Information Sharing and Data Protection in the Area of Freedom, Security and Justice . Franziska Boehm Information Sharing and Data Protection in the Area of Freedom, Security and Justice Towards Harmonised Data Protection Principles for Information Exchange at EU-level Dr.FranziskaBoehm UniversityofLuxembourg InterdisciplinaryCentreforSecurity,ReliabilityandTrust(SnT) 6,rueRichardCoudenhoveKalergi 1359Luxembourg Luxembourg [email protected] [email protected] PrintedwiththesupportoftheFNRLuxembourg ISBN978-3-642-22391-4 e-ISBN978-3-642-22392-1 DOI10.1007/978-3-642-22392-1 SpringerHeidelbergDordrechtLondonNewYork LibraryofCongressControlNumber:2011941399 #Springer-VerlagBerlinHeidelberg2012 Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,reuseofillustrations,recitation,broadcasting, reproductiononmicrofilmorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9, 1965,initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violations areliabletoprosecutionundertheGermanCopyrightLaw. Theuseofgeneraldescriptivenames,registerednames,trademarks,etc.inthispublicationdoesnotimply, evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevantprotective lawsandregulationsandthereforefreeforgeneraluse. Printedonacid-freepaper SpringerispartofSpringerScience+BusinessMedia(www.springer.com) Acknowledgements Thisthesisistheresultofmyworkasaresearchassistantfrom2007to2011under the guidance of Professor Herwig Hofmann at the University of Luxembourg. ItwasdefendedinApril2011. First and foremost, I wish to express my gratitude to my supervisor, Professor HerwigHofmann.Hissupportandguidanceduringtheyearsofmyresearchhave madeitpossibleformetowriteandfinishthisthesis.Myprofoundthanksgotohim forhisconfidenceinmywork.Itwasalsoanextraordinaryprivilegetohavebeen guidedbyProfessorSpirosSimitiswhonotonlytookpartinmyjury,butwhowas alwaysavailablefordiscussionsoverthelastfewyearswhenIneededhisadvice. He and his publications have been a constant inspiration and an important guide during the research. I would like to express my deepest appreciation and I pro- foundlythankhimforhisencouragementandhisindispensableadvice.Iwouldalso liketothankMarkCole,AssociateProfessorattheUniversityofLuxembourg,for hisinvaluablecommentsandhiscontinualacademicsupportoverthelastyears.He alwayshadthetimetodiscussandwasopentomyideas.Thethesiswouldlookfar lesscompletewithouthiscontributions. TheideafortheresearchdatesbacktomyyearsattheUniversityofGießenwhere Iwrotemymasterthesisonadataprotectionrelatedtopicunderthesupervisionof Professor Thilo Marauhn, who continuously supported my scientific interest and whomIthankforhissupportalsointheframeworkofmythesis.HielkeHijmans fromtheEuropeanDataProtectionSupervisorandProfessorStefanBraum,atthe University of Luxembourg, took part in my Jury and gave tips and advice along theway.IamlikewiseindebtedtoGarthHallandLawrenceSirywhoimprovedthe legibilityofthemanuscript.Theirannotationshavebeenalwaysveryhelpful. VerywarmthanksgotomycolleaguesattheUniversityofLuxembourg.Ihave madegoodfriendsinthisfacultyandIamdeeplygratefulforthemomentsIhave sharedwithyou,beitforachatorascientificdiscussion.Itisdifficulttomention names, some are Dr. Florence Giorgi, Sandra Schmitz, Lawrence Siry, Miroslava Borissova, Jenny Metzdorf, Dr. Roger Tafoti, Mariana Ignatescu and Dr. Isabelle v vi Acknowledgements Ruedabuttherearemanymore,andIwouldliketothankallofthemfortheirhelp, time and encouragement, especially during the final stage of the PhD. Of course, friends from outside the University, especially from Berlin and Gießen deserve a special mention as well. Without their moral, emotional and social support, this thesis would never have been written. Ida Danke, Julia Horla¨nder, Johanna Schmidt, Maike Gappa, Christin Noak, Lars Hoffmann, and Ole Westphal are onlyafewBerlinfriendsofsomanyothers.ThorstenDreimann,MarkusBerliner, InesHeylmann,Dr.KaiPurnhagenandTilKappenaswellasJuliaHeieis,Andrea Kristekova,Jan