EU pushes ahead with plans for greater law enforcement data access

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

At the meeting of the Working Party on Information Exchange and Data Protection on 11th January, [1] a document from Europol outlining a "high level solution definition" for the Information Exchange Platform for Law Enforcement Agencies (IXP) was approved. [2] This permits further work to be undertaken on the IXP, prior to its implementation in three phases, which will see progressively greater access to (and convergence and harmonisation of) law enforcement databases and computer systems across the EU.

Taking data protection seriously?

The IXP is intended to provide a central point of access to all EU law enforcement databases (such as the Visa Information System, the Schengen Information System, the Europol Information System, the forthcoming European Police Records Index System, and so on). This move is presented as simply helping the work of European law enforcement officials in their hunt for information related to criminal investigations. However, it also has enormous potential for the misuse and abuse of personal data.

Issues related to data protection seem to have been taken on board by Europol, the body responsible for developing the IXP. The high level solution definition makes repeated mention of the need for high levels of data protection, data security, identity and access management, as well as "integrated audit logging… where the activities of individual users across the various systems can be traced in the order of execution."

It remains to be seen how well such ideals will be implemented in practice. As well as any provisions contained with legislation establishing the IXP, the provisions of the forthcoming Police and Criminal Justice Data Protection Directive will presumably also have implication for the system.

Police powers

The ability of law enforcement officials to search through multiple EU databases - and potentially "in due course also national data repositories" - would be a significant development, both in terms of the powers available to the authorities, and the development of an EU-wide police model.

Such concerns are reinforced by the content of the original "business concept" for the IXP, produced in June 2010 for the then Ad hoc Group on Information Exchange. This document proposed that it be made available to:

"The entire law enforcement community in the EU. This includes local, regional and national police forces, customs, coast guard and border control authorities. Also international law enforcement bodies, like FRONTEX [The European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union], OLAF [European Anti-Fraud Office], Interpol, EMCDDA [European Monitoring Centre for Drugs and Drug Addiction], CEPOL [European Police College], EuroJust and Europol should have access. It can also be extended to other institutions, such as DG JLS [Directorate-General for Justice, Freedom and Security, now DG Home Affairs and DG Justice and Fundamental Rights], the Council Secretariat General, but also judicial, prosecution and penitentiary services, where relevant. In principle, even non-EU partners could be given access, like the non-EU Schengen partners Norway, Iceland, Liechtenstein and Switzerland." [3]

'Phased implementation'

It is unlikely that access to personal and operational data will be proposed for all these bodies and agencies. The first phase of the IXP's implementation will see the establishment of a central, web-based "communication portal" that will give access to "general, non-restricted information and communication facilities… The portal as well as the sites and platforms it gives access to are not intended for the processing of personal data related to crimes."

Phase 2 involves "direct connection to all relevant tools and information" and "the technical re-direction of users from the portal to sites, tools and applications hosted on different domains. This would, for instance, allow the user to go from the portal to the Visa Information System."

Phase 3 requires setting up "seamless access control mechanisms" - "it is envisaged to implement an integrated identity and access management mechanism. This would imply that a user, when accessing a domain, application or data source, would no longer require logging in separately."

Undertaking this will of course be an enormous technical challenge. Technological problems have dogged the development of the EU's large-scale IT systems before, most signficantly the second-generation Schengen Information System (SIS II) and the Visa Information System. Setting up unified access controls and identity management across a myriad of EU and national databases and system would be a vast task.

Convergence and harmonisation

The development of such access control mechanisms will almost certainly require some degree of harmonisation of both EU and national IT systems. The high level solution definition states that one of the assumptions made "for reaching phases 2 and 3" is that:

"All law enforcement authorities in the Member States have a robust framework for unified identity and access management in place (which is not always the case). It is also assumed that national solutions can be made interoperable with identity and access management mechanisms of European-wide systems… it is imperative to have common standards and a compatible infrastructure in place that facilitate the authorisation, access control and auditing of users across networks and systems."

The authors, having negated their assumption within the first sentence, thus demand that the convergence and harmonisation of systems will be necessary. This will of course help to achieve "the realisation of the Principle of Availability."

From a technical standpoint, or that of 'business needs' (a phrase often used to refer to the desires of law enforcement authorities), the development of such a system makes perfect sense. Yet its ongoing development has not been, and likely will not be, subject to scrutiny by national parliaments until its implementation is assured. Considering the implications for the powers of law enforcement authorities, such scrutiny is vital.

The approval of the high level solution definition by the Working Party on Information Exchange and Data Protection "[opens] the way for further work prior to the initiation of the first phase". This will include an assessment of the IXP's "development and maintenance costs as well as of its security risks concerning the internet connection," due to the need for "informed decision-making." It is unfortunate that the residents and citizens of Europe continue to be uninformed about such decision-making.

Sources

[1] Working Group on Data Protection and Information Exchange, 'Summary of discussions', 19 January 2012 (EU doc. no. 5283/12)
[2] Europol, 'Business concept for an Information Exchange Platform for Law Enforcement Agencies (IMS Action 4) - High level solution defintion for the IXP / Draft 2', 29 November 2011 (EU doc. no. 17749/11)
[3] Europol, 'Business concept for an Information Exchange Platform for Law Enforcement Agencies (IMS Action 4)', 15 June 2010 (EU doc. no. 1117/10), p.2

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error