Supplementary Agreement between Europol and United States
(Council docs. 13689/02; 13689/02 add 1; and 13996/02)
[For full-text documentation and background see Statewatch News Online]
1 Statewatch welcomes the chance to comment on this agreement before its signature. In general, the agreement is highly deficient as regards data protection rights and there are worrying contradictions between the text of the agreement and an exchange of letters of ambiguous legal status.
Transparency and accountability
2 The discussion of this particular draft treaty is a good occasion to point out the deficiencies in the Council's and Europol's approach to such treaties as far as transparency and accountability are concerned. None of the treaties concluded by Europol have been published in the EU Official Journal before or even after their ratification except the treaty with the European Central Bank, and very few are available online in the EU Council's register of documents. None are online on the Europol website and in fact the press releases on that site only refer to a small number of such agreements. There is no power for the European Court of Justice to rule on the validity or interpretation of such treaties and there is no procedure for public review of the application of such treaties. The European Parliament is not consulted (and perhaps not even informed) about the conclusion of such agreements and there is no requirement of national parliamentary ratification. Beforehand the EP was not consulted about the general rules regarding Europol external relations and national parliaments had no ratification power over those rules either. There has been no public discussion of the issues underlying the conclusion of such treaties. It is obviously not practical for the Europol Joint Supervisory Body to examine whether the other party upholds its obligations under the agreement, and there is no common body tasked with this power in its absence. Complaints to the EU Ombudsman can only relate to Europol, not to acts of the other party, and again there is no replacement common body.
3 There are now over a dozen such treaties and the Council is contemplating the approval of more all the time; it now is possible that this entire process will be repeated with Eurojust. Since the relevant treaties do not in themselves disclose personal data or operational techniques, there is no public security reason to justify the Council's behaviour. A complete overhaul of the Council's approach is therefore long overdue.
Exchange of letters
4 It is striking that a number of important points have been dealt with by an exchange of letters, which is one-third the length of the original agreement. There is no reference to this exchange of letters in the main text and so the Joint Supervisory Board's assumption that the exchange of letters will be legally binding is not necessarily correct. In any event this is clearly not a transparent or coherent way to draft treaties raising important civil liberties issues.
5 The agreement lacks any provision specifically addressing data protection. This is despite the right to protection of personal data as set out in EU, international and national rules, expressed in Article 8(1) of the EU Charter of Rights ('Everyone has the right to protection of personal data concerning him or her.'). However, as Article 10 of the agreement governs all private-party access to exchanged information, presumably it extends to applications for information by data subjects. The text of this clause is hugely questionable. While Article 10(3) states that it is without prejudice to a party's rules on release of information, it seems clear that Article 10(2) will affect such rules, for the receiving party is obliged to first to apply the sending party's veto on release and then fight disclosure of such information on behalf of the sending party, regardless of the relevant law of the receiving party. This is quite different from simply permitting each of the parties to apply their own data protection law as regards data subject's access to information held on them, for there will presumably be cases in which one party's law would permit release of the data upon the initial application. But the agreement commits each party to oblige the data subject to an expensive legal battle before such data is released. It should be kept in mind that such a battle will also be expensive for taxpayers, who would be funding one party's defence of a decision made by the other party. This is despite the right of access to data by data subjects as set out in EU, international and national rules, expressed in Article 8(2) of the EU Charter of Rights ('Everyone has the right of access to data which has been collected concerning him or her...').
6 The oversight provisions of Article 12, even read along with the exchange of letters, are not impressive. It is highly doubtful whether 'designated senior officials or other components' (whatever a 'component' may be) could be considered to provide 'independent' supervision under any possible interpretation of 'an appropriate level of independence'. For that matter administrative actions and regulations can be easily amended or repealed in the event of an 'inappropriate' show of independence by a supervisory authority, and one may doubt whether an Internal Affairs division of a law enforcement authority, which will rightly focus on possible corruption in that authority, has the specialism in data protection issues that an independent data protection supervisor would have. There is no information as to the extent of independence by 'Inspector-Generals' in practice and as to the extent of their mandate to address specific data protection issues.
