Bachelor Politicologie UNIVERSITEIT VAN AMSTERDAM
The legitimization of information sharing
prac-tices between Europol and the EU: A liberty-
security dilemma
Miriam van der Vliet
Thesis Critical security studies: preemption 2014-2015 Tutor: Stephanie Simon
1 Introduction
The events of 11 September 2001 acted as catalyst towards the intensification of EU-USA cooperation in criminal matters. Both the EU and the US have re-sponded by adopting numerous measures aimed at countering the international terrorist threat. With regard to the EU, the European Police Office (Europol) is one of the agencies that plays a key role in the fight against terrorism, since countering terrorism is one of the tasks that is mentioned in the Europol conven-tion (Lavranos 2003: 259). Within three months after 9/11 an agreement on the exchange of strategic and technical information was signed between the USA and the EU that would enhance cooperation in order to prevent, detect, suppress and investigate international crimes. A year later a second agreement was signed on the exchange of personal data(Lavranos 2003:264). This thesis examines the most important tool in EU’s battle against terrorism: Information exchange. The aim is to gather a better understanding of how the securitization of data
legiti-mizes information sharing practices between the US and Europol.
Within the context of countering terrorism after the attacks of 9/11 this thesis contributes to the literature of securitization theory. One of the main points of securitization theory is that an existential threat is presented as legitimizing the use of exceptional measures to combat that threat (Peoples & Vaughan-Williams 2010: 79). This theory was originally defined by the ‘Copenhagen school’ who saw securitization as an discursive process whereby an actor attempts to con-vince an audience to accept the existence of an existential threat (Balzaq 2008:76).
Contemporary debates that revolve around the EU challenge this perspec-tive and some claim that social and political consequences occur without the ex-plicit consent of an audience (Balzacq 2008). This shift the discussion from dis-course towards the examination of policy tools. This is methodologically useful because it reveals how policy-makers transform intentions into concrete actions and it shows how the instruments they use are affected by sociological processes (Balzaq 2008:76). These tools carry underlying developments and produce effect that are often more consequential than their actual goal (Feenberg 1991: 5)
This debate is even further exacerbated by the tension that some scholars (De Goede 2008; Floyd 2012) highlight between liberty and security. “Liberal democratic governments have raised questions whether constitutional check and balances, international obligations and fundamental freedoms and rights need to be reconsidered or redefined according to the necessities of security”(Neal 2009: 335)). One the one hand it is argued that the EU is opposed to securitization practices and puts the rule of law first. However, on the other hand, if we look at the meaning of preemptive security in the war on terror and analyze some as-pects of European counter policy, it becomes clear that EU is not so reluctant in a number of security practices (De Goede 2008: 161). Preemptive security takes
2
place when actors conceptualize terrorism as an disastrous and incalculable threat that limits prevention of the threat and where these actors try to avoid damage before it actually happens (Idem: 162). The analysis of data in the EU is an example of such a controversial preemption measure.
The thesis draws upon this tension that Marieke de Goede (2008) highlights. The questions I aim to answer are: What exceptional measures were taken that
facili-tate information sharing between the US and Europol? And how is the European union being constituted to justify ‘information sharing’?
A deeper understanding of the underlying forces securitization is needed because it is not only useful to know if a policy domain is securitized but also how and in what way. The first question elaborates on one of the key measures that EU has taken in the fight against international terrorism: Information sharing agreements with the US and Europol. Information sharing is a seemingly non-violent way of immobilizing suspected terrorists. However questions have been raised about the lack of sufficient judicial and parliamentary control on those agreements on both EU- level and national level on those agreements. Moreover, the data that is being shared with the US falls under a broad category, which also includes highly sensitive data. It is questionable whether this data is being en-sured and handled with care. We may wonder how far our privacy is being breached and to what extent our data is protected by the EU. These are values that the EU is expected to uphold. There seems to be a contradiction between a data retention directive on the one hand that legitimizes the counterterrorism pol-icy of collecting telecommunications data. This is an example of data that is used by law enforcement agencies such as Europol. On the other hand the EU claims to ensure data protection by constituting a legal framework that is called the data protection directive.
I argue that data is being securitized by the counterterrorism efforts of the Euro-pean Union. This has resulted in an exceptional measure, namely information sharing practices between the US and Europol, that has had controversial impli-cations. Furthermore I argue that the EU justifies this exceptional measure with questionable implications by positioning herself as an institution that gives high priority to ensure data protection. However, there seems to be an inherent con-tradiction if we examine this in relation to her data retention directive. This data protection directive does not seem to apply for criminal and judicial data that is being used by Europol. While her data retention directive collects data with or without suspicion of a threat.
It also shows us how power in the EU is exercised by a political process through which decisions are made about security through procedures and formal and in-formal structures. Governing in the EU takes place through a reduction of the debate of data protection to a dominant frame that normalizes security initiatives.
