Parliamentary oversight of security and intelligence agencies in the EU

One of the reasons for the lack of posts on this blog the past months is that I co-authored this large study (446 pages), together with Aidan Wills, for the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE). The study came out today, and also includes a number of attachments written by national intelligence oversight bodies.

Abstract: This study evaluates the oversight of national security and intelligence agencies by parliaments and specialised non-parliamentary oversight bodies, with a view to identifying good practices that can inform the European Parliament’s approach to strengthening the oversight of Europol, Eurojust, Frontex and, to a lesser extent, Sitcen. The study puts forward a series of detailed recommendations (including in the field of access to classified information) that are formulated on the basis of in-depth assessments of: (1) the current functions and powers of these four bodies; (2) existing arrangements for the oversight of these bodies by the European Parliament, the Joint Supervisory Bodies and national parliaments; and (3) the legal and institutional frameworks for parliamentary and specialised oversight of security and intelligence agencies in EU Member States and other major democracies.

We will present the study at the LIBE Committee at 15h on Monday the 3rd of October. An Interparliamentary Committee Meeting on “Democratic Accountability of the Internal Security Strategy and the Role of Europol, Eurojust and Frontex” will be held on Wednesday 5 October from 15.00 to 18.30 and on Thursday 6 October from 9.00 to 12.30 in the Hemicycle of the Paul-Henri Spaak building of the European Parliament as well, which is open to the public. You can register for this meeting until the 29th of September.

European Commission Operational Guidance on taking account of Fundamental Rights in Commission Impact Assessments

Read it here.

Two fundamental privacy problems with the SWIFT agreement and Europol’s role in it?

EUROPOL’s Joint Supervisory Body recently performed its first inspection at Europol regarding the TFTP Agreement, which entered into force in August 2010. The TFTP Agreement gave the JSB a new task – to monitor whether Europol respects the provisions of personal data protection principles in the TFTP Agreement when deciding on the admissibility of the US’ requests to SWIFT. Europol is tasked with verifying whether the US’ requests are proportionate and necessary – according to conditions laid down in the TFTP Agreement. Europol can therefore approve or deny the transfer of SWIFT data to the US.

Under Article 34(1)3 of the Europol Council Decision, the JSB is tasked with reviewing Europol’s activities in order to ensure that individuals’ rights are not violated by the storage, processing or use of data held by Europol.

At its meeting of 11 October 2010, the JSB mandated a team to inspect Europol’s implementation of the TFTP Agreement, including all related items. The inspection took place in November 2010.

The inspection team found that some data protection requirements were not being met. The most important finding of the inspection was that the written requests Europol received were not specific enough to allow it to decide whether to approve or deny them. It was found that the US requests were too general and too abstract to allow proper evaluation of the necessity of the requested data transfers. Despite this, Europol approved each request it received. One of the JSB’s recommendations is, therefore, that Europol should contact the US Treasury Department to ensure that all future requests for SWIFT data comply with the criteria set out in the TFTP Agreement. The JSB concluded that proper verification of whether the requests are in line with the TFTP Agreement – on the basis of the available documentation – is impossible.

Europol advised that orally-provided information plays a role in its verification of each request. This information is provided to certain Europol officials with the stipulation that no record is made. This kind of procedure prevents JSB from checking whether Europol could have rightly come to its decisions. The JSB was therefore unable to evaluate whether the amount of data transferred to the US from SWIFT was proportionate and necessary, as required by the TFTP Agreement. The significant involvement of oral information renders proper internal and external audit, by Europol’s Data Protection Office and the JSB respectively, impossible.

The report was a cause of concern at the European Parliament. MEP Alexander Alvaro said:

“As Members of Parliament we feel betrayed reading this report. We voted in favour [of this agreement last year] in the trust that both parties would apply the adopted agreement”, which “concerns the transfer of sensitive data belonging to our citizens”, he stressed, adding that “the credibility of Parliament and of this committee are being jeopardised. This is about trust and confidence of the public in what the EU did and is capable of doing here”.

