Partager le blog

Wednesday, 30 October 2013

L'échange des données Interpol, Europol et les pays arabes tiers



Dans l’imaginaire populaire, Interpol reflète les histoires d’espionnage, les films noirs, les renseignements généraux, etc.. L’avancée de la technologie a compliqué la donne, sans que cette image soit profondément modifiée. Ainsi les services de NSA et ceux d’Interpol sont parfois mis sur un même plan lorsqu’il s‘agit de parler des écoutes téléphoniques, de l’interception des  télécommunications.  

Il a suffit que les premières révélations d’Edward Snowden sur les écoutes par la NSA des bureaux de l’Union Européenne à l’étranger pour que certains puissent penser que les fichiers d’Europol (l'office européen de police) soient considérés comme accessibles aux services Américains ou que les accords Swift soient mis en cause, y compris ceux qui permettent la transmission de données bancaires des européens aux Etats unis dans le cadre de leur lutte anti-terroriste.

Or, les relations entre Europol, Interpol et les Etats tiers, qu’ils soient arabes ou asiatiques sont plus réglementées que les activités politiques des services d’espionnage qui sont des activités politiques et sécuritaires par nature. En effet, le transfert d’informations entre Interpol et Europol est possible et relève de l’information criminelle, bien que le cadre juridique soit parfois rigide et conduit à la multiplication des bases de données, de leurs cryptages et de leurs conditions d’accès.

Une évolution a eu lieu après les attentats du 11 septembre 2001 pour recevoir et envoyait des informations aux pays arabes tiers par rapport à Europol et dans les relations entre Interpol et Europol.

Europol a même publié un rapport sur les risques des attentats terroristes au sein de l'Union, tout en relativisant les risques de l'Islam radical qui est fréquemment présenté comme menace principal, dans la mesure où cette composante s’accumule avec d’autres liés aux trafic d’armes et trafic d’être humains. Europol a été aussi à l’origine de plusieurs opérations contre certains réseaux actifs pour le trafic d’être humain en provenance de l’Asie ou des pays du printemps arabe.

Cependant, beaucoup d’informations manque en raison des exigences juridiques très élevés sur le plan du respect des droits de l’homme et des protection des données, alors qu’il est possible de les surmonter en concluant des accords avec des pays tiers..
L’enjeu est important pour certains pays arabes comme la Tunisie et la Syrie, après le naufrage de plusieurs convois de réfugiés exploités par des réseaux criminelles, sous couverts d’aide humanitaire à ceux qui fuient leurs dictateurs ou leurs groupements armées intégristes.

L’article que j’ai rédigé en anglais 1999 sur ce sujet, lors d’une conférence à Hong Gong, analyse la compatibilité des régimes d’échanges d’informations criminelles entre Europol et Interpol, y compris dans le domaine du trafic d’être humains, criminalité organisée et autre formes de criminalité (blanchiment d’argent, drogue, et terrorisme etc).




RECONCILING DATA PROTECTION REGULATIONS WITH THE REQUIREMENTS OF JUDICIAL AND POLICE CO-OPERATION

21st International Conference on Privacy and Personal Data Protection

Hong Kong Convention and Exhibition Centre
China 13-15 September 1999

Mr Souheil El Zein
Director of Legal Affairs, ICPO-Interpol



Introductory remarks on the proliferation of international criminal databases and their supervisory bodies.

Over the past two decades, the mission of the International Criminal Police Organisation - Interpol has evolved in two main aspects, as a result of two major events in relation to the international exchange of personal data on persons wanted by the police authorities of Interpol member states in order to bring them before national or international courts.

The first event was the computerisation of the Organisation's criminal archives which has not ceased to progress since 1979. Interpol now benefits from a state-of-the-art criminal database known as "ICIS" (International Criminal Information System).

The second event was the introduction in 1982 of a system of personal data protection, especially the application of international regulations on the exchange of criminal information and the supervision of such information by an independent board.

These two events have paved the way for a potential and desirable reconciliation between the requirements of international law enforcement co-operation and the requirements of data protection within Interpol.

