such as that concluded with Frontex. [3]

  4.  Political and structural problems within the member states' law enforcement systems also inhibit Europol from contributing as effectively as it might wish to combating and prosecuting organised crime and terrorism. Problems encountered by Europol in relation to information sharing with member states' police agencies differ from state to state, and within the states themselves. This problem exists in all EU agencies fed by national and regional members and can seriously compromise Europol's effectiveness operationally whether on a bilateral or multilateral, multi-agency basis (as with exchange possibilities regarding trafficking, border crossings, for instance, with SIRENE, Frontex[4],VIS and SIS II).

  5.  Cooperative arrangements in information sharing (such as within Eurojust) have led to important operational successes. These do not detract from the many unresolved issues within the detail of the Council Decision that need clarifying.

  6.  Ambiguous or loose terminology in the various protocols and Council Decision make for confusion, aggravate the possibility of differential implementation of its provisions in the member states, and raise questions about the gap between operational expectations and aspirations among all concerned. For example, there is no single or common definition or understanding of basic terms like the "personal data"[5], "information" and "intelligence". Common understanding is key and needs revisiting even though Europol has a series of documents defining terms dating back to 1998[6]. The distinctions and ambiguities could prove problematic in decisions determining their exchange and automated access to them (as well as in rules determining the deadlines by which information has to be made available to counterparts/requesting bodies). Variable interpretation and practice will impact on catch-all terms used in the Decision, such as "associated expert" and member states' veto right over who can be one. Creeping securitisation implicit in Arts3-5; weak or absent time frames allowing too much discretionary interpretation (arts 7,11(f), 13(2), 20) and ambiguity increases the potential for delays to be politically engineered (Art 28(2).

Automated exchange of information and its impact on magnifying the accountability and democratic deficits

  7.  Automatic information sharing is to be facilitated by identity management systems as the gateways to partial or full information disclosure. Data is to be available for remote interrogation, access, and updating by specified agencies on role specified bases. Such systems are central to the effective implementation of egovernment for mundane purposes (like renewing television licences, commercial transactions, etc ) and at the heart of the envisaged cross-border exchange of information for policing and law enforcement purposes. RFID and ambient intelligence use is not limited to policing and security purposes and is vulnerable to malevolent intrusion. How Europol will deal the implications of this is unclear.

  8.  Information sharing, categorisation of data, judicial cooperation, uncoordinated implementation of the principle of availability, inconsistency across and within agencies and special investigative methods[7]pose serious problems that need to be addressed in a coherent way to avoid duplication and contradictory practices and outcomes. Differences in accountability among EU states are likely to persist.

  9.  Making those who exchange information accountable in an open, respected, reliable and just way is problematic. The principle of institutional accountability, for example, through the Joint Supervisory Body, European Data Protection Supervisor and European Parliament, needs to be supplemented by robust legislation to strengthen open, visible parliamentary accountability and democratic control at all levels. This requires a critical reappraisal of the terminology of legislation and codes of good practice offering peer review audits in place of stringent parliamentary scrutiny and control. Mere "consultation", for example, of the European Parliament is not sufficient to ensure the effective exercise of political control.

  10.  National parliaments' roles needs to be revisited and strengthened individually vis-a"-vis their domestic law enforcement agencies and all those other agencies who are and will be increasingly engaged in bilateral and, multilateral information exchange and intelligence exchange. Desirable as increasing closer and more frequent cooperation and information sharing is between them and the European Parliament, attention must be paid to what an appropriate joint role might be for them in respect of the public-private partnerships on which the provision of ICTs to enable data sharing for Europol's purposes are based.

  11.  A common intelligence framework may imply a need for a single database. How could the Decision reflect the need to align Europol's existing and emergent technical architectures with other relevant ones?

  12.  Technological capabilities (that vary greatly among EU27) define agendas in ways which allow bureaucrats greater input than elected politicians and heightens the known tendencies of groupthink. The blurring of administrative boundaries impacts on accountability at all levels. This needs addressing : controls on Europol may be tighter than on other levels and encourage reliance on "softer" bilateral channels with EU members and third states' agencies.

