Skip to main content
View expanded cover

European Data Protection: In Good Health? pp 143–183Cite as

Information Sharing in the Area of Freedom, Security and Justice—Towards a Common Standard for Data Exchange Between Agencies and EU Information Systems

Abstract

Information sharing, including the exchange of personal data, between European law enforcement and judicial actors in the Area of Freedom, Security and Justice (AFSJ) is increasingly growing. In addition, the access of law enforcement and judicial agencies (Europol, Eurojust) to data stored in the European information systems, such as the CIS, SIS (II), VIS or Eurodac seems to become an essential tool in the field of EU internal security policy. Without being limited by the former pillar constraints, and above all, in absence of a unified approach to data protection in the former third pillar, the main actors in this field increasingly exchange data between each other as well as with third states. The paper illustrates the existing and the planned instruments governing AFSJ data exchange as well as their compliance with data protection rules. After that it suggests some basic data protection standards which follow from the respect of Article 8 ECHR and would improve the respect of data protection rules in the field of information sharing between agencies and EU agencies and information system.

Keywords

  • European Union
  • Criminal Matter
  • Council Decision
  • Judicial Cooperation
  • Council Framework Decision

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This contribution is based on my PhD research carried out during the last years. It provides a brief overview of some of the results of the research. The complete thesis with the title: “Information sharing and data protection in the Area of Freedom, Security and Justice” is published by Springer.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-94-007-2903-2_8
  • Chapter length: 41 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   179.00
Price excludes VAT (USA)
  • ISBN: 978-94-007-2903-2
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Hardcover Book
USD   229.00
Price excludes VAT (USA)
Learn about institutional subscriptions

Notes

  1. 1.

    The term AFSJ is a political notion describing several policies brought together under the umbrella of an overarching concept. Introduced by the Treaty of Amsterdam and further developed in the Lisbon Treaty, this policy aims at offering “its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured in conjunction with appropriate measures with respect to external border controls, asylum, immigration and the prevention and combating of crime” (Article 3 (2) TEU). These political goals are practically enforced by the adoption of multi-annual work programmes (the Vienna (1998), the Tampere (1999), the Hague (2004) and the Stockholm programme (2009)), which establish general priorities and political objectives in this area. Although multi-annual work programmes are not as such binding instruments, these programmes set different political goals, which are subsequently legally implemented by the instruments available to the European legislator, primarily by way of Directives, Regulations and Council Decisions. As a result thereof, these programmes have a substantial effect on the future institutional policy and often directly influence legislative actions in this area.

  2. 2.

    The Hague programme adopted in 2004, for instance, promoted the enforced cooperation of the actors in the AFSJ and introduced the “availability principle”, which should govern law enforcement-related data exchange from then on. Bilateral agreements between EU bodies and provisions in secondary legislation were foreseen intending to exchange data and leading, amongst others, to a reinforced inter-agency cooperation. Other measures aimed to allow mutual access to databases or their common use. National databases were supposed to become “interoperable” and direct access to central EU databases such as the SIS should have been established whereby nevertheless data protection standards should have been “strictly observed” (The Hague Programme: Council doc. 16054/04 from 13 December 2004, point 2.1, pp. 18–19). As a main consequence of this instrument, which covered the period from 2005 to the end of 2009, more and more data were shared and the actors in the AFSJ worked closer together than before. The period after 2009 is now covered by the Stockholm programme valid from 2010 to 2014 endorsing the availability principle while repeating the data protection pleas (The Stockholm Programme, Council doc. 17024/09 from 2 December 2009, point 4.2.2, pp. 37–38), Compare also note from the General Secretariat to the Standing Committee on operational cooperation on internal security (COSI), final report on the cooperation between JHA agencies, Council doc. 8387/10 from 9 April 2010.

  3. 3.

    Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ 2008, L-350/60, in the following FDPJ, OJ 2008, L-350/60 represents a first step towards a comprehensive framework in this area; the FDPJ is, however, very restricted in scope as it is, for instance, not applicable to the data processing of most of the AFSJ law enforcement agencies, such as Europol and Eurojust, as well as at other AFSJ exchange systems, that is, the Schengen or the Customs Information Systems; moreover, excluded from the scope is also the internal processing of the Member States in police and criminal matters.

  4. 4.

    Four main areas stand out: policies on border checks, asylum and immigration, judicial cooperation in civil as well as in criminal matters and police cooperation (Title V Chapters 2–5 TFEU).

  5. 5.

    The Provision on police and judicial cooperation in criminal matters (former Title VI EU Treaty) are former third pillar policies whereas the provisions on asylum and immigration were regulated under former first pillar Community law (Title IV EC Treaty).

  6. 6.

    Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Delivering and area of freedom, security and justice for European’s citizens—Action Plan implementing the Stockholm Programme, COM(2010) 171 final, in particular p. 6.

  7. 7.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995, L-281/31.

  8. 8.

    For instance: Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, OJ 1998, L-24/1.

  9. 9.

    Article 3 (2) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995, L-281/31. This statement was clarified by the ECJ in the famous PNR case: joined cases C-317/04 and C-318/04, Parliament v. Council, [2006], ECR I-4721.

  10. 10.

    Compare for a profound analysis of the instruments of the Council of Europe.

  11. 11.

    Convention No. 108 of the Council of Europe for the protection of individuals with regard to automatic processing of personal data from 28 January 1981.

  12. 12.

    In particular the additional protocol to Convention for the protection of individuals with regard to automatic processing of personal data regarding supervisory authorities and trans-border data flows, which entered into force in 2004.

  13. 13.

    Recommendation R (87) 15 of the Committee of Ministers to the Member States regulating the use of personal data in the police sector, adopted 17 September 1987.

  14. 14.

    However, since the adoption of the Framework Decision “on the protection of personal data in the framework of police and judicial cooperation in criminal matters” (DPFD) in 2008, OJ 2008, L-350/60, certain minimum requirements also apply in the field of security-related data processing at the EU level.

  15. 15.

    See: Siemen (2006). Admittedly, it does not cover all difficulties arising in an EU law enforcement context and is the lowest common denominator as the guarantees of the ECHR apply in a public international law context, but the interpretations of the ECtHR have attained a far-reaching significance for the EU over the years and cooperation between the EU and the Council of Europe in fundamental rights matters continually improves. Compare also: De Schutter (2008). See also: joint declaration on cooperation and partnership between the Council of Europe and the European Commission from 3 April 2001, accessed July 12, 2011, http://www.jp.coe.int/Upload/91_Joint_Declaration_EF.pdf; Memorandum of Understanding between the Council of Europe and the European Union from 10 May 2007, CM(2007)74, accessed July 12, 2011, https://wcd.coe.int/ViewDoc.jsp?Ref=CM(2007)74&Language=lanEnglish.

  16. 16.

