In the unseen realm: transnational intelligence sharing in the European Union - challenges to fundamental rights and democratic legitimacy.
INTRODUCTION I. THE RIGHT TO PRIVACY AND DATA PROTECTION IN THE EUROPEAN UNION A. Multi-layered Protection of Human Rights B. Privacy and Data Protection in the International Layer--The Council of Europe Instruments. C. Privacy and Data Protection in the Supranational Layer II. THE EUROPEAN UNION AS AN ACTOR ON THE GLOBAL INTELLIGENCE STAGE III. TWO INTELLIGENCE NETWORKS: EUROPOL AND THE SCHENGEN INFORMATION SYSTEM (SIS) A. Europol 1. Mandate 2. Europol as an Intelligence Network B. The Schengen Information System C. Data Protection within E.U. Intelligence Networks 1. Europol and Data Protection 2. Data Protection and the Right to Privacy in the SIS IV. INTELLIGENCE NETWORKS CONNECTED: THE CHALLENGES OF INTEROPERABILITY CONCLUSION
In a "new world order" (1) of global information, global travel, and global threats, the creation and expansion of transnational intelligence networks have become necessary and constitute significant changes within the world of intelligence. (2) In addition to the increased quantity of networks, the nature of networks has also changed: formerly improbable partners are sought; (3) bilateral and multilateral cooperation are both expanding; (4) and police and intelligence services are increasingly interconnected, eroding the former lines between domestic and foreign. (5) These developments are exemplified and clearly visible in the European Union. However, while most transnational intelligence networks operate in secret and are negotiated without legislative involvement, (6) intelligence networks in the European Union are set up and operate relatively openly and thus make a good case study for the analysis of transnational intelligence networks and their implications for fundamental rights.
The development of these networks in the European Union has gained momentum since the early 2000s and especially since the 9/11 terror attacks. The collection, processing, and exchange of data and intelligence play key roles in an all-embracing E.U. security strategy that is focused on the anticipation of risks "in a frightening fog of ... threats." (7) At the same time, formerly "neutral" policy areas, such as immigration or travel, are framed as part of security policy so that border control becomes border security. (8) The general aim has become identifying the "unknown suspect." (9) While these developments were criticized early on by academics and data protection watchdogs for their implications on privacy, they received generally little attention by the European public. Since 2013, however, concerns for privacy and data protection have been more in the spotlight than ever: In June 2013, the revelations of mass surveillance of individuals in the European Union and the United States created a broad awareness of issues that relate to data protection. Moreover, the annulment of the Data Retention Directive (10) by the European Court of Justice in April 2014 may have set the tone for a new spirit of data protection in the European Union. The groundbreaking judgment illustrates the fragility of any measures that fail to protect the right to data protection and privacy. (11) In December 2014, the transition period of the Treaty of Lisbon ended--the CJEU will thus have jurisdiction over all matters of police and juridical cooperation. Furthermore, the low turnout for the elections for the European Parliament in May 2014 and the success of E.U.-skeptic candidates illustrate that the Union has a serious legitimacy problem. It has thus become a political necessity to bridge the gap between the Union and its citizens and to overcome the apparent deficit of trust. One step is certainly to assure E.U. citizens that their constitutionally guaranteed rights are respected when intelligence is shared to ensure their security.
It has been claimed that Europe is the "[o]ne place to look for a constructive response to the liberal flaw of transnational networks." (12) However, this picture has to be spoiled as privacy and data protection are put under tremendous pressure through the network character of transnational intelligence sharing in the European Union. In order to illustrate this pressure, this paper presents and analyzes two important--if not the most important--intelligence networks in the European Union: the European Police Office (Europol) and the Schengen Information System (SIS II). (13)
Both networks store and exchange a vast amount of information (14) on, inter alia, individuals travelling to the European Union, applying for visas, suspects, convicted criminals, and victims. It will be shown that despite the European Union's multi-layered data protection regime, intelligence sharing in and between those networks falls through the legal gaps left by this regime. This creates a situation where E.U. citizens cannot always rely on the guarantee of their right to data protection and privacy. The network character of intelligence sharing in the European Union exacerbates this situation. Not only are network participants inside and outside the territory of the European Union connected, but networks of very different characters are interconnected as well. This makes it hard to follow the trace of information, creating opacity where, whether intentionally or unintentionally, data protection provisions become obsolete. (15)
This paper is structured into four parts: Part one will present the fundamental rights framework of privacy and data protection that forms the general standard the European Union--and thus its networks--has to live up to. Special emphasis is put on the distinction between the right to privacy and the right to data protection--and also on the unraveling of the different layers of fundamental rights protection. Part two will introduce the European Union as an intelligence actor and highlight the development of intelligence networks in the Union. Part three highlights the set-up, the legal framework, and the structure of Europol and SIS II; discusses their data protection frameworks; and highlights problem areas inherent in the systems. Part four is devoted to a discussion of how the network character and thus the connections of the different network participants inside and outside the European Union challenge European data protection principles.
I. THE RIGHT TO PRIVACY AND DATA PROTECTION IN THE EUROPEAN UNION
The most fundamental rights at issue in intelligence gathering are the right to privacy and the right to data protection. Before introducing the fundamental rights protection framework in the European Union, it should be noted that there is a difference between these two rights. While privacy and data protection might seem synonymous at first glance, they are "twins but not identical." (16) They serve many of the same objectives as the violation of privacy, such as unauthorized surveillance and personal data processing. They can also cause individuals to feel monitored and subsequently change their behavior. This can, for instance, have detrimental effects on the freedom of expression and the freedom of speech. However, privacy is generally viewed as a broader concept than data protection and should be treated separately from it. (17) The protection of personal data can be seen as an evolution of the right to private life arising from developments in technology, both in the public and the private sector. This evolution made it apparent that there needed to be further protections for individuals from third parties and particularly from the State. (18)
It is important to understand the cultural and societal development of the right to data protection. Though often misperceived, the right to data protection does not merely refer to "ownership" over data and information (19) held about an individual person, (20) but rather to "informational privacy" (21) and the right to informational self-determination. (22) Legally, informational self-determination refers to the basic individual right to decide freely what information about oneself should be communicated to others and under what circumstances. (23) The right has its roots in the acknowledgement that we as individuals are the sum of all the information about us (24) and is thus rooted in an understanding that the development of one's own personality is not only an internal but also a communicative process. Part of our personality is thus created by the information we choose to communicate to others. This "selective presentation" (25) allows us to communicate different aspects of our personality to different audiences. The more precise another person's perception of us, the harder it is to counter this image with our own notion of personality. (26) This becomes evident with certain special characteristics such as religion, political opinions, or sexual preferences, as these often bring with them a set of stereotypes that stand in the way of actually looking at a person. (27) During National Socialism in Germany in the 1930s, for example, the State collected vast amounts of supposedly "objective" information about certain "groups" in society. By ascribing data and information to these persons, specific and artificial identities were created. Individuals were made "gypsies" or "Jews." Information about individuals was thus alienated from the individual; the individual lost the ability to create his or her identity. (28)
The right to informational self-determination was first recognized as a constitutionally guaranteed right in 1983 by the German Constitutional Court in its famous Population Census Decision (Volkszahlungsurteil). (29) However, the German state of Hessen had already passed its first data protection legislation in the 1970s--this was the first data protection legislation in Europe. (30) In the Population Census Decision, the right to data protection and informational self-determination was derived from the constitutionally guaranteed rights to the free development of one's own personality (31) and the protection of human dignity. (32) The court held that each individual has the right to show and to hide aspects of her personality and the nature of the information about the person is irrelevant; only the individual's consent to the collection and the communication of that information matters. This approach should influence the drafting of data protection legislation in Europe considerably. The right to data protection in Europe is consequently understood to entail the right of the individual to generally decide when and under what circumstances personal information is made available--data processing is thus only allowed when it is provided for by law or when the data subject has consented. (33)
When comparing regulatory approaches to data privacy and data protection between the United States and the European Union, the U.S. approach is--generally speaking--less restrictive than the E.U. approach. (34) In the context of data collection by police and intelligence services, for example, the right to privacy in the United States regulates the collection of information stringently. The use of such information, however, is not regulated due to a number of exceptions for law enforcement and intelligence activities. In the European Union, by contrast, "the government's access to and use of personal information is regulated as a data processing continuum in which no stage is considered less harmful than the next." (35) Under the jurisprudence of the European Court of Human Rights (ECtHR), the mere storage of data can constitute an interference with the right to private life, protected under Article 8 of the European Convention on Human Rights (ECHR), even if there is no evidence that the data was used to the detriment of the data subject, or even at all. (36) Moreover, data protection rights cover all personal information, as opposed to only certain types of information gathered using particular intrusive means. (37) As Bygrave puts it, Europe is "home to the oldest, most comprehensive, and most bureaucratically cumbersome data privacy laws." (38) The laws are not only complex but also very much a subject in transition, which can make it difficult to keep up with their current status. The following section will give a brief outline of the main legal framework and highlight some particularities of the fundamental rights protection with regards to the intelligence activities of the European Union in the framework of police and judicial cooperation.
A. Multi-layered Protection of Human Rights
Human rights in the European Union are protected through a pluralist legal system, characterized by "heterarchy not hierarchy." (39) From an individual's perspective, there are thus different co-existing "layers" of protection: a national, international, and supranational layer. (40) The national layer refers to the constitution and the national fundamental rights norms of the respective E.U. Member State. The various international human rights regimes the respective Member State is part of comprise the international layer. In the context of privacy and data protection, the Council of Europe is the most relevant and developed organization. The body of European Union law serves as the supranational layer of protection. The distinction between supranational European Union law and international law might not seem obvious. It originates in the status of the European Union as an object sui generis of international law, where the European Union "constitutes a new legal order ... the subjects of which comprise not only [M]ember [S]tates but also their nationals." (41) Thus, as opposed to international law, individuals can derive rights from the provisions of the E.U. treaties that can be enforced at the national level. E.U. law can therefore directly affect individuals. (42) Furthermore, E.U. law has supremacy over the national laws of the Member States. (43)
The borders between the different layers of human rights should not be regarded as impermeable. Rather, one should imagine them as membranes that allow for a "flow" of rights between the systems of protection. From the perspective of the European Union, the layers create the sources of human rights protection. The Member States' national layer of protection, however, creates human rights obligations only indirectly to the European Union as the constitutional traditions of the Member States form general principles of E.U. law. (44) To determine the obligations of the European Union and its institutions in the right to data protection and private life, the most relevant layers of protection are the ones provided by E.U. law and the international layer, namely the human rights regime provided by the Council of Europe. (45)
B. Privacy and Data Protection in the International Layer--The Council of Europe Instruments
Regarding the right to privacy and to data protection, the instruments of the Council of Europe still play the most significant role for the European Union. All E.U. Member States are simultaneously members of the Council of Europe, and the Court of Justice of the European Union has from a very early stage of integration recognized the important role the European Convention of Human Rights (ECHR) plays as a common denominator among the Member States. (46) With the Treaty of Lisbon, the ECHR was incorporated into the general principles of E.U. law and thus has the same status as the founding treaties. (47) Further, provisions were made for the accession of the European Union to the Convention. After accession, the European Court of Human Rights (ECtHR) in Strasbourg will have jurisdiction over European Union actions. However, case law of the Strasbourg court has already shaped the interpretation of fundamental rights in the European Union to a large extent. (48) The main provision protecting the right to private life is Article 8 ECHR. Although it is essentially a general privacy protection provision, (49) the term "private life" has been afforded a broad scope by the ECtHR and goes beyond the classical right to be free from intrusion into one's private home to cover the collection of personal information and secret surveillance as well. (50) There is an impressive body of ECtHR case law where the court regulates data processing and collection by Member State security and intelligence agencies and reaffirms basic data protection principles.
