EU: Survey on police powers to exchange personal data across member states

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Key points:

- most police forces in member states have extensive powers to "autonomously" access and exchange data on individuals
- no data protection provision on individuals rights in draft Framework Decision

Responses to a survey by 22 EU member states (including Norway, Iceland and Switzerland who take part in the Schengen acquis), show that most police forces can access and exchange personal data with agencies in other member states without a judicial authorisation. The survey covers police forces but would apply to all law enforcement agencies (ie: immigration and customs) under the "Draft Framework Decision on simplifying the exchange of information and intelligence between law enforcement agencies of the member states of the European Union, in particular as regards serious offences including terrorist acts."

An essential criteria in the gathering and exchange of data on an individual requested by an agency in another EU state is whether a judicial decision or authority is required or whether the agencies are self-regulating (that is, not subject to any external authorisation).

The responses to the first general question looks at two stages: "pre-investigations" (ie, prior to establishing concrete evidence that a crime has or is about to be committed) and where an investigation is underway in the requesting state. In most EU states the police can access information "autonomously". In both categories only eleven out of 22 police forces would require "authorisation of a judicial authority" to get access to information in the pre-investigation stage and in only nine would this be a requirement if the information was not held and had to be obtained.

The second question lists 47 categories of information and intelligence and asks whether police can access these categories "autonomously" or whether they "can access but only with the authorisation of a judicial authority" or "cannot obtain without a decision of the judicial authority to use coercive measures".

Most police forces can access information and intelligence "autonomously" in many of the 47 categories. The categories include basic information which it might be expected that police forces would hold or get access to, for example, people convicted of an offence, wanted and missing persons, stolen vehicles and goods and firearms. Nearly all of the 19 police forces can access and exchange "autonomously" information on people suspected of a "concrete" crime and those "suspected" of criminal activity (who are under surveillance). Only Switzerland would need to get authorisation to hand over fingerprints, only Portugal, Switzerland and Belgium for DNA, only Luxembourg and Poland for driving licence and passport details, only Luxembourg, Netherlands and Latvia for permits details and fingerprints of foreign nationals, and only Luxembourg for passport data.

There are some categories which many forces can "autonomously" access and exchange data which might come as a surprise. Seventeen police forces can "autonomously" access "transport companies' passenger lists" only five have to get authorisation. Fifteen police forces can "autonomously" accessing "observation reports" (surveillance and background checks and interviews). Fifteen forces can "autonomously" accessing statements by undercover agents". And fourteen police forces can "autonomously" access and pass over information on the documented questioning of suspects and witnesses without the need for authorisation.

It is on more intrusive forms of intervention or surveillance that a real divide in the powers of access emerges. When it comes to "autonomously" accessing the "the documentation of telephone tapping" nine police forces can do this without authorisation (Denmark, Estonia, France, Finland, Lithuania, Poland, Slovakia, Sweden and Norway) - everywhere else judicial authorisation is required. For "autonomously" accessing and exchanging the "documentation of room bugging" nine police forces can do this without external authorisation (Denmark, Estonia, France, Finland, Lithuania, Poland, Slovakia, Slovenia and the UK).

Five police forces can "autonomously" access and exchange real-time "telecommunications monitoring" interception products (Estonia, Poland, Slovakia, Sweden and UK) - sixteen police forces cannot obtain this information without a decision of a judicial authority. Four police forces can "autonomously" access the "storage and production of telecom traffic (communication data) generated by various information technology systems and handled by telecom operators and Internet Service Providers" (Estonia, Latvia, Hungary and Sweden). These figures are interesting in the context of the proposal for the mandatory retention of telecommunications data currently being discussed in the Justice and Home Affairs Council's working parties because in 16 states judicial authorisation is required.

Details of "unusual or suspicious (money) transactions" can be "autonomously" accessed in nine police forces. Personal financial information like bank statements, insurance policies and credit cards can be "autonomously" accessed in six states (Estonia, Finland, France, Lithuania, Hungary and Poland).