3
In order to examine how the securitization of data legitimizes information sharing between the US and Europol, I will first start with a theoretical and con-ceptual overview. After that I will analyze how exceptional measures were im-plemented to facilitate information sharing practices. This part will concentrate on the information sharing practices between Europol and the US as policy tools for the securitization of data. Here Europol will be used as a case, since it is the main agency in the EU that facilitates the transfer of data to the US. Then I will describe how the EU justifies these exceptional measures by examining her legal framework in relation to her data protection directive and data retention di-rective.
Theoretical framework
The concept of securitization is said to be a fusion of an endless debate between the traditionalist who on the hand, who viewed the state as the main object of security and war was the main threat to it. On the other hand is the critical securi-ty approach who called for a more broadening and deepening perspective of what is perceived to be threat (Peoples & Vaughan-Williams 2010: 5).
Securitization theory has attracted a variety of scholars that have made great con-tributions in examining the new domains that have become securitized over the last few years (Balzacq 2008; Neal 2009; Waever 1993; De Goede 2012; Buzan 1998; Floyd 2011 ).
Before we can examine how information exchange is securitized within the European Union, an understanding of previous discussions and literature is essential. The theoretical and conceptual framework I built on emphasizes the most important aspects of securitization theory and why I have chosen for a poli-cy tools approach instead of a discourse analysis.
Securitization theory
Securitization is generally associated with a group of scholars who are common-ly referred to as the Copenhagen School. Ole weaver (1993) and Barry Buzan (1998) are usually considered as the key authors on this approach. The Copenha-gen school suggests that security should be analyzed as a speech act. Here the focus is not put on whether a threat is real or not and if it really endangers a cer-tain object. But the central claim is to understand it as a process of social con-struction and a mutual understanding of what is considered as a threat. Issues can thus become security issues by the way it is presented and accepted (Peoples & Vaughan-Williams 2010: 78). The Copenhagen school defines securitization as a speech act and its success rests on three criteria that are outlined by Weaver (2000: 252). “First, an existential threat is presented as legitimizing the use of extraordinary measures to combat that threat. Second, the actor, who is in posi-tion of authority, attempts to securitize an issue to convince an audience of the
4
existence of an existential threat. Third, it is easier to pose an issue as an existen-tial threat if already carries an historical association with hostile senti-ments”(Weaver 2000: 52). We can therefore see securitization as a process that “shifts an issue out of the realm of normal politics into the realm of urgency by presenting it as an existential threat” (Peoples & Vaughan-Williams 2010: 76) and when an issue is successfully presented as an existential threat it legitimizes the use of exceptional political measures. When this is the case, authorities often claim powers that they usually don’t have or even infringe on rights and liberties and sidestepping public debate and democratic procedures (Idem.).
According to Buzan et al. (1998:25) there is always a speaker and an audi-ence. Securitization is successful when the audience accepts the threat as credi-ble. This means that some actors and institutions are better in fulfilling these cri-teria and thus better at securitization than others, because they are believed to be more credible by the audience. The actor therefore needs enough institutional and political power for their statements to contribute to the shaping of political and social relations.
However, there are some authors that do not fully agree with this approach and have raised some critiques when it comes to the analysis of the security poli-cy in the EU. Neal (2009: 336) argues that securitization in the EU is not the same as in the national political level. In the latter statements are extensively re-ported by the media and discussed in public debates. However in the EU the se-curitizing discourse that they use is often “less clear for the audience when it comes to reception, debate, legitimization and adoption of policy proposals” (Neil 2009: 335). In the EU statements are often not so out in the open and little reported and debated, except for maybe a specialist audience. This doesn’t mean that these statements don’t play a key role in EU legislation and policy-making. However, securitization in the EU and the mutual understanding of it by its audi-ence is often much more ambiguous. A problem that ‘standard securitization theory’ faces is that key speakers often are difficult to identify in the complex institutional arena of the EU. Another reason is that the EU polity and audience is fragmented. We have to question ourselves if we can even speak of a single European identity. There are different understandings of threat, security and pol-icy measures that are needed, spread over different Member states of the EU (Neal 2009:336).
According to Neil (Idem: 338) we have to ask ourselves whether the EU in-stitutions have the capacity to mobilize existential measures when we deal with an intersubjective audience. And if they can legitimize policy that would other-wise have been rejected by the audience.
Tools approach
Theirry Balzacq (2008: 76) argues that securitization in the EU takes place without the explicit consent of an audience. Threats are here intensified without a
5
discursive speech act. He claims that there are sociological processes of securiti-zation that take place in EU that the standard view does take into account. He suggests we should “shift the focus from discourse to an study of securitization by means of policy tools or instruments that EU uses to alleviate public prob-lems that are defined as threats” (Idem: 76). He argues that policy tools gives us a better understanding of securitization. It allows us to get a clearer understand-ing of how policy makers transform intentions into actions and also how the in-strument is influenced by social processes. By putting the focus on tools he be-lieves it will reveal the transformations of securitization and how this has an ef-fect on EU policy making. These tools are often the result of intense power games and even act upon a sense of consensus even if this is not the case (Idem: 78).
