Proposed exchange of personal data between Europol and USA evades EU data protection rights and protections

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Updated 20 & 9 December 2002

Documentation updated: 5.12.02

This proposal was agreed at the Justice and Home Affairs Council on 19 December 2002.

Two questions led to this item being withdrawn from the agenda of the Justice and Home Affairs Council on 29 November: i) differences between a number of government over the question of liability (which has now been resolved) and ii) parliamentary scrutiny reservations (which have not been resolved).

On 4 December the chair of the UK parliament's Select Committee on the European Union (House of Lords) wrote to the Home Office Minister raising concerns on four issues: a) the scope of the proposed exchange of data which is not restricted to the remit of the Europol Convention; b) the apparently unlimited range of authorities in the USA who would have access to personal data provided by Europol; c) there should be an express reference to the fact that "Europol data should never be passed on by the United States"; d) asks for details on the "data protection bodies in the US which the US government has identified". The letter concludes: "In the meantime the sub-committee agreed to hold the document under scrutiny".

It is apparently planned to adopt the measure as an "A" Point (ie: without debate) at the General Affairs Council on Tuesday 10 December and for there to be a formal "signing" ceremony with the US on Wednesday 11 December.

Tony Bunyan, Statewatch, editor comments:

"The way this measure is being rushed through has provided no realistic opportunity for national and European parliaments or civil society to subject the proposal to proper scrutiny. The issues at stake are too important to be left to secret decision-making removed from democratic accountability."

Story filed 27.11.02

On Friday 29 November the EU Justice and Home Affairs Council meeting in Brussels will be discussing an agreement between Europol and United States authorities for the exchange of personal data which lacks fundamental data protection principles including the individual's right to know and challenge information held on them.

Way back on 18 October 2001 the EU negotiators presented the US authorities with details of "the data protection principles applicable to the processing of law enforcement" in the EU, the US side said they would respond by providing a similar brief - but this never arrived and the negotiators simply set about drawing up a new sets of rules. The reason the brief from the US never arrived is simply because the US does not have data protection laws - US citizens, but only US citizens, have some rights under its 1974 Privacy Act.

In every other agreement reached by Europol to exchange personal data with non-EU states the Joint Supervisory Body of Europol (responsible for data protections aspects) has presented a report on the data protection laws of the country in question before negotiations can be started. Europol treaties with 11 states and international organisations have so far been concluded, negotiations with a further five countries are underway and another 13 agreements are in the pipeline.

In this case the Joint Supervisory body admits that its Opinion (dated 3 October 2002) which gives the go-ahead is based on "general knowledge" and "presentations" by US officials.

What is even more extraordinary is that this Opinion of the Joint Supervisory Body makes no reference to Article 10 of the proposed agreement which covers "Access by private persons and entities". Under the Europol Convention the equivalent provision is Article 19 on the "Right of access" which although subject to initial veto of access, then provides for an appeal to the Joint Supervisory Body. Article 10 of the agreement is summarised in a UK Home Office Memorandum as meaning that: "The data should not be released if the transmitting party does not agree". So, for example, an individual would have no right of access to information or intelligence sent across by US authorities to Europol on them - the US would have the right of veto. Moreover, Europol and US authorities are allowed to exchange information which can include data on "race, political opinions, or religious or other beliefs, or concerning health and sexual life" if the request is considered "relevant" (Article 6). Such personal details concerning political or terrorist suspects and their friends would be virtually unchecked.

The Europol Convention provision on the "Correction and deletion of data" (Article 20) is simply ignored in the Europol-USA agreement (and by the Joint Supervisory Body) - under Article 20.4 of the Europol Convention: "Any person shall have the right to ask Europol or correct or delete incorrect data concerning him".