Although the Convention is a "living instrument," there was a need to address the privacy challenges of new surveillance and data gathering techniques. The Council of Europe therefore passed Convention No. 108 for the Protection of Individuals with regard to Automated Processing of Data (Convention 108) in 1981. (51) It is the first international treaty dealing explicitly with the right to data protection. (52) The European Union acceded to the Convention in June 1999, and it now provides the underlying legal data protection framework of various E.U. instruments. (53) The Convention establishes a number of data protection principles including, inter alia, that data must be (1) obtained and processed fairly and lawfully; (2) stored for specific and legitimate purposes and not used in a way incompatible with those purposes; (3) adequate, relevant and not excessive in relation to the purposes for which they are stored; (4) accurate and, where necessary, kept up to date; and finally (5) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored. (54) The Convention further requires Member States to establish provisions concerning "special categories" of data--data revealing, for instance, ethnicity or religious beliefs--and a sanction and remedy system for persons concerned. (55)
Convention 108, however, allows for derogation from the data protection principles in the context of state security measures when the derogation constitutes a "necessary measure in a democratic society in the interest of protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences." (56) Derogations are further allowed when the rights of the data subject and the freedoms of others need to be protected. Because these derogations exclude all data processing and exchange in the area of police and judicial cooperation, the Council of Europe passed the non-binding Recommendation R(87)15 regulating the use of personal data in the police sector. (57) The Recommendation includes privacy-protective principles; for example, the collection of information should be limited to what is necessary "for the prevention of real danger" (58) and the data collected and stored for police purposes should be used for those purposes only. (59) Although a number of E.U. legal documents dealing with police and judicial cooperation refer to the Recommendation in their recitals, it should be kept in mind that the Recommendation is not legally binding, and it is difficult to tell to what extent member states have to comply with it. (60)
Currently, Convention 108 is under revision to include newer developments in surveillance and data collection technology. The draft proposal has been welcomed for providing the principles of proportionality and minimalism; that is, that no more data be collected than is absolutely necessary for the achievement of the prescribed tasks. (61) The revisers of the Convention are also discussing widening the concept of "individual consent" to mean "free, voluntary, informed and revocable at any time" to acknowledge power imbalances between the data subject and the data collector, e.g., an employer and a job applicant. (62)
C. Privacy and Data Protection in the Supranational Layer
The right to data protection is enshrined in both E.U. primary law (63) and E.U. secondary law. (64) Since the Treaty of Lisbon incorporated the E.U.'s Charter of Fundamental Rights into the body of primary law, the right to private life (Art. 7 CFR) and the right to data protection (Art. 8 CFR) apply to all areas of E.U. law.
According to Article 8 CFR, data must be processed fairly, for specified purposes, and on the basis of the consent of the person concerned or some other legitimate basis established by law. (65) The right to data protection is not an absolute right. Limitations are possible if they are lawful and the essence of the right is respected--that is if they are proportionate and necessary and serve to either protect the rights and interests of others or the genuine interest of the European Union. (66)
There are differing theories on why the right to data protection was added to the E.U. Charter instead of copying and pasting the wide interpretation of the right to private life of the ECtHR. The CJEU's Advocate General Kokott points out that the scope of data protection in the ECHR and the Charter is different and that the Charter offers a wider substantive scope of the right to data protection than the Convention. (67) Contrary to the right to privacy, the right to data protection is not context-dependent. (68) Furthermore, the concept of personal data also includes data relating to unidentified but identifiable persons. (69)
A specific right to data protection is also provided by Article 16 of the Treaty of the Functioning of the European Union (TFEU). The inclusion of the right to data protection in the Treaty and in the Charter of Fundamental Rights was an important development with regards to data exchange in the framework of police and judicial cooperation as it applies to all areas of E.U. law. (70) However, Article 16 TFEU still provides for a number of exceptions for data collection and processing in the context of police and judicial cooperation. For instance, if the rules on the protection of personal data "could have direct implications for national security," Declaration No. 20 of the Lisbon Treaty demands that this should be taken into "due account." (71) Additionally, Declaration No. 21 emphasizes that "specific rules" on data protection may be necessary in the field of police and judicial cooperation. (72) Although these Declarations are not legally binding, they clarify that in the view of the Member States, the former third pillar framework (73) is not a normal area of law where the general framework for data protection applies. Furthermore, there are specific exceptions for certain Member States. (74)
The right to data protection was shaped more precisely with two secondary law data protection instruments. The most important one is the Data Protection Directive (also known as Directive 95/46). (75) The Directive introduced a comprehensive vision of what the protection of data should involve and specified in great detail the data protection rules from which Member States cannot derogate. (76) It reiterates, for example, the data processing principles of Convention No. 108, (77) requires Member States to set up independent data protection supervision authorities, and lays down a large number of attributes for such an authority. (78) However, qua its nature as a directive, Member States are left a "margin for manoeuvre," (79) to "determine more precisely the conditions under which the processing of data is lawful." (80) Furthermore, Directive 95/46 is not applicable to security related data processing (81) and does not apply to data processing and sharing in the context of intelligence or police and judicial cooperation.
The gap the Data Protection Directive left for data processing in the context of police and judicial cooperation was supposed to be filled with the Data Protection Framework Decision. (82) However, the document has been described as "anodyne and toothless" (83) and its scope limited: The protection only applies to internal situations and not within cross-border data exchange. Furthermore, the level of protection awarded by the Framework Decision is low. Although the processing of personal data by law enforcement authorities may require some specific adaptations of general principles of data protection (for example, allowing the use of personal data for crimes other than those for which they were collected), the Framework Decision establishes broad exceptions to some of the obligations of the data controllers, for example, allowing the processing of personal data "for any other purpose" provided that the transmitting Member State consents to this procedure. (84) This creates the effect that individuals are not protected by the Framework Decision in all circumstances, and it has been questioned how these limitations would work in practice. (85)
The E.U. secondary law regulatory framework for data protection is currently under major reform. Two instruments wait to be adopted: a General Data Protection Regulation, (86) which is to replace the Data Protection Directive, and a Police and Criminal Justice Data Protection Directive, which is to replace the Framework Decision. However, both instruments are under intense negotiation. Never before has so much intense lobbying been conducted in the European Union. (87) The European Parliament and the Council presented more than four thousand amendments to the draft in the first readings. It is thus not yet clear what the outcome of the negotiations will be. However, it seems that the proposed Directive for data processing in police and judicial cooperation will not substantially improve the standard of data protection in comparison with the Framework Decision it is to replace, even though it will apply to cross-border data exchange. (88) Although the instruments were supposed to be adopted in 2013, according to Union officials, adoption is expected in the summer of 2015 at the earliest.
Summing up, there are two standards of data protection in the European Union: the general standard and the standard applicable to data collection, processing, and sharing in the context of security-related activities. The general framework of protection is provided by the ECHR's Article 8, the E.U. Charter's Articles 7 and 8, and Article 16 of the TFEU. These provisions have general application and have thus a constitutionally fundamental status. Furthermore, the European Union is party to the Council of Europe's Convention No. 108. On the level of secondary law, Directive 95/46 specifies the data protection principles for the European Union. A number of exceptions exist, however, with regards to data collection, processing, and sharing in the E.U.'s framework of police and judicial cooperation.
First, derogations from Art. 8 ECHR are allowed to safeguard national security. The same applies to Arts. 7 and 8 CFR. Furthermore, the scope of Convention No. 108 does not include data processing in the framework of police and judicial cooperation. Second, although Art. 16 TFEU is part of the provisions of general application in the E.U. Treaties and should thus apply to all areas of E.U. law, the protocol provisions on data sharing in the framework of national security and police and judicial cooperation could limit the effect of certain sector-specific rules, and it is thus contested whether Art. 16 TFEU really can live up to its promise of a stable and comprehensive framework of data protection in the European Union." Third, the Data Protection Directive does not protect personal data in the context of national security and police cooperation, and the Framework Decision only applies to data processing within one Member State. There are thus gaps in the otherwise tightly knit net of data protection rules in the European Union.
To fill those legal gaps, the legal instruments creating the E.U. intelligence networks contain a number of ad hoc data protection provisions. Likewise, Europol and the Schengen Information System established their own specialized data protection regime. Whether these regimes comply with the general right to data protection and the right to privacy will be analyzed in the third part of this article, as it is first necessary to understand the structure, set up, and legal nature of intelligence networks in the European Union.
II. THE EUROPEAN UNION AS AN ACTOR ON THE GLOBAL INTELLIGENCE STAGE
The intelligence capability of the European Union has often been questioned or regarded as weak. (90) This is partly due to the fact that much of the intelligence produced and shared within the European Union is personal information "from mundane sources ... rather than the traditional currency of high espionage." (91) The debate about the nature of intelligence within the European Union thus mirrors a more general debate within the intelligence community about the difference between intelligence and information. (92) In the relevant E.U. documents, the terms intelligence and information are used interchangeably; intelligence is defined as "any type of information or data which is held by law enforcement authorities" and "any type of information or data which is held by public authorities or private entities and which is available to law enforcement authorities without the taking of coercive measures." (93) The German language version of these papers translates intelligence as Erkenntnisse, which rather refers to (police) findings and insights. In the Danish language version, the term efterretninger is used, which refers to national security and military intelligence. However, in both the German and the Danish language versions, the terms intelligence and information are equated with each other as well.
Despite certain pitfalls that come with the equation of intelligence and information, (94) the Union approach seems to come quite close to the actual work of intelligence and police services within the European Union. Technological developments in data mining have made personal information more accessible and important. "Big data" is now a keyword in policing (97) and intelligence. Intelligence fusion centers rely on big data from a variety of sources--both from public and private actors--and merge them into one database, making it impossible to trace back the original data source. (96) This paper thus follows the E.U. definition in perceiving intelligence widely as information or research that makes government policy or operations more effective. (97) It is argued that the essence of intelligence lies at the level of analysis and assessment. Lacking operational capacity, it is thus in this sphere of "data-veillance" and data mining that the European Union has evolved as an intelligence actor.
However, the European Union does not only challenge perceptions of what intelligence is but also of who intelligence actors are: The main role is played by networks with differing degrees of formalization, such as E.U. agencies (98) and information exchange schemes in the area of policing and border control. Conceptualizing them as intelligence actors refers to their activities of data and information collection, management, and processing to extract overarching analyses that rely on the early identification of threats. (99) The aim is to prevent serious crime and terrorism. Originally, these networks were created as police and border control networks. However, they take on a pro-active, future-oriented, and intelligence-led approach to crime fighting, (100) while at the same time re-defining and widening the perception of "threats." (101) This is in line with the European Internal Security Strategy (ISS) that embraces an outlook of "prevention and anticipation which is based on a proactive and intelligence-led approach." (102) Law enforcement and border control actors collect, process, and share data. They also produce intelligence products such as risk analyses, threat assessments, and situation reports. (103) Thus the lines that formerly separated border control, police, and intelligence actors are vanishing on the E.U. level.