He defines a tool or instrument of securitization as follow: it is “an identifia-ble social and technical ‘dispositif’ or device embodying a specific threat image through which public action is configured in order to address a security issue” (Idem: 79). However not all instruments of securitization are tools in this ap-proach. Some of them do not construct threat, but are built to control an already accepted threat. As opposed, a securitizing tool “is an instrument which, by its nature or by its functioning, transforms the entity (subject or object) it processes into a threat”(Idem: 80). Every tool has its own routine set of rules and proce-dures that structure the interactions between organizations and individuals. Lester Solomon (2002:19), a ‘new governance’ scholar, describes this by arguing that these tools “by their nature already define who is involved in the operation of the policy, what their roles are and how they relate to each other”. Policy tools also assume that there is a threat, what measures we should take to control it (Balzacq 2008: 80).
However we should also keep in mind that the selection of these tools are the result of also political and symbolic factors. According to Peters (2002: 552) “the reason they are chosen, how the operate and their effects also play an im-portant part”. But policy tools also possess certain qualities. Balzacq (2008:81) argues that by analyzing these elements, we can get a better image of the threat that public action wants to reflect by making use of them. He makes use of ele-ments where he draws upon Salamon (2002) first, “the type of good or activity”. Second, “the delivery vehicle of this good or activity”. Third, ‘the delivery sys-tem’. This could be “a set of organizations that are engaged in providing the good, service or activity”. And last, a set of rules. This could be “formal or in-formal and these rules define the relationship among the actors that the delivery system consists of” (Idem: 20
By examining the elements that instruments consist of, we can get a deeper un-derstanding of policy preferences and the direction in which public action is go-ing. Not every tool is as effective as the other. The function of an instrument has a lot of influence on how securitization takes place and the nature of a tool (Bal-zacq 2008: 81-82).
6
In sum, securitizing practices take place through the employment of poli-cy tools by securitizing actors that want to tackle a threat. By taking a closer look on the instruments we can obtain a better understanding on how these securitiz-ing actors use regulatory instruments such as regulations or constitutions that au-thorize and prohibit certain practices and capacity instruments such information exchange to tackle a threat. Counter-terrorism policy has often stressed the im-portance of data collection and this has resulted for example in changing them to existing operational models of information sharing (Balzacq 2008:78).
In examining the transformation of securitization of information exchange at the EU level this thesis concentrates not on discourse but on the practices and policy tools that were deployed inside Europol. While the variety of capacity in-struments such as databases that have been created and deployed by Europol and haven’t been unmentioned (Balzacq 2008), there is little literature on how regu-latory instruments have been used to legitimize exceptional measures. Therefore I will only examine the type of good, which in this case is the information that is exchanged between Europol and the US. The regulations that have defined the informational sharing agreement between Europol and the US. Lastly, the
deliv-ery system, in which I will examine the changes in the institutional framework of
Europol. In the first section I draw upon the supplemental agreement between Europol and the US that was signed in 2001. In the second section of this thesis I will elaborate in short on a delivery vehicle that Europol makes use of, namely the data retention directive. I will come back on this notion.
Criteria for moral securitization
As I said above, while Europol has attracted some attention from scholars, not so much work has focused on the meaning of the international agreements and even less have examined the morality of the use of these exceptional measures. We have discussed how ‘standard securitization theory’ that was outlined by Barry Buzan (1998) puts emphasis on how threats are socially constructed, rather than on if these threats objectively exist. Rita Floyd (2011:428) has developed three criteria to evaluate the moral rightness of these securitization practices. First, “securitization can only be justified as the right thing to do when it refers to an objective existential threat” (Idem: 430). We can examine this according to Floyd (Idem: 431) by examining whether the aggressor really intends to destroy a given referent object and also if the aggressor really has the means or capacity to do so. The second requirement is, that “the referent object of security morally legitimate”(Idem: 431). It is only legitimate if it is encouraging human well-being. This is the best ensured in a liberal democracy, where human rights and the freedom to promote or achieve objective value are ensured(Idem: 432) and last, the appropriateness of response. Floyd (Idem: 432-433) names the justifica-tion of established rules and regulajustifica-tions in an effort to protect referents object’s survival, as a distinguishing feature of securitization. However, the degree of an
7
response must be measured to the likelihood of a threat. The response must truly aim at addressing a threat.
Normative power
Thus in my thesis, I first examine information sharing as an exceptional practice measure and the moral implications of the exceptional practices it conveys . This raises the question if the EU is being constituted in a certain way to justify and legitimize these practices which I will examine in my second section. Here I consider the contradiction concerning the exchange of data within the EU and the implications of this tension. On the one side the EU is “inherently critical of security practices”(De Goede 2008: 162) by taking on data protection policy. On the other side the EU seems to be a “world leader rather than reluctant follower” (Idem: 161) in securitizing information exchange by applying legal frameworks that encourage data retention.
