European Commission proposes "free market" for law enforcement database access



At the Justice and Home Affairs Council on 19 July 2004 in Brussels Commissioner Vittorino drew attention to the European Commission Communication titled: "Towards enhancing access to information by law enforcement agencies" (COM (2004) 429/4). This proposes that all law enforcement agencies (police, customs, immigration) should have access to each others databases right across the 25 EU states and even non-EU states.

Where at the moment there are strict rules on cross-border access data - for example in the Schengen Information System (SIS), that immigration data can be accessed by immigration and border officials and police data by police officers - these would disappear under this proposal.

The Communication's argument is as simplistic and illogical as another recent Communication on exchanging information on terrorist investigations: Is the EU trying to combat terrorism or crime? Analysis - which drew the comment from a UK parliamentary committee that the supposed link between terrorism and organised crime is based: "more on assertion than on evidence".

Tony Bunyan, Statewatch editor, comments:

"This is yet another badly argued Communication from the Commission which would be better called: Towards enhancing surveillance by law enforcement agencies.

There is a big difference between exchanging specific data based on a targeted inquiry and allowing unlimited and uncontrollable access to all the data held on national databases by every other agency in the EU. Requests for data and information can already be routed through the Schengen Information System and national SIRENE bureaux and Europol, and spontaneous requests can be carried out under the Mutual Assistance Convention. If there is a specific needs - for murder inquiries or searches for suspected paedophiles - this should be the task of Europol.

To put forward such a proposal without any indication of data protection rights for suspects or those simply held on "intelligence" files is quite irresponsible but not surprising - we have been waiting since 1998 for the Council or the Commission to come up with data protection rights under the "third pillar"".

The proposal - the free movement of data


The long title of the Communication is:

"Towards enhancing access to information by law enforcement agencies (EU Information Policy)"

The cited remit comes from the special EU Summit "Declaration on terrorism" adopted in the aftermath of the bombings in Madrid on 11 March 2004 that called for: "simplifying the exchange of information and intelligence between law enforcement authorities of the Member States". It was one of the many proposals that the "Statewatch Scoreboard" found had little or nothing to do with combating terrorism (see: Scoreboard).

The objective of "simplifying the exchange of information and intelligence" can be interpreted in many ways. The Communication sees it as:

"achieving free circulation of information between law enforcement authorities... [and overcoming] the legal, technical and practical problems hindering exchange between Member States" (emphasis added)

The Commission is proposing "a full stock-taking exercise" with a:

"broad and open consultation with all interested stakeholders, namely the European Data Protection Supervisor"

The European Data Protection Supervisor may well be a worthy person but certainly he does not represent "all the interested stakeholders".

Furthermore, it is claimed that "major threats, like terrorism" will be "avoided" by introducing "intelligence-led law enforcement (a concept already in place in most national police forces), which, in turn, will apparently allow the EU to assume an "international role".

In justification the Communication says that access is needed to:

"prevent and combat terrorism and other forms of serious or organised crime as well as the threats caused by them. In this respect it should be borne in mind that often criminal activity that would not appear to come from within the category of "serious or organised" can well lead or be connected to it"

Like the Communication on exchanging information on terrorist investigations such a logic is "based more on assertion than on evidence". By collapsing terrorism, serious crime, organised crime and then all crime into one continuum it seeks to justify sweeping new powers of access.

The objectives are said to be establishing "the free movement of information between law enforcement agencies" through the "principle" of the "right of equivalent access to data" through the right of access to databases held in other member states "on the same conditions as national law enforcement officials". There is therefore a need to standardise the form in which "data", "information" and "intelligence" are held across the EU.

The Communication also, it appears, intends to allow access by law enforcement agencies to data "not collected for law enforcement purposes" which presumably refers to commercial databases (referred to as: "cooperation between public and private sector actors").

The overall objective is spelt out::

"The Commission is of the view that the only viable option for the future will be the creation of interoperable and interconnected EU systems. A conceptually comprehensive IT architecture that integrates national, European and international inter-linkages offer in the long run considerable savings, synergies and policy opportunities, both in the area of criminal intelligence and in the broader context of an evolving European Security Strategy."

Here we go again - policing and criminal intelligence are to be part of "an evolving European Security Strategy".

Not content with giving all law enforcement agencies access to all data the Communication proposes that the Police Chiefs Task Force - an ad hoc group with no legal basis in the EU - should have yet another role. The compilation of:

"EU strategic assessments would allow the Council to set law enforcement priorities"

and:

"The PCTF should hand down the operational assessments to the operational levels within national law enforcement communities"

This would, apparently, mean that the Council (the 25 EU governments) would not only set "priorities" but expect "specific outcomes, for instance making arrests, seizing or forfeiting assets from criminal activities".

