In the unseen realm: transnational intelligence sharing in the European Union - challenges to fundamental rights and democratic legitimacy.

• Author: Ballaschk, Julia

INTRODUCTION I. THE RIGHT TO PRIVACY AND DATA PROTECTION IN THE EUROPEAN UNION A. Multi-layered Protection of Human Rights B. Privacy and Data Protection in the International Layer--The Council of Europe Instruments. C. Privacy and Data Protection in the Supranational Layer II. THE EUROPEAN UNION AS AN ACTOR ON THE GLOBAL INTELLIGENCE STAGE III. TWO INTELLIGENCE NETWORKS: EUROPOL AND THE SCHENGEN INFORMATION SYSTEM (SIS) A. Europol 1. Mandate 2. Europol as an Intelligence Network B. The Schengen Information System C. Data Protection within E.U. Intelligence Networks 1. Europol and Data Protection 2. Data Protection and the Right to Privacy in the SIS IV. INTELLIGENCE NETWORKS CONNECTED: THE CHALLENGES OF INTEROPERABILITY CONCLUSION INTRODUCTION

In a "new world order" (1) of global information, global travel, and global threats, the creation and expansion of transnational intelligence networks have become necessary and constitute significant changes within the world of intelligence. (2) In addition to the increased quantity of networks, the nature of networks has also changed: formerly improbable partners are sought; (3) bilateral and multilateral cooperation are both expanding; (4) and police and intelligence services are increasingly interconnected, eroding the former lines between domestic and foreign. (5) These developments are exemplified and clearly visible in the European Union. However, while most transnational intelligence networks operate in secret and are negotiated without legislative involvement, (6) intelligence networks in the European Union are set up and operate relatively openly and thus make a good case study for the analysis of transnational intelligence networks and their implications for fundamental rights.

The development of these networks in the European Union has gained momentum since the early 2000s and especially since the 9/11 terror attacks. The collection, processing, and exchange of data and intelligence play key roles in an all-embracing E.U. security strategy that is focused on the anticipation of risks "in a frightening fog of ... threats." (7) At the same time, formerly "neutral" policy areas, such as immigration or travel, are framed as part of security policy so that border control becomes border security. (8) The general aim has become identifying the "unknown suspect." (9) While these developments were criticized early on by academics and data protection watchdogs for their implications on privacy, they received generally little attention by the European public. Since 2013, however, concerns for privacy and data protection have been more in the spotlight than ever: In June 2013, the revelations of mass surveillance of individuals in the European Union and the United States created a broad awareness of issues that relate to data protection. Moreover, the annulment of the Data Retention Directive (10) by the European Court of Justice in April 2014 may have set the tone for a new spirit of data protection in the European Union. The groundbreaking judgment illustrates the fragility of any measures that fail to protect the right to data protection and privacy. (11) In December 2014, the transition period of the Treaty of Lisbon ended--the CJEU will thus have jurisdiction over all matters of police and juridical cooperation. Furthermore, the low turnout for the elections for the European Parliament in May 2014 and the success of E.U.-skeptic candidates illustrate that the Union has a serious legitimacy problem. It has thus become a political necessity to bridge the gap between the Union and its citizens and to overcome the apparent deficit of trust. One step is certainly to assure E.U. citizens that their constitutionally guaranteed rights are respected when intelligence is shared to ensure their security.

It has been claimed that Europe is the "[o]ne place to look for a constructive response to the liberal flaw of transnational networks." (12) However, this picture has to be spoiled as privacy and data protection are put under tremendous pressure through the network character of transnational intelligence sharing in the European Union. In order to illustrate this pressure, this paper presents and analyzes two important--if not the most important--intelligence networks in the European Union: the European Police Office (Europol) and the Schengen Information System (SIS II). (13)

Both networks store and exchange a vast amount of information (14) on, inter alia, individuals travelling to the European Union, applying for visas, suspects, convicted criminals, and victims. It will be shown that despite the European Union's multi-layered data protection regime, intelligence sharing in and between those networks falls through the legal gaps left by this regime. This creates a situation where E.U. citizens cannot always rely on the guarantee of their right to data protection and privacy. The network character of intelligence sharing in the European Union exacerbates this situation. Not only are network participants inside and outside the territory of the European Union connected, but networks of very different characters are interconnected as well. This makes it hard to follow the trace of information, creating opacity where, whether intentionally or unintentionally, data protection provisions become obsolete. (15)

This paper is structured into four parts: Part one will present the fundamental rights framework of privacy and data protection that forms the general standard the European Union--and thus its networks--has to live up to. Special emphasis is put on the distinction between the right to privacy and the right to data protection--and also on the unraveling of the different layers of fundamental rights protection. Part two will introduce the European Union as an intelligence actor and highlight the development of intelligence networks in the Union. Part three highlights the set-up, the legal framework, and the structure of Europol and SIS II; discusses their data protection frameworks; and highlights problem areas inherent in the systems. Part four is devoted to a discussion of how the network character and thus the connections of the different network participants inside and outside the European Union challenge European data protection principles.

1. THE RIGHT TO PRIVACY AND DATA PROTECTION IN THE EUROPEAN UNION

   The most fundamental rights at issue in intelligence gathering are the right to privacy and the right to data protection. Before introducing the fundamental rights protection framework in the European Union, it should be noted that there is a difference between these two rights. While privacy and data protection might seem synonymous at first glance, they are "twins but not identical." (16) They serve many of the same objectives as the violation of privacy, such as unauthorized surveillance and personal data processing. They can also cause individuals to feel monitored and subsequently change their behavior. This can, for instance, have detrimental effects on the freedom of expression and the freedom of speech. However, privacy is generally viewed as a broader concept than data protection and should be treated separately from it. (17) The protection of personal data can be seen as an evolution of the right to private life arising from developments in technology, both in the public and the private sector. This evolution made it apparent that there needed to be further protections for individuals from third parties and particularly from the State. (18)

   It is important to understand the cultural and societal development of the right to data protection. Though often misperceived, the right to data protection does not merely refer to "ownership" over data and information (19) held about an individual person, (20) but rather to "informational privacy" (21) and the right to informational self-determination. (22) Legally, informational self-determination refers to the basic individual right to decide freely what information about oneself should be communicated to others and under what circumstances. (23) The right has its roots in the acknowledgement that we as individuals are the sum of all the information about us (24) and is thus rooted in an understanding that the development of one's own personality is not only an internal but also a communicative process. Part of our personality is thus created by the information we choose to communicate to others. This "selective presentation" (25) allows us to communicate different aspects of our personality to different audiences. The more precise another person's perception of us, the harder it is to counter this image with our own notion of personality. (26) This becomes evident with certain special characteristics such as religion, political opinions, or sexual preferences, as these often bring with them a set of stereotypes that stand in the way of actually looking at a person. (27) During National Socialism in Germany in the 1930s, for example, the State collected vast amounts of supposedly "objective" information about certain "groups" in society. By ascribing data and information to these persons, specific and artificial identities were created. Individuals were made "gypsies" or "Jews." Information about individuals was thus alienated from the individual; the individual lost the ability to create his or her identity. (28)

   The right to informational self-determination was first recognized as a constitutionally guaranteed right in 1983 by the German Constitutional Court in its famous Population Census Decision (Volkszahlungsurteil). (29) However, the German state of Hessen had already passed its first data protection legislation in the 1970s--this was the first data protection legislation in Europe. (30) In the Population Census Decision, the right to data protection and informational self-determination was derived from the constitutionally guaranteed rights to the free development of one's own personality (31) and...