Marieke de Goede (2012: 214) has made some great contributions to the securitization debate in the EU. She stresses that critical attention towards the EU’s security programs remains urgent by arguing that the Swift affair has led the EU to position itself as a global normative power that promotes values of privacy and data protection. However this normative positioning also contributes to acceptance and legitimacy of controversial security programs. De Goede (Idem: 225) argues that the respect for privacy and data protection legitimizes security practices by proposing procedures and frameworks in which these prac-tices take place. By combining these pracprac-tices with the insistence on respecting privacy and data protection and applying the rule of law, the EU at the same time solidifies security practices. Thus these practices “transform it from a secret or temporary initiative into a permanent security system governed by the rule of law”(Idem: 226). In the second part of this thesis I will examine if there is such a tension in the EU when it comes to ‘securitization of data’. Here I will examine the data protection directive that was adopted in 1995 (Directive 95/46/EC) and the contradictions it conveys in relation to the data retention directive that was adopted in 2006 (Directive 06/24/EC)
Analysis
Introduction analysis
Securitization processes frame a certain issue as an existential threat and there-fore legitimizes the use of exceptional measures (Peoples & Vaughan-Williams 2010: 76). As I said before, securitization doesn’t always take place through spe-cific discourses, but also take place through the use of certain tools. EU counter-terrorism policy has had important impacts, on our fundamental rights and priva-cy, by securitizing data through exceptional information sharing practices with the US.
8
We may ask ourselves how the EU justifies information sharing since they convey practices that are out of the ordinary and indeed controversial. Here I draw upon a tension that is constituted within the legal framework of two direc-tives that seem to contradict each other: the data protection directive and the data retention directive. Further examination shows that power in the EU is imple-mented in a political process through which decisions are made about security through procedures and formal and informal arrangements.
What exceptional measures were taken that facilitate information sharing between the US and Europol?
After 9/11, the EU experienced some changes concerning initiatives aimed at promoting information sharing among law enforcement, security, and border control to fight against transnational crime and terrorism (Balzacq 2008: 77). A good example to illustrate the changes of securitization, is the information transfer as a result of Europol- USA agreement. The growing cooperation has also led to a change of institutional design of Europol after 9/11. In this section I will describe the implementation of instruments and in what way extraordinary measures have been taken (the policy tools of securitization). Here I will look at what data is being transferred with the US; which regulations support this trans-fer and what institutional changes have occurred within Europol as an organiza-tion that facilitates this data transfer.
“Europol is a European law Enforcement organization that supports coopera-tion between member states in the EU when it comes to terrorism, drug traffick-ing and other serious forms of international organized crimes”(Kaunert 2010: 653). The Europol Convention was drawn up in 1995 in Brussel, but wasn’t fully ratified by all member states until 1999. The legal mandate gave Europol the tasks of “improving the effective cooperation among police authorities of the member states to prevent and combat serious crimes” and to “investigate crimi-nal areas such as drug trafficking and other forms of crime, such as terror-ism”(Kaunert 2010: 654). However, at that time the fight against terrorism was still debated among EU member states. It was only Spain that called for terror-ism to be included in the tasks of Europol, as a support for their fight against the ETA (Euzkadi Ta Askatusauna). Thus, by September 1994 it was agreed not to include terrorism in Europol convention. In 1999 Spain succeeded in including to fight against terrorism in the Europol Convention. However, the definition of terrorism still remained legally vague. It was not until 9/11 that terrorism politi-cally defined in the EU’s Framework Decision on combating terrorism (Kaunert 2010:654).
9
Agreement between the US and Europol after 9/11
Europol has a legal status and can therefore enter into binding agreements under international law with third states and other international organizations. It’s key function is to facilitate information sharing (Kaunert 2010: 659). Europol has signed two important agreements on information sharing in relatively short time span: a strategic and an operational agreement. The first agreement was signed in 2001 and concerns the exchange of technical and strategic information. The goal was to “enhance the cooperation between the EU member states –acting through Europol and the USA in preventing , detecting, suppressing and investigating international crimes” (Europol-US agreement 2001: 1). The second ‘operational’ agreement was approved by the Council and signed in 2002 after negotiations with USA on the exchange of personal data (lavranas 2003: 264).
According to Paul de Hert and Bart de Schutter (2008: 319) the first agreement was “reserved for countries with questionable human rights or data protection records” and therefore less useful from a policing perspective. How-ever, they question on what basis Europol distinguishes between states that fall under the first and states that fall under the second agreement. They claim that Europol has made exchanges of data with countries that do not provide an ‘ade-quate’ level of protection according to the standards that are set by the EU. By applying this double system Europol tries to solve problems of data protection (Idem: 320).
Lavranas (2003: 264) argues that the approval of the agreement was “marked by secrecy, little discussion and under time pressure”. He illustrates this by referring to critical voices that were raise by the UK and in Holland but were disregarded both by the Dutch and British government. These critical voices didn’t agree with the agreement between Europol and the USA. For instance, the Dutch government claimed that the agreement didn’t have any binding effect and therefore didn’t need approval from the parliament (Idem: 265). In the UK these voices expressed that there was not enough time for scrutiny and comments by experts organizations. It turned out to be already a done deal by the time the agreement text appeared in UK. The chairman of Europol’s Joint Supervisory Body (JSB) even stated that the agreements were marked by the urgency of 9/11 attacks. Moreover, he stressed the fact that USA does not have a central authority that takes care of the supervision of the use of personal data and the absence of adequate data protection regulations (Mitsilegas 2003: 517).