7 In any event, the international obligations applying to EU Member States and the EC rules on data protection require there to be an independent authority, not merely one with the 'appropriate' degree of independence. This is expressly stated in Article 8(3) of the EU Charter of Rights. It thus seems clear from the exchange of letters that the American rules fall short of those required by the EU Charter of Rights, which applies to Europol as a 'body' of the Union by virtue of its Article 51(1).
8 Similarly, the agreement flouts the international rules severely restricting processing of data in certain 'sensitive' categories, as set out in Article 6 of the agreement. The exchange of letters tries to assert that 'particularly relevant' has the same meaning as 'absolutely necessary' as in the Europol rules, but the two terms are not even remotely comparable. There is thus a huge risk that Europol will either transmit its information or receive American information which violates the rules on processing of sensitive data.
9 The provisions in the exchange of letters relating to Article 5(4) are worrying. They rule out the use of Article 5(4) as regards 'generic' data protection rules besides those expressly mentioned in the agreement. Quite apart from the dismissive turn of phrase used, the fact is that there are no data protection rules expressly mentioned in the agreement.
Access to documents
10 The agreement lacks any provision specifically addressing access to documents, but again presumably Article 10 of the agreement addresses this issue. Again, Article 10(3) states that it is without prejudice to a party's rules on release of information, but it seems clear that Article 10(2) will affect such rules, for the receiving party will be obliged to first to apply the sending party's veto on release and then fight disclosure of such information on behalf of the sending party, regardless of the relevant law of the receiving party.
11 The text of the agreement does not reassure the reader that Europol will stay strictly within its mandate. Only the exchange of letters indicates that the concept of 'jurisdiction' is the same as Europol's mandate. But this is apparently contradicted by the reference to immigration investigations in the discussion of Article 5 in the exchange of letters. Certainly it is possible that such information could be relevant to investigations into trafficking of persons or other serious crimes within Europol's mandate but this obviously only constitutes a small fraction of immigration proceedings. The limitation on Europol's powers as regards immigration proceedings does not emerge clearly from the text of the agreement or the exchange of letters--quite the contrary.
12 Article 3(3) appears to limit remedies in the event of breaches of the agreement even if one is discovered by an individual. Surely it should be left to national law to determine in what circumstances evidence is used in proceedings and the legal relevance of the agreement in that regard? A blanket ban on deriving rights from the agreement to obtain, suppress or exclude evidence may be questionable in light of the right to a fair trial in Article 6 ECHR and Article 14 ICCPR (which the US has ratified along with all the EU Member States).
13 As a final observation, the Home Office explanatory memoranda state that the 'outside interests' consulted by the Home Office were 'the ACPO, NCIS and other law enforcement agencies'. It might be questioned whether such bodies are really 'outside interests' in relation to the Home Office, although it obviously makes sense to consult them. But it is striking that the Home Office did not see fit to consult the Information Commissioner or any non-governmental organisation interested in data protection and privacy issues on the draft agreement.
14 Since the United States has found time to agree two massive pieces of legislation on internal security matters since September 11, 2001, it has also had time to consider whether or not its framework for data protection is adequate for international collaboration and to make changes to that framework. It has not done so despite the considerable demands it is making on other members of the international community. As a result, we have a poorly drafted, ambiguous and contradictory agreement and exchange of letters negotiated in a wholly inadequate legal framework which apparently exceeds Europol's mandate and is clearly incompatible with the data protection principles of the EU. There is no direct mention of data protection whatsoever and no specific rules on access to data. The exchange of letters even rules out application of data protection rules in one important case and the restriction on processing of 'sensitive' data in EU rules receives short shrift from the text.
15 If the Council were to refuse to accept the agreement in its current form, this would be a welcome decision in support of the EU's expressly stated principles of support for civil liberties and would encourage a long-overdue rethink of the adequacy of data protection law in the United States. In any event, it is long past time to overhaul the secretive and illegitimate system applicable to Europol's treaties with third states and bodies.
Statewatch, December 2002 (prepared by Steve Peers)
SEMDOC: Statewatch European Monitoring and Documentation Centre. e-mail: firstname.lastname@example.org