Memorandum by Professor Juliet Lodge,
Jean Monnet European Centre of Excellence, University of Leeds
Europol's future development: the implications
of information sharing
INTRODUCTORY REMARKS
1. The proposal to modernise Europol is
a welcome recognition of the operational requirements for effective
supranational action to realise an area of freedom, security and
justice. Europol is the increasingly visible spider in a web of
many supranational and national agencies[1].
How they will share and exchange information with Europol raises
many issues that are problematic for Europol and also result from
the realisation of the Information society itself and i2015.
2. The tasks given to Europol associated
with assisting in combating crime and border management highlight
dissolving administrative boundaries. This demands that attention
be given to how good governance may be effected in the light of
procedures introduced by the Decision which impact on and may
alter practice within the member states' agencies. Information
sharing is not neutral in its impact.
3. Europol's role and potential role in
combating international organised crime in all its guises means
that the organisation is developing in response to external problems
at a time when the issue of effective cooperation among the various
relevant national and EU level agencies is compromised by: mutual
distrust, different national and agency administrative codes,
practices and traditions, variable and inadequately secure information
communication technology (ICT) architectures for information storage,
processing and exchange. It is increasingly benefiting, however,
from cross border cooperation[2]
reinforced by cooperation agreements, such as that concluded with
Frontex. [3]
4. Political and structural problems within
the member states' law enforcement systems also inhibit Europol
from contributing as effectively as it might wish to combating
and prosecuting organised crime and terrorism. Problems encountered
by Europol in relation to information sharing with member states'
police agencies differ from state to state, and within the states
themselves. This problem exists in all EU agencies fed by national
and regional members and can seriously compromise Europol's effectiveness
operationally whether on a bilateral or multilateral, multi-agency
basis (as with exchange possibilities regarding trafficking, border
crossings, for instance, with SIRENE, Frontex[4],VIS
and SIS II).
5. Cooperative arrangements in information
sharing (such as within Eurojust) have led to important operational
successes. These do not detract from the many unresolved issues
within the detail of the Council Decision that need clarifying.
6. Ambiguous or loose terminology in the
various protocols and Council Decision make for confusion, aggravate
the possibility of differential implementation of its provisions
in the member states, and raise questions about the gap between
operational expectations and aspirations among all concerned.
For example, there is no single or common definition or understanding
of basic terms like the "personal data"[5],
"information" and "intelligence". Common understanding
is key and needs revisiting even though Europol has a series of
documents defining terms dating back to 1998[6].
The distinctions and ambiguities could prove problematic in decisions
determining their exchange and automated access to them (as well
as in rules determining the deadlines by which information has
to be made available to counterparts/requesting bodies). Variable
interpretation and practice will impact on catch-all terms used
in the Decision, such as "associated expert" and member
states' veto right over who can be one. Creeping securitisation
implicit in Arts3-5; weak or absent time frames allowing too much
discretionary interpretation (arts 7,11(f), 13(2), 20) and ambiguity
increases the potential for delays to be politically engineered
(Art 28(2).
Automated exchange of information and its impact
on magnifying the accountability and democratic deficits
7. Automatic information sharing is to be
facilitated by identity management systems as the gateways to
partial or full information disclosure. Data is to be available
for remote interrogation, access, and updating by specified agencies
on role specified bases. Such systems are central to the effective
implementation of egovernment for mundane purposes (like renewing
television licences, commercial transactions, etc ) and at the
heart of the envisaged cross-border exchange of information for
policing and law enforcement purposes. RFID and ambient intelligence
use is not limited to policing and security purposes and is vulnerable
to malevolent intrusion. How Europol will deal the implications
of this is unclear.
8. Information sharing, categorisation of
data, judicial cooperation, uncoordinated implementation of the
principle of availability, inconsistency across and within agencies
and special investigative methods[7]pose
serious problems that need to be addressed in a coherent way to
avoid duplication and contradictory practices and outcomes. Differences
in accountability among EU states are likely to persist.
9. Making those who exchange information
accountable in an open, respected, reliable and just way is problematic.
The principle of institutional accountability, for example, through
the Joint Supervisory Body, European Data Protection Supervisor
and European Parliament, needs to be supplemented by robust legislation
to strengthen open, visible parliamentary accountability and democratic
control at all levels. This requires a critical reappraisal of
the terminology of legislation and codes of good practice offering
peer review audits in place of stringent parliamentary scrutiny
and control. Mere "consultation", for example, of the
European Parliament is not sufficient to ensure the effective
exercise of political control.
10. National parliaments' roles needs to
be revisited and strengthened individually vis-a"-vis their
domestic law enforcement agencies and all those other agencies
who are and will be increasingly engaged in bilateral and, multilateral
information exchange and intelligence exchange. Desirable as increasing
closer and more frequent cooperation and information sharing is
between them and the European Parliament, attention must be paid
to what an appropriate joint role might be for them in respect
of the public-private partnerships on which the provision of ICTs
to enable data sharing for Europol's purposes are based.
