Thilo Weichert
German Union for Data-protection
Are you afraid of international car thieves, Mafia drugs bosses, plutonium smugglers, Far-Eastern cigarette traffickers or fundamentalist terrorists? Yes? Or are you afraid of a European police authority passing on information about you to the police in Portugal, Greece and Norway? No, you have not done anything wrong? Then you are just the EU citizen the governments of the EU States want. You will not have anything against the Europol Drugs Unit, the EDU, either, which in 1994 took up the fight against international crime. Nor will you have anything against the Europol Convention which the EU Council of 27 June in Cannes could not quite bring itself to sign and nor will you have any comprehension for the data protection officials carping about the EDU and the Europol Convention. Perhaps you are reminded of old saying of the German police that ‘Data protection is perpetrator protection’.
However, if you are one of those rare kinds of people who regard democratic and parliamentary accountability, the protection of the Constitution and the rule of law as principal virtues of a society, then the EDU and Europol ought to be setting off alarm bells. Not because the politicians who dreamt up the EDU and Europol and the officials working there are bad people. The head of the EDU, Mr Storbeck, is regarded as a liberal, and the Social Democrats, who are just as strongly in favour of Europol as are the Christian Democrats, cannot of course be suspected of openly advocating a police state. They are however all helping to set up a central police authority in the Hague which, unhampered by any democratic control, is to process data on millions of people without their being able to prevent it. They are helping to ensure that a Kurd standing up for his country’s independence can be branded a terrorist throughout Europe on the basis of Turkish information. They are helping to ensure that a German citizen whose car was stolen, but whom the insurance company suspects of insurance fraud, can be arrested by the Italian police as a sophisticated car smuggler when he buys a new car in Milan.
Data protectors have nothing against fighting international crime and prosecuting international criminals but we are against doing so with the aid of a police authority whose ‘job description’ harks back to pre-democratic times. This job description, the draft Europol Convention, on which the EU governments have essentially agreed, will be analysed below.
Anybody who thought that Europol would initially be responsible for dealing with economic crime, waste trafficking or illegal arms trading will be disappointed. Matters on which Europol is ‘initially’ to act are first ‘unlawful drug trafficking’, followed by trafficking in nuclear and radioactive substances, illegal immigrant smuggling, trade in human beings and motor vehicle crime’. It is somewhat surprising that drugs should be in the van of European police co-operation, as many police experts regard repression as no solution to that problem. The inclusion of action against illegal immigrant smuggling and motor vehicle crime also show that it is less the real dangers than public perceptions which have governed the choice of the first matters to be dealt with by Europol. Nuclear trafficking is also a dubious choice since the plutonium smuggling from Russia in which the German security authorities were involved. Within two years Europol is also to be dealing with terrorist activities, although nobody seems to know exactly what is to be understood by terrorism. The annex lists other forms of crime which Europol could deal with in addition to those to be dealt with initially. They include ‘racism and xenophobia, organized robbery, swindling and fraud, counterfeiting and product piracy, forgery of money and means of payment, computer crime, corruption and environmental crime’. In German law it has always been the case that official tasks have to be clearly defined. The ‘serious forms of international crime’ which Europol may deal with are however an open-ended catalogue. The ‘international’ element can be supplied by any foreign connection, and the ‘organized’ element by the involvement of more than three people. This complete lack of definition crops up again and again throughout the projected Convention.
On whom may Europol compile and pass on data under the Convention? Not only on persons suspected of having committed or taken part in a criminal offence or convicted of such an offence, but also on persons ‘where there are serious grounds … for believing will commit criminal offences’ (Article 8(1)(2)). So Europol will know about a crime before the criminal has decided to commit it. But that is not all. In ‘work files for the purposes of analysis’ Europol may also store data concerning persons who might be called on to testify or who have been the victims of offences, ‘contacts and associates’ and ‘persons who can provide information on the criminal offences under consideration’ (Article 10(1)). Storage is dependent on neither the agreement, notification of the subjects, orders by a court or public prosecutor – nothing. Not even the German Federal Criminal Office Act now in preparation provides for such comprehensive powers to store data. National units, i.e. also the ‘Land’ police forces not only may but are required to supply data but Europol data need not come from national EU police sources alone. It may also come from non-member countries (10(4)(4)), or the ICPO – Interpol. So if for example the Turkish police wants to supply data to Europol, Europol may collect that data. The draft convention does of course also assume that intelligence data will also be supplied to Europol (Article 4(5)(3)).