These developments have not emerged recently: Intelligence-led policing (104) and intelligence cooperation in the European Union date back as far as 1975, when some Member States initiated the so-called Trevi-Group, (105) an informal framework for the cooperation in matters of policing and criminal justice. They also assisted each other in the fight against terrorism. Intelligence cooperation, however, accelerated after the events of 9/11 and the bombings in Madrid in 2004, and initiatives calling for more intelligence cooperation were fast-tracked. (106) As a result, a dense landscape of E.U. intelligence exchange schemes has developed in the last decade. (107)
After the successful establishment of these intelligence networks, the policy goal of the Union is now to fully exploit the possibilities these networks offer. (108) Along these lines, interoperability and availability have become buzzwords and are perceived as the panacea to counter terrorism and to ensure E.U. internal security. (109) The E.U. internal security strategy foresees "an attitude of data sharing by default" (110) for the Union's law enforcement agencies. Availability in this context refers to the making available of information by Member States' authorities to other national authorities and Europol; and interoperability refers to the ability of IT-systems to exchange data and enable the sharing of information. (111) The two principles are often reframed as "information management." Like interoperability and availability, "information management" is termed in technical rather than legal terms. This falls short of the ethical challenges these policy objectives bear with them. (112)
Interoperability is framed as a purely technical term by E.U. institutions and refers to the ability of IT systems and of the business processes they support to exchange data and enable information and knowledge sharing. (113) This refers to the creation and strengthening of connections and links between actors in different networks and between networks. This purely technical view of interoperability has been challenged by a number of academics because "interoperability is [a] multi-layer concept which can be applied to data, connections, legal structures and other categories" (114) and even technical interoperability "encompasses social, organizational and semantic aspects." (115) Framing availability and interoperability as neutral principles falls short in acknowledging that IT-systems are "hybrids, combining human and technological agency." (116) In the European Union, interoperability and availability are presented as the ultimate solutions to overcome inefficiencies in the current intelligence exchange framework. Thus, interoperability in practice refers to the linking of existing E.U. databases that were created for different purposes: For instance, law enforcement and intelligence agencies get access to immigration and visa databases. As the next section will show, by framing interoperability only technically, insufficient attention has been paid to the challenges of transnational interoperability where cultural, social, organizational, and legal differences between the data-exchanging law enforcement authorities have become increasingly complex. (117)
Importantly, neither the different cultural contexts of the various information systems nor aspects of legitimacy are included in the debate. (118) This is problematic because interoperability of intelligence networks threatens the European data protection and privacy standard; not only are different legal data protection regimes connected, but interoperability threatens to render key data protection principles, such as the purpose limitation principle, meaningless. In practice, interoperability grants law enforcement authorities access to data that were collected for purposes unrelated to combating crime and that concern individuals free from criminal suspicion. (119) This leads to limitations of personal freedoms--such as limitations on free movement--and the targeting of and discrimination against individuals associated with criminal activities. While these human rights concerns are theoretical and hard to concretize, interoperability also poses a definite threat to the fundamental right to privacy and data protection, as evidenced by Europol and the Schengen Information System.
III. TWO INTELLIGENCE NETWORKS: EUROPOL AND THE SCHENGEN INFORMATION SYSTEM (SIS)
Legally, Europol and the SIS II are quite different E.U. law actors: Whereas Europol is an independent E.U. agency, the Schengen Information System is a large police and immigration database, now under the competence of eu-LISA, the E.U. Agency for large-scale IT-systems. (120) This Article, however, conceptualizes both actors as networks. A "network" is defined as a specific organizational form made up of nodal connections. (121) Nodes are separate information centers, which range from national governmental agencies to international organizations or databases. The "network lens" allows us to step outside the constraints of traditional analytical perceptions so as to appreciate the structural linkages in both the SIS II and Europol. (122) Although both Europol and the SIS II contain different information, they are structured similarly. Both have central "hubs" that connects the "nodes" within the network. In both networks, nodes are not constrained to E.U. Member states but can be government agencies, E.U. institutions, and third parties. Moreover, both networks have institutional and virtual connections to third states and international institutions on the one hand, and to E.U. databases on the other. However, whereas Europol is a highly formalized network, the Schengen Information System is more decentralized. (123)
Contrary to popular misconception, Europol is not a European police force, as it does not have any operational powers. In its formative years, Europol was therefore often described as a "toothless organization." (124) In recent years, however, Europol has evolved into the European Union's central law enforcement authority. (125)
In 1995, the European Union established Europol as an international organization through the Europol Convention. (126) The central objective was "to improve ... the effectiveness and cooperation of the competent authorities in the Member States." (127) Europol's main tasks were, inter alia, to facilitate information exchange between the Member States and to obtain, pool, and analyze information and intelligence. (128) The organization was not, however, vested with any executive powers; Europol officers could not carry guns, conduct searches, or arrest or question suspects. Exchanging information with national police forces also proved challenging, as cooperation was left to the discretion of the national police authorities, who preferred to rely on established bilateral cooperation mechanisms. (129) After the 9/11 attacks, however, Europol slowly began to establish itself as an important information hub. The Member States' executives expanded Europol's mandate and increased the types of crimes Europol was permitted to handle. In 2002, the Europol Convention was amended to allow Europol officers to participate in a limited manner in so-called Joint Investigation Teams (JITs), which consisted of police and judicial authorities of at least two Member States. (130) As a part of JITs, Europol officers are authorized to assist with criminal investigations but cannot participate in coercive measures. (131) Furthermore, the 2002 amendment enabled Europol to request Member States to conduct criminal investigations. (132)
The 2010 Europol Decision put Europol on a new legal basis. (133) The Decision substituted the Europol Convention and turned the former international organization into an independent E.U. agency. Furthermore, the Decision put Europol under the jurisdiction of the European Court of Justice and made Europol subject to both E.U. law and scrutiny from the European Parliament.
Since 2010, Europol has gained respect within the Member States, especially for its expertise on computer-related crimes. Accordingly, the Member States placed the newly established European Cyber Crime Centre EC3 under the auspices of Europol in 2013.
Europol supports national police forces in investigations that involve two or more Member States. In 2012, Europol supported nearly 16,000 cross-border investigations. (134) According to its mandate, Europol has a supportive, coordinative, and informative role. (135) Its purview covers organized crime, terrorism and other serious crimes. The list of "serious crimes" is extensive and covers, inter alia, trafficking in human beings, murder, racism and xenophobia, computer crime, and environmental crimes. (136) Europol's involvement comes mainly in the form of analytical and investigative intelligence. Europol's main task is thus to collect, process, analyze, and put into context a plethora of crime-related information and to synthesize its findings into a strategic and operative analysis for the Member States. In its self-description, Europol highlights its "unique information capabilities" and "intelligence work" (137) as its most powerful "weapon." (138) Its most important intelligence products are the E.U. Terrorism Situation and Trend Report (Te-Sat) and its Serious and Organized Crime Threat Assessments (SOCTA). Both strategic intelligence products draw on information Europol receives from the Member States and third parties, as well as information Europol creates itself to assist policy-makers in decision-making. To fulfill its mandate and connect its participating parties, Europol runs the Europol Computer System, home to Europol's largest databases, or "analytical treasure[s]: (139) the Europol Information System (EIS) and the Analytical Work Files (AWF). The Europol Computer System also includes the Index System, a quasi-search engine that can crosscheck both the EIS and the AWFs for information.
The EIS stores information about persons, events, and devices connected with a criminal case. "Persons" includes both those who are suspected of committing or have been convicted of a crime that falls under Europol's purview (140) and persons about whom "there are factual indications or reasonable grounds ... to believe that they will commit [such a] criminal offence." (141) The EIS generally receives its data from Member States, and access to the data is limited to Europol staff and liaison officers. These officers, however, can also input data directly into the system. (142)
The newest version of the EIS, deployed in 2013, can store and cross-check biometrics and cybercrime-related data. The number of records stored in the EIS has grown remarkably in the last few years, with more than 200,000 entries and approximately 10,000 searches now carried out in the system every month. (143)
The AWFs are topical files containing criminal intelligence. Their aim is to provide a focused criminal analysis and to allow Member States to collect and analyze relevant data in a specific crime area, such as Islamist terrorism, human trafficking, or money laundering. Europol obtains the raw information contained in the AWFs from either the EIS or other sources, which is then analyzed by Europol staff. AWFs also include data on many persons connected to crimes, including all persons whose data is stored in the EIS as well as witnesses and victims of crimes, contacts and associates, and persons who can provide information on the crimes concerned. (144)
2. Europol as an Intelligence Network
From its beginning, Europol was a network--its background lies with the informal Trevi-cooperation. (145) However, contrary to the Trevi network, Europol has a highly formalized structure. As its spider web logo intimates, Europol has a center, or hub, that connects a number of nodes, or actors. The hub is Europol headquarters in The Hague, where Europol staff and the national liaison officers work. Each Member State's Europol National Unit (ENU) can send one or more Europol Liaison Officers (ELO) to Europol headquarters, where they are grouped together in a Europol Liaison Bureau (ELB). ELOs are responsible for providing Europol with information and intelligence from their sending state, and relaying new information back to their local ENU. ELOs also provide advice in the analysis of intelligence concerning their sending state. Experts estimate that eighty-five to ninety percent of the ELOs are purely police-related, while the remaining officers work in customs and intelligence services. (146) Although ELOs are mainly employed to provide Europol with information, it is estimated that some information exchanges take place informally between ELOs and without Europol's involvement. (147)
In addition to Member States, third states and other agencies or organizations are also able to send liaison staff to Europol headquarters. In 2012, Europol hosted liaison officers from ten non-E.U. countries and organizations, including Interpol, the FBI, and the U.S. Secret Service. (148) In comparison, Europol has had only two liaison officers stationed in Washington D.C. and just one at Interpol's headquarters in Lyon, France since 2002.
In addition to collaborating with Member States, Europol cooperates institutionally and virtually with a number of actors both inside and outside the European Union, including Eurojust, the E.U. agency for the cooperation of judicial authorities, and Interpol. Through virtual channels, Europol is connected to other existing databases concerning law enforcement and intelligence, such as the Schengen Information System (SIS) and the Visa Information System (VIS).
B. The Schengen Information System
Whereas Europol is an institutionalized intelligence network, the Schengen Information System is harder to conceptualize as an intelligence actor. Although its network structure is quite formalized, the system is both supranational and national and thus exists through the connections of the different actors involved in the system.
The SIS was set up to compensate for the removal of internal borders in the Schengen zone. Its main purpose was to safeguard public and national security by making available to the relevant national authorities a list of persons who should be denied entry to the Schengen area. Although originally designed as a support tool, transnational demand prompted a transformation of the database into an investigative tool (149) to "maximize" its potential. (150) Thus, the SIS introduced new categories of data, namely biometric and photographic, into the system and granted access to E.U. agencies such as Europol and Eurojust. (151)
The SIS database stores information on persons, vehicles, and objects. Information is organized in the database according to one of six "alerts," including those relating to persons wanted for arrest or extradition within the European Union, (152) alerts on persons and objects for discreet or specific checks, (153) or alerts on third-country nationals for the purpose of refusing entry and stay. (154) Data that are collected, stored and processed include personal details and biometric data. While accurate data on the exact number of entries in the SIS II is hard to come by (as this information tends to be classified), the Council of the European Union estimates that in 2013 the database contained more than 46 million entries, and in 2012 the database recorded 108,951 "hits." (155) A recent report by the European Commission hails the SIS as an investigative and anti-terror tool and reports a more than thirty percent increase in the number of alerts issued for specific and discreet checks for intelligence-gathering purposes. (156)
The SIS consists of two parts: Each Member State hosts a national SIRENE bureau that enters data through a national SIS interface. The data is then pooled in a central system, from where it is re-distributed to all the Member States' interfaces. Competent authorities in the Member States can access and perform searches in the central system directly or in a copy of the data in their national system. Contrary to Europol, the SIS does not process the information contained in its database to produce new information itself. The only "active" network participants are thus the Member States.