MEPs also criticized Europol’s role in supervising the agreement:

Entrusting this task to Europol “is like putting the fox in charge of the chicken coop” said Sarah Ludford (ALDE, UK). Several MEPs questioned Europol’s credibility, given that it transfers data in response to oral requests by the US authorities. MEPs asked the Director of Europol to come to the committee to explain his views on this.

“Europol should not have been the body to oversee this – we all underlined at the time that Europol should not have been entrusted with this role”, said Stavros Lambrinidis (S&D, EL), adding that the fact that the agency only has 48 hours to answer requests would only make sense if they are “super duper”, which does not always seem to be the case.

Rui Tavares (GUE/NGL, PT) considered this a bad precedent for further agreements in this area. He stressed that Parliament must have access to the full report, including the classified sections. “We might have to engage in another battle for access to documents, but we are used to that”, he added.

National data protection commissioners weighed in as well. Here’s German Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar:

Even the very rudimentary public part of the inspection report confirms my fears. There are huge shortcomings. Political authorities at European and national level must immediately ensure that the shortcomings that were found will be eliminated. In Peter Schaar’s opinion, the findings of the inspection focus on the question already critically asked prior to the Agreement: Can and will Europol perform the assigned watchdog function properly at all?

One week later a second control mechanism seems to have failed. According to Article 15 of the SWIFT agreement, every EU citizen has the right to know if American authorities had access to personal banking data and if so, which authorities received that information.

For the past six months, Alexander Alvaro, a member of European Parliament from Germany’s Free Democrats, has been doing a test in an attempt to obtain the information to which he is entitled from German authorities. The result:

“The German authorities have not yet been able to find out whether data has been accessed at all. As such, the rights of EU citizens on correction, deletion or blockage of the data are being violated.”

Read the full story at Der Spiegel.

The always nuanced Stewart Baker has another take on the issue though:

European Governments Screw Up; US To Suffer Consequences

That seems to be the theme of this article from the ever-predictable Der Spiegel, which recites a bunch of alleged failures by the German government in implementing the SWIFT data agreement, then raises the prospect of suspending the agreement, thereby cutting off US access to some financial data and making the world safer for funders of terrorism.

All in all, it seems clear that Europol is not the main culprit in this case. Europol has discharged its responsibilities as foreseen by the TFTP Agreement and implemented the necessary provisions correctly. The key recommendation in the Final JSB Inspection Report seeks to motivate the US Department of the Treasury to provide even more written documentation to Europol to carry out its verification role under Article 4. This is very similar to the findings and recommendations recorded by the review team. Read the Commission’s full assessment here.

EU Commission Proposes Mandatory Transfer of Passenger Name Records

The European Commission has proposed a Passenger Name Record Directive that would require airlines to provide EU Member States with data on passengers arriving from, or departing to, countries outside the EU. Under the proposal, copies of such PNR data held on an airline’s reservation system would be transferred to a dedicated “Passenger Information Unit” in the Member State of arrival or departure, for the purpose of fighting serious crime and terrorism. The Passenger Information Unit would be an authority (or a branch of an authority) with responsibility for preventing, detecting, investigating or prosecuting such offences. The Directive would also require the Commission to undertake a study on applying these PNR transfer requirements to internal EU flights.

Statewatch analysis here.

Council of Europe: need for a global consideration of the human rights implications of biometrics

The CoE’s Committee on Legal Affairs and Human Rights is “increasingly concerned about the rapid and uncontrolled development of biometric technologies”. It stresses the need to strike an appropriate balance between security and the protection of human rights and fundamental freedoms, especially the right to privacy. In its report, the Committee says:

Given that at European level the legal framework regarding the use of biometric data remains vague, Council of Europe member states should take further measures to improve it. In particular, they should adopt specific legislation in this area, produce a standardised definition of “biometric data”, put in place supervisory bodies and promote multi-disciplinary research.