However, Interpol is no longer the only International Organisation to co-ordinate police co-operation and to provide for the exchange of data between its member countries. With the rise in ordinary law crimes throughout the world and the means available to offenders, States are seeking to organise themselves on a regional and international basis. This can be seen from the numerous multilateral co-operation agreements. But instead of using the existing structures, subject to certain improvements, States are setting up new organisations such as Europol, Schengen or other regional entities in Asia, Eastern Europe or Latin America, without forgetting that many UN bodies are also beginning to collect data on drug-trafficking and terrorism.

As a result, we have seen the mushrooming of international criminal databases. For example, the implementation of the Schengen Agreement has already led to the creation of a computer system for information exchange between the Schengen member countries, known as the Schengen Information System (SIS). Furthermore, the concept of the Interpol database, considered as a reference archive for the efficient back-up of investigations being conducted in several different countries into a single criminal case, has been used and adapted by the Europol Convention.

This proliferation of international criminal databases has also led to a significant increase in the number of supervisory bodies responsible for protecting the individual's right of access to such archives according to different procedures and standards depending on the database that holds the information and on whether or not the national protection bodies, if any, are competent.

Whilst the end goal of the three databases is practically the same (to prevent and stop international crime in Europe and throughout the world), this goal is however undermined by the increasing number of structures and the diversity of information that does not fit together. The undermining of this goal has harmful consequences for the very mission of Interpol, which by virtue of its constitution is precisely responsible for exchanging and processing data from police sources on criminal activities of an international nature. This means that the co-operation between Europe and the rest of the world, especially via Interpol, is now considerably hindered for several reasons.

First of all, the Schengen Agreement and the Europol Convention do not allow any inter-linking of their computer systems with that of Interpol, whose network to date remains a closed network, only allowing electronic data interchange (EDI) between the General Secretariat of the Organisation and Interpol's National Central Bureaus (NCBs) which are the national points of contact of its member countries. This leads to an undeniable risk of the triple posting of data to the three systems. A State adhering to the three co-operation mechanisms should in theory consult three databases to seek a single item of information. Added to that is a second risk of a lack of harmonisation, as different information on the same case may circulate between the three systems, therefore complicating or even restricting the possibilities of reconciling such data.

In addition, there are a number of misleading preconceived ideas on data protection by Interpol, put forward by certain politicians, whereas no serious study has been carried out on the equivalence of the data protection standards applied by Interpol, Europol and Schengen.

Although it has now been established that Interpol ensures an equivalent level of data protection to that of all the most advanced European countries in this field, the same cannot be said for all its member countries. In this context, Interpol has observed a huge gap in data protection standards between the Member States of the European Union, where the rules are the most restrictive, and the rest of the world, thus hindering the co-ordination of co-operation, increasing the number of databases, diversifying the data control standards and creating obstacles to the free flow of criminal information between countries.

The question we then have to ask ourselves is how to reduce this gap between Interpol's member countries, in the field of data protection, in order to provide the best conditions for police co-operation and to release it from restrictions that are incompatible with the efficiency required in the fight against international crime that jeopardises democracy and violates human rights.

A solution must therefore be found to overcome the obstacles that are still impeding inter-connections between criminal databases run by International Organisations with identical or similar missions on an international or regional scale. This will involve a new reconciliation between the interests of the police and judicial authorities on the one hand, and on the other, the interest of individuals to live in peace, without any violation of their image or privacy that would be improper or disproportionate in relation to the end goals of the exchange of criminal data that concern or may concern them.

The aim of this document is to show that it is possible to reconcile the unreconcilable.

I.      Difficulties of reconciliation

The notion of adequate protection which is assimilated, rightly or wrongly, with the equivalent protection of criminal data, would appear to be a prerequisite for the exchange of computerized police information between Europe and the rest of the world. However, in the absence of any common methodology or established objective criteria for the assessment of the adequate level of data protection required in third countries in relation to the European Union, each State may have to assess the entire judicial, administrative or even political system of each third country concerned.

This would lead to differing assessments, put forward by each Member State of the European Union according to its relations with Europol or with other States and entities, and thus complicating the task of Interpol to find a common standard in order to overcome the unreconcilable "individualistic" concept of equivalent data protection.