  13.  Accountability is not just an audit trail. Best practice and audits are essential preconditions for data protection but are not substitutes for political accountability. The duty of care and vigilance of government (outside the sphere of state security exceptions) needs re-visiting. Politico-legal controls are not (yet) up to the task of ensuring effective accountability by themselves. The EDPS' vigilance remains vital but insufficient[8]. Attention must also be paid to the technologies and associated processing ("backroom") operations designed to expedite and facilitate information exchange for Europol's purposes. Liability for ICT failures needs clarifying. Currently, getting redress and amending errors by compromised citizens is prohibitive in terms of time and resources.

  14.  The tendency to visualise information exchange purely as a function and operational requirement for law enforcement agencies working with Europol perpetuates the artificial and unsustainable boundaries between "internal" and "external" security. It is especially problematic when tied to automatic information sharing and exchange.

  15.  The known risks of inefficient and imperfect information sharing and exchanges on a bilateral basis in paper-based systems will not disappear by having automated information exchange. High standards that Europol and Eurojust may devise need to be higher and set the gold standard in terms of their technical architectures, codes of access and exchange, documentary formats and public accountability mechanisms.

  16.  It is important that political principles (like data and purpose minimisation, codes on data re-use in full or part, information exchange, file exchange, data subject privacy, and baked-in security) rather than simply technical feasibility define architectures to prevent malevolent intrusion, data mis or re-use, sale, fraud and theft. Baked-in security and implementation of high data protection provisions are essential. The political reality is based on reliance on subsidiarity, bilateral understandings and mutual recognition. This results in patchy safeguards for citizens and all concerned. Citizens are not equal in EU territorial or digi-space.

  17.  Different understandings of common terms (eg Council Decision (COM(2006)0817) references to criminality, organised crime, serious (Art 4.2) criminal offences (Art 4.3) crime, criminal justice) in the member states have serious consequences as to how information and intelligence are managed, processed, communicated and subject to exchange and sharing with other public and private or semi-private agencies within the state and across borders, and in— and with—third states. This includes, for examples, consulates regarding visas and, under the envisaged common consular space, evisas and enrolment of biometric data such as fingerprints. If individual security is not necessarily enhanced by them, is collective security also at risk?

INVISIBLE IMPLICATIONS OF AUTOMATED INFORMATION EXCHANGE

  18.  A number of issues need to be addressed in the broad context of information exchange.[9] Who operates the ICT systems outside the controlled environments of Europol and, for example, Eurojust? How are systems selected and funded (this will be a growing drain on the EU budget and matter for the European Parliament as part of the Budgetary Authority. Automatic information sharing and exchange even short of interoperable systems are costly. Elements of the systems (like common preferred formats for documents, indexing and archiving) have uncosted financial consequences for Europol and its contributing bodies and those with whom information is to be "shared" and/or exchanged.

  19.  How are data inputters screened at local and supranational levels and in all those third state agencies with whom data exchange and sharing are envisaged?

  20.  What rules cover system obsolescence, out-sourcing, data coupling, data mining and tracking, digi-footprints, data storage and deletion (eg of DNA),data re-use, access (hard for citizens, relatively easy for member state agencies, commerce) insider and outsider fraud, corruption, data ownership, degradation, the updating of communication protocols? How are different categories of data subject defined?

  21.  There is little doubt that genuine inter-operability will boost the speedy response needed to enhance effectiveness. That is operationally necessary. Automated information sharing and exchange leads to the creation of "new information" files and intelligence. ICTs commodify data. Outsourcing to third states and parties, growing fraud (all too close and visible to the citizen), information trading for unclear purposes without the direct consent of the data subject are generally problematic but especially sensitive in the area of home affairs. Law enforcement information and intelligence derives from many sources (not necessarily universally shared or trusted, that may skew or claim ownership over them).

  22.  Access by public and private third parties must be reviewed in the light of i2015 and securitisation of hitherto "domestic" areas. While biometrics may enhance identity verification their indiscriminate deployment and outsourced handing and sale may compromise individual liberty and collective security. There is a public duty to ensure that the systems envisaged for say Europol-Eurojust are genuinely models of public systems that are as robust-against-fraud from data collection to inputting, access, storage and retrieval as possible.

  The ostrich-like approach of allowing technical providers decide how automated information sharing and exchange/interoperability will work in practice technically risks allowing others to present what is available as the "solution" instead of creating what is needed. Specificity and clarity are essential. Reliance on mutual recognition is tempting but ducks the need for uniformity or basic commonality, especially in defining terms like secrecy, confidentiality, rights of access. The principle of availability is contingent. However, the Decision of March 2008 (para 10) states : Europol National Units should have direct access to all data in the Europol Information System to avoid unnecessary procedures[10].