These voices were suppressed by referring to a prior consent, which means that Europol may only transfer information to third states with the mem-ber states consent. However, there seems to be a tension with this claim. “that consent may be withdrawn at any time if the data has not been communicated by a member state” (Lavranos 2003: 268) according to the Europol Convention. In other words, member states do not have fully control over the information that is exchanged between the Europol and the US. Moreover, article 7 of the
agree-10
ments states that information shall only be supplied to ‘competent’ US federal, state and local authorities (Europol-US agreement 2001). However, Lavranos (2003: 266) argues that this is an ambiguous concept. And it makes us question what is a ‘competent authority’ and what is not. He fears that is would mean that neither Europol or the EU has any control over which US authority may use the information that is being transferred and for what purpose.
Type of good: Personal information
In order to assess the implications on data protection of the second agreement, it is necessary to take a closer look at the articles that it contains. Ar-ticle 2 (Europol-US 2001) defines ‘personal data’ as “any information relating to identified or identifiable natural person”. This includes sensitive information such as “race, political opinions, religious or other beliefs, or concerning health and sexual life” (Europol- US agreement 2001: 6) but this may only be provided when such data is relevant for the purpose of “prevention, detection suppression, suppression and investigation of criminal offences”(Europol- US agreement: 5). This term is defined extremely broad according to Lavranos (2003: 267). He uses DNA profiles as an example. They are not mentioned in the agreement as a sen-sitive category and so they fall under the second article and thus are not protect-ed to be usprotect-ed only when relevant. This is controversial since DNA profiles carry information about a person’s characteristics such as race, color, sex etc. and are considered to be highly sensitive data (Idem: 268). According to Mitseligas (2003: 520) the agreement also enables the sharing of a wide variety of data that is not just restricted to data that is associated with ‘the war on terror’ but it can hold ‘any offence’.
Indeed, the exchange of data is limited through the use of purpose speci-fication. This means that different data must by processed related to the different circumstances and may only be provided when such data is relevant for the in-vestigation of criminal offences. However here we see how securitization takes place. Information based on facts has become equal to data that is gathered from personal opinions. This data varies in terms of accuracy, but is expected to target the same criminals. The terrorist threat is thus addressed “by handling data that in normal circumstances is cannot be linked” (Balzacq 2008: 95). Moreover, we can question if this information leads to an ‘objective threat’ or merely to a ‘per-ceived threat’ (Floyd 2011). The data that is collected is so wide ranged that a minor criminal offence or even his/her political believes could lead to the per-ception that the subject of investigation is a terrorist threat. In addition, we can question ourselves to what extent these indicators of personal information are not only discriminative but are also based on stereotypes (Bovenkerk 2011: 128). Does the selection of data that is being transferred than really relate to an ‘objec-tive threat’.
11
Delivery system: Europol’s institutional changes after 9/11
The legal structure of Europol is based on a number of international trea-ties which led to time consuming amendment procedures that required the ratifi-cation of all EU member states before they could be adopted. It also required an unanimity of votes for altering these treaties, which often delayed the decision making process, “since there was always at least one member state that objected to the amendment proposals” (Lavranos 2003: 261). In December 2006 the Eu-ropean Commission proposed to change the legal basis of Europol for a council decision which would replace the Europol Convention. This would mean that the EU would now decide whether or not information transfer can be allowed and not Europol anymore (De Hert & De Schutter 2008: 321). Thereby it would transform it from a treaty to an EU law instrument according to Lavranos (2003: 261). Changes to Council decision could be made without the ratifying proce-dures in all the member states, since measures based on Council decisions can already take place through a majority voting. Lavranos (2003: 261) argues that this would mean that member states could adjust faster to new developments to increase the tasks or the capacities of Europol. He stresses that this would “elim-inate any parliamentary involvement by national governments”(Idem: 261). De Hert & De Schutter (2008: 321) also argue that this sidesteps consultation of EU representatives of EU data protection representatives.
Floyd (2011: 432) argued that securitization often justifies the neglect of es-tablished rules and regulations to ensure survival. However, securitization may only be justified when the degree of response is genuinely aimed at addressing the threat. It seems here that the institutional changes to Europol have enormous implications for parliamentary involvement, one of the main values of a liberal democracy. Europol has the right to be a self-regulator in the name of ‘security’ at the expense fundamental liberal rights.
“Securitization is argued to lift issues above ‘normal’ politics, in order to legiti-mate issues that would otherwise be disputable”(Balzacq 2008: 93). In this sec-tion we have passed through some excepsec-tional measures that Europol has under-gone. These measures have had controversial implications. It has become clear that the agreement on data exchange between Europol and the US is vague and ambiguous. As a result, there is hardly any control over the flow of information that is transferred and how this data is processed in the US. In addition, the agreement was signed under a lot of time pressure and secrecy, which placed it above the accountability of normal politics and into ‘realm’ of urgency. This leads to serious doubts whether our data is actually ‘adequate’ protected. The term ’personal information’ is so broadly defined, that it appears to have no fil-ter. Besides that it is highly questionable that this information will lead to an ob-jective threat, it is also morally disputable since it categorizes everybody as
po-12
tential criminal suspect. In addition, the institutional changes that make it easier to adjust to new security challenges seem to prevail over parliamentary scrutiny.