I.1    The difference in the assessment of the equivalent level of data protection according to European instruments

The notion of equivalent protection in the area of judicial and police information exchange tends to differ depending on whether you look at the provisions of the Council of Europe Convention of 1981[1], those of Directive 95/46/EC of 1995[2], or article 18 of the Europol Convention.

Article 9 of the 1981 Convention and article 13 of the 1995 Directive thus exempt member countries from certain principles of data protection when such a derogation "constitutes a necessary measure to safeguard national security, defence and public security [...] as well as the rights and freedoms of others".

However, some countries feel that it is possible to transpose the notion of adequate protection, under article 25.2 of the 1995 Directive, to the transfer of police information from a Member State of the European Union to third countries, whereas article 3.2 of the same Directive stipulates that it does not apply "to processing operations concerning public security... and activities of the State in areas of criminal law". To justify their point of view, the arguments of these countries are based on an opposite interpretation of article 13 of the Directive which solely provides for the right to derogate or not from data protection rules, apparently in contradiction with article 3.2 of the same Directive.

As for the Europol Convention, it only allows the communication of data by Europol to "third States and bodies" when such a measure is "necessary in individual cases for the purposes of preventing or combating criminal offences for which Europol is competent" (Article 18.1). However, this measure is only valid on an individual basis and should comply with the general principles of article 18.3 whereby the adequacy of the level of data protection afforded by third States and bodies is to be assessed by "taking into account all the circumstances which play a part in the communication of personal data, and in particular:

1)   the nature of the data;
2)   the purpose for which the data is intended;
3)   the duration of the intended processing; and
4)  the general or specific provisions applying to the third States and third bodies..."

It can thus be seen that the Europol Convention did not adopt the same mechanisms as those provided for by the Directive for assessing the adequate level required for data protection. In addition, the Act adopted by the Council of the European Union, laying down the specific provisions for the communication of personal data by Europol to third countries, stipulates in article 2§2 that it takes into account the domestic legislation and administrative practices in matters of data protection in third countries not related to the European Union, including with respect to the competent authority for data protection issues (independent supervisory board). The existence of a supervisory board is thus considered as an indispensable factor for the assessment of the level of protection offered by a third country or body.

In view of the diverging interpretations of these various provisions, sometimes allowing exemptions from certain principles of data protection, sometimes demanding specific supervisory bodies, some countries such as the USA and Canada, among others, find it unreasonable to systematically consider that an adequate level of data protection is not met by a country for the sole reason that the supervision of its police archives lies with an authority under the supervising Ministry responsible for the police force, whilst remaining subject to judicial review.

In addition, several experts have raised the issue of the possible conflicts between conventions that are likely to arise because of these interpretations. The Member States of the European Union are indeed bound by their obligation to exchange data with the rest of the world under international conventions of the UN (1988 convention on drug-trafficking, other conventions on terrorism, etc.) or those of the Council of Europe (on money-laundering in 1990, on extradition and mutual judicial assistance, or on corruption in 1998) mentioning Interpol as the official channel for the distribution of requests for arrest or of letters rogatory. The same can be said for article 8 of the European Convention on Human Rights which allows certain exemptions to the right of privacy, whereas certain European countries have given precedence to the protection of privacy, being just one branch of human rights, over other rights requiring protection such as the right to life, to justice or to security, of which the protection via Interpol necessarily entails the flow of information between European countries and the rest of the world in the interest of law enforcement.

This situation is made even more complicated by the freedom or possibility for each Member State of the European Union to choose its own restrictions on data to be transferred to other third countries, according to end purposes that are assessed within the meaning of their respective domestic law.

I.2    Restrictions on the transfer of criminal data under domestic law

Certain States of the European Union require that any member country of Interpol, without exception, should have enacted legislation in the area of data protection in order to receive data submitted by the said States to Interpol. Generally-speaking, it will be seen that some European countries have gone beyond the stipulations of European texts on this question. In this respect, several domestic statutes within Europe, and in particular the Dutch and Belgian Acts on the police force, implicitly enforce a sort of embargo on the transfer of such criminal data to countries that do not uphold the same level of data protection as these European States.