The Committee of Ministers could, amongst other things, revise the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in order to adapt it to the challenges stemming from the development of biometric technologies.

Tightening links between the external and internal aspects of EU security

A note from the Hungarian EU presidency to the Standing Committee on operational cooperation on internal security (COSI) describes the desires of the Presidency to tighten the links between the external and internal aspects of EU security. On the list is:

* Enhancing the exchange of personal and strategic information and criminal intelligence between EU civilian crisis management missions and relevant EU agencies, namely Europol, Eurojust and Frontex. How can data-sharing be enhanced in a context where civilian CSDP missions have no legal personality, information is often classified, Frontex is not allowed to exchange personal data, and only some of Europol’s formal agreements with third countries extend to the sharing of personal data?

* Involving JHA actors, including COSI and the relevant agencies in the early phase of the planning process, during the conduct and the review process of EU civilian crisis management missions including lessons learned. What are the main political and legal barriers that prevent FSJ actors from contributing to the planning and monitoring of CSDP civilian missions in third countries? How can FSJ actors be involved in the drafting of Crisis Management Concepts (CMC) and Concepts of Operations (CONOPS)?

* Integrating threat and risk assessments supplied by a variety of actors. The EU has an excellent opportunity to utilise its current resources; crisis management missions, both civilian and military, have been developing their analysis capabilities, and it is suggested developing a toolkit to support the implementation of an ILP process in host countries where civilian CSDP missions are deployed. How can the various intelligence products supplied by specialised actors and agencies, such as SITCEN’s country and thematic reports, EUROPOL’s (S)OCTAs and TE-SAT reports, FRONTEX’s risk assessments and the Mission Analytical Capabilities’ (MAC) assessments, be streamlined so that actors dealing with the internal and external aspects of European security have access to the relevant information? How does the confidentiality of reporting affect actors’ access to such products?

* Advocating the interests of CSDP and FSJ actors in the EU’s changing data protection landscape. Article 16 of the TFEU on data protection applies fully to the former first and third pillars, i.e. the internal market and police and judicial cooperation in criminal matters, but it only partially covers the CFSP area, including the CSDP. Europol, Eurojust and Frontex have their own data protection supervisory mechanisms. In view of the Commission’s intention to issue in 2011 a proposal on a comprehensive new legal framework on the protection of personal data in the EU, how will the EU’s changing legal landscape affect the exchange of personal data between CSDP and JHA actors?

Another note from the General Council secretariat to COSI includes an interesting report on the cooperation between JHA agencies in 2010. The agencies prepared a report focusing on ‘future cooperation and improvements’ in 2010, and used a scorecard to implement the provisions of this report.

The scorecard includes some interesting potential points of further cooperation, especially from the point of sharing of classified information between agencies.

1. Exploring the possible use of the secure communication link between Eurojust and Europol for the exchange of information between Eurojust national desks and Europol Liaison Bureaux. Eurojust is now exploring the possibility of exchanging information directly via a SIENA account. Europol offered Eurojust the possibility to install mailboxes for 27 Liaison Bureaux for Eurojust’s direct information exchange via SIENA.

2. Undertaking the necessary steps for a possible exchange of classified information above the level of ‘restricted’. In this context progress has been made between Europol and Eurojust to agree on a table of equivalence to exchange classified information above the level of ‘EU

3. Frontex is implementing a Secure Area Network for up to the level of EU RESTRICTED, which is foreseen to implement the handling of classified information as of beginning of 2011. Once the network is stable and all the relevant applications are installed, the next step is to interconnect the network with Member States and third parties, such as Europol, which is foreseen to be fully available by May 2011. Europol has suggested Frontex consider the possibility of becoming part of, or that they make use of, the existing accredited Europol network, which provides a secure communication channel with Member States.