    Compare for instance: ECtHR, Leander v. Sweden, Application no. 9248/81 from 26 March 1987; ECtHR, Amann v. Switzerland, Application no. 27798/95 from 16 February 2000; ECtHR, Rotaru against Romania, Application no. 28341/95 from 4 May 2000; ECtHR, Panteleyenko v. Ukraine, Application no. 11901/02 from 29 June 2006; ECtHR, S. and Marper v the United Kingdom, Application nos. 30562/04 and 30566/04 from 4 December 2008; ECtHR Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision from 29 June 2006; ECtHR, C.G. and others v. Bulgaria, Application no. 1365/07 from 24 April 2008; ECtHR, Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, Application no. 62540/00 from 28 June 2007; ECtHR, Malone v. the United Kingdom, Application no. 8691/79 from 2 August 1984; ECtHR, Valenzuela v. Spain, Application no. 27671/95 from 30 July 1998.

  17. 17.

    ECtHR, Z. v Finland, Application no. 22009/93, from 25 February 1997, para 95; ECtHR, Peck v. United Kingdom, Application no. 44647/98 from 28 January 2003, para 78; ECtHR, L.L. v France Application no. 7508/02 from 10 October 2006, para 43; ECtHR, Biriuk v Lithuania, Application no. 23373/03 from 25 November 2008, para 39; ECtHR, I v Finland Application no. 20511/03 from 17 July 2008, para 38; ECtHR, S. and Marper v the United Kingdom, Application nos. 30562/04 and 30566/04 from 4 December 2008, para 103; ECtHR, C.C. v. Spain, Application no. 1425/06 from 6 October 2009, para 31.

  18. 18.

    ECtHR, Amann v. Switzerland, Application no. 27798/95 from 16 February 2000, paras 65–67.

  19. 19.

    ECtHR, Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision from 29 June 2006, para 79.

  20. 20.

    ECtHR, Sunday Times v. the United Kingdom, Application no. 6538/74, para 49 from 26 April 1979; ECtHR, Liberty and others v. the United Kingdom, Application no. 58234/00 from 1 July 2008, para 68; ECtHR Silver v. the United Kingdom, Application no. 5947/72 and others from 25 March 1983, paras 85–88.

  21. 21.

    ECtHR, Segerstedt-Wiberg and others v. Sweden, Application no. 62332/00 from 6 June 2006, paras 88–92; ECtHR, Liberty and others v. the United Kingdom, Application no. 58234/00 from 1 July 2008, para 68; ECtHR, Rotaru v. Romania, Application no. 28341/954 from 4 May 2000, para 57; ECtHR, Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision from 29 June 2006, paras 116 and 127.

  22. 22.

    ECtHR, S. and Marper v. the United Kingdom, Application nos. 30562/04 and 30566/04 from 4 December 2008, para 119; ECtHR, Segerstedt-Wiberg and others v. Sweden, Application no. 62332/00 from 6 June 2006, paras 89–92.

  23. 23.

    ECtHR, Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision, para 116 from 29 June 2006, ECtHR, Rotaru v. Romania, Application no. 28341/954, para 57 from 4 May 2000; see also: ECtHR, Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, Application no. 62540/00 from 28 June 2007.

  24. 24.

    ECtHR, Rotaru against Romania, Application no. 28341/95 from 4 May 2000, paras 55–63; ECtHR, Segerstedt-Wilberg and others v. Sweden, Application no. 62332/00 from 6 June 2006, para 121.

  25. 25.

    ECtHR, Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision from 29 June 2006, para 135: “since there is in principle little scope for recourse to the courts by the individual concerned unless the latter is advised of the measures taken without his or her knowledge and thus able to challenge their legality retrospectively”.

  26. 26.

    ECtHR, Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision, para 135 from 29 June 2006.

  27. 27.

    Article 6 (3) TFEU.

  28. 28.

    Replacing Article 251 EC, which lays down the current co-decision procedure, the ordinary legislative procedure in Article 294 TFEU assures compulsory participation of the European Parliament, additionally the Council’s acting by a qualified majority in the legislative process.

  29. 29.

    For an excellent overview of the situation of data protection after the Lisbon Treaty, see: Hijmans and Scirocco (2009). Article 9 of the Protocol No. 36 annexed to the Lisbon Treaty provides that the legal effects of the acts adopted before the entry into force of the Lisbon Treaty shall be preserved until those acts are repealed, annulled or amended. A deadline to adapt the old instruments to the new Treaty provisions, for instance, in case they do not comply with Article 16 TFEU, is not given. With respect to acts in the field of police cooperation and judicial cooperation in criminal matters adopted before the entry into force of the Treaty of Lisbon, the powers of the Commission under Article 258 TFEU (the Commission’s right to enact infringement proceedings) as well as the limited powers of the ECJ under Title VI of the former TEU shall remain the same. In this case, the transitional measure shall cease to have effect 5 years after the date of entry into force of the Treaty of Lisbon. Declaration 20 and 21 provide for the possibility to enact other data protection rules in the ASFJ than those being possibly applicable to former first pillar matters as regards national security as well as in police and judicial cooperation. Moreover, certain Member States (United Kingdom, Ireland, Denmark) complicatedly exclude the application of Article 16 TFEU in specific cases.

  30. 30.

    The European Parliament and the Council will “lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities, which fall within the scope of Union law, and the rules relating to the free movement of such data” (Article 16 (2) TFEU).

  31. 31.

    Europol and Eurojust are Europe’s law enforcement agencies, which collect personal data of criminals, but also of suspects, victims and witnesses. Frontex assures the control of the external borders of the EU and collects data of third state nationals trying to pass the border. OLAF is the Commission’s anti-fraud unit carrying out internal investigations within the EU institutions, bodies and agencies. The unit mainly collects personal data of individuals suspected of fraud.

  32. 32.

    The SIS is a database in the framework of law enforcement and immigration control, which contains data of third state nationals, but also EU nationals. The CIS serves customs control purposes and contains personal data of individuals suspected of illicit trafficking activities. The VIS serves the purpose of the exchange of visa data and entails information of third state nationals who apply for a visa to enter the EU. Eurodac stores fingerprint data of asylum seekers and should prevent that asylum seekers make multiple asylum applications in different Member States of the EU.

  33. 33.

    Council Act of 29 May 2000 establishing in accordance with Article 34 of the Treaty on European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ 2000 C 197/1, Article 13; to the initiation of the JIT project, see: Horvatis and Bart De Buck (2007) and Rijken and Vermeulen (2006).

  34. 34.

    Article 88 (2) (b) TFEU.

  35. 35.

    Compare recital 9 and Articles 5 (1) (d), 5 (5), 6, 8 (7) c and 54 Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37 as well as Articles 6 (b) (iv), 9 (f), 12 (2) (d), 13 (2) (5) and 25 (a) (2) Eurojust Decision.

  36. 36.