The inflexible position that these countries have adopted between themselves should thus prevent the communication of police information from their own territory to any country that they do not consider to have equivalent provisions on data protection, whether this communication is made via Interpol or Europol, directly between police authorities or by any other means. This situation can indeed be compared to that of an embargo, or to an undisclosed measure of extraterritorial enforcement, whereby a country seeks to impose a domestic law or regional convention on the rest of the world. Legally-speaking this is not possible without the universal ratification of a regional convention which in any case is not open to other countries.

Confronted with these positions, the intermediate solution adopted by Interpol is as follows: given the fact that third countries in relation to the European Union will not all enact provisions on data protection in the years to come, the General Secretariat of the Organisation has sought to make the incorporation of data into the Organisation's archives more acceptable to countries that are concerned about data protection, allowing such data to be forwarded to any interested countries in response to a request therefrom with a statement of grounds for such request.

A selective database has thus been set up at Interpol in which each country can ask the General Secretariat to store data, designating the other countries that will be allowed access to it. Similarly, Interpol has to comply with the wishes of each police authority that supplies data with respect to the restrictions on access to such data. It would therefore not allow a third country in relation to the European Union to have direct or indirect access to any information from Europol, should the latter consider that the said country does not fulfil its required criteria in the area of data protection.

However, the problem has not yet been solved, because Interpol's role has been turned into that of a manager of restrictions, and this entails certain disadvantages. In the absence of any harmonisation of the restrictions imposed on the communication of data to third countries in relation to the European Union, the application of the principle of reciprocity has already driven certain third countries to refuse to allow Member States of the Union to gain access to data. The flow of information between the European Union and the rest of the world is already slow, thus impeding investigations in progress and serving the cause of criminal networks, but this flow may even be suspended altogether, resulting in a two-speed international police co-operation. It would thus lose out in terms of efficiency.

So the idea of basing the exchange of information purely on reciprocity would subject this exchange to a series of restrictions and would only ensure co-operation with States that do not apply any restrictions at all or only with respect to data on their own nationals. However, the exchange is likely to be blocked by some, because of the impossibility of complying with certain excessive and improper restrictions that do not even allow the disclosure of information via Interpol on a case-by-case basis. From the point of view of the General Secretariat of Interpol, considered by the Organisation's Constitution as an international centre for the prevention of international crime, there is therefore a serious risk that any information received by Interpol from certain Member States of the European Union may remain blocked at the General Secretariat, without any possibility of it being forwarded to third countries, unless such countries in Asia, Latin America and the Middle East enforce the same level of data protection as Interpol and Europol.

We can therefore ask ourselves whether international police co-operation via international organisations should really have to suffer from serious restrictions on the exchange of information until the full harmonisation of the various domestic legislations on data protection.

II.    Reasonable remedies

Such demands would seem excessive, at least in certain cases, due to an inflexible application of the notion of "equivalent" level of data protection. Unless an objective and universal method is devised for assessing the adequate level of protection for judicial and police data, the flow of criminal information will remain subject to subjective assessments, mixing local criteria (corruption in a department, absence of direct access to data, whether or not the police force has an I.T. department, etc.) with criteria of a more political nature (whether or not the relations with third countries are friendly, an assessment of the political system in the said country, etc.).

The aim of this part of the presentation is to prove that an assessment of the compliance, in each third country, with the basic principles of data processing, such that the adequate protection of data is ensured, can be achieved by other means promoted by Interpol, not just those that may lead to a reprehensible breakdown in international police co-operation.

II.1. Harmonisation rather than international uniformity

It would not be feasible to ask all the States throughout the world to apply rules that have been decided and implemented, with certain discrepancies to boot, by fifteen European States in the light of their own specific history and structure. This would amount to demanding a single identity of foreign law.

The condition demanded by the Member States of the European Union with respect to third countries seems difficult to accept, except for certain Eastern European countries that are currently seeking to meet the conditions of preliminary admission to the European Union.