Lizak,Jo¨rgPiper,Anja Pavlenko,MartinFaix andSoniaKienitz, allofwhomImetinGießen,supportedmeineveryimaginableway.Ialsowould like to thank my family, especially my parents, Evelyne and Clemens, and my sisters,AnninaandNina,fortheirconstantandunconditionalsupport.Ioweallof youmorethanjustthementioninginthethesis. Mostofall,IamparticularlythankfultoDr.TobiasLochen,whostoodalways bymethroughthelastyearsandwastherewhenIneededhissupport.Hespentso manyhoursreadingthemanuscriptandencouragingmeindifficultmoments.Iam morethangratefulforhiscompanionshipandhisbeliefinme. Finally,withouttheindestructiblebeliefinmyabilitiesshowntomebymydear grandparents,GertrudandGeorgLibor,Iwouldhaveneverhadthestrengthtostart (andtofinish)thePhDproject.Theirconstantsupportandencouragementhasled metothisresult.Thisbookisthereforededicatedtothem. Luxembourg FranziskaBoehm Contents Introduction .................................................................. 1 I.BriefBackgroundonDataProtectioninEULaw ....................... 3 II.WhatistheAreaofFreedom,SecurityandJustice? .................... 6 III.ResearchTopic:InformationSharingintheAFSJ andDataProtectionRights .............................................. 8 IV.Terminology ............................................................ 12 V.LimitationsoftheResearch ............................................ 15 VI.Sources ................................................................. 16 VII.OutlineoftheResearch ................................................ 16 A DataProtectionStandardintheAFSJ ................................. 19 I. BriefHistoricalReviewandReasonsforDataProtection ......... 19 II. CouncilofEurope:Art.8ECHR,ConventionNo.108 andRecommendationR(87)15 .................................... 22 1. DataProtectionGuaranteesofArticle8ECHR .................. 25 2. DataProtectionElementsandRestrictionswith RegardtoArticles5,6,10and13ECHR ........................ 84 3. ConventionNo.108fortheProtectionofIndividuals withRegardtoAutomaticProcessingofPersonalData ......... 92 4. RecommendationNo.R(87)15Regulating theUseofPersonalDatainthePoliceSector ................... 96 5. Conclusion:TowardsBasicECHRPrinciples forSecurity-RelatedDataProcessing .......................... 103 III. EuropeanUnionStandards ......................................... 106 1. MainDataProtectionInstrumentsintheAFSJ andTheirScope ................................................. 107 2. EUDataProtectionPrinciplesintheAFSJ .................... 127 3. Conclusion:DataProtectionRulesintheAFSJ areStillaPatchwork ............................................ 171 vii viii Contents B AFSJActorsintheLightoftheEuropeanData ProtectionStandard ..................................................... 175 I BriefBackgroundInformation ...................................... 176 II EuropeanAgenciesandOLAF ..................................... 177 1. Europol ........................................................... 177 2. Eurojust .......................................................... 214 3. OLAF ............................................................ 226 4. Frontex ........................................................... 246 5. JointSituationCentreoftheCouncil ............................ 253 6. EuropeanJudicialNetwork ...................................... 254 7. Conclusion:FragmentedDataProtectionFramework VersusIncreasingPowersoftheAFSJAgencies andOLAF ........................................................ 256 III DataProcessinginEuropeanInformationExchangeSystems ..... 259 1. TheSchengenInformationSystem .............................. 260 2. TheVisaInformationSystem ................................... 280 3. TheCustomsInformationSystem ............................... 292 4. Eurodac .......................................................... 304 5. ProposalforanAgencyManagingLargeITSystems (SISII,VISandEurodac)fromaDataProtection PointofView .................................................... 