11. A common intelligence framework may
imply a need for a single database. How could the Decision reflect
the need to align Europol's existing and emergent technical architectures
with other relevant ones?
12. Technological capabilities (that vary
greatly among EU27) define agendas in ways which allow bureaucrats
greater input than elected politicians and heightens the known
tendencies of groupthink. The blurring of administrative boundaries
impacts on accountability at all levels. This needs addressing
: controls on Europol may be tighter than on other levels and
encourage reliance on "softer" bilateral channels with
EU members and third states' agencies.
13. Accountability is not just an audit
trail. Best practice and audits are essential preconditions for
data protection but are not substitutes for political accountability.
The duty of care and vigilance of government (outside the sphere
of state security exceptions) needs re-visiting. Politico-legal
controls are not (yet) up to the task of ensuring effective accountability
by themselves. The EDPS' vigilance remains vital but insufficient[8].
Attention must also be paid to the technologies and associated
processing ("backroom") operations designed to expedite
and facilitate information exchange for Europol's purposes. Liability
for ICT failures needs clarifying. Currently, getting redress
and amending errors by compromised citizens is prohibitive in
terms of time and resources.
14. The tendency to visualise information
exchange purely as a function and operational requirement for
law enforcement agencies working with Europol perpetuates the
artificial and unsustainable boundaries between "internal"
and "external" security. It is especially problematic
when tied to automatic information sharing and exchange.
15. The known risks of inefficient and imperfect
information sharing and exchanges on a bilateral basis in paper-based
systems will not disappear by having automated information exchange.
High standards that Europol and Eurojust may devise need to be
higher and set the gold standard in terms of their technical architectures,
codes of access and exchange, documentary formats and public accountability
mechanisms.
16. It is important that political principles
(like data and purpose minimisation, codes on data re-use in full
or part, information exchange, file exchange, data subject privacy,
and baked-in security) rather than simply technical feasibility
define architectures to prevent malevolent intrusion, data mis
or re-use, sale, fraud and theft. Baked-in security and implementation
of high data protection provisions are essential. The political
reality is based on reliance on subsidiarity, bilateral understandings
and mutual recognition. This results in patchy safeguards for
citizens and all concerned. Citizens are not equal in EU territorial
or digi-space.
17. Different understandings of common terms
(eg Council Decision (COM(2006)0817) references to criminality,
organised crime, serious (Art 4.2) criminal offences (Art 4.3)
crime, criminal justice) in the member states have serious consequences
as to how information and intelligence are managed, processed,
communicated and subject to exchange and sharing with other public
and private or semi-private agencies within the state and across
borders, and in and withthird states. This includes,
for examples, consulates regarding visas and, under the envisaged
common consular space, evisas and enrolment of biometric data
such as fingerprints. If individual security is not necessarily
enhanced by them, is collective security also at risk?
INVISIBLE IMPLICATIONS
OF AUTOMATED
INFORMATION EXCHANGE
18. A number of issues need to be addressed
in the broad context of information exchange.[9]
Who operates the ICT systems outside the controlled environments
of Europol and, for example, Eurojust? How are systems selected
and funded (this will be a growing drain on the EU budget and
matter for the European Parliament as part of the Budgetary Authority.
Automatic information sharing and exchange even short of interoperable
systems are costly. Elements of the systems (like common preferred
formats for documents, indexing and archiving) have uncosted financial
consequences for Europol and its contributing bodies and those
with whom information is to be "shared" and/or exchanged.
19. How are data inputters screened at local
and supranational levels and in all those third state agencies
with whom data exchange and sharing are envisaged?
20. What rules cover system obsolescence,
out-sourcing, data coupling, data mining and tracking, digi-footprints,
data storage and deletion (eg of DNA),data re-use, access (hard
for citizens, relatively easy for member state agencies, commerce)
insider and outsider fraud, corruption, data ownership, degradation,
the updating of communication protocols? How are different categories
of data subject defined?
21. There is little doubt that genuine inter-operability
will boost the speedy response needed to enhance effectiveness.
That is operationally necessary. Automated information sharing
and exchange leads to the creation of "new information"
files and intelligence. ICTs commodify data. Outsourcing to third
states and parties, growing fraud (all too close and visible to
the citizen), information trading for unclear purposes without
the direct consent of the data subject are generally problematic
but especially sensitive in the area of home affairs. Law enforcement
information and intelligence derives from many sources (not necessarily
universally shared or trusted, that may skew or claim ownership
over them).
22. Access by public and private third parties
must be reviewed in the light of i2015 and securitisation of hitherto
"domestic" areas. While biometrics may enhance identity
verification their indiscriminate deployment and outsourced handing
and sale may compromise individual liberty and collective security.
There is a public duty to ensure that the systems envisaged for
say Europol-Eurojust are genuinely models of public systems that
are as robust-against-fraud from data collection to inputting,
access, storage and retrieval as possible.