Compliance with certain data protection rules, or a certain form of commitment to comply with such rules, should not be seen by the other countries as a "eurocentric" luxury that may impede any co-operation with countries that do not even have computer databases to store their police information.
The assessment of the adequate level of data protection should include, among other criteria, a weight factor of cultural difference. There is a considerable worldwide gap between, on the one hand, the ideas of European countries in the area of data protection, and on the other, the understanding of this issue by the other countries and their own specific priorities. The idea of data protection is not deeply rooted in the culture of such countries as it is in Europe. Most of these countries are experiencing major economic difficulties and are striving to overcome the lack of administrative resources. Some of them are confronted with problems of illiteracy and famine. For these countries, data protection is by no means a priority and it may even appear as a luxury that only countries with few problems can afford. The current situation is thus likely to continue, and both Europol and Interpol cannot but accept it and draw any appropriate conclusions for their own ways of working.

Whilst it can be said that Interpol should make allowances for European positions with respect to third countries, and should therefore find a practical solution to ensure the exchange of data between Europe and the rest of the world, it is also necessary to weigh up the respective interests in order to achieve a balance. The solutions should be universal, forward-looking and flexible, in order to persuade countries to implement the basic principles in the area of data protection. Third countries in relation to the European Union can efficiently adhere to the policy of data protection in several different ways. It would be legally and politically wrong to suggest otherwise, at the expense of the efficiency of international police co-operation.

The harmonising of the law on the protection of personal data for police purposes cannot stem from negative conditions of reciprocity, but from international codification.
In this respect, Interpol's principles in the area of data protection, as given in the Organisation's Rules of Procedure, reflect the potential reconciliation between the requirements of international co-operation in law enforcement and the requirements of data protection, as laid down by the UN guidelines in 1980, the Council of Europe Convention in 1981, Recommendation R 87 (15) of the Council of Europe in 1987 and the EC Directive of 1995. Interpol's Rules of Procedure do not however create any international law obligations. This can be explained by the fact that whilst the internal regulations laid down by the ICPO-Interpol are binding on all its bodies, and especially on its General Secretariat, they are not binding on any member countries that send or receive information exchanged via the National Central Bureaus (NCBs) which will only comply with their own domestic legislation. However, some of them have not enacted any laws that provide an equivalent level of data protection to that of the European legal system, even though they comply with Interpol procedures for information exchange, to be able to benefit from its assistance.

The ideal solution would thus be to introduce an international convention, laying down the rights and obligations of countries in the area of police co-operation and the protection of personal data, that each country would be invited to ratify under the aegis of Interpol. However, the drafting of such a convention, on which Interpol is working, takes time. What can still be achieved in the meantime?

To overcome the negative reciprocity situation and enable international police co-operation to play its role to the full, the ICPO-Interpol is continuing to propose solutions that seek to reconcile the rules of data protection, as laid down within its organisation and in Europe, and the requirements of international police co-operation.

Interpol has thus entered into several regional modernisation agreements with African, Arab, and Latin American countries, in order to provide them with data-processing equipment designed to speed up the exchange of information, provided the use of such equipment complies with the principles of data protection laid down in the Organisation's Rules of Procedure.

In this way, the ICPO-Interpol is attempting to promote its principles in the area of data protection, which have been derived from the ten policy guidelines of the UN and do not differ from European principles, by seeking to extend the compliance with Interpol rules beyond its internal legal system. It is necessary however to be pragmatic in meeting the declared aims of police co-operation, and this is possible with the notion of an "adequate" level, as opposed to "equivalent" level, of data protection. It provides the guarantee that the data will be used and forwarded by Interpol in compliance with the principles laid down in the Member State of the European Union, and more specifically by Interpol or the Europol Convention.

II.2. The role of the Supervisory Board for the control of Interpol's archives in the harmonisation of an adequate level of data protection for European and third countries.

Interpol's main mechanism in this area is based on the guarantees offered by the Supervisory Board for the internal control of Interpol's archives, whose duties are well explained in its activity reports, distributed to participants at this Conference and also to be found on the Internet. These guarantees should encourage a new assessment of the adequate level of data protection required of Interpol's member countries, because the control of data exchanged via Interpol between Europe and the rest of the world is one of its universal attributions.

n    The universal nature of the standards of control for Interpol's archives

One of the most important questions with respect to Interpol's role is to know what rules are applied by Interpol to ensure that its own action complies with human rights and the protection of data exchanged for the purposes of international police co-operation, at the same time as supervising the effective application of these standards.