    Article 6 Europol Decision and Article 7 (4) Eurojust Decision.

  37. 37.

    The Framework Decision on JITs (Article 1 and recital (9) of Council Framework Decision of 13 June 2002 on JITs, OJ 2002 L 162/1 and Article 13 Council Act of 29 May 2000 establishing in accordance with Article 34 Treaty on European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ 2000, C 197/1) specifies that two or more Member States can set up a JIT for a specific purpose and a limited period of time to carry out investigations while Eurojust and Europol may participate in the JITs. For this purpose, participating Member States conclude mutual agreements and Europol and Eurojust organise information events and publish manuals on the concept of JITs. In their aforementioned joint JIT manual from 2009, both agencies encourage Member States to set up JITs to better coordinate cases involving several Member States. A JIT consists of law enforcement officers, prosecutors, judges or other law enforcement-related personnel and is established in the Member State in which investigations are supposed to be principally carried out. Other European Union bodies, particularly the Commission (OLAF) as well as law enforcement bodies from third states such as the FBI may additionally be involved, however, just as Europol and Eurojust, they may participate in the operation of a JIT, although they cannot lead or be a member of it. They are associated by an agreement between the agency/administration of a Member State as a party to the agreement and the relevant European Union or third state body; compare: Explanatory report on the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ 2000, C 379/7 and JITs Manual from 23 September 2009, Council Doc. 13598/09.

  38. 38.

    JITs Manual from 23 September 2009, Council Doc. 13598/09, p. 10 and Eurojust Decision, Article 9 (f).

  39. 39.

    JITs Manual from 23 September 2009, Council Doc. 13598/09, p. 10, see also: Article 6 (1) Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37.

  40. 40.

    JITs Manual from 23 September 2009, Council Doc. 13598/09, pp. 26 and 27 suggesting a model agreement for the participation of Europol, Eurojust or OLAF.

  41. 41.

    Emphasis added, Article 6 (1) Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37, with regard to this problem, see: De Buck (2007).

  42. 42.

    They are vaguely mentioned in Article 6 (4) and (5) Europol Decision and Article 13 (9) and (10) Convention on Mutual Assistance in Criminal Matters as well as Article 1 (9) and (10) Framework Decision on JITs (which literally repeats the aforementioned Articles of the Convention).

  43. 43.

    Usually, the use of this information is restricted to the purpose for which the JIT has been set up and subject to the prior consent of the Member State where the information became available. Information can further be used for preventing an immediate and serious threat to public security and if subsequently a criminal investigation is opened as well as for other purposes to the extent that this is agreed between Member States setting up the team, Article 1 (10) (a)—(d) of Council Framework Decision of 13 June 2002 on JITs, OJ 2002 L 162/1.

  44. 44.

    See example of a model agreement in: JITs Manual from 23 September 2009, Council Doc. 13598/09, p. 24.

  45. 45.

    To this problem, see: Rijken and Vermeulen (2006); Mitsilegas (2009).

  46. 46.

    Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37, Article 6 (4).

  47. 47.

    Information from third States can be obtained by using the so-called Virtual Private Network (VPN) connecting Europol’s national units and offering encrypted lines with third States, see: De Buck (2007). Compare Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37, Article 6 (4) and (5).

  48. 48.

    Compare Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37, Article 6 (4) and (5).

  49. 49.

    JITs Manual from 23 September 2009, Council Doc. 13598/09, p. 10. It is worth mentioning that Eurojust’s function is not any longer restricted to a mere “interface” between national authorities, limited to horizontal cooperation given that the Eurojust Decision 2009 visibly extended its operational tasks and Eurojust’s role in JITs. For instance, Eurojust’s national members are allowed to participate in JITs and the Secretariat of the JIT Experts Network shall form part of the Eurojust’s staff, compare: Lopes da Mota (2009) and Vervaele (2008).

  50. 50.

    It seems also possible that information obtained in course of JITs is entered by the Eurojust’s national Members acting on the basis of national law and not by Eurojust officials in Eurojust’s Case Management System. This possibility would also lead to a non-regulated transfer of data from the Case Management System to the other JIT members considering that national law does not apply in this rather European context. In addition, if only Eurojust’s national members supply Case Management Information to the JIT or information stemming from Eurojust’s own analysis, the questions of information transfer from Eurojust’s Case Management System to the JIT through a member acting on behalf of Eurojust involved in the JIT is left unanswered, compare to the general data protection problems arising out of JITs: Gusy (2008).

  51. 51.

    Compare Commission Decision 1999/352/EC of 28 April 1999 establishing the European Anti-Fraud Office (OLAF) OJ 1999 L136/20 and Regulation (EC) No. 1073/1999 of the European Parliament and the Council of 25 May 1999 concerning investigation conducted by the European Anti-Fraud Office (OLAF), OJ 1999 L136/31; Article 2 (6) Commission Decision 199/352 broadly regulates that “the office shall be in direct contact with the police and judicial authorities” and Article 1 (2) Regulation 1073/1999 only refers to “assistance” from the Commission to the Member States in organising close cooperation between the competent authorities of the Member States.

  52. 52.

    Second Protocol, drawn up on the basis of Article K.3 of the treaty on European Union, to the Convention on the protection of the European Communities’ financial interests—Joint Declaration on Article 13 (2)—Commission Declaration on Article 7, OJ 1997, C-221/12.

  53. 53.

    Indeed, the Convention provides for “operational assistance” including exchange of personal data in fraud-related offences between the Commission and the Member States, but it does not specify at all the instruments to be used in this context.

  54. 54.

    If one party is associated to a JIT related to fraud, corruption or criminal offences affecting the EU’s financial interest, it shall inform the other party about its participation and propose the Member States setting up the JIT to consider inviting the other party, Practical Agreement on arrangements of cooperation between Eurojust and OLAF from 24 September 2008, point 9 (1).

  55. 55.

    Agreement between Europol and Eurojust, which entered into force the 1 January 2010, Articles 7 (2) and 8 (2), in the following Europol-Eurojust Agreement; this Agreement replaced the Agreement between Europol and Eurojust from 9 June 2004.

  56. 56.

    The EDPS in its opinion to the amendment of the Eurojust Decision rightly points to the questions of “who will be the processor?” and “who will be the controller?” within this new collaboration structure. Details to these questions are unfortunately not regulated in the Agreement as it indeed provides for the mutual association, but it does neither clarify questions of supervision in case of Eurojust’s participation in Europol’s analysis work files, nor regarding the transmission of personal data, compare: EDPS opinion on the Council Decision concerning the strengthening of Eurojust and amending Decision 2002/187/JHA from 5 December 2008, OJ 2008, C 310/1, p. 6, para 34.

  57. 57.

    Articles 7 and 8 Europol-Eurojust Agreement.

  58. 58.

    Articles 7 (2) and 8 (2) Europol-Eurojust Agreement.