While the Member States are responsible for the security and the quality of data in their national interfaces, eu-LISA, the E.U. agency for large-scale IT-systems, is responsible for the security of the central database. Mirroring the organizational structure of the SIS, supervision of the database is also double-layered. The central system is overseen by the European Data Protection Supervisor (EDPS). For the national systems the respective national data protection authorities monitor the lawfulness of the processing of personal data in the SIS. The double-layered structure complicates supervisory work because the different supervisory bodies have diverging powers. (157) On the one hand, the EDPS has the right to receive information on the data collected, the purpose for which it was gathered, and whether a transfer to a third country is planned. (158) Furthermore, in certain cases, the EDPS has the right to monitor the legality of data gathering prior before agencies begin the collection process. (159) However, states are only required to consult the EDPS, and its opinions are not binding. (160) On the other hand, the rights of national data protection authorities differ among the Member States. While all of them can oversee the work of the national SIRENE bureau, some protection authorities do not receive access to the files of all their nation's agencies with access to the database--especially when it comes to the files of national security and intelligence agencies. (161)
C. Data Protection within E. U. Intelligence Networks
SIS II and Europol were both established in the frame of police and judicial cooperation, the former third pillar characterized by intergovernmental decision-making and exclusion from E.U. supranational law. As explained above, this meant that the supranational data protection provisions did not apply in the context of data protection. Furthermore, this area of intelligence and information exchange fell under the derogation provisions from international data protection rules. Both networks therefore established their own specialized data protection frameworks.
I. Europol and Data Protection
Europol takes pride in its high standard of data protection, even though it is exempt from the main E.U. data protection instrument, the Data Protection Directive, which does not cover data exchange in police and judicial cooperation. (162) Instead, Europol operates under a specialized data protection regime, with the Data Protection Framework Decision and Convention No. 108 as lex generalis and different sets of special rules set out in the Europol Council Decision and in implementing rules as lex specialis.
Generally, responsibility for the accuracy, legality, and quality of data transmitted to Europol lies with the inputting Member State. (163) If Europol receives data from third states or third-party organizations, it assumes responsibility for that information upon its entry into one of Europol's data files. (164) Data may only be stored as long as it is necessary, and there is a provision for a general review after three years. However, the review of data and their deletion is carried out by the inputting Member State. (165) If data in the Europol data systems are inaccurate or have been obtained illegally, the Europol Decision does not provide for automatic deletion. Instead, it only requires that Europol inform the Member State or the party concerned. (166)
Personal data retrieved from Europol's files may be used by the Member States to prevent and combat crimes that fall within Europol's mandate and to prevent and combat "other serious forms of crime." (167) What constitute "other serious forms of crime" is up to individual nations to determine. However, states may use the data for other purposes only with the consent of the transmitting Member State. (168)
These data protection provisions leave some problematic areas unaddressed. One area of concern is the group of persons whose data is stored in the Europol databases. As mentioned before, data in the EIS must relate to suspects, convicted criminals, or persons suspected on "factual indications or reasonable grounds" (169) of planning to commit crimes that fall under Europol's mandate. Among data that can be stored are information about a subject's profession, fingerprints, and DNA profile. (170) In contrast to the EIS, data in the AWFs need not relate to suspects and potential criminals, but may also include contacts, associates, witnesses, victims and informants. Additionally, the category of data that may be stored and processed in the AWFs is broader than that of EIS and includes not only data such as names and physical descriptions, but also economic and financial information and "behavioral data" about lifestyles or routines that can convey such personal information as sexual orientation and religious background. (171)
It is questionable whether this practice conforms to Article 8 of the CFR, especially with its purpose limitation principle, considered to be a "cornerstone" of European data protection law. (172) Europol's policy of allowing data to be held on persons who may not have committed a crime but who are considered at risk of committing a crime in the future jeopardizes this principle. (173) Indeed, the ECtHR has previously ruled that storing biometric information of suspects and innocent persons alongside that of convicted criminals is a disproportionate interference with the right to private life. (174)
Another problem area concerns the oversight system and the rights of data subjects to have inappropriately-retained information rectified or deleted. (175) Europol operates under the scrutiny of an independent Joint Supervisory Body (JSB), which reviews its activities in order to ensure that it processes personal data in accordance with the applicable legal frameworks. Europol's JSB, which meets four times a year, is composed of up to two members of each of the independent national supervisory bodies. The JSB has free access to EuropoTs premises and can carry out on-site inspections. In practice, however, the JSB informs Europol in advance of its visits. (176) The JSB's mandate includes reviewing the permissibility of data transmission to third parties. As part of that process, the JSB gives an opinion on the adequacy of data protection regulations in the prospective partner state. The JSB also serves as an appellate body for persons who request access, correction, or deletion of data held by Europol. (177) However, the JSB only has binding powers relating to appellate cases. Europol's "track record" with regard to those cases has been mixed, with the JSB appeals committee "revealing an inconsistent approach." (178) Generally, the JSB is perceived as an appropriate and well-functioning oversight institution. (179)
The inclusion of "future criminals," suspects, and individuals associated with crimes stands out as the most problematic of Europols data protection weaknesses. Because of the networked character of Europol, these individuals' data can travel from one network participant inside the European Union to another node outside E.U. territory or end up in databases that have purposes completely different from Europols. Given that national units and liaison officers from third states get equal access privileges to all information, and that this information can be transmitted to third partners, the inclusion of these categories of persons is even more troublesome. Third parties that gain access to this information could undertake further privacy-invading measures such as surveillance based on Europol's information. (180) Furthermore, the practice also challenges Recommendation R(87) 15 of the Council of Europe, which limits data collection for police purposes to the extent necessary for the prevention of real danger or the suppression of a specific criminal offence. (181) The storage of data of criminals and possible criminals in the same database also opposes Principle 3.2. of the Recommendation, which specifies that data derived from facts should be distinguished from data derived from opinions or personal assessments. (182)
Apart from the categories of persons whose data can be entered into the information systems, a second big challenge to the right to privacy and data protection is the distribution of control rights over the data stored in the system. Control of data in the EIS is not centralized at the hub but remains with the network nodes--the parties that collect the data. Thus, only the inputting authority can alter or delete information in the EIS. The data owner is also responsible for the data being accurate, reliable, up-to-date, and in compliance with storage limits. (183) Many national authorities, instead of manually uploading data to the EIS, use so-called "dataloaders" that "grab" data and transmit it automatically to Europol. There is thus no control mechanism for Europol to check whether data on persons in the system is correct and up-to-date. Indeed, there have been a number of cases in which Member States entered false information in the EIS. In one case, even though the flawed data was discovered during an inspection by the Joint Supervisory Body, the Member State concerned did not delete the information. (184) In short, information that goes from a Member State to Europol is totally beyond the control of the network hub. As the former head of the Joint Supervisory Body pointed out in 2008, this is especially worrisome because there is a "very different approach to data protection compliance between some Member States and others." (185)
2. Data Protection and the Right to Privacy in the SIS
Like Europol, SIS II is governed by a multi-layer data protection regime. However, SIS II is slightly more complicated: Since it was set up before the Treaty of Lisbon entered into force, the network mirrors the former pillar structure of the European Union. While matters regarding visa and immigration were regulated under the "second pillar," and thus supranational, the area of police and judicial cooperation was based on the third, intergovernmental pillar. Since SIS II is both an immigration and a police database, it was built on two legal bases to reflect the two different pillars. The SIS 11 Regulation was issued under the second pillar by the European Parliament and the Council of Ministers, while the SIS II Decision was passed by the Council after consultation with the European Parliament under the third pillar. The two legal bases also resulted in two different standards of data protection.
All data collection and processing in connection with immigration and visas is thus regulated by the Data Protection Directive and the special data protection regime in the SIS II Regulation. (186) As noted above, the Data Protection Directive offers a comprehensive privacy protection framework and has a clear human rights focus. (187) For example, it places strict restrictions on the flow of personal data to third countries and imposes stringent prohibitions on the processing of data unless specific conditions are satisfied. However, the Directive is not applicable to security-related data processing and thus does not regulate SIS II data processing.
The SIS II Decision is the applicable legal framework for all data collected and processed on E.U. citizens and non-E.U. citizens in connection with police and judicial proceedings. Accordingly, all data processed in connection with these proceedings are regulated by Convention 108 and the Data Protection Framework Decision as lex generalis and the SIS II Decision as lex specialis. However, although Convention 108 provides for a relatively comprehensive legal privacy and data protection framework, it allows for broad derogations from these standards in pursuit of state security or the suppression of criminal offences. Since large parts of the SIS II Decision serve precisely this purpose, it is questionable to what extent Convention 108 governs it at all. The applicability of the Data Protection Framework to data sharing in SIS II is equally uncertain since it only applies to internal situations and not to cross-border data exchanges.
Apart from the general challenges posed by the complicated legal setup of SIS II, there are a number of specific problem areas that are caused by the networked character of the system. These involve the reasons for entering data, the kind of data entered, and the authorities entrusted with access to the data. As in the Europol databases, control over whose data is entered into SIS II remains with the participating Member State and the European Union has no influence over the decision. This is especially problematic in the context of what are known as "Article 36 alerts." In these alerts, information is entered on persons in order to subject them to "discreet checks," which allow for more intense scrutiny and surveillance measures. (188) The alerts can be issued "where an overall assessment ... gives reason to suppose that a person will ... commit serious criminal offences in the future." (189) Like Europol, SIS II stores personal and biometric information on convicted criminals, suspects, and on persons who might become criminals in the future. In addition to the problems that Europol faced with these broad categories of data subjects, analyses of Article 36 alerts show strong cultural and legal differences among Member States regarding who might become a future criminal. JSB inspections of the first-generation SIS showed, for example, great differences regarding the amount of alerts entered. (190)
Moreover, these alerts can also be entered by national security agencies. Which authorities constitute "authorities responsible for national security" is left to the Member States to determine,* 191 with large discrepancies emerging as a result. In some States, even the military police and the foreign intelligence services get access to the system. (192) This blurring of the boundaries between domestic police and foreign intelligence databases is extremely worrying from a human rights law perspective. Because the files of security agencies are secret, it is therefore hard to trace back why an alert on a person has been entered. If intelligence services can enter data in a police databank without oversight, this data can later be used to justify much more coercive measures such as surveillance or even arrest and incarceration. The practice also poses national constitutional challenges. In Germany, for example, the Trennungsgebot (law of separation) is a constitutional principle and provides that the police may not access intelligence databases and that intelligence services cannot enter information in police databases. That the domestic intelligence service can enter data into the SIS II thus conflicts with that principle. (193)
Apart from problems regarding whose data is entered into the system and which authorities may access it, there are also issues regarding the Member States' wide discretion in processing data in SIS II. They are allowed to use data for any purpose if there is a link to a specific case and "a need to prevent an imminent serious threat to public policy and public security, on serious grounds of national security or for the purposes of preventing a serious criminal offence." (194) Prior authorization from the Member State that issued the alert, however, is, necessary. Critics have pointed out that this safeguard is not adequate, since it is the derogating State that determines the need for derogation and authorizing States may not want to question matters touching on national security in another country. (195)
Serious flaws regarding data security aggravate the legal challenges to data privacy inherent in the system. The two-fold structure with a copy of the database in every participating Member State had already been identified as a risk when the database was established. (196) In January 2012, the Danish interface was subject to a hacker attack, and more than 1.2 million data sets were stolen. (197) Another incident involving the Belgian interface where employees had sold data to organized crime groups 98 shows that twenty-six national interfaces also mean twenty-six possible gateways for criminals.