How is the European union being constituted to justify ‘information shar-ing’?
In the first section I examined the exceptional measures that have been adopted by the EU that relate to information sharing with the US and the implications of these measures. In this section I draw upon Marieke de Goede (2011) to exam-ine how the EU justifies these exceptional measures. She argued (2011:223) that the EU on the hand “emphasizes privacy, data protection and the rule of law”. And on the other hand this normative power that the EU rests upon, legitimizes and normalizes dubious security programs such as the sharing of information. While Marieke de goede (2011) examines this by taking a closer look at the Eu-ropean technologies of counter-terrorism, I hope to elaborate on this by examin-ing the tensions in the legal framework of information sharexamin-ing activities –in turn, it’s data protection directive and its data retention directive. Furthermore I exam-ine the implications that these contradicting directives produce.
Data protection directive
In 1995 the first instrument for data protection was adopted at EU-level. The di-rective 95/46/EC (the 'Data Protection Didi-rective') stated that some rules with re-gard to the protection of individuals that relate to the processing of personal data and the free movement of that data of all EU members. Also here personal in-formation is defined as “any inin-formation related to an identifies or identifiable natural person” (EU directive 1995: 2A). Additionally, the directive laid down some guidelines that determine the legality when processing data and severely restricts the processing of special categories (e. g. personal data revealing racial ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning sex life or health. Moreover, the directive specifies the disclosure of the data subjects. In other words, data processors must inform the persons they collect data from (Idem: 11.1). But also inform the sub-ject about the third parties to whom the data might be released (Idem: 20.1). The directive also requires member states to provide the access and opportunity for data subjects to correct incomplete or inaccurate data (Idem: 12.2).
It seems as if through this protection directive the rights to privacy are ensured and at the same time companies and other organizations will be able to transfer personal data throughout the EU (De Hert & De Schutter 2008: 305). However according to article 3, it does not apply to processing of personal data in the case of justice and home affairs, nor do these regulations apply for activities and bod-ies outside the community law (De Hert & De Schutter 2008: 309). The policy
13
areas of the EU fall within three distinct pillars. The first pillar relates to com-munity law and second and third are intergovernmental (Balzacq 2008: 95). This means that the directive established a clearly defined regulatory framework for commercial activities but this does not necessarily applies for police and judicial cooperation in criminal matters that fall under the third pillar. De Hert and De Schutter (2008:310) argue that the EU lacks a standard-setting for protection leg-islation. And while Europol and other agreements all include detailed data pro-tection rules and processes in their own texts that have a lot of similarities with the data protection directive, they are still “adapted skillfully to their specific purposes” (idem.)
The directive states that all personal data that is transferred outside the Union must be ensured ‘adequate protection’. In other words, it only prevents the data to countries outside the union that are considered to provide ‘inadequate‘ protection. This brings us to another problem. There is no independent us data protection authority in the VS. The US is thus by definition considered ‘inade-quate’. However, preventing the exchange of business data to the US is widely considered unthinkable (De Hert and De Schutter 2008: 314).
As a result the European commission adopted the ‘safe harbor principles’ (Idem: 315) in July 2000. This is an example that shows how the EU proclaims to provide a safeguard that protects data sharing to the US, however also here these principals only apply to commercial data. The principals specify the condi-tions for the protection of data in the US concerning the transfer of data from the EU to the US. By agreeing to the safe harbor principals, US businesses such as Microsoft will be able to collect and transfer data between the US and EU mem-ber states (Idem.)
However we must take the legal consequences of this uncertainty into ac-count. Over the last several years US laws were created that allowed the Ameri-can authorities to have access to the data of non - AmeriAmeri-cans. This, in combina-tion with the emergence of cloud services for example have sharply increased privacy violations from the US. The analysis of several surveillance programs and US national security legislation that was provided to the committee of civil liberties, Justice and Home Affairs (LIBE), a standing committee in the Europe-an Parliament, indicates that surveillEurope-ance activities that are conducted by US au-thorities “continuously disregarded the fundamental rights of non-us citi-zens”(Bowden 2013:10). This affects all the data of persons that have been pro-cessed via “surveillance of communications but also cloud computing technolo-gies” (Idem: 7)
For instance, in 2001 the US passed a law that has significantly extended the power of law enforcement agencies in the US to gather domestic intelligence inside the US. This was called the USA PATRIOT ACT. Also the Foreign Intel-ligence Surveillance Amendment Act of 2008 (FAA) was specifically aimed at investigating data of NON- US citizens that live outside the US (Idem: 12). The latter defined “foreign intelligence information” as: information with respect to
14
foreign-based organization or foreign territory that relates to, and if concerning a United States Person is necessary to the conduct of foreign of the unites states. In other words, any data that may assist the US foreign policy may be retrieved “over ordinary lawful democratic practices” (Idem:19). These laws make it im-possible for cloud providers to follow the privacy principles on which the safe harbor agreements is founded. However cloud providers still advertise with Safe harbor certification with the claim that this legalizes transfers of EU data into US clouds.