Frontex was subject to an EC/Council security inspection in September 2010: The exchange of information at level RESTRICTED can be permitted between SGC and Frontex or EC and Frontex. The fact that Frontex has implemented all the security measures to properly process RESTRICTED information was recognised by Europol even at an earlier stage. The cooperation agreement between Europol and Frontex, signed on 29 March 2008, approves the exchange of classified information at a RESTRICTED level.

Exchange of CONFIDENTIAL or above should only be envisaged after the recommendations are implemented. Recommendations were accepted by Frontex and are in the implementation phase. Frontex expects to be ready for the second EC/Council security inspection at the beginning of 2011. The outcome of the inspection may be used for concluding an agreement with Europol for exchanging classified information at level CONFIDENTIEL UE or higher.

MEP calls for impact assessment of EU counter-terrorism policies

MEP Sophie In’t Veld called for a thorough evaluation of EU counter-terrorism policies at a recent meeting of the European Parliament. She criticized in particular “costly high-tech surveillance and data gathering programmes”.

“The European Parliament has been constantly calling for a thorough evaluation of EU counter-terrorism measures. Why is it that in other areas, such as transport or regional policy, it is normal to evaluate results of the policy, but in counter-terrorism everything remains secret?” Dutch Liberal MEP Sophie in’t Veld said to EU Observer.

“It is not only state budgets that are affected, considerable costs and administrative burdens are also put on airlines, banks, telecommunication companies – who all have legal requirements to comply with in terms of counter-terrorism policies. What we want to know is if all this is really necessary,” she explains.


As a result, MEPs are likely to call for the establishment of an independent panel of experts ranging from the security world to budget and civil liberties NGOs, so as to look into the “overall cost” of counter-terrorism. In a working document she states:

The evaluation should provide a clear analysis of input and output of the counter-terrorism policies in Europe in the past decade. It should set out clearly the results of the policies, in terms of increased security in Europe, trends in terrorist activity in response to counterterrorism policies, and facts and figures relating to terrorist activity (attacks succeeded, failed, prevented) and counter-terrorism activity (arrests and convictions). The independent study must clearly distinguish between results in terms of prevention, investigation and prosecution. The evaluation must also identify where further law enforcement powers are needed or inversely where powers granted are excessive and go beyond what is necessary.

A similar exercise should be carried out for Member States counter-terrorism policies, with a particular focus on interaction with EU policies, overlap and gaps. An evaluation that does not include the national counter-terrorism policies does not give a realistic picture of the situation. Member States must better cooperate with the evaluation of EU policies and provide their input within the given deadlines, as for example for the data retention directive.


Additionally, In’t Veld criticizes the lack of democratic scrutiny over the EU’s counter-terrorism policies:

Recommendation 6: The European Commission must carry out a study to establish if counter-terrorism policies are subject to effective democratic scrutiny, including at least the following issues:

  • For each measure it must be established if either national parliaments or the European Parliament had full rights and means of scrutiny, such as access to information, sufficient time for a thorough procedure, and rights to modify the proposals; the evaluation must include an overview of the legal basis used for each policy measure;
  • All existing measures to be subjected to a retrospective proportionality test;
  • Provide an overview of classification of documents, and trends in the use of classification, numbers and trends in access granted or denied to documents relating to counter-terrorism policies, as well as the documents made available to Parliament, to be consulted in a secure room;
  • An overview of the use made of external consultants and (independent) expertise, in areas such as (international) law, data protection and civil liberties, security in the context of European counter-terrorism policies;
  • An overview of the instruments for democratic scrutiny of cross border cooperation of intelligence agencies, and more specifically of SitCen, the Watch-Keeping Capability, the Crisis Room, the Council’s Clearing House, and COSI;
  • An overview of measures adopted by third countries with extraterritorial effect in the EU, such as the US Foreign Intelligence Surveillance Act (FISA), which are not subject to scrutiny by any parliament in the EU;
  • An overview of measures agreed in international governmental and non-governmental bodies (United Nations, ICAO, IATA), and existing instruments for democratic scrutiny;
  • An overview of non legislative EU (funded) activities, such as research programmes, and how they are subject to democratic scrutiny.