Since it is up to the Member States to guarantee the security of the system, there is also a theoretical possibility for private companies to get access to data. In Denmark, for instance, during the time of the hacker attack, a subsidiary of the U.S. company CSC was responsible for the security of the Danish system. Another subsidiary of the same company was not only involved in the rendition of E.U. citizens but has also been made public as a cooperation partner with the NSA. (199) Thus, it is questionable that data in the SIS II is both safe from criminal attacks and from informal exchange with third states.
IV. INTELLIGENCE NETWORKS CONNECTED: THE CHALLENGES OF INTEROPERABILITY
Both Europol and the Schengen Information System show serious flaws regarding the protection of privacy and data rights. These shortcomings are multiplied when these networks interact and flawed data travel from one database to another. Despite these risks, it has become a major policy objective in the European Union to achieve interoperability of intelligence networks. The following section will highlight some fundamental rights challenges that result from the interoperability between SIS II and Europol.
The Schengen Information System is designed as an internal Schengenarea network. Thus, data stored in the SIS II cannot be exchanged with third countries or international organizations. (200) Europol however, cooperates with E.U. Member States, E.U. agencies, international organizations, third states, and private partners. (201) Regarding the exchange with third countries, Europol has two types of agreements, depending on what kind of data can be shared. In the first category are operational agreements where the Council has given approval to the transfer of classified information and personal data. Third countries with operational agreements include the United States, Canada, and Colombia. (202) These countries have liaison officers stationed at Europol, too. In the second category of agreements are so-called strategic agreements, with, for example, Russia, Turkey, and Ukraine, which do not allow the transfer of personal data. (203) Some of these countries also have liaison officers stationed at Europol. Under the current legal framework, it is the Council and thus the Member States' national executives who decide with which countries Europol should establish relations.
In order to exchange personal information with third states, the adequacy of the data protection standard needs to be guaranteed. It is important to note, however, that adequacy does not mean equivalence--that is, the data protection standard in the other country does not need to be on the same level as in the European Union. (204) If agreements contain the exchange of personal data, the Joint Supervisory Body has to issue an opinion but cannot decide on the adequacy of data protection. (205) The criteria to determine the adequacy of the protection standard remain unclear because the documents containing the list of criteria for Europol agreements are not made publicly available. (206) There are also measures that allow for the direct transfer of data without a former agreement by the Director of Europol to safeguard essential interests in a Member State. (207)
In 2001, an operational agreement was concluded between Europol and the United States that has been heavily criticized by the European Parliament. The agreement was supplemented in 2002 to allow the sharing of personal data. The European Parliament expressed concern at that time because the United States did not afford an equal level of data protection to its citizens and was unable to produce a list of all the agencies that could request or have access to data provided by Europol. The agreement was perceived as being "rushed through" with no realistic opportunity for the European or national parliaments or civil society groups to subject the proposal to proper scrutiny. (208)
This lack of control over information flow is highlighted as the most pressing problem with Europol's agreements with third states. First of all, there is no possibility for Europol to control the way information has been obtained by partner states. (209) Second, Europol can neither control what happens to information once it has been shared with the third state nor control whether third states abide by the agreed standard of data protection.
On top of that, outside the formal data exchange agreements, the role of the liaison officers should not be underestimated. Member States and third countries with whom Europol has cooperation agreements have a number of liaison officers located within the same building. While it is inevitable that some exchanges of information take place between the liaison officers, apparently the vast majority of information exchange between liaison bureaus occurs outside the formal systems. (210) Not only does this undermine the role of Europol as an intelligence network, but it also undermines the data protection standards in place.
Regarding the inter-E.U. network connections, one of the most important relationships is that with the E.U. border control agency Frontex. For sharing personal information with E.U. agencies such as Frontex, a working agreement that regulates data processing rules is usually necessary. For these agreements, the Europol Joint Supervisory Body has to issue an opinion. However, if deemed necessary for fulfilling Europol's or the other agency's mandate, Europol can exchange and receive information without these formal agreements in place. Frontex and Europol have had informal ties since 2006 and a formal cooperation agreement was established in 2008. (211) While this agreement excluded the exchange of personal information, (212) the legal basis for Frontex was later amended to allow explicitly for the exchange of personal information between Frontex and Europol. (213) The agencies' immigration and criminal intelligence databases were thus interconnected. Through the network connection between Frontex and Europol, Europol is indirectly connected to even more nodes in an even larger network. This follows from the network character of Frontex, as Frontex itself has a number of cooperation agreements with E.U. agencies, international organizations, and third states. Among them are the European Defense Agency, Nigeria, (214) and Azerbaijan. (215) Frontex agreements are concluded as "working agreements" without the involvement of the European Parliament. Their legal status is uncertain, (216) they are not made public and the European Court of Justice has no right to judicial review over them.
Frontex mainly gathers personal data through its border operations when it stops irregular migrants whenever they try to cross the sea or land borders to the European Union. The data of these migrants could not only be shared with Frontex's partner states--from some of which the migrants fled--but can also be shared with Europol. Immigration data thus end up in a police database. The cooperation with Frontex raises more general questions regarding Europol's increased focus on irregular migration for the content of Europol's data. There is a risk that the data of irregular migrants intercepted during Frontex's operational activities may be entered into Europol's databases. This conflation of migrants and criminals in Europol's activities, leading to the stigmatization of migrants as a potential risk category, stands in tension with the E.U. Charter and E.U. principles of non-discrimination. (217)
As can be seen, Europol's network connections to other networks, irrespective of whether they are within or outside the E.U. framework and territory, already poses great challenges to the purpose limitation principle and further deprive Europol of the control over the fate of the data in its information systems. For the individual, this means that once data is entered into the Europol system and further exchanged with Europol's network partners, it can travel to very remote nodes of the network. The possibility to rectify or delete inaccurate or outdated data on oneself seems minimal, since it is practically impossible to trace where data ended up. Even if deleted from the EIS, inaccurate or outdated information could be re-introduced through the network nodes again.
The data protection challenges posed by EuropoTs networks are not limited to Europol, but also affect the Schengen Information System to a considerable degree. As mentioned before, the SIS II-Decision explicitly excludes data sharing with third countries. When the information system was designed, data sharing in general was actually not envisaged. Nonetheless, since the 1990s, the German government has advocated for access for Europol and Eurojust and proposed this again in September 2001. (218) In February 2002, plans were subsequently made to grant both agencies access to SIS. All documents relating to the surrounding discussions are not publicly available. Documents published later by NGOs such as Statewatch, however, suggest that there were in fact doubts by some delegations that feared that this access would undermine the original function of SIS. (219) In 2005, access for Europol and Eurojust to SIS was finally decided by a Council Decision under the Amsterdam third-pillar-framework; thus, the European Parliament was not involved, and there was neither a public debate about the decision-making process nor documents publicly available regarding the decision-making process. The potential future integration of E.U. databases, such as the Visa-Information-System (VIS) and Eurodac, has already been built into the design of the second-generation Schengen Information System. (220)
The SIS II-Decision grants Europol access to alerts concerning persons and objects sought in the context of police investigations, missing persons, and persons to be put under surveillance. (221) For these purposes, Europol can access and search the SIS II Database directly. When a search reveals an alert, the agency needs to inform the issuing Member State, which then has to give its consent for the use of information. (222) Only after prior consent from the Member State can Europol communicate such information to third states. There are a number of information protection provisions governing the access of Europol: Each attempt to access needs to be recorded, no data can be directly transferred or copied, and only authorized or national staff get access to the database. (223) However, as has been pointed out, the vast majority of information exchange at Europol takes place informally through liaison officers. It does not seem far-fetched to suspect that information from SIS II can be indirectly introduced into the Europol databases and then handled accordingly without formally involving the Member States.
There is also a lack of clarity regarding the applicable data protection regime in the framework on interoperability between SIS II and Europol. The SIS II-Decision refers to the Europol data protection regime which should apply for data processing by Europol. (224) The Europol-Decision, however, refers back to the SIS II-Decision as lex specialis. (225) Therefore, it is not completely clear which data protection framework applies to the SIS II-data once retrieved by Europol.
Access to SIS 11-data is generally only allowed within the scope of what Europol requires for the performance of its tasks. (226) The lack of further specification of the purpose of the access has been criticised by the European Data Protection Supervisor, especially in light of the evolving mandate of Europol. (227)
Although the provisions seem to prohibit the introduction of data to the Europol database, critics point out that this only concerns the direct introduction of SIS-data and that there is still an indirect way of asking the Member State concerned after a hit in the SIS II database to introduce the same information in Europol's database. (228) That way, the prohibition on sharing SIS-data with third states could be circumvented as the Europol Decision explicitly allows data sharing with partner countries and E.U. agencies. (229) Considering Europol's spider-web structure with a large number of network nodes, it is impossible to trace the final destination of data once introduced into the Europol Information System.
The interoperability of E.U. intelligence networks has become a focal point of interest in the European Union. In the case of the Schengen Information System, plans date back as early as the 1990s to grant Europol access to the database, (230) even though doubts were raised from the very beginning that this could undermine the original function of SIS II as an immigration control database. (231) When access for Europol was finally granted in 2005, it was the national executives in the European Union who made the decision. The European Parliament was not formally involved in the decision-making process and the documents about the discussions predating the decision have not been made public. Given that the data protection standard in SIS II and Europol leaves open some "legal black holes" where individuals cannot expect that their personal information will be protected at all times, the interoperability of both systems is problematic.
One of the key cornerstones of data protection law, the puipose limitation principle that provides that data can only be used for the purposes it was collected for, is undermined when data travels between databases. The Schengen Information System, for instance, provides that data stored in the database cannot be shared with third states or international organizations. By granting access to Europol, however, data could in fact travel to third states and international organizations, either through formal information exchange agreements or through informal exchanges via liaison officers. Moreover, since Europol also maintains a number of working agreements with other E.U. networks and agencies, which in turn have other information exchange agreements, the original source of the data and the original purpose for which it was collected gets diffused. This is problematic for a number of reasons: First of all, there is no control over the information flow, as neither SIS II nor Europol nor an E.U. supervisory body can keep track of where data ends up or for what purposes it is used eventually. Connected with this lack of information control is the problem of flawed data: Once the origin of data is diffused, it is hard to ensure that data is still current and accurate. Cases in the Schengen Information System illustrate that once data was deleted by one Member State, it was still present in the national interfaces of other Member States and thus reintroduced into the database. In one case, it took the applicants twelve years to rectify their data in the system. (212)
A third problem area is the erosion of the boundaries between security, crime, and migration: Europol as a law enforcement network cooperates, for instance, with immigration control networks. Both the Schengen Information System and Europol store data of irregular migrants alongside data of criminals in the same database. This leads to a stigmatization of migrants. Furthermore, both networks provide for the storing of information of persons who have not been convicted of a crime but are suspected of committing a crime in the future. Not only has the storage of biometric data of suspects and convicted criminals in the same database been ruled a disproportionate interference with the right to private life by the ECtHR, but there are also no protection provisions in the networks requiring that this data cannot be shared at all. In light of the vast amount of cooperation agreements of Europol, it seems more than likely that this data is also shared with third countries and agencies.