Draft Framework Decision

On the initiative of Sweden a "Draft Framework Decision on simplifying the exchange of information and intelligence between law enforcement agencies of the member states of the European Union, in particular as regards serious offences including terrorist acts" is being discussed in the Council's Multidisciplinary Group on Organised Crime. Its objective is the exchanging of "existing information and intelligence for the purpose of conducting crime investigations or crime intelligence operations". There is no "obligation" on the requested member state to "gather" information to met the request and the information and intelligence passed over can only be used in evidence in court with the "consent" of the originating member state (Article 1). The threshold for making a request is for offences which could bring a custodial sentence at at least 12 months, which embraces many, many offences (Article 3).

Article 4a lists 37 offences to which the Framework Decision would apply. These include infringing traffic regulations, infringement of intellectual property rights, and public order - threats of acts of violence at international events such as meetings of the European Council (the 25 prime ministers).

Article 9 is entitled "Data Protection" contains no mention at all of the individual's rights (eg: the right to be informed that data from police and other sources has been given to an agency in another EU state or the right to see and correct the information).

The UK Information Commissioner, in a submission to the House of Commons Select Committee on European Scrutiny, questioned whether infringing traffic regulations and the infringement of intellectual property rights: "really fall within the area of serious crime". The Commissioner also said: "personal data obtained in the course of one set of proceedings cannot necessarily be used in another set of proceedings".

The role of judicial authorities in authorising access to certain categories of information by police forces has not been resolved. A Note from the Netherlands Presidency said in November 2004:

"The practical problems that the proposal tries to tackle, can be illustrated as follows. If one takes the example of a secret telephone number that is found on a "red list", police authorities in some Member States do not have access to such lists, but have to make requests to a judicial authority. If the request comes from a foreign police authority, it seems that the practice is to ask the foreign police authority for a letter rogatory. It may also be that the law of the requested State provides that information may not be provided unless the request has been made by a (foreign) judicial authority (in the context of a criminal investigation or proceedings). It is then that the question arises that a judicial authority in the requesting State may not be involved in the criminal investigation since the intelligence and information gathering is at such an early stage that the judicial authorities are not, under the law of the requesting State, involved in the pre-investigation phase and therefore the requesting State's police authorities cannot legally obtain a letter rogatory. The situation may also be such that the pre-investigation phase may be held up while awaiting an answer to the letter rogatory.

It would seem to the Presidency that here rules for judicial cooperation to some extent interfere with rules for police cooperation. The reason would be that when the information is of a particularly sensitive nature ("red list" telephone numbers, DNA evidence, holders of bank accounts, criminal records, tax information, etc), the legislation in at least some Member States

seem to require that a judicial authorisation be sought. When a request for such information comes from abroad, a letter rogatory is asked for since the type of information is considered to be "judicial"."

A report from the Luxembourg Presidency of the Council, dated 28 January 2005, says that there is"a major problem" with the proposal because in some member states data is "freely accessible" to police forces while "it is not in others". In the former data is directly accessible and can be exchanged under rules on police cooperation, while in the latter the legal system lays down judicial authorisation at different stages of police work (ie: between a "criminal intelligence operation" which has not reached the stage of establishing whether a concrete criminal act has been or may be committed and a "crime investigation" regarding a concrete criminal act).

It is clear from the survey that when it comes to "special investigative techniques" (such a phone-tapping, the bugging or rooms or the interception of communications) many member states currently require authorisation from a judicial authority.

How current police and judicial powers in member states can be squared with the "Hague Programme" (adopted on 5 November 2004) is not at all clear. It says that there should be "common standards of access to data" and that this should be exchangeable between member states under the so-called "principle of availability" - which suggests there may be an attempt to lower the standards of authorisation.

Tony Bunyan, Statewatch editor, comments:

"It is crucial that the powers of law enforcement agencies to exchange information and intelligence are subject to external control and authorisation. The alternative is that "self-regulation" - with all the dangers of abuse and misuse - will become the norm.

Equally, it cannot be right that information collected for one purpose by the requested state can be used, amended and added to by the requesting state for a different purpose and without individuals having the right to correct or amend it."


1. Replies to questionnaire on Framework Decision on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the EU, in particular as regards serious offences including terrorist acts (doc no 5815/1/05, 2.2.05, pdf)

2. Draft Framework Decision on simplifying the exchange of information and intelligence between law enforcement agencies of the member states of the European Union, in particular as regards serious offences including terrorist acts (doc no: 13869/04, 4.11.04, pdf)

3. Note from Presidency to the Article 36 Committee (doc no: 13867, 4.11.04, pdf)

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error