  59. 59.

    Article 8 (3) Europol-Eurojust Agreement.

  60. 60.

    Eurojust’s mandate refers to list of crimes for which Europol is responsible and which is laid down in Article 3 Europol Decision, compare Article 4 (1) Eurojust Decision.

  61. 61.

    Article 9 (2) Europol-Eurojust Agreement. Article 11 (1) and (2) of the Europol-Eurojust Agreement 2010 clarifies that: Europol shall associate experts of Eurojust to participate within the activities of Europol’s analysis work files, in particular when Eurojust initiated the opening of the respective file. Eurojust may also request to be associated with the activities of a particular analysis group.

  62. 62.

    The transmission of personal data to other authorities was only allowed when it was particularly supervised and restricted to the transmission of data arousing the suspicion that specific facts, as opposed to mere factual indications, pointing to the fact that this person has committed a crime, compare: Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision, paras 42–43 and 123–129 from 29 June 2006; Article 14 (4) Europol-Eurojust Agreement, however, lays down that the transmission of data revealing racial origin, political opinions or religious or other beliefs, or concerning health and sexual life shall be restricted to absolutely necessary cases and that such data shall only be transmitted in addition to other data.

  63. 63.

    According to Article 18 (3) Europol-Eurojust Agreement, transmitted data shall be deleted when they are no longer necessary for the purpose for which they were transferred or when they are not necessary for the tasks of the receiving party or when no decision has been taken within 3 months after receipt (Article 16 (4)); a retention review must take place within the first 3 years of storage and when the storage exceeds 3 years, an annual review has to be implemented, see Article 18 (5) Europol-Eurojust Agreement.

  64. 64.

    Eurojust registered 1,372 new cases in 2009, compare Eurojust annual report 2009, p. 50 and Europol had 88,419 objects stored in the EIS and initiated 8,377 cases in 2008, compare Europol annual report 2008, pp. 33–35.

  65. 65.

    Administrative Arrangement between the European Police Office (Europol) and the European Anti-Fraud Office (OLAF) from 8 April 2004, accessed July 12, 2011, https://www.europol.europa.eu/sites/default/files/flags/european_anti-fraud_office_olaf_.pdf.

  66. 66.

    OLAF annual report 2009, ninth activity report for the period 1 January 2008–31 December 2008, section 4.6.2, p. 59.

  67. 67.

    Article 24 (1) Europol Decision.

  68. 68.

    Regulation 45/2001 is restricted in scope and refers only to personal data transfer between Community bodies, which represent bodies established under the former first pillar and does not include Europol or Eurojust.

  69. 69.

    Regrettably, neither Commission Decision 1999/352/EC establishing OLAF nor Regulation 1073/1999 includes transfer provisions regulating the personal data exchange with third states or agencies such as Europol. Article 10 Regulation 1073/1999 refers to the forwarding obtained in course of internal investigations to the bodies, offices and agencies concerned by the investigation, however, this provision does not take the data exchange in the framework of criminal or judicial cooperation into account. Rules on the transfer to agencies are nowhere to be found in OLAF’s instruments.

  70. 70.

    Strategic cooperation agreement between the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union and the European Police Office from 28 March 2008; in the following: Europol-Frontex Agreement from 28 March 2008.

  71. 71.

    According to Article 2 Europol-Frontex Agreement: 1. “Strategic information” includes, but is not limited to: (a) enforcement actions that might be useful to suppress offences and improve the integrated border management of the Member States of the European Union; (b) new methods used in committing offences, in particular, those threatening the security of external borders or facilitating illegal immigration; (c) trends and developments in the methods used to commit offences; (d) observations and findings resulting from the successful application of new enforcement aids and techniques; (e) routes and changes in routes used by smugglers, illegal immigrants or those involved in illicit trafficking offences covered by this agreement; (f) prevention strategies and methods for management to select law enforcement priorities and (g) threat assessments, risk analysis and crime situation reports. 2. “Technical information” includes, but is not limited to: (a) means of strengthening administrative and enforcement structures in the fields covered by this agreement; (b) police working methods as well as investigative procedures and results; (c) methods of training the officials concerned; (d) criminal intelligence analytical methods and (e) identification of law enforcement expertise.

  72. 72.

    Article 1 Europol-Frontex Agreement from 28 March 2008.

  73. 73.

    For instance: conditions on the further use and transfer of the transmitted information may be imposed on the receiving party, just as Europol shall only supply information to Frontex “, which was collected, stored and transmitted in accordance with the relevant provisions of the Europol Convention and its implementing regulations” though the latter apparently deals with personal data. Compare: Article 5 para 3 et 8 Europol-Frontex agreement.

  74. 74.

    For instance with: the Central Bank, Commission, Monitoring Centre for Drugs and Drug Addiction, OLAF.

  75. 75.

    Pursuant to its Article 22 (3).

  76. 76.

    House of Lords Europol report, European Union Committee, 29th report of session 2007–2008, “Europol: coordinating the fight against serious and organised crime”, published 12 November 2008, p. 80.

  77. 77.

    Final report of COWI (European consulting group) from January 2009 preparing an external evaluation of Frontex provided for in Article 33 of the Council Regulation (EC) No. 2007/2004 of 26 October 2004 establishing Frontex, p. 48, accessed July 12, 2011, http://www.frontex.europa.eu/specific_documents/other/, joint operations are described as a “good example of integrated analyses by Europol and Frontex” and are regarded as a working practice in which intelligence and operations are brought together as closely as possible”. To the details of the cooperation between Europol and Frontex.

  78. 78.

    Final report of COWI (European consulting group) from January 2009 preparing an external evaluation of Frontex provided for in Article 33 of the Council Regulation (EC) No. 2007/2004 of 26 October 2004 establishing Frontex, p. 48, accessed July 12, 2011, http://www.frontex.europa.eu/specific_documents/other/.

  79. 79.

    The proposal to amend the Frontex regulation should eventually put this exchange on a legal basis. Nevertheless, even if the proposal enters into force, personal data exchange with Europol or other Union agencies or bodies would generally require the conclusion of a new cooperation agreement. Compare: Proposal for a Regulation of the European Parliament and the Council amending Council Regulation (EC) No. 2007/2004 of 26 October 2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (FRONTEX) from 24 February 2010, COM (2010) 61 final.

  80. 80.

    Proposal for a Regulation of the European Parliament and the Council amending Council Regulation (EC) No. 2007/2004 of 26 October 2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (FRONTEX) from 24 February 2010, COM (2010) 61 final and Council document 2010/0039 (COD), 8121/10, proposal for a regulation of the European Parliament and the Council amending Council Regulation (EC) No. 2007/2004 establishing a European Agency for the Management of operational cooperation at the external borders of the Member States of the European Union (Frontex) 29 March 2010.

  81. 81.