The protection standard for the right to private life and the right to data protection in the European Union is generally regarded as high. This standard, however, does not under all circumstances extend to intelligence cooperation. Since the E.U. intelligence networks fall under the derogation provisions and thus lower standards apply to the networks themselves, when networks are interoperable, data can travel in a legal vacuum where it is not clear what data protection standards apply. This vacuum not only undermines the protection of constitutionally guaranteed rights but also the democratic legitimacy of the European Union as a whole.
Julia Ballaschk, PhD student, University of Copenhagen, Center for Comparative and Constitutional Studies. E-mail: Julia.Ballaschk@jur.ku.dk. I would like to thank Assoc. Prof. David Jenkins for his valuable comments on earlier drafts. All mistakes in this paper are my responsibility.
(1) Anne-Marie Slaughter, A New World Order (2004).
(2) Richard J. Aldrich, Global Intelligence Co-operation Versus Accountability: New Facets to an Old Problem, 24 INTELLIGENCE & Nat'l Sec. 26, 27 (2009).
(3) The Canadian Security Intelligence Service (CSIS) has more than 250 information-sharing agreements; the CIA has "global reach, including connections to more than 400 agencies." Elizabeth Sepper, Democracy, Human Rights and Intelligence Sharing, 46 TEX. INT'L L.J. 151, 155 (2010).
(4) UN Security Council Resolution 1373 (2001) called, inter alia, for States to intensify and accelerate the exchange of operational information. S.C. Res. 1373, U.N. Doc. S/RES/1373 (Sept. 28, 2001). In the Technical Guide that the Counter-Terrorism Committee compiled to help States implement S.C. Res. 1373 in order to facilitate the exchange of information, States are encouraged, inter alia, to have in place multilateral and bilateral networks for intelligence exchange. See CounterTerrorism Comm. Exec. Directorate, Technical Guide to the Implementation of Security Council Resolution 1373 (2001) (2009).
(5) Aldrich, supra note 3, at 28.
(6) For example, the UKUSA agreement or the Club of Berne. See Sepper, supra note 3, at 157-159.
(7) Leon Hempel et al., Exchange of Information and Data Between Law Enforcement Authorities Within the European Union, 5 Discussion Paper No. 29/09 (2009), available at https://www.tuberlin.de/uploads/media/Nr_29_Hempel_Carius_Ilten.pdf.
(8) Anneliese Baldaccini, Counter-Terrorism and the EU Strategy for Border Security: Framing Suspects with Biometric Documents and Databases, 10 EUR. J. MIGRATION & L. 32 (2008).
(9) See Commission Proposal for a Directive of the European Parliament and of the Council on the Use of Passenger Name Record Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime, at 5, COM (2011) 32 final (Feb. 2, 2011), available at http://ec.europa.eu/home-affairs/news/intro/docs/com_2011_32_en.pdf.
(10) Directive 2006/24/EC, of the European Parliament and of the Council of 13 April 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks O.J. (L 105) (Data Retention Directive).
(11) Eur. Data Prot. Supervisor, Opinion of the European Data Protection Supervisor on the Future Development of the Area of Freedom, Security and Justice (2014).
(12) Francesca Bignami, Towards a Right to Privacy in Transnational Intelligence Networks, 28 MICH. J. INT'L L. 663, 685 (2007).
(13) The first generation Schengen Information System SIS I was replaced in April 2013 with SIS II. The term "Schengen Information System" refers to the present system, SIS II.
(14) As of 2012, Europol's Information System contained almost 200,000 records. Europol, EIS Europol Information System (2013), available at https://www.europol.europa.eu/content/europolinformation-system-eis-leaflet As of January 1, 2013, the SIS contained more than 46 million records. Communication from General Secretariat of the Council, Schengen Information System Database Statistics 01/01/2013 (7389/13) (2013), available at http://www.statewatch.org/news/2013/mar/eucouncil-sis-stats-7389- 13.pdf.
(15) Hempel, supra note 8, at 1.
(16) Christopher Kuner, European Data Privacy Law and Online Business 3 (2003).
(17) However, the CJEU long conflated the right to privacy with the right to data protection or treated the right to data protection as a "sub-right" to the right to privacy. See Orla Lynskey, Deconstructing Data Protection: the 'Added-Value' of a Right to Data Protection in the EU Legal Order 63, 576-581 (2014).
(18) Data Protection Working Party, Opinion 01/2014 on the Application of Necessity and Proportionality Concepts and Data Protection Within the Law Enforcement Sector (2014).
(19) This is true despite the fact that information is often considered the "new oil." See Christopher Rees, Tomorrow's Privacy: Personal Information as Property, 3 INT'L Data PRIVACY L. 220, 221 (2013).
(20) "Person" here refers to natural persons.
(21) Peter Blume, Databeskyttelsesret 27 (4th ed. 2013).
(22) "Informational self-determination" is an idea that originated in the continental European legal system and is the translation of the German term informationelle Selbstbestimmung.
(23) Wolfgang Schmale, Privatheit als Geschichte der Informationellen Selbstbestimmung, in PRIVATHEIT im DIGITALEN Zeitalter 33 (Marie-Theres Tinnefeld & Wolfgang Schmale eds., 2014).
(24) "Wir sind heute als Selbst, Individuum, Einzelner die Summe aller uber uns existierenden Informationen." Id. at 37.
(25) LYNSKEY, supra note 18, at 576-81.
(26) Marie-Theres Tinnefeld et al., Einfuhrung in das Datenschutzrecht, Datenschutz und Informationsfreiheit in Europaischer SlCHT 91 (2012).
(28) Schmale, supra note 23, at 62.
(29) Bundesverfassungsgericht [BVerwG] [Federal Constitutional Court] Dec. 15, 1983 Entscheidungen des Bundesverwaltungserichts [BVerfGE] 65, 1 (Ger.).
(30) Specifically, this occurred in 1970 in the state of Hessen and 1977 with the federal Bundesdatenschutzgesetz. Datenschutzgesetz (October 7, 1970), GVB1. II 300-10, available at https://www.datenschutz.rlp.de/downloads/hist/ldsg_hessen_1970.pdf.
(31) Article 2(1), GRUNDGESETZ FUR DIE BUNDESREPUBLIK DEUTSCHLAND [GRUNDGESETZ] [Basic Law], May 23, 1949, BGBI. 2 (Ger.).
(32) Article 1(1), GRUNDGESETZ FUR DIE BUNDESREPUBLIK DEUTSCHLAND [GRUNDGESETZ] [Basic Law], May 23, 1949, BGBI. 1 (Ger.).
(33) Tinnefeld, et al., supra note 27, at 103.
(34) For an international comparison of data privacy law, see Lee A. BYGRAVE, Data Privacy Law: An International Perspective (2014).
(35) Bignami, supra note 12, at 672.
(36) Amann v. Switzerland, No. 27798/95, [section] 69, Eur. Ct. H. R. (2000).
(37) Bygrave, supra note 35, at 109-16.
(38) Id. at 100.
(39) NICO KRISCH, The Open Architecture of European Human Rights Law, in Beyond Constitutionalism 112(2010).
(40) Giacomo Di Federico, Fundamental Rights in the EU: Legal Pluralism and Multi-Level Protection After the Lisbon Treaty, in THE EU CHARTER OF FUNDAMENTAL RIGHTS, FROM Declaration to Binding Instrument 15 (Giacomo Di Federico ed., 2011).
(41) NV Algemene Transport- en Expeditie Ondememing van Gend & Loos v Netherlands Inland Revenue Administration. Case 26/62. Reference for a preliminary ruling: Tariefcommissie-Netherlands. Case 26-62, (ECJ 5 Feb. 1963).
(43) For a preliminary ruling, see Flaminio Costa v E.N.E.L. Reference. Case 6/64, [Costa v. ENEL), (ECJ 15 Jul. 1964). See also Case 11/70, Internationale Handelsgesellschaft mbH v Einfuhrund Vorratsstelle fur Getreide und Futtermittel. Reference. Case 11-70, (ECJ 17 Dec. 1970).
(44) Case 29/69, Erich Stauder v City of Ulm. Reference for a preliminary ruling. Case 29-69., (ECJ 12 November 1969).
(45) For a more extensive discussion on which other international law instruments may create legal obligations for the European Union, see generally Tawhida Ahmed & Israel de Jesus Butler, The European Union and Human Rights: An International Law Perspective, 17 EUR. J. Int'l L. (2006).
(46) J. Nold, Kohlen- und Baustoffgrosshandlung v. Commission. Case 4/73, (ECJ 14 May 1974).
(47) See Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European community, art. 6 (3), Dec. 13, 2007, O.J. (C306) 1 ("Fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and as they result from the constitutional traditions common to the Member States, shall constitute general principles of the Union's law.").
(48) For a discussion of the past and future relationship between the ECtHR, the CJEU and the European Union, see generally Tobias Lock, The ECJ and the ECtHR: The Future Relationship Between the Two European Courts, 8 L. AND PRAC. OF INT'L CTS. and TRIBUNALS 375 (2009).
(49) The right to respect for private and family life, home and correspondence as guarenteed by Article 8 of the European Convention on Human Rights. European Convention on Human Rights, art. 8, Nov. 4, 1950 C.E.T.S. 194.
(50) Lee A. Bygrave, Data Protection Pursuant to the Right to Privacy in Human Rights Treaties, 6 Int'l J. L. & Info. Tech. 247,257-69 (1998).
(51) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Jan. 8, 1981, E.T.S. 108 [hereinafter Convention 108],
(52) As discussed in Lynskey, supra note 18, at 570-71, the Convention does not explicitly refer to the right to data protection, but instead treats data protection as a subset of the right to privacy.
(53) See, e.g., Directive 95/46/EC, of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free movement of Such Data, 2011 O.J. (C 79); Council Decision 2007/533/JHA on the Establishment, Operation and Use of the Second Generation Schengen Information System (SIS II), 2007 O.J. (L 205).
(54) Convention 108, art. 5.
(55) Id. arts. 6, 8, 10.
(56) Id. art. 9(2)(a).
(57) Council Decision 2007/533/JHA on the Establishment, Operation and Use of the Second Generation Schengen Information System (SIS II), 2007 O.J. (L 205).
(58) Council Recommendation No. R(87) 15 Regulating the Use of Personal Data in the Police Sector (1987).
(59) Id. principle 4.
(60) Stephen Kabera Karanja, Transparency and Proportionality in the Schengen Information System and Border Control Co-Operation 126 (2008).
(61) Graham Greenleaf, "Modernising" Data Protection Convention 108: A Safe Basis for a Global Privacy Treaty?, 29 Computer L. & Sec. Rev. 436 (2013).
(62) Sylvia Kierkegaard et al., 30 Years On--The Review of the Council of Europe Data Protection Convention 108, 27 COMPUTER L. & SEC. Rev. 223, 225 (2011).
(63) The term "primary law" refers to the body of E.U. law that can only be amended through an intergovernmental conference of the Member States--e.g., the E.U. treaties.
(64) The term "secondary law" refers to the legislation passed by the E.U. institutions, cf. Treaty on the Functioning of the European Union, art. 288, O.J. (C326) 47. This states:
To exercise the Union's competences, the institutions shall adopt regulations, directives, recommendations and opinions. A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States. A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods. A decision shall be binding in its entirety. A decision which specifies those to whom it is addressed shall be binding only on them. Recommendations and opinions shall have no binding force.
