SCHENGEN DATA PROTECTION AUTHORITY: NO PHONE NUMBER, NO SECRETARIAT, NO POWERS
The first activity report of the Schengen countries’common data protection authority, the Joint Control Authority (JCA) confirms what many have feared: the control authorities have no powers to sanction violations of data protection rules, its independence is constantly put into question, its efforts to carry out its task are often obstructed by various Schengen bodies, its budget is low, its staff small. As the various European and international structures of police and security cooperation and information exchange are steadily growing and linked up with each other, the prospects of effective data protection seem ever bleaker.
"We are a little body, with two representatives from each country, we have no secretariat, we do not even have a phone number. According to the text of the convention [Schengen Implementing Agreement: SIA] we do not either have anything to threaten with when we discover that somebody is breaching the agreements". This is how Georg Apenes, the head of Norway’s data protection authority, describes the working conditions of the JCA.
Mr Apenes’s comment on the Schengen countries’ police data bases is no more enthusiastic: "My impression is that, in our eagerness to catch the big sharks, we are getting ourselves equipment reminiscent of a drag net for shrimp fishing".
The Norwegian data protection commissioner’s views seem to be widely shared by his colleagues in the other Schengen countries. Despite its diplomatic wording, the first activity report of the JCA mirrors considerable irritation.
A constant struggle for independence and a sufficient budget of its own
The JCA describes its activity report as "an unfinished report on a step by step negotiation with the Member States aimed at establishing in practice the independence and authority of [the JCA] which watches over the respect of the rights of persons whose data are being exchanged". According to the report, since the application of the SIA in 7 member states in March 1995, the JCA concentrated its "main effort" on obtaining guarantees with respect to its independence, as well as on encouraging cooperation between national data protection bodies in order to enable the exercise of the right to obtain information, and on supervising the central support unit (C-SIS) of the Schengen Information System (SIS) in Strasbourg.
Already in October 1995, the JCA demanded that it be assigned a budget of its own to enable it to carry out its tasks in total independence. After a month of waiting the JCA was given a negative answer by the Schengen Central Group (this powerful body of high officials can be described as the Schengen correspondent to the EU "third pillar" K.4 Committee). In April 1996, the JCA presented a draft budget amounting to 4,250,000 Belgian francs. Among others the budget plan included such modest items as setting up a secretariat and a register of the JCA’s files, hiring meeting premises, and employing a translation service. Another important item concerned sufficient financial means for calling in external experts for carrying out control tasks. Only after lengthy examination by various Schengen bodies was the draft budget finally approved "in principle" by the Schengen Executive Committee (Committee of Ministers), but its amount was drastically reduced to 2,839,950 Belgian francs. Among others things, the travel expenses of the data protection commissioners to their annual meeting in Strasbourg were cancelled. No wonder then, that "due to a number of, above all, financial problems", the JCA’s first activity report covers two years instead of one as initially planned.
Documents denied, control of C-SIS interrupted by French security guards
The JCA has time and again met with a remarkable lack of cooperation from the various Schengen bodies and national authorities. It seems that some Schengen bodies show little esteem for the JCA’s control activities. Among other things, since 1995, the JCA repeatedly and insistently requested a number of documents which are essential for the understanding and application of the SIA and the operation of the SIS. According to the report it often met with considerable difficulties in trying to obtain some of these documents in time. "In spite of its complaints" the JCA is still waiting for some of them, "particularly those of the Steering group and the Permanent Working Party".
The JCA’s lack of authority was particularly highlighted through an incident in October 1996. An investigation group of computer experts mandated by the JCA visited the premises of the C-SIS in Strasbourg in order to carry out a comprehensive monitoring operation in accordance with the tasks of the JCA. The check operation was broken off after only three days, when French security officials ordered the expert group to leave the premises. The French authorities justified this manu militari expulsion by claiming that only the members of the JCA and not external experts mandated by the JCA were entitled to carry out such checks. The immediate consequence was that the JCA investigators had "too little time to check a large number of documents and data", in particular since they were not allowed to make copies of the files in question for later examination outside the C-SIS centre. Thus, a thorough check of the C-SIS never took place.
The French action drew a sharp reaction from the JCA which resulted in a number of meetings between the JCA and the Central Group, at which the JCA also discussed "other problems encountered in its efforts to carry out its tasks in a satisfactory way". Since the JCA, according to the SIA, has no authority to force any changes of practice, it will be interesting to see whether the Schengen Central Group and the Executive Committee take into account any of the JCA’s complaints
Mention is made in the report of observations by various national data protection authorities. The French data protection commission pointed to difficulties encountered in seeking to carry out effective checks in the N-SIS (national unit of the SIS) on whether data originating from other member states have actually been entered for purposes in accordance with the prevailing rules or not. German data protection commissioners complained that there were problems regarding the application of Article 103 of the SIA. This Article states that a record of every tenth communication of personal data must be kept in the system for a certain period in order to enable later checks by the data control authorities. The German data protection authorities also claimed that, in flagrant violation of Article 102 SIA, personal data from the SIS that should have been deleted after the conclusion of a search were transferred to various national registers for other purposes.
All these observations give rise to serious concern. They indicate that some of the most instrumental provisions of the SIA aimed at enabling data control and protection are actually not effective in practice.