Data retention directive
The Madrid and London bombings brought a significant change in the concep-tion of the threat posed by Al-Qaida and the appropriate measures to take in re-sponse to that threat (Maras 2009: 74). One of these measures was the data reten-tion directive (Directive 2006/24/EC). The retenreten-tion of traffic an locareten-tion data for law enforcement purpose is an issue that was debated for several years in the EU. It was finally adopted in March 2006. “It requires member states to oblige service providers to preserve telecommunications data such as mail, telephone and internet data for a period between six months and 2 years for access by law enforcement” (De Goede 2008: 171). The data retention directive list the main categories of data that may be retained in article 5 (Directive 2006). These cate-gories relate to data to trace and identify the source, destination, date, time, dura-tion, type of communicadura-tion, users communication equipment and the location of mobile equipment. According to De Goede (2008: 171) it is justified by the no-tion that electronic communicano-tions are a “particularly important and therefore a valuable tool in the prevention, investigation, detection and prosecution of crim-inal offences, in particular organized crime”. Furthermore, she argues that this data fits within “the precautionary security practice”(Idem.) where everybody is considered a suspect.
Prior to the bombings these measures were severely critiqued. In 2004 the Euro-pean parliament even stated that any form mass surveillance was unjustified and that only targeted measures were justifiable (Maras 2009: 77). Maras (Idem:79) argues that the data retention directive is a mass surveillance measure that pro-duces a tension between our security and our liberty. The directive provides agencies unchecked powers to conduct surveillance even when there is no basis for suspecting criminal activity (Idem: 78).
According to article 8.1(ECHR 1950) of the European convention on human rights “everyone has the right to respect for his private and family life, his home and his correspondence”. One of the main arguments of opponents is that the retention directive is not compatible with article 8 ECHR. The ECHR is binding for member states, but also for the EU (Kosta & Valcke 2006: 379). The data retention directive therefore makes use of the exception that is stated in
arti-15
cle 8.2 (ECHR 1950) that allows interference of public authorities if this is “in accordance with the rule of law and necessary in a democratic society in the in-terests of national security , public safety or the economic well-being of the country, for the prevention of disorder or crime for the protection of health or morals, or for the protection of the rights and freedoms of others” .
Maras (2009: 88) argues that “the retention of data on all EU citizens goes beyond the bounds of what is required to protect democratic institutions”, irre-spective from the fact that the retention of traffic data of those who are guilty of offences or responsible of violations of state security might be needed and in proportion to the threat of terrorism. She elaborates this by arguing that the data retention directive is so broad that it contradicts with the fundamental principle of the rule of law because it fails to provide citizens with sufficient transparency on the scope and the manner of the exercise of data retention. She draws on the jurisprudence of the Strasbourg court that protects individuals from gathering of his private information. Here the law states that the scope of data retention must be exposed to the individuals that are affected by this interference. This gives individuals the chance to accustom their behavior accordingly when they want to avoid “unwelcomed intrusions of the state” (Idem 2009: 81). Moreover, Maras (Idem) claims that it has become “increasingly difficult for individuals to avoid the use of these technologies. Individuals are subjecting themselves to surveil-lance by default”.
According to article 1.1 (Directive 2006) of the data retention directive “data is retained in order to ensure that the data is available for the purpose of the in-vestigation, detection and prosecution of serious crime as defined by each mem-ber state by its national law”. Also here the term ‘serious crime’ is undefined and left for definition by national legislation. This means that limit to the power of the data protection directive could easily stretched. The European Data protec-tion Working Party has therefore called for the implementaprotec-tion of legal safe-guards such as juridical authorization of data access on a case by case basis and on grounds of reasonable suspicion (De Goede 2008: 172).
In this section I examined how the EU justifies exceptional measures by on the hand acting as a guardian of the protection of data and on the other hand encour-aging data retention. Securitization arises when an issue is placed beyond public debate (Blazacq 2008: 93). The institutional form of securitization in the EU oc-curs within the legal framework of the EU. The data protection directive seems to be based on a clearly defined regulatory framework. However this legal framework only applies for matters within community law. Police and judicial data cooperation in criminal matters fall outside of this pillar and thus don’t fall within the data protection directive. The safe harbor principals that were adopted to legalize the transfer of commercial data to the US undermines this directive even further, since US legislation doesn’t provide the same protection even for commercial data. The Safe Harbor principles also show how the EU claims to
16
provide a data protection framework that position her as a normative power that takes data protection into account, but in reality leaves a lot of gaps open such as the contradictions with US legislation.