(65) Charter of Fundamental Rights of the European Union, art. 8, Dec. 7, 2000, O.J. (C364) 1 [hereinafter CFR],
(66) CFR, art. 52(1).
(67) Juliane Kokott & Christoph Sobotta, The Distinction Between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR, 3 INT'L Data PRIVACY L. 225 (2013).
(68) The disclosure of a name in a business context, for example, could fall out of the scope of the protection of privacy but inside the scope of the right to data protection.
(69) LYNSKEY, supra note 18, at 583.
(70) Before the entry into force of the Treaty of Lisbon, policies within the Area of Freedom, Security and Justice were scattered between the so-called second and third pillar of the European Union, which was not communitarized. The Third Pillar in particular was exempt from the main E.U. data protection legislation and was characterized by ad hoc and scattered agreements on data protection. See generally Paul De Hert & Rocco Bellanova, Data Protection in the Area of Freedom, Security and Justice: A System Still to be Fully Developed? Study for the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) (2009).
(71) Treaty of Lisbon, Declaration No. 20 on Article 16 of the Treaty on the Functioning of the European Union, Dec. 13, 2007, O.J. (C306) 1.
(72) Treaty of Lisbon, Declaration No. 21 on the Protection of Personal Data in the Fields of Judicial Cooperation in Criminal Matters and Police Cooperation, Dec. 13, 2007, O.J. (C306) 1.
(73) The expression "third pillar" refers to the former structure of the European Union, where E.U. law was divided into three "pillars." The first pillar was the supranational pillar, where E.U. law was completely communitarized. The second pillar dealt with issues such as foreign policy with supranational and intergovernmental elements. The third pillar dealt with police and judicial cooperation and had a completely intergovernmental nature, where the E.U. framework merely had a supporting role but policy decisions were completely left for the Member States to consider.
(74) The United Kingdom and Ireland, for instance, will not be bound by the data protection rules laid out in Article 16 TFEU when they carry out activities which fall within the framework of police and judicial cooperation, or Chapters 4 and 5 of Title V TFEU, respectively, if they have opted out of these areas of cooperation. For Denmark, the exception is similar but more complicated: According to Articles 2 and 2a of the Protocol No. 22 on the position of Denmark, Denmark will only be bound to the rules in the field of police and justice cooperation and to the data protection rules in that field as they were pre-Lisbon. All changes and amendments made in this area will not be binding on Denmark. Only practice will show the concrete effects of these opt-outs.
(75) Directive 95/46/EC, of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free movement of Such Data, 2011 O.J. (C 79).
(76) Bygrave, supra note 35, at 58.
(77) Directive 95/46/EC, of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free movement of Such Data, 2011 O.J. (C 79).
(78) Id. art. 28(1).
(79) Id. rec. 9.
(80) Id. art. 5.
(81) Id. art. 3.
(82) Council Framework Decision 2008/977/JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters, 2008 O.J. (L 350).
(83) Eur. Union Comm., EUROPOL: Coordinating the Fight Against Serious and Organised Crime (2008), available at http://www.publications.parliament.uk/pa/ld200708/ldselect/ldeucom/183/183.pdf.
(84) Council Framework Decision No. 977/2008/JHA of 27 November 2008, art. 11, 2008 O.J. (L 350) d.
(85) Hielke Hijmans & Alfonso Scirocco, Shortcomings in EU Data Protection in the Third and the Second Pillars. Can the Lisbon Treaty Be Expected to Help?, 46 COMMON Mkt. L. REV. 1485, 1494 (2009).
(86) See generally Klaus-Dieter Borchardt, The ABC of European Union Law 88 (2010), available at http://europa.eu/documentation/legislation/pdf/oa8107147_en.pdf (distinguishing between a regulation and a directive: A regulation is directly applicable and binding in its entirety; a directive is binding with respect to the intended result and directly applicable only under particular circumstances).
(87) Matt Warmann, EU Privacy Regulations Subject to "Unprecedented Lobbying", TELEGRAPH (Feb. 8, 2012), http://www.telegraph.co.uk/technology/news/9070019/EU-Privacy-regulations-subjectto-unprecedented- lobbying.html.
(88) Eur. Data Prot. Supervisor, supra note 12, at 5.
(89) See generally Alfonso Scirocco, The Lisbon Treaty and the Protection of Personal Data in the European Union, DATAPROTECTIONREVIEW.EU (2008), available at https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/EDPS/Publications/Speeches/200 8/08-09-19_Scirocco_Lisbontreaty_DP_EN.pdf. Alfonso Scirocco is the former legal advisor the the European Data Protection Supervisor.
(90) See Bjorn Miiller-Wille, The Effect of International Terrorism on EU Intelligence Cooperation, 46 J. COMMON MKT. Studs. 49 (2008); see also James I. Walsh, Intelligence-Sharing in the European Union: Institutions Are Not Enough 44 J. COMMON Mkt. STUDS. 625, 626 (2006).
(91) Richard J. Aldrich, Intelligence and the European Union, in THE OXFORD HANDBOOK OF THE European Union 629, (Erik Jones et al. eds., 2012).
(92) See Wilhelm Agrell, When Everything Is Intelligence--Nothing Is Intelligence, 1 The Sherman Kent Center for Intelligence Analysis Occasional Papers (2002); Philip Davies, Ideas of Intelligence: Divergent National Concepts and Institutions, in SECRET INTELLIGENCE, A READER (Christopher Andrew et al. eds., 2009); Peter Gill, Theories of Intelligence: Where Are We, Where Should We Go and How Might We Proceed?, in INTELLIGENCE THEORY: KEY QUESTIONS AND Debates (Peter Gill et al. eds., 2009); James Sheptycki, Policing, Intelligence Theory and the New Human Security Paradigm, in Intelligence Theory: Key Questions and Debates (Peter Gill et al. eds., 2009); Michael Warner, Intelligence as Risk Shifting, in INTELLIGENCE THEORY: KEY QUESTIONS and DEBATES (Peter Gill et al. eds., 2009); Michael Warner, Wanted: A Definition of "Intelligence, ", in Secret Intelligence, a Reader (Christopher Andrew, et al. eds., 2009).
(93) Council, Council Framework Decision 2006/960/JHA, 2006 O.J. (L 386) 89 (EC) (2006).
(94) See, e.g., Michael Warner, Wanted: A Definition of "Intelligence," 46 Stud, in INTELLIGENCE 5 (2002), available at http://www.cia.gov/csi/studies/vol46no3/article02.html;
(95) See, e.g., European Police Conference, Berlin, Ger., Feb. 18-19, 2014 (discussing "Big Data").
(96) Susan Freiwald, Managing the Muddled Mess of Big Data, in Big Data AND PRIVACY Making Ends Meet. Future of Privacy Forum 31, (Stanford Law School The Center for Internet and Society ed., 2013).
(97) Aldrich, supra note 91, at 629.
(98) Joanna Parkin, EU Home Affairs Agencies and the Construction of EU Internal Security (2012).
(99) Id. at 6.
(100) Id. at 32.
(101) See Baldaccini, supra note 8; see also Thierry Balzacq, The Policy Tools of Securitization: Information Exchange, EU Foreign and Interior Policies, 46 J. COMMON MKT. STUD. (2008); Adam Crawford, The Governance of Crime and Insecurity in an Anxious Age: The Trans-European and the Local, in Crime and Insecurity: The Governance of Safety in Europe (Adam Crawford ed., 2002).
(102) European Council, Internal Security Strategy for the European Union: Towards a European Security Model 22 (2010), available at http://www.consilium.europa.eu/uedocs/cms_data/librairie/PDF/QC30I0313ENC.pdf.
(103) On its website, Frontex advertises its intelligence products--its risk analyses that are published on a regular basis and are divided into public and restricted versions. See Frontex, www.frontex.europa.eu/intelligence/risk-analysis (last visited Feb. 12, 2014); see also Parkin, supra note 99, at 1, 13 (reflecting "a future oriented, proactive and prevention approach to security threats facing the EU").
(104) Intelligence-led policing is a British-inspired law enforcement theory that stresses intelligence gathering and the targeting of police resources on the worst criminals.
(105) Trevi does not only refer to the fountain in Rome where the group was set up but is also an acronym standing for "Terrorisme, Radicalisme, Extremisme et Violence Internationale."
(106) Didier Bigo et al., Justice and Home Affairs Databases and a Smart Borders System at EU External Borders: An Evaluation of Current and Forthcoming Proposals (2012).
(107) See Didier Bigo, The Field of the EU Internal Security Agencies, DlDIERBIGO, http://www.didierbigo.com/documents/challenge/challcnge.fmal.swf (last visited Mar. 3, 2015) (providing a graphical overview of the landscape of these databases and information exchange networks through 2008).
(108) Communication from the Commission to the Council and the European Parliament on Improved Effectiveness, Enhanced Interoperability and Synergies Among European databases in the Area of Justice and Home Affairs COM (2005) 597 final (Nov. 24, 2005).
(109) Id. Interoperability is not only used in the European Union but a general trend in global data sharing. For instance, the OECD Privacy Conference in 2011 was themed "Current Developments in Privacy Frameworks: Toward Global Interoperability."
(110) Bigo et al., Justice and Home Affairs Databases and a Smart Borders System at EU External Borders 20 (2012).
(111) Id. at 20-21.
(112) Id. at 21.
(113) Communication from the Commission to the Council and the European Parliament on Improved Effectiveness, Enhanced Interoperability and Synergies Among European Databases in the Area of Justice and Home Affairs COM (2005) 597 final (Nov. 24, 2005).
(114) See Hempel et al, supra note 8.
(116) Id. at 4.
(118) Id. at 5.
(119) Executive summary of the Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament and the Council entitled 'Strengthening law enforcement cooperation in the EU: the European Information Exchange Model (EIXM), 2013 O.J. (C 32) 5.
(120) EU-LISA, Annual Activity Report 2013 11 (2014).
(121) Miles Kahler, Networked Politics, Agency, Power, and Governance, in Networked Politics, Agency, Power, and Governance 5-9, (Miles Kahler ed., 2009).
(122) Claudia Hillebrand, Counter-Terrorism Networks in the European Union: Maintaining Democratic Legitimacy After 9/11 29 (2012).
(123) See Bignami, supra note 13, at 665-67. Bignami separates intelligence networks according to their degree of coordination, with "formalized" and "informal" networks at opposite ends of the spectrum. A "formalized network" is categorized as one with a central secretariat that is responsible for collecting information from the network participants, analyzing that information, and retransmitting the information to network participants. An "intermediary network" such as the Schengen Information System also possesses a central component, but only performs ministerial tasks for the network participants without conducting an independent analysis of the information received.
(124) Madalina Busuioc et al., Agency Growth Between Autonomy and Accountability: The European Police Office as a 'Living Institution,' 18 J. EUR. PUB. POL'Y 848, 853 (2011).
(125) Hillebrand, supra note 122, at 5.
(126) Convention based on Article K.3 of the Treaty on European Union on the Establishment of a European Police Office (Europol-Convention) art. 1 (1995), available at http://www.coe. int/t/dghl/cooperation/economiccrime/organisedcrime/projects/carpo/output_3_- _special_investigative_means/Europol_Convention.pdf.
(127) Id. art. 2.1.
(128) Id. art. 3.1.
(129) Mathieu Deflem, Europol and the Policing of International Terrorism: Counter-Terrorism in a Global Perspective, 23 JUST. Q. 336, 353 (2006).
(130) Council Framework Decision 2002/465/JHA of 13 June 2002 on Joint Investigation Teams 2002 O.J. (L 162).