    Proposal for a Regulation of the European Parliament and the Council amending Council Regulation (EC) No. 2007/2004 of 26 October 2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (FRONTEX) from 24 February 2010, COM (2010) 61 final, Article 2; Eurosur is the planned European Border Surveillance System, for more details, see: Commission staff working paper, report on progress made in developing the European Border Surveillance System (EUROSUR) from 24 September 2009, Sec (2009), 1265 final and analysis of the Commission communications on future development of Frontex and the creation of a EUROSUR, briefing paper from policy department C, citizens` rights and constitutional affairs, civil liberties, justice and home affairs, Directorate General internal policies of the Union from June 2008.

  82. 82.

    Impact assessment accompanying the proposal for a Regulation of the European Parliament and the Council amending Council Regulation (EC) No. 2007/2004 of 26 October 2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (FRONTEX) from 24 February 2010, p. 34.

  83. 83.

    Compare for more details: opinion of the European Data Protection Supervisor (EDPS) on the proposal for a Regulation of the European Parliament and the Council amending Council Regulation (EC) No. 2007/2004 establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (FRONTEX) from 17 May 2010.

  84. 84.

    Compare press release 11916/11, Presse 192 from 23 June 2011, accessed July 12, 2011, http://www.consilium.europa.eu/uedocs/cms_Data/docs/pressdata/en/jha/122983.pdf.

  85. 85.

    Last verified on 30 June 2011.

  86. 86.

    Practical Agreement on arrangements of cooperation between Eurojust and OLAF from 24 September 2008, point 6.

  87. 87.

    Practical Agreement on arrangements of cooperation between Eurojust and OLAF from 24 September 2008, point 14.

  88. 88.

    Theoretically, the EDPS and possibly Eurojust’s JSB are responsible for this task, it would not do any harm to the parties to mention them in the agreement. A particular problem in this context relates to the fact that the responsibility for personal data transfer from Eurojust to OLAF lies only with the national member and not with Eurojust, having for consequence that supervision is becoming increasingly difficult and can usually not be exercised by Eurojust’s JSB.

  89. 89.

    Mutual information duties apply and include the notification duty of the other party about corrections or deletions made, including the reasons therefore. In addition, regarding cases in which one of the parties assumes that information received is not accurate, not up to date or should not have been transmitted, the other party has to be warned. A further provision consists of the requirement to inform a third party, to which transmitted data have been transferred, about any deletions or corrections made concerning this data. Finally, the time limits of the storage bases on the respective rules of the parties, compare practical Agreement on arrangements of cooperation between Eurojust and OLAF from 24 September 2008, point 15.

  90. 90.

    The SIS for security purposes with regard to EU as well as to third state nationals, CIS for customs control, VIS for the exchange of visa data and Eurodac for the exchange of fingerprint data of asylum seekers.

  91. 91.

    Council Decision 2005/211/JHA of 24 February 2005 concerning the introduction of some new functions for the Schengen Information System, including in the fight against terrorism, OJ 2005 L-68/44, Article 1 referring to Articles 95, 99 and 100 Schengen Convention, OJ 2000, L-239/19 (persons wanted for extradition, persons or vehicles placed under surveillance or subjected to specific checks as well as to objects sought for the purpose of seizure or use in criminal proceedings).

  92. 92.

    Up to 69 data elements can be, for instance, stored in an analysis work file at Europol.

  93. 93.

    Articles, 41, 42 and 43 SIS II Decision 2007/533; the scope of the access relates to persons wanted for arrest or surrender purposes, persons and objects for discreet checks or specific checks as well as to objects for seizure or use as evidence in criminal proceedings Eurojust has additionally access to data of missing persons.

  94. 94.

    Articles 42 (1) and (6) SIS II Decision 2007/533. This might be partially due to the fact that only national members of Eurojust can access the SIS II database, then integrating the data in the Eurojust system, but it does not explain why a reference is entirely lacking.

  95. 95.

    “The only provision that enables Eurojust access to SIS data appears to be an unpublished non-legally binding declaration annexed to the Eurojust Decision (which we have asked to see but have never received)”, compare: House of Lords, Select Committee on European Union Written Evidence Sub-Committee F (Social Affairs, Education and Home Affairs), letter from the Chairman to Bob Ainsworth, MP, Under-Secretary of State, Home Office, Schengen Information System: new functions, (9407/02 and 9408/02) from 9 April 2003.

  96. 96.

    Article 41 (3) SIS II Decision 2007/533.

  97. 97.

    Europol’s legal basis, for instance, limits further clarifications to the simple provision that the legal instruments of the relevant partner databases shall govern Europol’s use of the data as well as its access conditions, “in so far as they provide for stricter rules on access and use” than those of the Europol Decision. Compare Article 21 Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37.

  98. 98.

    Articles 41 (5) and 42 (4), (5) and (7) SIS II Decision 2007/533.

  99. 99.

    Compare Article 41 (3) SIS II Decision 2007/533.

  100. 100.

    Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the VIS by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences, OJ 2008, L-218/129 (in the following: VIS access Decision 2008/633).

  101. 101.

    Article 3 (1) VIS Regulation 767/2008, OJ 2008, L-218/60.

  102. 102.

    The VIS access Decision 2008/633 entered into force in September 2008 and was not, contrary to VIS Regulation 767/2008, which is a former first pillar instrument, adopted by using the co-decision procedure, but formed part of the “VIS legislative package” agreed between the European Parliament and the Council in 2007 after two and a half years of negotiations. The reason therefore can be found in the legal basis of the instrument, which is governed by Title VI of the EU Treaty dealing with police and judicial cooperation in criminal matters, more specifically the Decision bases on Article 30 (1) (b) and 34 (2) (c) EU. Treaty; thus the Council alone could decide about the adoption of the instrument.

  103. 103.

    The offences are further detailed in two Framework Decisions, which list a range of different crimes, not always corresponding to those of the Europol Decision. Terrorist offences means the offences under national law corresponding or being equivalent to the offences listed in Article 1–4 Framework Decision 2002/475 on combating terrorism (OJ 2002, L-164/3) and serious criminal offences embraces the forms of crimes corresponding or being equivalent to those referred to in Article 2 (2) Framework Decision 2002/584 on the European Arrest Warrant (OJ 2002, L-190/1).

  104. 104.

    Europol’s tasks are described in Article 5 (1) (a) Europol Decision and mentions that Europol has the task to “obtain, collate and analyse information and intelligence”.

  105. 105.

    Mainly corresponding to Article 14 Europol Decision, which stipulates the conditions for collection, processing and utilisation of personal data in analysis work files.

  106. 106.