CONCLUSIONS

  23.  Automated systems underpinning information sharing as envisaged for Europol and contributing/cooperating agencies are probably as yet not quite fit-for-purpose (even allowing for respect for ethical principles, data minimisation, purpose limitation, and so on).

  24.  Automated data sharing, access and exchange magnify the problem of trust in private and public sector personnel, technology, administrators, officers, and politicians both inside the EU and where third parties in third states or NGOs and international organisations are concerned. Communication to and from third parties and non-EU interests needs to be rigorously examined. It would be foolhardy to allow a "tick box" approach to verifying the "adequacy" (however that term is defined) or otherwise of, for instance, robust data protection[11].

  25.  There is a need for consistency and tight specifications on access rights, standards, system integrity, reference architectures, etc. There is an urgent need for an EU law on ID theft, possibly complementary to or a part of the Decision.

  26.  Effective action by the law enforcement agencies relies on bilateral agreements, bilateral trust and bilateral cooperation. Effective "inter-operability" implies a higher degree of automated information sharing and eventually mutual access to centralised, agency specific data bases (such as Eurojust, Frontex etc) and to those in the member states. This is likely to be informed by experience in the preparation of EU papers like the Organised Crime Threat Assessment, Terrorism Situation Report, and Analysis Work Files.

  27.  The Decision highlights the need for a cross-pillar, universalised EU model of information exchange.

  28.  Governments' tendency to consider policing in isolation from the tools of policing exacerbate a trust, communications and accountability gap. There is a need to consider over-arching legislation in respect of egovernance and information and data-sharing as territorial boundaries are increasingly irrelevant in digi-space and a future of enhanced nano and ambient technological capabilities.

  29.  The question is whether the Decision on Europol can inspire and set the highest standards, and whether my careful review of practice and the application of secure architectures agencies that cooperate with Europol can build the mutual trust in the technology and practice that facilitate mutual endeavour towards realising common goals.

Submitted in a personal capacity and informed by research conducted in the JMCE on the EU Framework 6 programmes "Challenge" (CITI-CT-2004-506255) and "R4eGov"(IST-2004-026650

April 2008




1   Detailed in Europol, Work Programme 2008 sent to Article 36 Committee, 7911/07, Brussels, 16 April 2007. Back

2   Europol supported the LKA Brandenburg (State level Criminal Investigation) and the Public Prosecutor's Office in Frankfurt / Oder in Germany in dismantling a world wide drug trafficking ring. Close cooperation between the law enforcement authorities in Germany, including the BKA, the Europol Liaison Bureau Germany, and Interpol were vital.wwww.europol.europa.eu April 2008 Back

3   On 28 March 2008 Frontex and Europol signed a cooperation agreement is to boost cooperation between Europol and Frontex, in particular through the exchange of strategic and technical information. The agreement entered into force on the first day following its signature. Back

4   EuroSUR border surveillance system to exchange information with, inter alia, Frontex has been proposed in a recent Commission communication. Back

5   The Article 29 Data Protection Working Party Opinion 4/2007 on the concept of personal data [01248/07/EN] was adopted on 20 June 2007. Back

6   See for example, the Council Act of 3 November 1998 adopting rules on the confidentiality of Europol information, Official Journal C26/1 30 Jan 1999. Article 1 states: (a) "processing of information" ("processing") means any operation or set of operations which is performed on personal or non-personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; (b) "third party" means a third State or body as referred to in Article 10(4) of the Convention; Back

7   Council of the EU, Implementation of the EU Counter-terrorism strategy-Discussion Paper, 15448/07, Brussels, 23 Nov 2007. Back

8   http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2008/08-03-03_Comments_border_package_EN.pdf Back

9   J.Lodge(ed) Are you who you say you are? The EU and biometric Borders, Wolf Legal Publishers, Nijmegen, 2007. Back

10   Council secretariat to Europol Working Party/Art 36 Committee Proposal for a Council Decision establishing the European Police Office(EUROPOL)-consolidated text, 7744/08, Europol 29, Brussels 29 March 2008. Back

11   For discussion of national data protection authorities, see E.Brouwer, Digital Borders and Real Rights, Wolf Legal Publishers,Nijmegen,2006,pp192ff Back


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2008