314 6. Conclusion:StagnatingDataProtectionFramework inContrasttoIncreasingFunctionalitiesofthe EUInformationSystems ......................................... 318 C CooperationandDataExchangeoftheAFSJActors andTheirCompliancewiththeEuropeanData ProtectionStandard ..................................................... 321 I Inter-AgencyDataExchangeandOLAF ........................... 322 1. Europol-Eurojust ................................................ 322 2. Europol-OLAF .................................................. 330 3. Europol-Frontex ................................................ 333 4. Eurojust-OLAF ................................................. 338 5. Eurojust-Frontex ................................................ 342 6. Conclusion:UnsatisfactoryDataProtection FrameworkinAFSJInter-AgencyInformation-Sharing ....... 342 II DataExchangeBetweenAFSJAgenciesand Europe’sInformationSystems:SIS,CIS,VISandEurodac ....... 344 1. Europol-SISIIAccess .......................................... 344 2. Europol-VISAccess ............................................ 348 3. Europol-CISAccess ............................................ 357 4. Europol-EurodacAccess ........................................ 360 5. Eurojust-SISIIAccess .......................................... 366 Contents ix 6. Eurojust-CISAccess ............................................ 368 7. Conclusion:UnbalancedInterests–LawEnforcement AccessandRespectofDataProtectionPrinciples ............. 368 D PerspectivesandSuggestionsforImprovement ....................... 371 I. KeyFindings ....................................................... 372 II. LawfulnessoftheExpandingAFSJFunctionalities ............... 379 III. LimitsofPreemptiveStoringandLawEnforcement AccesstoDatabasesofaNonLawEnforcementNature .......... 381 1. Pre-EmptiveStoringinViewoftheCase-Law ................ 382 2. NoCoherentSolutionbytheEuropeanCourtofJustice forLawEnforcementAccess ................................... 389 IV. ReformingtheSupervisoryStructureandCreatingaGeneral NotificationDuty ................................................... 393 1. TheNeedforaCentralSupervisoryAuthority ................ 394 2. UpgradingtheRightsoftheSupervisoryBody toGuaranteeEffectiveProtection .............................. 396 3. TowardsaGeneralNotificationDuty .......................... 398 V. AligningtheDataProcessingFrameworkintheAFSJ: ImprovementSuggestions .......................................... 398 1. ProceduralRequirementsandLegalBasis ..................... 400 2. CatalogueofStoredData ....................................... 400 3. AvoidingUnclearTermsandHarmonisingKeyTerms ....... 401 4. FramingtheAccessConditions ................................ 401 5. ImprovingtheProtectionofVictims,Witnesses andPersonsWhoseDataarePre-EmptivelyEntered inSecurityRelatedDatabases .................................. 402 6. IndividualRights ................................................ 404 7. Notification ..................................................... 405 8. ControlofDataRecordingandBindingSecurityRules ....... 406 9. ImprovingtheProtectionandtheTransparency ofInformationOriginatingfromPrivateParties orThirdStates .................................................. 407 10. CommonRulesontheRelationstoThirdParties .............. 407 11. ManagingtheTime-Limits ..................................... 408 12. DualControl:IntroducinganInternalDPO .................... 409 13. ImprovingtheDecisionMakingandIntroducing SunsetandReviewProvisions .................................. 409 VI. TowardsHarmonisedDataProtectionPrinciplesforIntra-AFSJ InformationExchange ............................................. 410 1. RestrictingthePurposeofTransfer ............................ 411 2. DefiningUnclearLegalTerms ................................. 411 3. DesignatingtheAccessingActorsandAuthorities ............ 413 4. HarmonisingtheAccessProcedure ............................ 413