    Article 5 (1) VIS access Decision 2008/633 dictates three cumulative access conditions for the national law enforcement and intelligence authorities: first, the access must be necessary for the purpose of prevention, detection and investigation of terrorist offences or other serious crime, second, necessary in a specific case and third, consultation must substantially contribute to the mentioned purposes. Once the national authorities comply with these requirements, a two-step access to the VIS data is stipulated in Article 5 (2) and (3) VIS access Decision 2008/633, which, at this stage of the procedure, also applies to Europol. The two-step access limits the initial search in the VIS to 11 data elements, including fingerprints. Only in the event of a hit, the other data from the visa application form, as well as photographs and the data entered in respect of any visa issued, annulled, revoked, refused or extended are open to access. Whereas the Member States have to fulfill all of the conditions of Article 5 VIS access Decision 2008/633, Europol’s access seems to be regarded as less intrusive.

  107. 107.

    However, Member States as well as Europol have to establish a list with the operating units, which are allowed to access the VIS. These units play an important role in the access procedure as they must submit a reasoned written and electronic request to the central access point established in each Member State or, respectively, at Europol to coordinate the VIS access, compare Articles 3 (3), 4 (1) and 7 (3) VIS access Decision 2008/633, OJ 2008, L-218/129.

  108. 108.

    Report from 21 May 2007 of the European Parliament on the on the proposal for a Council Decision concerning access for consultation of the VIS by the authorities of the Member States responsible for internal security and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences (COM(2005)600final—2005/0323(CNS)), Committee on Civil Liberties, Justice and Home affairs, rapporteur: Sarah Ludford, pp. 7–8, para (7) and proposal for a Council Decision from 24 November 2005 concerning access for consultation of the VIS by the authorities of the Member States responsible for internal security and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences (COM(2005)600final—2005/0323(CNS)), p. 5.

  109. 109.

    A welcomed provision, however, relates to the requirement to designate a specialised unit for the VIS access within Europol, allowing for better supervision while concentrating the request accesses at one specific entity. Such as in the SIS II, Europol’s use of the data is subject to the consent of the Member States entering the data in the VIS, Article 7 (4) VIS access Decision 2008/633, OJ 2008, L-218/129.

  110. 110.

    Due to their limited participation in the Schengen cooperation, certain Member States, such as the United Kingdom, are usually not allowed to access the VIS.

  111. 111.

    Article 6 VIS access Decision 2008/633, OJ 2008, L-218/129.

  112. 112.

    For those Member States, which have ratified it, the Additional Protocol of 8 November 2001 to Convention No. 108 should also be taken into account.

  113. 113.

    Recital (9) VIS access Decision 2008/633/JHA, OJ 2008, L-218/129.

  114. 114.

    Article 8 (1) and recital (9) VIS access Decision 2008/633, OJ 2008, L-218/129.

  115. 115.

    Article 8 (4) VIS access Decision 2008/633, OJ 2008, L-218/129.

  116. 116.

    Article 8 (4) VIS access Decision 2008/633, OJ 2008, L-218/129. There is no definition of such an exceptional case, but there are three additional criteria to be fulfilled to transfer the VIS data to third parties: the data must be necessary in a specific case, the consultation must substantially contribute to the mentioned purposes and the Member States having entered the data into the VIS must have given its consent.

  117. 117.

    Although, as the third pillar data protection Framework Decision 2008/977 is applicable to the VIS access Decision 2008/633, the latter rules must comply with those of the former one.

  118. 118.

    Article 35 Europol Decision stipulates specific rules relating to data security involving the “necessary technical and organisational measures to ensure the implementation of this Decision”. As the wording of this first paragraph of Article 35 Europol Decision suggests, the implementation of data security measures depends on the necessity of these measures. The latter are considered as “necessary where the effort they involve is proportionate to the objective they are designed to achieve in terms of protection”. Thus, data security rules are subjected to a necessity criterion whose content leaves open certain questions. Which body within Europol decides about the effort to be made and about the proportionality of this effort? Europol’s JSB is not mentioned in this context, but Article 10 (3) Europol Decision refers to the Management Board, which shall ensure that the measures and principles referred to in Article 35 Europol Decision are properly implemented. Consequently, the Management Board decides about the implementation of data security rules and in this way about the question to what extent the effort appears to be proportionate and as a result about the effort to be made to adopt a specific security measure. The internal Data Protection Officer or the JSB are not involved.

  119. 119.

    Article 14 VIS access Decision 2008/633/JHA, OJ 2008, L-218/129. Individuals interested in knowing whether their VIS data have been transferred to Europol are merely informed in the framework of the information right provided for in Article 37 VIS Regulation 767/2008. According to this Article, the notification of the applicant is broadly restricted to the fact that Europol may receive the data. There is no information duty provided for in VIS Regulation 767/2008 in the very likely case that the data are transferred to Europol after the visa applicant or the person issuing an invitation or liable to pay the applicant’s subsistence cost, has been initially informed about Europol’s possibility to access the VIS data. Consequently, information about the actual transfer of the information is not given.

  120. 120.

    Article 11 CIS Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes, OJ 2009, L-323/20 (in the following referred to as Council Decision 2009/917, OJ 2009, L-323/20).

  121. 121.

    Articles 11 (1) and 12 (1) Council Decision 2009/917, OJ 2009, L-323/20.

  122. 122.

    Article 11 (1) Council Decision 2009/917, OJ 2009, L-323/20.

  123. 123.

    Recital (5) Council Decision 2009/917, OJ 2009, L-323/20.

  124. 124.

    Recital (5) Council Decision 2009/917, OJ 2009, L-323/20.

  125. 125.

    Recital (6) Council Decision 2009/917, OJ 2009, L-323/20.

  126. 126.

    Articles 11 (3) and 12 (2) Council Decision 2009/917, OJ 2009, L-323/20.

  127. 127.

    Article 11 (3) Council Decision 2009/917, OJ 2009, L-323/20.

  128. 128.

    Articles 11 (4) and (5) and 12 (4) Council Decision 2009/917, OJ 2009, L-323/20.

  129. 129.

    However, a responsibility to inform the supplying Member State if Europol or Eurojust have evidence to suggest that an item of data is factually inaccurate or was entered contrary to the CIS Council Decision 2009/917, applies to the body as well as the obligation to introduce security measures, compare Articles 13 (3) and 28 Council Decision 2009/917, OJ 2009, L-323/20.

  130. 130.

    Compare Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision, from 29 June 2006.

  131. 131.

    According to the CIS Convention, the CIS comprises data necessary to achieve the CIS’s aim previously mentioned, such as commodities, means of transport, businesses, persons, fraud trends, availability of expertise. The new CIS Decision 2009/917 added two new categories: items detained, seized or confiscated and cash detained, seized or confiscated. The Member States determine the items to be included relating to the each of the mentioned categories whereby the data elements, which can be entered, relate to a closed list of personal data and are divided into two groups depending on the aforementioned categories. With regard to the four first categories (commodities, means of transport, businesses and persons), 11 data elements can be stored including: names, date and place of birth, nationality, sex, number and place and data of issue of the identity papers, address, any particular objective and permanent physical characteristics, reasons for entering the data, suggested action, a warning code indicating any history of being armed, violent or of escaping, registration number of the means of transport. Data elements relating to the newly introduced last two categories (items detained, seized or confiscated and cash detained, seized or confiscated) refer to names, date and place of birth, nationality, sex and address. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership or data concerning health or sex life are excluded in any case from processing (compare Articles 3 and 4 Council Decision 2009/917, OJ 2009, L-323/20).