Europol is not only to become a liaison centre for the EU police forces; the European Police Office will be able to carry out investigations and analysis on its own accord. Data from the most various of sources will be merged into new Europol data to provide suspicions, enquiries, tip-offs and leads for the EU police forces and even those of non-member countries. In the process not only ‘hard’ data, i.e. definite information may be used, but also ‘soft’ information on suspicions, leads, traces, contacts, possibly relevant details and suppositions, and membership of suspicious or endangered ‘risk’ groups. Of course the national police forces already use such methods, but with Europol there is one vital difference: Europol will be out on its own, with no public prosecutor’s office or courts to direct its inquiries, no minister to answer for it, and no parliament to keep check on its activities. The Director of Europol will rule with the absolute powers of a prince. His staff will take orders only from him and from no ‘government, authority, organization or person outside Europol’ (Article 30(1)). A management board appointed by the governments may only lay down sets of conditions, but may not intervene in the actual operations. This would not be so bad if specific issues were not involved. However, Europol will be massively interfering in fundamental human rights and will be the extended, information arm of the State monopoly of power. In the Maastricht judgement the Federal Constitutional Court decided that Germany’s Basic Law does not allow of such uncontrolled and inadequately legitimite EU institutions.
This organized anarchy carries on in the rules on data processing. Europol is ideally suited for data laundering. If data are acquired under strict conditions by ‘Land’ police forces, they have to pass them on via the Federal Police Office to Europol. Once these data are stored in the joint Europol data banks they may be used for the investigation or prevention of any serious form of crime. If in individual cases, which is not so very likely, the national police forces attach restrictions on the use to which they may be put, the data need only be merged with other data to form new, laundered data no longer subject to any restrictions. If a national police force finds that the data is inadmissible, for example because they are wrong, were illegally acquired or have nothing to do with crimes, the police cannot correct them themselves. There has to be ‘collaboration’ with Europol (Article 20). If Europol has ‘further interest’ in data due to be deleted, they will remain in storage.
One might imagine that the use of Europol data would be permissible only where required to combat Europol crime. The list of these crimes is already generous enough. Far from it. Article 13 states that ‘Information and intelligence concerning other serious (whatever that means) criminal offences, of which Europol becomes aware in the course of its duties, may also be communicated’. Use by intelligence services, which the German draft still contains, is no longer expressly mentioned in the Convention. However, the leaking of data to those services is not excluded. For democratic naivety it would be hard to beat the rules on the ‘communication of data to third states and third bodies’. If a transfer of data would help combat immigrant smuggling in Algeria, the Algerian authorities may be informed. Of course the Turkish police may be given information about Kurdish ‘terrorists’, but on condition that ‘the communication of data shall be authorized only if the recipient gives an undertaking that the data will be used only for the purpose for which it was communicated’ (Article 18(5)).
The data protection rules proper are little more than a faþade; the standard of data protection is defined in terms of a Council of Europe Convention and Recommendation. There is no mention of the fact that EU States including Germany have stated reservations on the Recommendation on the protection of police data. Its provisions dwindle to the vaguest of banalities, especially on critical points such as undercover data gathering. Neither document touches on the especially sensitive aspect of processing data held in files. The earlier right to information has become a ‘right of access’ involving a highly complex procedure, which often enough rules out access (Article 19). Any Member States ‘concerned’ may refuse to have the data communicated to the person concerned. If they appeal, a joint supervisory authority may overrule the denial of Europol data only by a two-thirds majority. Otherwise it shall ‘notify the inquirer that it has carried out the checks, without giving any information which might reveal to him whether or not he is known’. This provision on information is probably more restrictive in qualitative terms than the corresponding provision applying to the German intelligence services, para. 15 of the Federal Act for the Protection of the Constitution. Any ex-post data protection check is for the most part impossible as only one in ten data retrievals is reported on, and even this data is deleted after six months (Article 16).
So what is being planned in the draft Convention is unacceptable. But how can data be protected while effectively fighting European crime? It could be quite simple: a small Europol authority would set up an information system storing references to clearly defined crimes. If a national investigating authority, after interrogating the system, is looking for useful help in its inquiries from another Member State it would approach the police authority dealing with the case, whose contact address and reference number would be stored in the computer, and after legal checks would be provided with the information it required. It would be even better if the exchange of information were to take place via the public prosecutor’s offices conducting the investigation. This system would be not only cheap and effective but also transparent, acceptable in terms of civil rights and less intrusive for the innocent, for witnesses and contacts.
Some supplementary legal safeguards would be required in a Europol Convention: defendants’ right to inspect files, an obligation to submit files to the courts, a rule to require data to be used only for the prescribed purpose, right to information and rights to correct data for those concerned. Europol should be supervised by an independent European data protection office yet to be set up.
Perhaps you are now wondering why this is not how it is being done. I do not know all the reasons. One of them might be that nobody consulted the data protectors.
Thilo Weichert is a member of the Deutsche Vereinigung fur Datenschutz and working at the office of the Ombudsman for Data-protection of Lower Saxon.