The limits of data protection
The report also addresses some more general and long-term problems facing effective data protection. Thus it notes that the SIA contains satisfactory rules as regards the rights of persons, data security, and the control of the computer system. However, "successive delays regarding the application of the rules have almost resulted in the system, which was steadily upgraded for the sake of efficiency, prevailing upon the application of the principles. This situation was particularly alarming because other European cooperation projects were already developing, in which the requirement of efficiency was asserted in the first line". One may guess that these sentences refer above all to the setting up of the SIS/SIRENE structure (see FECL No.49, p.4) and Europol’s various data bases.
The JCA reminds us of the fact that "complementary agreements to the SIA" [such as, e.g. cooperation via the SIRENE-structure] will gradually widen the areas of cooperation between the member states. It warns that as soon as information exchange in these new fields does not entail reports in the SIS, the relatively comprehensive and strict data protection rules of the SIA will no longer apply. Instead the national law of the member states involved in an information exchange will apply. This will make it more difficult for persons to claim their rights. Moreover, it results in a greater complexity of the mechanisms for the control of the correct application of relevant rules and comprises a risk of lack of approximation and diverging interpretation of rules between the member states. The report notes that the JCA is not in a position to reduce this risk since its task is mainly limited to supervising the SIS. Outside the SIS it can act only upon request of the member states.
While a guideline has led at least to a certain level of approximation of national data protection legislation, "governments have not agreed to anything similar with respect to intergovernmental police and justice cooperation".
A "legal labyrinth"
The complexity and variety of the rapidly growing network of international structures of police cooperation is a matter of concern for the JCA. Different international instruments that are, formally and legally speaking, not linked to each other, such as Schengen and Europol, each contain their own data protection rules elaborated case by case. "The only choice left to citizens wishing to claim their legal rights is to explore a legal labyrinth", the JCA concludes.
Results of checks and investigations by the JCA
Considering that the JCA, in the first two years of existence, had to concentrate much of its resources on more or less successfully removing the various technical and political obstacles hindering it from carrying out its tasks, it is not astonishing that the report is not very comprehensive as far as the evaluation by the JCA of the current functioning of the SIS and the correct application of the treaties is concerned. Nonetheless the report reveals a number of legal and technical deficiencies.
Data stocks in different national units not identical
The most stunning discovery made by the JCA is that the data stocks in the various N-SIS are not identical. Thus differences in the French and Luxembourg N-SIS were discovered in April 1996, but had still not been repaired by March 1996, when the JCA report was published. In the words of the JCA this situation amounts to a "systematic violation" of Article 92.2 SIA which stipulates that the data stored in each N-SIS shall be identical. The JCA is of the opinion that the proceedings for matching the data stocks of the various N-SIS are far too slow and that matching operations are carried out too seldom. As a matter of fact, the data contents of the various N-SIS are, for the time being, matched against each other only every six months and the matching operation takes several months.
The JCA is of the opinion that too many people have so-called "super user" access to the SIS, enabling them not only to obtain access to any data base of the system (operation system, data bank and net) but also to change their content in such a way that the operation cannot be traced. The trace-functions, designed to enable checks of operations after the fact and to identify the "super-user" concerned are "not being used in a proper manner", the JCA notes. All this is quite remarkable considering the fact that the JCA, the body officially charged with controlling the correct functioning and use of the C-SIS, has hitherto not even been granted "user" access, i.e. direct access to the system without the possibility of altering its contents.
The SIA authorises the copying of data for technical purposes. According to the Norwegian data protection commissioner, Mr Apenes, this has led to a proposal by Schengen bodies to send CD-ROM discs with copies of personal data drawn from the SIS to the member states’ foreign representation in order to improve the handling of visa applications. The JCA is currently carrying out a study to assess the possible effects of such duplication of SIS data on data protection and security. Among other things the practice raises questions about the proper up-dating of duplicated information and the safety of sending CD-ROMs to services outside the common Schengen territory.
SIRENE-network outside JCA scrutiny
As its predecessor, the Provisional Authority in charge of data control before the entry into force of the SIA in 7 member states in March 1995, the JCA censures the lack of a particular legal basis in the SIA for the SIRENE-bureaux. The report does not comment on the secret SIRENE manual. This might surprise at first view, but could be explained by the fact that information exchange between the member states through the SIRENE-network is not based on provisions in the SIA but on each member state’s national legislation. Consequently, the item is outside the remit of the JCA. The SIRENE-structure must indeed be considered a particularly impenetrable part of the "legal labyrinth" of police cooperation.
Recommendations
The JCA makes the following specific recommendations with respect to the SIS:
the problem of non-identical data in different N-SIS should be solved within a brief time period;
FECL 56 (December 1998): privileged ("super-user" account) access to the system should be reduced to a minimum;
FECL 56 (December 1998): systematic use should be made of the trace function;
FECL 56 (December 1998): the JCA should be granted access to the system ("user" account) enabling it to effectively carry out its control task.
More generally, the JCA demands to be given "regular and systematic information" on the development of the Schengen acquis, as well as policy objectives and technical changes. In order to ensure effective control of the system, the data protection authorities expect to receive monthly reports on the operation of the C-SIS in Strasbourg. Finally, the JCA insists that it be given swift access to all information and documents which it deems necessary for carrying out its task.
FECL 56 (December 1998):
The fact that such basic demands have not been met long ago speaks volumes about the lack of respect the Schengen ministers and their bureaucrats show for data protection, and the downright humiliating treatment the Schengen Group’s Joint Control Authority is subjected to. Indeed, the job and the status of today’s data protection commissioners are nothing to be envious of.