14 May 2018
- Agreements would allow exchange of personal data with countries including Algeria, Egypt and Turkey - MEPs concerned over making deals with dictatorships - Council amends draft decisions: but will paper safeguards be enough?
The European Commission has proposed agreements that would let policing agency Europol exchange personal data with eight countries across the Middle East and North Africa - but the political situation and lack of data protection rules in many of them has raised the alarm amongst MEPs and human rights advocates.
Personal data and dictatorships
The proposed agreements (full documentation at the end of this article) would establish legal bases for the transfer of personal data between Europol and Algeria, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia and Turkey.
According to the Commission's proposals, the agreements are a priority:
"The current instability in the region, especially the protracted conflicts in Libya, presents a significant long-term security threat to the EU that needs to be addressed urgently. This concerns both the effective fight against terrorism and related organised crime, and migration-related challenges such as the facilitation of irregular migration and trafficking in human beings. Cooperation with local law enforcement is critical to addressing these challenges."
However, the compliance of "local law enforcement" with the human rights standards that govern action by European law enforcement authorities is questionable, to say the least.
Amongst the countries are two dictatorships (Algeria and Egypt) and all of the countries are rated as being either "not free" or "partly free" by Freedom House, with the exception of Tunisia and Israel - both ranked as "free".
Lack of data protection laws
Meanwhile, only four of the eight countries (Israel, Morocco, Tunisia and Turkey) appear to have specific data protection laws, according to reports published by the law firms DLA Piper and Taylor Wessing.
A draft data protection law has been under discussion in Egypt in recent months, although a report in Egypt Todaynotes that the interior ministry will be exempt from the measures:
"representatives from the Interior Ministry called for not applying the law to the personal data and information collected by the ministry for reasons related to national security, especially when dealing with cases of drug trafficking and terrorism. The committee approved the ministry’s request."
Turkey has a data protection law in place - introduced in 2016 in part to try to bring the country into line with EU standards - but the academic Akin Ünver told the newspaper Hurriyet that it suffers from serious problems:
"the government’s 2016 version is a regression from the 2014 law. One of the biggest problems is that it introduces too many exceptions to liberties and freedoms and to the government’s restrictions on collecting citizens’ data."
Presentation in the European Parliament
A Commission official presented the proposals to the European Parliament's civil liberties committee (LIBE) on 25 April, stating that the recommendations for negotiations are "driven first and foremost by operational needs," reiterating a point made in the Commission's 11th report on Security Union, published in October 2017 (pdf).
The few MEPs who made interventions, however, did not seem entirely convinced by the plans.
Birgit Sippel, from the Socialists & Democrats group, noted that the EU is "a union of values" that "has to set some level of protection for personal data" and should not "sell out fundamental rights" in the name of law enforcement cooperation.
"Even if one of those countries has a functioning data protection organisation or system, will that system also be there when we are talking about serious crime and terrorism? Because we know in some countries they have exceptions... even within Europe," Sippel pointed out.
Cornelia Ernst remarked that her group - the left-wing GUE/NGL - sees the need for information exchange, but:
"we do have serious concerns when it comes to Egypt, Turkey… exchange of personal data, sensitive data, without a legal basis for data protection in that country isn't just something that can be waived through."
She declared that: "Turkey is just a no-go on the basis of the current situation that reigns there" and that the GUE/NGL group would "fight tooth and nail to avoid this going through," particularly as an agreement would undermine various resolutions agreed by the Parliament concerning the human rights situation in Turkey.
In written questions to the Commission, MEPs from the liberal ALDE group have noted the "questionable human rights records" of some f the countries in question, and have asked whether the Commission will undertake "impact assessments to examine in depth the risks posed by transfers of personal data to each third country," noting that:
"The UN Committee against Torture has pointed to grave deficiencies in some of the eight countries in relation to reported cases of acts of torture and ill-treatment, the conditions of places of detention, the use of coerced evidence, and the lack of basic safeguards for detainees."
Prior to the committee's debate, the civil society organisation EuroMed Rights also issued a statement noting its concern over the proposed agreements.
The European Data Protection Supervisor's view
A representative of the European Data Protection Supervisor (EDPS) was also present at the LIBE committee hearing, noting that there are vast discrepancies between the eight countries not only in terms of their political situation, but with regard to data protection laws.
For example, while the European Commission has approved an adequacy decision on Israel (meaning that it provides a level of protection equivalent to that available in the EU) and Morocco has a fairly well-established data protection law (albeit with some limitations), there are others which are "just starting their way towards data protection" (Algeria and Tunisia), while some countries have "their own path as far as data protection is concerned" (Turkey).
The EDPS made clear that there is a need for "concrete and specific safeguards that will not be theoretical," for which independent oversight is essential - something which may be difficult in countries with no data protection framework.
A host of recommendations for the agreements were set out by the data protection body in an opinion published in mid-March (pdf).
Council amends decisions to incorporate safeguards
The Council has already begun making amendments to the Commission's proposals for decisions authorising the opening of negotiations and setting out directives for those negotiations, with the most recent round of amendments finalised at the beginning of May (these are LIMITE documents and are available at the end of this article).
The texts concerning a proposed agreement with Jordan have so far been subject to significantly more discussion and revisions than those concerning any other country.
It seems that with regard to every country, however, Member States' delegations have taken heed of the EDPS' recommendations and have inserted some clauses that would require more stringent data protection safeguards than initially foreseen by the Commission (see full documentation below).
Whether those countries with no existing, formal data protection framework will be able to implement those requirements - and how exactly their attempts to do so will be monitored - is not specified in the draft texts, although each of the draft negotiating directives includes a provision requiring that the agreements include "provisions on monitoring and periodic evaluation of the agreement".
It also remains to be seen whether this will be enough to satisfy critical MEPs, given that the political undesirability of legitimising the actions of the security forces of countries such as Algeria, Egypt and Turkey may carry more weight than any data protection safeguards that might be inserted.
The recently-amended documents were due to be discussed on 4 May at a meeting of the JHA Counsellors working group - which does not publish, nor in some cases even produce (so that they can be later requested by the public), minutes of its meetings.
Some years ago a series of articles published by Statewatch examined proposed agreements between Europol and Brazil, Georgia, Mexico and the United Arab Emirates (UAE), and highlighted that:
"While Europol is obliged to ensure adequate levels of data protection in the countries with which it makes agreements, questions have been raised by MEPs, human rights organisations and activists over the nature of European cooperation with countries where political institutions and police forces have dubious human rights records, make use of questionable and sometimes illegal practices and techniques, and have track records of corruption and political repression."
In 20 December 2017 the European Commission adopted eight proposals to serve as the basis for negotiations with Algeria, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia and Turkey on cooperation with Europol, including the exchange of personal data.
The proposals have now been sent to the Council, which has to adopt individual texts for each country to serve as mandates for negotiations between the Commission and the authorities of each of those countries.
In February, the coordinators of the different groups in the European Parliament's civil liberties committee (LIBE) decided to monitor the negotiations for the agreements and to draft its own reports on the negotiation guidelines.
The Parliament must gives it consent to the negotiating mandates drawn up by the Council before the Commission can begin negotiations.
European Data Protection Supervisor: Opinion 2/2018 on eight negotiating mandates to conclude international agreements allowing the exchange of data between Europol and third countries (14 March 2018)
Proposed and amended decisions on opening negotiations and negotiating directives
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.