The central proposal - to allow a "free market" with the "free movement" of data and intelligence - is on top of proposals already on the table which would allow:

"enhanced interoperability between European databases (SIS II, VIS and EURODAC) in order to exploit their added value within their respective legal and technical frameworks in the prevention and fight against terrorism"

However, the planned "interoperability" is not limited to "terrorism" but extended to crime in general and immigration and border controls.

The Communication does actually say that there must be "robust data protection" but nowhere is the issue addressed, except as below.

Planned legislation

The Communication has three Chapters and the last "Chapter III" is all of 14 lines long and entitled: "Legislative initiatives linked to this Communication". In full it reads as follows:

"The Commission will continue to develop policy, including legislative initiatives in the related areas of protection of personal data in the third pillar and the use of passenger information for law enforcement purposes, the latter in accordance with the principles set out in the Commission’s Communication of December 2003 (COM (2003) 826 final of 16.12.03 on the Transfer of Air Passenger Name Record (PNR) Data. A Global EU Approach).

The proposal for a Framework Decision on Data protection will establish common standards for the processing of personal data exchanged under Title VI of the Treaty on European Union in order to empower access to all relevant law enforcement data by police and judicial authorities in accordance with fundamental rights. This Framework Decision should provide a single general data protection framework for the purpose of co-operation to prevent, detect, investigate and prosecute crime and threats to security. It will establish a framework for the more specific provisions contained in the different legal instruments adopted at EU level, and will further reduce the practical differences in information exchange between Member States on the one hand and Member States and third countries on the other hand, and embedded in it a mechanism that ensures the protection of fundamental rights."

So the Commission is planning to introduce at least two measures. The first on "protection of personal data in the third pillar" which sounds promising as we have been waiting since 1998 for a measure actually protecting personal data in the "third pillar" (policing, immigration and judicial cooperation). But wait, the next paragraph says the purpose is not to establish rights for citizens but rather to "empower access to all relevant law enforcement data by police and judicial authorities" for the purpose of "co-operation to prevent, detect, investigate and prosecute crime and threats to security". And further the intention is not only to "reduce the practical differences in information exchange between Member States" but also between "Member States and third countries". The idea that such a proposal can also ensure "the protection of fundamental rights" is beyond belief.

It is worth noting that as recently as 14 May 2004 the full meeting of the Commissioners discussed a draft of this Communication which was entitled "European information policy for law enforcement and related data protection issues" (C (2004) 1799, 6 May 2004).- it seems between this date and 16 June "and related data protection issues" was lopped off.

Of course if there was any real commitment to provide citizens with meaningful data protection when data and "intelligence" is held on them it might be expected that the Presidency's "multiannual programme building the area of freedom, security and justice" (doc no: 11122/04) would mention it - but it is silent on the issue.

The second new proposal the Commission intends to put forward concerns "the use of passenger information for law enforcement purposes". But wait a minute did not the Council on 29 April 2004 adopt a "Council Directive on the obligation of carriers to communicate passenger data" - despite the European Parliament twice rejecting the proposal? [See: EU-PNR: JHA Council to agree the surveillance of airline passengers: Report and documents]. This Directive - at the last minute - had inserted into it provisions for law enforcement agencies to keep passenger data for as long as they want and gave all agencies (not just immigration and border controls) the right of access to the data.

So why is the Commission proposing another measure? Could it be that as the above Directive only covers those flying into and out of the EU it is intended to extend the surveillance of passengers to internal travel as well? Certainly the Commission's Communication on the "Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach (COM (2003) 826, 16.12.03) envisaged collected personal data on all passengers whether travelling within or into the EU.

What ever happened to data protection?


The issue of data protection in the "third pillar" (justice and home affairs: policing, immigration and asylum and judicial cooperation) has long been recognised as a "gap" in EU policy (the 1995 Directive on data protection does not cover this area). The issue of data protection in the “third pillar” was first raised in the Council of the European Union (the 15 governments) in May 1998. The German Presidency of the European Union, 8 June 1998, said to the: “search for the (lowest) common denominator in this field is not new”. However, the “Action Plan of the Council and the Commission on how best to implement the provisions of Amsterdam establishing an area of freedom, security and justice” (13844/98) said that data protection issues in the “third pillar” should be: “developed with a two year period” (IV.47(a)).

It was not until August 2000 that a draft Resolution drawn up by the Working Party - this was revised five times, the last being on 12 April 2001 under the Swedish Presidency of the EU (6316/2/01) when agreement appeared to have been reached - and the Article 36 Committee was asked to address outstanding reservations. This draft, although peppered with exceptions and derogations, could have been the basis for a public debate.

However, since 12 April 2001 there has been silence - and under a rationalisation of the Council's working parties from 1 July 2002 (6582/1/02 REV 1) (reducing the number of Working Parties from 26 to 15) the Council's Working Party on data protection was abolished without explanation.


Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author.
Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.