  132. 132.

    Such provisions could, for instance, provide for a notification of the relevant national DPA about the access and transfer of the data by Europol or Eurojust. So far, in the case of Europol, in addition to its already exhaustive tasks (it issues opinions and is responsible for various other tasks: additionally to the review of compliance with individual data protection rights at Europol; it should monitor the permissibility of the transmission of data to third bodies as well as it should review the activities of Europol in its exercise of its rights to access and search data in other databases, such as the SIS II or the VIS; the JSB must also produce a report after having carried out an annual inspection at Europol; Whereby, the JSB describes inspection as a key part of its work, it also functions as an appeal committee; additionally, the JSB also interprets and examines the implementation of the Europol Decision; compare: Article 34 Council Decision of 6 April 2009 establishing the European Police Office, OJ 2009, L121/37) Europol’s JSB shall also review the activities of Europol in the exercise of its access to SIS II data.

  133. 133.

    Once the consent is given, formerly SIS II data can be entered in Eurojust’s and Europol’s databases or transferred to third states.

  134. 134.

    Compare Article 16 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; OJ 2008, L-350/6.

  135. 135.

    Compare VIS Regulation 767/2008.

  136. 136.

    Opinion of the EDPS on the SIS II proposals [2006] OJ C91/38, point 4.2.3.

  137. 137.

    Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision, para 121 from 29 June 2006.

  138. 138.

    According to Article 41 (4) SIS II Decision 2007/533.

  139. 139.

    Compare Articles 9, 22 and 23 Europol Decision.

  140. 140.

    Compare Weber and Saravia v. Germany, Application no. 54934/00 Admissibility Decision, para 79 from 29 June 2006.

  141. 141.

    Opinion of the EDPS on the SIS II proposals [2006] OJ C91/38, point 4.2.2.

  142. 142.

    Proposal for a Council Decision on requesting comparisons with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, COM (2009) 344 final from 10 September 2009, in the following: Proposal on law enforcement access to Eurodac, COM (2009) 344 final from 10 September 2009.

  143. 143.

    27 Member States plus Norway, Iceland and Switzerland.

  144. 144.

    Meijers Committee, standing committee of experts on international immigration, refugee and criminal law, Utrecht/The Netherlands, letter from 30 December 2009 to the European Parliament, Civil Liberties, Justice and Home Affairs Committee on the Proposal on law enforcement access to Eurodac, COM (2009) 344 final.

  145. 145.

    Opinion of the EDPS on the amended proposal for a Regulation of the European Parliament and of the Council concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No (…/…) (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third country national or a stateless person), and on the proposal for a Council Decision on requesting comparisons with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, OJ 2010, C-92/1, in the following EDPS opinion on the proposal of law enforcement access to Eurodac, OJ 2010, C-92/1.

  146. 146.

    The Working Party on Police and Justice (WPPJ) is a working party composed of experts from national DPA’s and works together with the Article 29 Working Party, compare: Draft Annual Report for the Year 2009, p. 4.

  147. 147.

    Examples of data exchange in absence of a legal basis was Eurojust’s data transfer in JITs or Eurojust’s access to the CIS.

  148. 148.

    Article 5 Council Decision 2008/633, OJ 2008, L-218/129.

  149. 149.

    To the requirement to define terms such as “serious crime” in a legal act, compare ECtHR case law Kennedy v. the United Kingdom, Application no. 26839/05, para 159 from 18 May 2010.

  150. 150.

    The definition of the terms “terrorist and serious criminal offences” could correspond to the offences under national law, which correspond or are equivalent to the offences in Articles 1–4 of Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism, OJ 2002, L-164/3 and to the forms of crime, which correspond or are equivalent to those referred to in Article 2 (2) of Framework Decision 2002/584/JHA on the European Arrest Warrant, OJ 2001, L-190/1. The not yet defined term “prevention of crime” needs specification and could, for instance, describe a situation in which criteria based on a verifiable prognosis, open to scrutiny by an external supervisor, suggest that somebody plans to commit a crime. Factual indications, which exclude individual assumptions or pure hypothetical reflections, should underpin this estimation.

  151. 151.

    Leander v. Sweden, Application no. 9248/81, para 55 from 26 March 1987.

  152. 152.

    Similar to Article 3 (2) Council Decision 2008/633, OJ 2008, L-218/129.

  153. 153.

    Rotaru v. Romania, Application no. 28341/954, para 57 from 4 May 2000.

  154. 154.

    Similar to Article 4 Council Decision 2008/633, OJ 2008, L-218/129. Alternatively, in exceptional cases of urgency, the special unit within the respective database may receive written, electronic or oral requests. In such cases, it shall process the request immediately and only verify ex post whether all access conditions are fulfilled, including whether an exceptional case of urgency existed. Such an exceptional case should be immediately reported to the supervisory authority of the respective database. The ex post verification shall take place without undue delay after the processing of the request.

  155. 155.

    To assure transparency and to specify the conditions for Europol, some specifications could additionally apply; Europol’s access could be, for instance, necessary for the purpose of a specific analysis in a specific case referred to in Article 14 Europol Decision or for an analysis of a general nature and of a strategic type, as referred to in Article 14 (4) of the Europol Decision, provided that the data is rendered anonymous by Europol prior to such processing and retained in a form in which identification of the data subjects is no longer possible; data obtained by Europol could be further prevented from being introduced in Europol’s Information System, exemptions to this rule should require the consent of Europol’s supervisory body; possible additional conditions for Eurojust could also relate to the restriction not to introduce data obtained in Eurojust’s Case Management System whereby exemptions to this rule should require the consent of Eurojust’s supervisory body.

  156. 156.

    Council Decision 2008/633, OJ 2008, L-218/129.

  157. 157.

    S. and Marper v. the United Kingdom, Application nos. 30562/04 and 30566/04 from 4 December 2008, para 119.

  158. 158.

    In addition, before being authorised to process data stored in the database, the staff of the authorities having a right to access the database should receive appropriate training about data security and data protection rules including being informed of any relevant criminal offences and penalties.

  159. 159.

    Article 9 (2) Council Decision 2008/633, OJ 2008, L-218/129.

  160. 160.

    Compare Article 35 Europol Decision (footnote 118).

  161. 161.