In this respect, the control of INTERPOL's archives, supplied by the General Secretariat on the request of the member countries, is entrusted to an independent supervisory board for the control of archives. Its attributions are laid down by the Headquarters Agreement between Interpol and France, by the Rules on International Police Co-operation and on the Internal Control of Interpol's Archives, as well as by the Rules on the deletion of police information held by the General Secretariat of Interpol.

By virtue of these texts, from 1982 onwards, the Organisation ensured the incorporation into its internal legal order of principles that are equivalent to European provisions in such matters, and that follow the ten "guidelines to personal data files kept by governmental international organisations" adopted by the UN in 1980. Interpol's compliance with these principles is set out in an appendix to this document. Interpol is thus the first International Organisation to have provided for an internal data protection system. The report (E/CN.4/1999/88) recently presented by the UN Commission on Human Rights, on the observance of these guidelines for the regulation of computerised personal data files, shows that Interpol is one of the few organisations to have introduced data protection rules that adhere to each of the said principles, as set out in the appended document.

Interpol can thus easily boast data protection rules that are extensive and already well-established, and from which a solid body of case-law has been built up over the ten years of experience of its Supervisory Board, whose duties are universal and pertain to the verification of the validity and accuracy of any information from a European or non-European country, with reference to Interpol's Constitution.

n    Verifying the protection of human rights

Interpol's Supervisory Board is thus competent to verify the proper application of article 1.2 of Interpol's Rules on international police co-operation, whose aim is "to protect police information processed and communicated within the ICPO-Interpol international police co-operation system against any misuse, especially in order to avoid any threat to individual rights".

This mission therefore goes much further than the simple role of Ombudsman between individuals. It enables the Supervisory Board to act as a body for "preventing any violation of the rights of individuals", especially in the light of article 2 of Interpol's Constitution which provides for the Organisation's main missions, adding that any police action on an international scale should remain "within the limits of the laws existing in the different countries and in the spirit of the Universal Declaration of Human Rights".

In this spirit, the Supervisory Board has on several occasions called for the deletion of certain files on individuals who were wanted in some countries but enjoyed political refugee status in others. It has persuaded countries to up-date their information by informing them of other facts confirmed by other countries, or has made these countries aware of the importance of observing the data retention periods. Finally, it has sought to direct applicants towards the judicial review of policing measures taken in their country of origin or residence, as it has no such judicial role itself.

It would therefore be untrue to say that any information from third countries in relation to the European Union is not subjected to international control within the system of police co-operation set up by Interpol. The exchange of information via Interpol does not suffer from apathy.

n    Verifying the legitimate purpose of information exchanges

The reference to the Universal Declaration of Human Rights in Interpol's Constitution has considerable effects for the Organisation's internal legal order, insofar as Interpol is only authorised to use the information it keeps for purposes that are laid down in its Constitution or the regulations by which it is governed. In this respect, article 22 of Interpol's Rules on Police Co-operation stipulates that the Supervisory Board for Interpol's archives shall verify that "any information contained in the General Secretariat's archives is recorded and processed for specific purposes".

By virtue of the above-mentioned standards, the Supervisory Board takes the place of all supervisory authorities on an international level, to verify that any information deposited by the States has been communicated to other States for specific purposes, and especially: to coordinate investigations concerning transborder organised crime, fraudulent activities, trafficking in arms, drugs, women and children, stolen works of art and cars, and international money laundering, with the aim of preventing and curbing the international crime that is rampant in the modern world and violates human rights. This guarantee should reassure European countries to the extent that they change their position concerning the conditions of their data communication to other countries, because the control by the Supervisory Board forms part of "the specific circumstances surrounding the legitimate transfer" of European data to the rest of the world and vice versa.

Instead of having doubts about the objectives of such co-operation, the control provided by the Supervisory Board should therefore be trusted in that it verifies the legitimate purpose of the information exchange. Furthermore, whilst it can be said that compliance with data protection rules is an essential factor in upholding the fundamental rights of individuals in general and protecting their privacy in particular, the aim of police co-operation is also to suppress any violations of fundamental rights and individual privacy, now constituting criminal offences in many countries. To achieve their goal, police forces need to exchange and process information on the working methods of a pedophile, or on the suspicions concerning a person accused of war crimes and raping women in KOSOVO or elsewhere, subject to the condition that such confidential information cannot in any way be diverted from its purpose of preventing and combating criminal offences.

n    The existence of a right of access to Interpol's archives, equivalent to those of Schengen and Europol.