The USA also set pre-conditions for the agreement:

  1. i) that there should no changes to its national laws (though the US government has managed to pass two sweeping and extensive new laws, the Patriot Act and the Homeland Security Act, overriding traditional liberties and introducing intrusive powers of surveillance);
  2. ii) no substantive changes to automated data processing by its law enforcement agencies - which is clearly necessary for the USA as the authorities have no idea how many agencies have access to the data held:

"the US side made it clear that it was impossible for them to indicate with any degree of accuracy which authorities could be involved in using such information"

Statewatch has prepared a stinging analysis which calls for the agreement to be rejected:

Statewatch analysis, full-text: Analysis (pdf) Analysis (Word)

Tony Bunyan, Statewatch editor, comments:

"We have a poorly drafted, ambiguous and contradictory agreement which exceeds Europol's mandate and is incompatible with the data protection principles of the EU. There is no mention of data protection whatsoever and no rules on access to data.

For this to be agreed without proper consultation of national and European parliaments and civil society is quite unacceptable. The EU governments appear to be prepared to forget about their obligations to provide data protection for people in Europe in order to reach an an agreement with the USA.

This is yet another instance where in the post 11 September 2001 climate agreements with the USA are to be made which are not limited to combating terrorism but extend to crime in general with little or no accountability"

For further information please contact: 00 44 208 802 1882

Background

  1. Following the 11 September 2001 attacks in the USA, Europol negotiations with the USA were given top priority. Since there is no specific federal data protection regime that would meet the provisions in the Europol Convention on agreements with third states, an 'interim' Europol-USA cooperation agreement - excluding the exchange of personal data - was signed on 6 December 2001. The Europol Joint Supervisory Body (which was not properly consulted on the agreement in accordance with the Europol Convention) argued that there is no legal basis for such an agreement in the Convention - which only contains rules on 'full' cooperation agreements.

However, according to EU documents, in the absence of an agreement (and any rules on data protection whatsoever), "the exceptional transmission of personal data without an agreement is still taking place".

  1. There is no power for the European Court of Justice to rule on the validity or interpretation of such treaties and there is no procedure for public review of the application of such treaties. The European Parliament is not consulted (and perhaps not even informed) about the conclusion of such agreements and there is no requirement of national parliamentary ratification.
  2. The agreement lacks any provision specifically addressing data protection. This is despite the right to protection of personal data as set out in EU, international and national rules, expressed in Article 8(1) of the EU Charter of Rights ('Everyone has the right to protection of personal data concerning him or her.').

The agreement also fails to guarantee the right of access to data by data subjects as set out in EU, international and national rules, and expressed in Article 8(2) of the EU Charter of Rights ('Everyone has the right of access to data which has been collected concerning him or her...'). Nor does it respect the international obligations applying to EU Member States and the EC rules on data protection which require there to be an independent authority, not merely one with the 'appropriate' degree of independence as in the proposed Treaty. This is expressly stated in Article 8(3) of the EU Charter of Rights. Similarly, the agreement flouts the international rules severely restricting processing of data in certain 'sensitive' categories, as set out in Article 6 of the agreement and there is thus a huge risk that Europol will either transmit its information or receive American information which violates the rules on processing of sensitive data.

Background documentation

1.Draft Supplemental agreement between the USA and the European Police Office on the exchange of personal data and related information, 4.11.02, document no: 13689/02  13689/02 ADD 1  13689/02 COR 1

  1. Informal explanatory note: Europol-US Supplementary Agreement: document no: 13696/02
  2. JSB opinion in respect to the draft supplemental agreement between the USA and the European Police Office on the exchange of personal data and related information, 4.11.02, document no: 13696/02 ADD 1
  3. Exchange of letters related to the Supplemental Agreement between the USA and Europol on the exchange of personal data and related information, 11.11.02, document no: 13996/02 13996/02 ADD 1  13996/02 COR 1
  4. Draft Supplemental Agreement + Exchange of letters: 14237/02  14237/02 COR 1

6.Statewatch analysis, full-text: Analysis (pdf) Analysis (Word)

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error