An earlier evaluation carried out by the European Commission in July 2010 was labelled as “extremely modest” by the Dutch politician because no results were included in the document.

The Commission Communication provides information on certain measures and policies. However, this list is far from complete, it does not sufficiently cover measures taken by DGs other than JLS (such as TRAN or MARKT), nor does it give a clear idea how the measures interact, where there is overlap or – on the contrary – gaps. The Commission should also map out which measures have objectives other than counter-terrorism, or where further objectives were added to the initial purpose of counter-terrorism (mission creep and function creep) such as law enforcement, immigration policies, public health, or public order.

In its analysis, the European Commission speaks of €745 million set aside “to support policies to counter terrorism and organised crime”, but the real figure, if the private sector and national governments are taken into account, rises much higher than that. Under the EU’s research programme, for instance, €1.4 billion is earmarked solely for security research. MEP In’t Veld recommends that the Commission produce, before July 2011, a full and detailed report on all EU funds used for counter-terrorism purposes, directly or indirectly, including in any case the following items:

  • Expenditure specifically labelled as counter-terrorism measures
  • Expenditure for policies that include counter-terrorism activities
  • Expenditure for EU staff and agencies carrying out counter-terrorism tasks
  • Expenditure for counter-terrorism related IT systems and databases
  • Expenditure for research projects (co) funded by the EU, in the area of counterterrorism or related areas
  • Expenditure for protection of fundamental rights and data protection in the context of counter-terrorism
  • Expenditure for strengthening democracy and the rule of law
  • An analysis of the development of the above EU Budget lines since 2001


“It is fair that security firms try to make a profit out of it, but we should be informed and aware of how the taxpayer’s money is spent,” Ms in’t Veld says.

New European Commission proposal on the use of PNR data in the fight against terrorism

The proposal aims to harmonise Member States’ provisions on obligations for air carriers, operating flights between a third country and the territory of at least one Member State, to transmit PNR data to the competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. It does not require air carriers to collect any additional information from passengers or to retain any data, nor does it require passengers to provide any data in addition to that already being provided to air carriers.

According to the Commission, the necessity of using PNR data, in a limited manner and subject to strict data protection guarantees, is supported by a number of factual elements, as reflected in the Impact Assessment.
(Summary of the impact assessment here.)

Under the proposal, intra-EU flights will not be covered for now, but “the commission is likely to propose that such a step may be taken into consideration in a few years’ time, if member states so require.”

The negotiations on the PNR proposal are expected to last two years.

EDPS sets out his vision for the EU’s new data protection framework

On 14 January 2011, the European Data Protection Supervisor (EDPS) issued an opinion on the Commission’s Communication on the review of the EU legal framework for data protection. In the EDPS’ view, the major driving forces of the review process should be as follows:

  • The EDPS suggests introducing a mandatory security breach notification covering all relevant sectors, as well as new rights, especially in the online environment, such as the right to be forgotten and data portability;
  • The responsibility of organisations needs to be reinforced: the new framework must contain incentives for data controllers in the public or private sector to pro-actively include new tools in their business processes to ensure compliance with data protection (accountability principle). The EDPS proposes the introduction of general provisions on accountability and “privacy by design”;
  • Further harmonisation should be one of the key objectives of the review. The Data Protection Directive should be replaced by a directly applicable regulation;
  • The new legal framework must be formulated in a technologically neutral way and must have the ambition to create legal certainty for a longer period;
  • The enforcement powers of data protection authorities should be strengthened and their independence should be better guaranteed across the EU.

European Arrest Warrant update

– Revised version of the European handbook on how to issue a European Arrest Warrant (128 pages, pdf)
– Implementation of Framework Decision on the application of the principle of mutual recognition to confiscation orders (country-by-country, pdf)
– Framework decision on the application of the principle of mutual recognition to financial penalties (81 pages, country-by-country, pdf)