    Europol is the only body providing for certain basic rules in cases of third-party transfer, compare: Council Decision 2009/934/JHA of 30 November 2009 adopting the implementing rules governing Europol’s relations with partners, including the exchange of personal and classified information, OJ 2009, L-325/6.

  162. 162.

    Council Decision 2009/934/JHA of 30 November 2009 adopting the implementing rules governing Europol’s relations with partners, including the exchange of personal and classified information, OJ 2009, L-325/6.

  163. 163.

    The cooperation between national and European DPAs should include the exchange of relevant information, the assistance of each other in carrying out audits and inspections or the examination of difficulties of interpretation or application of the decision regulating the data exchange. Studying problems with the exercise of independent supervision or with the exercise of the rights of data subjects and supporting each other in cases where individuals exercise their right of access, correction, deletion and notification or drawing up harmonised proposals for joint solutions to any problems including the promotion of awareness of data protection rights would complement the cooperation. For this purpose, regular meetings resulting in an annual joint report should take place. This joint activity report should be sent to the European Parliament, the Council, the Commission and the supervisory authority managing the database and include a chapter of each Member State prepared by the national supervisory authority of that Member State containing an assessment of the cases where individuals exercised their right of access, correction, deletion and notification.

  164. 164.

    Article 19 (4) Eurojust Decision.

  165. 165.

    In case a person concerned exercises its right to challenge the accuracy of its data, the AFSJ actor or the Member State responsible should be obliged to check the accuracy of the data and the lawfulness of their processing in the database within a limited period.

  166. 166.

    Similar to Article 14 (5) VIS access Decision 2008/633 the Member State or the AFSJ actor responsible shall confirm in writing to the person concerned without delay that it has taken action to correct or delete data relating to it.

  167. 167.

    Compare Article 16 VIS access Decision 2008/633, OJ 2008, L-218/129. Such records must be subject to the necessary security requirements and should be deleted after the retention period of the data has expired. Comparable to Article 16 (1) VIS access Decision 2008/633 allowing national law enforcement authorities and Europol to access the VIS data, those records could show: the exact purpose of the access for consultation referred to in Article 5 (1), including the form of terrorist offence or other serious criminal offence concerned, the respective file reference; the date and exact time of access; where applicable that use has been made of the urgent access procedure; the data used for consultation; the type of data consulted and according to the rules of the respective AFSJ actor or to national rules, the identifying mark of the official who carried out the search and of the official who ordered the search or supply.

  168. 168.

    Compare Article 17 (1) VIS access Decision 2008/633, OJ 2008, L-218/129.

  169. 169.

    Analogous to Article 17 VIS access Decision 2008/633, OJ 2008, L-218/129.

  170. 170.

    Article 17 (4) VIS access Decision 2008/633, OJ 2008, L-218/129.

References

  • Commission communication. 2010. On A comprehensive strategy on data protection in the European Union, COM(2010) 609 final of 4 November 2010, p. 13, para 2.3.

    Google Scholar 

  • De Buck, Bart. 2007. Joint investigation teams: The participation of Europol officials. ERA Forum 8:263.

    Google Scholar 

  • De Hert, Paul, and Luc Vandamme. 2004. European police and judicial information-sharing, cooperation: Incorporation into the community, bypassing and extension of schengen. ERA Forum 5:425–434.

    CrossRef  Google Scholar 

  • De Moor, Stefan. 2009. The difficulties of joint investigation teams and the possible role of OLAF. Eucrim 3:94–99, 97.

    Google Scholar 

  • De Schutter, Olivier. 2008. The two Europes of human rights: The emerging division of tasks between the Council of Europe and the European Union in promoting human rights in Europe. Columbia Journal of European Law 14:509–560.

    Google Scholar 

  • Garside, Alice. 2011. The political genesis and legal impact of proposals for the SIS II: What cost for data protection and security in the EU?, 16, Sussex Migration Working Paper no. 30, March 2006. http://www.sussex.ac.uk/migration/documents/mwp30.pdf. Accessed 12 July 2011.

    Google Scholar 

  • Gusy, Christoph. 2008. Europäischer Datenschutz. In Alternativentwirf Europol und europäischer Datenschutz, ed. Jürgen Wolter et al., 265–280. Heidelberg: C.F. Müller Verlag.

    Google Scholar 

  • Hijmans, Hielke, and Alfonso Scirocco. 2009. Shortcomings in EU data protection in the third and the second pillars. Can the Lisbon Treaty be expected to help? Common Market Law Review 46:1485–1525.

    Google Scholar 

  • Holzenberger, Mark. 2006. Europols kleine Schwester—Die Europäische Grenzschutzagentur Frontex. Bürgerrechte und Polizei/CILIP 2:56–63.

    Google Scholar 

  • Horvatis, Lisa, and Bart deBuck. 2007. The Europol and Eurojust project on joint investigation teams. ERA Forum 8:239–243.

    CrossRef  Google Scholar 

  • Lopes da Mota, José Luis. 2009. Eurojust and its role in joint investigation teams. Eucrim 3:88–90.

    Google Scholar 

  • Mitsilegas, Valsamis. 2009. EU criminal law. 223. Oxford: Hart.

    Google Scholar 

  • Ralf, Riegel. 2009. Gemeinsame Ermittlungsgruppen, Herausforderungen und Lösungen. Eucrim 3:99–106.

    Google Scholar 

  • Rijken, Conny, and Gert Vermeulen. 2006. Joint investigation teams in the European Union, from theory to practice. The Hague: T.M.C Asser Press.

    CrossRef  Google Scholar 

  • Siemen, Birte. 2006. Datenschutz als europäisches Grundrecht. Berlin: Duncker & Humblot.

    Google Scholar 

  • Vervaele, John A. E. 2008. The shaping and reshaping of Eurojust and OLAF. Eucrim 184:3–4.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Luxembourg, Luxembourg, USA

    Franziska Boehm

Authors
  1. Franziska Boehm
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Franziska Boehm .

Editor information

Editors and Affiliations

  1. Pleinlaan 2, Brussel, 1050, Belgium

    Serge Gutwirth

  2. , TILT, Tilburg University, Warandelaan 2, Tilburg, 5037 AB, Netherlands

    Ronald Leenes

  3. Center for Law, Science, Technology, and Society Studies (LSTS), Vrije Universiteit Brussel, Pleinlaan 2, Brussels, 1050, Belgium

    Paul De Hert

  4. Research Centre for Information, Technology & Law, University of Namur, Rempart de la Vierge 5, Namur, 5000, Belgium

    Yves Poullet

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 Springer Science+Business Media B.V.

About this chapter

Cite this chapter

Boehm, F. (2012). Information Sharing in the Area of Freedom, Security and Justice—Towards a Common Standard for Data Exchange Between Agencies and EU Information Systems. In: Gutwirth, S., Leenes, R., De Hert, P., Poullet, Y. (eds) European Data Protection: In Good Health?. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-2903-2_8

Download citation