The ostrich-like approach of allowing technical
providers decide how automated information sharing and exchange/interoperability
will work in practice technically risks allowing others to present
what is available as the "solution" instead of creating
what is needed. Specificity and clarity are essential. Reliance
on mutual recognition is tempting but ducks the need for uniformity
or basic commonality, especially in defining terms like secrecy,
confidentiality, rights of access. The principle of availability
is contingent. However, the Decision of March 2008 (para 10) states
: Europol National Units should have direct access to all data
in the Europol Information System to avoid unnecessary procedures[10].
CONCLUSIONS
23. Automated systems underpinning information
sharing as envisaged for Europol and contributing/cooperating
agencies are probably as yet not quite fit-for-purpose (even allowing
for respect for ethical principles, data minimisation, purpose
limitation, and so on).
24. Automated data sharing, access and exchange
magnify the problem of trust in private and public sector personnel,
technology, administrators, officers, and politicians both inside
the EU and where third parties in third states or NGOs and international
organisations are concerned. Communication to and from third parties
and non-EU interests needs to be rigorously examined. It would
be foolhardy to allow a "tick box" approach to verifying
the "adequacy" (however that term is defined) or otherwise
of, for instance, robust data protection[11].
25. There is a need for consistency and
tight specifications on access rights, standards, system integrity,
reference architectures, etc. There is an urgent need for an EU
law on ID theft, possibly complementary to or a part of the Decision.
26. Effective action by the law enforcement
agencies relies on bilateral agreements, bilateral trust and bilateral
cooperation. Effective "inter-operability" implies a
higher degree of automated information sharing and eventually
mutual access to centralised, agency specific data bases (such
as Eurojust, Frontex etc) and to those in the member states. This
is likely to be informed by experience in the preparation of EU
papers like the Organised Crime Threat Assessment, Terrorism Situation
Report, and Analysis Work Files.
27. The Decision highlights the need for
a cross-pillar, universalised EU model of information exchange.
28. Governments' tendency to consider policing
in isolation from the tools of policing exacerbate a trust, communications
and accountability gap. There is a need to consider over-arching
legislation in respect of egovernance and information and data-sharing
as territorial boundaries are increasingly irrelevant in digi-space
and a future of enhanced nano and ambient technological capabilities.
29. The question is whether the Decision
on Europol can inspire and set the highest standards, and whether
my careful review of practice and the application of secure architectures
agencies that cooperate with Europol can build the mutual trust
in the technology and practice that facilitate mutual endeavour
towards realising common goals.
Submitted in a personal capacity and informed
by research conducted in the JMCE on the EU Framework 6 programmes
"Challenge" (CITI-CT-2004-506255) and "R4eGov"(IST-2004-026650
April 2008
1 Detailed in Europol, Work Programme 2008 sent
to Article 36 Committee, 7911/07, Brussels, 16 April 2007. Back
2
Europol supported the LKA Brandenburg (State level Criminal Investigation)
and the Public Prosecutor's Office in Frankfurt / Oder in Germany
in dismantling a world wide drug trafficking ring. Close cooperation
between the law enforcement authorities in Germany, including
the BKA, the Europol Liaison Bureau Germany, and Interpol were
vital.wwww.europol.europa.eu
April 2008 Back
3
On 28 March 2008 Frontex and Europol signed a cooperation agreement
is to boost cooperation between Europol and Frontex, in particular
through the exchange of strategic and technical information. The
agreement entered into force on the first day following its signature. Back
4
EuroSUR border surveillance system to exchange information with,
inter alia, Frontex has been proposed in a recent Commission communication. Back
5
The Article 29 Data Protection Working Party Opinion 4/2007 on
the concept of personal data [01248/07/EN] was adopted on 20 June
2007. Back
6
See for example, the Council Act of 3 November 1998 adopting rules
on the confidentiality of Europol information, Official Journal
C26/1 30 Jan 1999. Article 1 states: (a) "processing of information"
("processing") means any operation or set of operations
which is performed on personal or non-personal data, whether or
not by automatic means, such as collection, recording, organisation,
storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making
available, alignment or combination, blocking, erasure or destruction;
(b) "third party" means a third State or body as referred
to in Article 10(4) of the Convention; Back
7
Council of the EU, Implementation of the EU Counter-terrorism
strategy-Discussion Paper, 15448/07, Brussels, 23 Nov 2007. Back
8
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2008/08-03-03_Comments_border_package_EN.pdf Back
9
J.Lodge(ed) Are you who you say you are? The EU and biometric
Borders, Wolf Legal Publishers, Nijmegen, 2007. Back
10
Council secretariat to Europol Working Party/Art 36 Committee
Proposal for a Council Decision establishing the European Police
Office(EUROPOL)-consolidated text, 7744/08, Europol 29, Brussels
29 March 2008. Back
11
For discussion of national data protection authorities, see E.Brouwer,
Digital Borders and Real Rights, Wolf Legal Publishers,Nijmegen,2006,pp192ff Back
|