(131) Council Decision 09/371, Establishing the European Police Office (Europol), art. 6.1, 2009 O.J. (L 121)37.
(132) Protocol Amending the Convention on the establishment of a European Police Office (Europol Convention) and the Protocol on the privileges and immunities of Europol, the members of its organs, the deputy directors and the employees of Europol 2002 O.J. (C 312).
(133) See generally Council Decision 09/371, Establishing the European Police Office (Europol), art. 6.1, 2009 O.J. (L 121).
(134) Eur. Police Office, Europol Review: General Report on Europol Activities 8 Europol Review 2012. (2013).
(135) Council Decision 09/371, supra note 132, art. 2.
(136) Id., annex.
(137) Europol, https://www.europol.europa.eu/content/page/about-us (last visited Dec. 29, 2014).
(138) Europol, Data Protection at Europol 6 (2012), available at https://www.europol.europa.eu/sites/default/files/publieations/europol_dpo_booklet_0.pdf.
(139) Hillebrand, supra note 123, at 66.
(140) Council Decision 09/371, supra note 132, art. 12.1(a).
(141) Id. art. 12.1(b).
(142) Id. art. 13.1.
(143) Europol, supra note 139, at 15.
(144) Council Decision 09/371, supra note 132, art. 14.1(a)-(e).
(145) See John D. Occhipinti, The Politics of EU Police Cooperation, Toward a European FBI? (2003).
(146) Hillebrand, supra note 123, at 68.
(147) Eur. Union Comm, Europol: Coordinating the Fight Against Serious and Organised Crime. No. 29 (2008).
(148) Eur. POLICE OFFICE, supra note 135, at 14-15. The other countries and organizations are Albania, Australia, Canada, Colombia, Croatia, Iceland, Norway, Switzerland, the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF), the Drug Enforcement Administration (DEA), the Immigration and Customs Enforcement (ICE), the Internal Revenue Service (IRS), and the Naval Criminal Investigative Service (NCIS).
(149) Balzacq, supra note 102, at 84.
(150) Council Note 5968/02, Requirements for SIS, 2002, 2, available at http://www.statewatch.org/news/2002/apr/sis05968.pdf; see also Council Decision 2005/211/JHA 2001 ("The Council will examine whether to extend, in the context of counter-terrorism, SIS access to other public services.").
(151) See Council Note 5970/02, Access by EUROPOL to the Schengen Information System (SIS) 2002, available at http://www.statewatch.org/news/2002/mar/europol05970.pdf.
(152) Comission Regulation 1987/2006, On the Establishment, Operation and Use of the Second Generation Schengen Information System (SIS II), 2006 O.J. (L 381) 4, 13-15.
(153) Id. at 21-23.
(154) Id. at 13.
(155) See Council Note 5970/02, supra note 151.
(156) Report from the Comission to the European Parliament and the Council, at 9, COM (2014) 292 final (May 26, 2014).
(157) K.ARANJA, supra note 60, at 422.
(158) Council & Parliament Regulation (EC) No. 45/2001 of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data, O.J. L 008 (2001).
(159) Id. art. 27.
(160) Id. art. 28.
(161) Joint Supervisory Auth. of Schengen, Report of the Schengen joint Supervisory Authority on an Inspection of the Use of Article 99 Alerts in the Schengen Information System (2007).
(162) See, e.g., EUROPOL, supra note 139.
(163) Council Decision 2009/371/JHA, Establishing the European Police Office, art. 29(1)(a), 2009 O.J. (L 121) 37, 52 [hereinafter Europol Decision],
(164) Id. art. 29(1)(b).
(165) Id. art. 20(1).
(166) Id. art. 29(4).
(167) Id. art. 19(1).
(168) Id. art. 19(3).
(169) Id. art. 12(1)(a-b).
(170) Id. art. 12(2)-(3).
(171) Council Decision 2009/936/JHA, Adopting the Implementing Rules for Europol Analysis Work Files, art. 6, 2009 O.J. (L 325) 14, 16-17.
(172) Data Prot. Working Party, Opinion 3/2013 on Purpose Limitation 4 (April 2, 2013).
(173) Europol Decision, supra note 164, art. 12(1)(b).
(174) S. & Marper v. United Kingdom, 2008-V Eur. Ct. H.R. at 208-09 (2008).
(175) Europol Decision, supra note 164, art. 27 at 51.
(176) Directorate General for Internal Policies, Parliamentary Oversight of Security and Intelligence Agencies in the European Union 62 (2011).
(177) Europol Decision, supra note 164, arts. 30(7), 32.
(178) Directorate General for Internal Policies, Implementation of the EU Charter of Fundamental Rights and its Impact on EU Home Affairs Agencies 72 (2011).
(179) Directorate General for Internal Policies, supra note 177, at 63.
(180) Franziska Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice 184 (2012).
(181) Council Recommendation No. R(87) 15, supra note 59, 2.I-.4 (1987).
(182) BOEHM, supra note 181, at 184-85.
(183) Europol Decision, supra note 164, art. 13(2).
(184) This case involved a group of thirty-three young women whose information was in the EIS as suspects or perpetrators of criminal activity. Upon investigation, the JSB determined that they were likely victims of human trafficking. Although the JSB informed the Member State that had inputted the information, it had not been removed from the system one year later. See EUR. Union Comm., supra note 84, at 173.
(185) Id. at 174.
(186) Id. art. 2.
(187) Bygrave, supra note 35, at 58.
(188) See Council Decision 2007/533/JHA, On the Establishment, Operation and Use of the Second Generation Schengen Information System (SIS II), art. 36, 2007 O.J. (L 205) 63, 75 (hereinafter SIS II Decision) (explaining the "objectives and conditions" of Article 36 alerts).
(189) Id. art. 36(2)(b).
(190) Joint Supervisory Auth. of Schengen, supra note 162, at 6.
(191) SIS II Decision, supra note 190, art. 36(3).
(193) RUTH Weinzierl, Europaische Parallelentwicklungen als Gegenstand Menschenrechtsorientierter Evaluierung, in MENSCHENRECHTLICHE STANDARDS IN DER SICHERHEITSPOLITIK 147, 162 (Marion Albers & Ruth Weinzierl eds., 2009) (Ger.).
(194) SIS II Decision, supra note 190, art. 45(5).
(195) Karanja, supra note 61, at 217-18.
(197) Deutscher Bundestag: Drucksachen [BT] 18/1775 (Ger.).
(198) Ole Reissmann, Hacker Knackten Schengen-Datenbank, Der Spiegel, (Jan. 17, 2014), http://www.spiegel.de/netzwelt/netzpolitik/sis-hacker-kopierten-teile-der-schengen-datenbank-a944059.html (Ger.).
(199) Christian Fuchs et al., Dubioser Partner der Regierung, SUDDEUTSCHE ZEITUNG, (Nov. 16, 2013), http://www.sueddeutsche.de/politik/deutsche-auftraege-fuer-csc-dubioser-partner-der-regierung1.1820145 (Ger.).
(200) SIS II Decision, supra note 190, art. 54.
(201) Europol Decision, arts. 22-23.
(202) Other operational agreements are concluded with Albania, Australia, Macedonia, Iceland, Norway, Serbia, Switzerland, Liechtenstein, and Monaco.
(203) Other strategic agreements are concluded with Bosnia & Herzegovina, Moldova, and Montenegro.
(204) Eur. Union Comm., supra note 84, at 178.
(205) Europol Decision, art. 23(3).
(206) Christian Kaunert, Europol and EU Counterterrorism: International Security Actorness in the External Dimension, 33 STUD. IN CONFLICT & TERRORISM 652, 662 (2010).
(207) Europol Decision, art. 23(8).
(208) Directorate General for Internal Policies, supra note 177, at 49.
(209) Hildebrand, supra note 123, at 99-101.
(210) Eur. Union Comm., supra note 84, at 22.
(211) Europol, Strategic Co-operation Agreement Between the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union and the European Police Office (Mar. 28, 2008), available at https://www.europol.europa.eu/content/page/eu-agencies-135.
(212) Id. at 3.
(213) Regulation (EU) No. 1168/2011 of the European Parliament and of the Council of 25 October 2011 Amending Council Regulation (EC) No. 2007/2004 Establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, 2011 O.J. (L 304) 1, 13-14.
(214) On the human rights record of Nigeria, see Amnesty Int'l, Annual Report 2012: Nigeria (2013).
(215) On the human rights record of the Azerbaijani government, see Azerbaijan: Abysmal Record of Human Rights Continues as Activist Arrested, Amnesty Int'l (July 30, 2014), http://www.amnestyusa.org/news/news-item/azerbaijan-abysmal-record-of-human-rights-continues-asactivist-arrested.
(216) See Melanie Fink, Frontex Working Arrangements: Legitimacy and Human Rights Concerns Regarding 'Technical Relationships', 28 UTRECHT J. INT'L & EUR. L. 20 (2012).
(217) Elspeth Guild, Implementation of the EU Charter of Fundamental Rights and its Impact on EU Home Affairs Agencies, in JUSTICE AND HOME Affairs (2011), available at http://www.ceps.eu/book/implementation-eu-charter-fundamental-rights-and-its-impact-eu-homeaffairs-agencies.
(218) Statewatch, A Permanent "State of Emergency," 11 Statewatch REP. 21-22 (2001).
(219) Council Note 6890/02, Europol Access to SIS, 2002.
(220) Joanna Parkin, The Difficult Road to the Schengen Information System II: The Legacy of 'Laboratories' and the Cost for Fundamental Rights and the Rule of Law, CEPS 29 (2011), http://www.ceps.eu/system/files/book/2011 /04/SIS_II_paper_liberty_security_formattedl .pdf.
(221) SIS II-Decision, supra note 190, art. 41 (deciding Europol gets access to data concerning people wanted for arrest for surrender or extradition purposes, alerts requiring discreet checks, and alerts for objects for seizure or as evidence in criminal proceedings).
(222) Id. arts. 41(2), 41(3), 42(2).
(223) Id. arts. 41(5), 42(4)-(6).
(224) Id. recital 26.
(225) Europol Decision, supra note 164, art. 21:
"In so far as Europol is entitled under Union, international or national legal instruments to gain computerised access to data from other information systems, of national or international nature, Europol may retrieve personal data by such means if that is necessary for the performance of its tasks. The applicable provisions of such Union, international or national legal instruments shall govern access to and the use of this data by Europol, in so far as they provide for stricter rules on access and use than those of this Decision."
(226) SIS II-Decision, supra note 190, art. 43.
(227) Opinion of the European Data Protection Supervisor 2006/C, 2006 O.J. (C 91) 38.
(228) BOEHM, supra note 181, at 346.
(229) Council Decision 2009/371, supra note 203, arts. 22, 23,
(230) Statewatch, supra note 220, at 21-22.
(231) Council Note 6890/02, supra note 221.
(232) See Evelien Brouwer, The Other Side of Moon: The Schengen Information System and Human Rights: A Task for National Courts (Ctr. for Eur. Policy Studies, Working Paper No. 288, 2008), available at http://aci.pitt.edu/9375/.
|Printer friendly Cite/link Email Feedback|
|Publication:||Stanford Journal of International Law|
|Date:||Jan 1, 2015|
|Previous Article:||Regulating the surveillance state, upstream and down: a law & economics approach to the intelligence framework and proposed reforms.|
|Next Article:||Uncertainties, intelligence, and risk management: a few observations and recommendations on measuring and managing risk.|