One basic principle can be derived from this whole debate: any International Organisation has a duty to submit itself to the supervision of an independent body and any State has a duty to organise the supervision of the legitimate use of its data files according to the fundamental principles of its legal and judicial system.

The joint supervisory authority set up under article 115 of the Schengen agreement and the joint supervisory body provided for by article 24 of the Europol Convention, thus both have control over databases under their respective jurisdictions, on the basis of different procedures to those adopted by Interpol. The initiative taken by Interpol was subsequently followed by Europol and Schengen but subject to one difference: applicants from the member countries of Interpol will have all their applications handled in the same way, whilst those from European countries who apply to the joint supervisory bodies of Europol or Schengen will have their cases examined in accordance with the relevant domestic law of the State where the right is claimed, and with any provisions governing the database in question.

It is moreover untrue to say that the difference between the Interpol system and those of Schengen or Europol lies in the level at which the right of access can be exercised, supposedly directly in the latter cases but only indirectly in the case of Interpol. Due to the differences in legislation between the member countries of the European Union or the Council of Europe, and the tangle of convention provisions and references to respective domestic laws, the system of protection provided by the Schengen Agreement or the Europol Convention is very complex. This system is based on the recognition of several rights, whose protection should be guaranteed above all by national supervisory bodies as well as by a joint supervisory body, set up by the respective conventions.

The extent of the disclosure of information to applicants under the three systems, Schengen, Europol and Interpol, depends on the decision of the States that own the information. These States decide on the desirability of disclosing the information to the applicants and assess whether it could be harmful to the public order of a Member State or undermine the co-operation between two or more States. Applicants are thus allowed a right of indirect access which can be changed to a right of direct access to data through a procedure that is specific to each system.

Under the Interpol system, access to archives thus becomes direct in three cases:

·       the entity from which the information held by the General Secretariat originates, agrees on the disclosure to applicants of the absence or existence of an item of information concerning them in Interpol's archives;
·       the applicant is already aware of the information kept in the Organisation's archives, through an administrative or judicial source;
·       the information has come into the public domain.

However, where domestic law authorises the communication of data to the applicant, Europol can only refuse such access insofar as such refusal is necessary:

·       to enable Europol to fulfil its duties properly;
·       to protect security and public order in the Member State, or to prevent crime;
·       to protect the rights and freedoms of third parties.

This prerogative attributed to Europol, for the specific refusal of disclosure, is not even open to Interpol since one of the pillars of Interpol's regulations is based on the fact that as it is only the custodian of the police information that it receives from member countries, Interpol is required to handle such information in accordance with the demands of those countries.

So behind the diversity of the structures and procedures, there is nevertheless a similarity of principles and an equivalence of standards which, in the case of Interpol, would seem to pave the way for the universal regulation of the right of access to police archives. Indeed, the right of access to Interpol's police archives allows individuals who could not benefit from access to the police archives of their own countries, even indirectly, to exercise such a right on an international level. In this respect, the Supervisory Board for the internal control of Interpol's archives constitutes an unprecedented legal innovation.


Conclusion

The system set up by Interpol thus deserves not only to be encouraged by the commissioners for data protection, but also to be integrated into the texts of the future convention that Interpol should propose to the international community, for better reconciliation between the requirements of police co-operation and those of personal data protection. The Supervisory Board for Interpol's archives may thus become the monitoring and implementing body for the new convention, whose advantage would be to bind States by international law commitments, to harmonise national legislations and to avoid the mushrooming of subjective criteria for assessing the adequate level of data protection in a given country according to local and political circumstances, rather than objective criteria in relation to the country's compliance with international conventions for the protection of human rights against criminal offences, which forms the backbone of Interpol's activity.


[1] Convention 108 of the Council of Europe, 28 January 1981, for the protection of individuals with regard to automatic processing of personal data.
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, with regard to the processing of personal data and on the free movement of such data.