In the previous part of this thesis I examined how Europol transferred data to authorities in the US. This information is stored on central databases ac-quired through for instance the legal framework of the data retention directive. This retention directive obliges member states to preserve telecommunications data and is founded on precautionary security practices where everybody is con-sidered a suspect. The vague connotations easily stretch the limits that are posed by the protection directive. But it also conflicts with fundamental law principals and subjects individuals under surveillance by default.
Conclusion
The aim of this thesis was to examine how the securitization of data legitimizes
information sharing practices between the US and Europol. To answer this
ques-tion I first examined the excepques-tional measures that were taken to facilitate infor-mation sharing between the US and Europol and what the implications are. After 9/11 Europol signed an agreement to provide the US with data regarding international crimes. However, this agreement is vague in terms of defining which data is ensured to be shared with countries that are ‘adequate’ and which authorities ‘competent’ enough to ensure that the data is protected in their hands. These are definitions that need more detailed explanation and require more spec-ified conditions.
Moreover, the agreement was signed in a very short time span, which made it difficult for the national governments of member states to ask critical questions and alterations.
Furthermore, the agreement states, that in the case of prevention and in-vestigation of criminal offences ‘personal data’ is permitted to be shared with the US. However the articles concerning ‘personal data’ show that the definition is exceptionally broad defined, which allows Europol to endlessly stretch the term in relation to the data they define as appropriate enough within the confined def-inition, which doesn’t necessarily relate to an objective threat.
Changes within the Europol’s institutional framework, replacing the ratifying procedures by council decisions, eliminate any parliamentary involvement. It shows how even the intuitional body of Europol is adjusted to prevail the ‘ur-gency of security’ over democratic procedures and enquiry.
The second part of this thesis examined how the European Union is being
constituted to justify ‘information sharing’? in this section I draw upon Marieke
de Goede (2008) and examined the tension between the data protection frame-work on the one hand and a data retention directive on the other.
17
The data protection directive offers a legal framework that is to provide protec-tion to individuals that relate to the processing of data. This thesis showed how this directive only provides a regulatory framework for commercial activities and does not take the processing of data by law enforcement agencies when relating to criminal matters. The safe harbor principals are an example of how the EU tries to position herself as an normative power that takes data protection into ac-count debate by providing a safeguard for commercial activities that transfer data to American companies. But also here we see that there are loopholes inside the agreement that may have enormous implications for the protection of our data.
The data retention on the other hand provides a legal framework for member states to conduct securitizing practices relating to telecommunications data. There seems to be an inherent contradiction within the EU that emphasizes protection and the rule of law, but this contradicts with the data retention di-rective that gathers data based on a foundation that everybody is a possible sus-pect. This is controversial since this data could be transferred by law enforce-ment agencies such as Europol to the US where there is hardly any grounds that ensure protection as this thesis showed.
In sum the answer to the question, of how the securitization of data legit-imizes information sharing practices between Europol and the US, is that the EU offers a contradicting framework thereby successfully transformed the infor-mation sharing agreement between Europol and the US into permanent security system by lifting it above normal politics and parliamentary involvement. This contradicting framework of data retention on the one side and data protection on the other justified these securitizing practices because the decisions were made about security through procedures and formal and informal structures. Thereby, legitimation takes place through a reduction of the debate of data protection to dominant frame that normalizes security initiatives
18 Literature
Balzacq, T. (2008) The Policy Tools of Securitization: Information Exchange, EU foreign and Interior Policies* JCMS 2008 46(1): 75-100
Bovenkerk, F. (2011). Een gevoel van dreiging: criminologische opstellen. Au-gustus.
Bowden, C. (2013). The US surveillance programmes and their impact on EU citizens’ fundamental rights. European Parliament’s Committee on Civil
Liber-ties, Justice and Home Affairs (LIBE Committee), PE, 474.
Directive, E. U. (1995). 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the
EC, 23(6).
Directive, D. R. (2006). Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. Official Journal L, 105(13), 04.
Feenberg, A. (1991) Critical theory of technology.Oxford: Oxford university Press
Floyd, R. (2011). Can securitization theory be used in normative analysis? To-wards a just securitization theory. Security Dialogue, 42(4-5), 427-439.
Goede, M. de (2008) The politics of Preemption and the War on Terror in Eu-rope. European Journal of International Relations 2008 (14): 161-185
De Goede, M. (2012). The SWIFT Affair and the Global Politics of European Security*. JCMS: Journal of Common Market Studies, 50(2), 214-230.
De Hert, P., & De Schutter, B. (2008). International transfers of data in the field of JHA: The lessons of Europol, PNR and swift. Justice, liberty and security:
new challenges for EU external relations.
Kaunert, C. (2010). Europol and EU counterterrorism: international security ac-torness in the external dimension. Studies in conflict & terrorism, 33(7), 652-671.
19
Kosta, E., & Valcke, P. (2006). Retaining the data retention directive. Computer
Law & Security Review, 22(5), 370-380.
Lavranos, N. (2003). Europol and the Fight against Terrorism. European
For-eign Affairs Review 8(2): 259-275.
Lavranos, N. (2003). Europol and the Fight against Terrorism. European
For-eign Affairs Review, 8(2), 259-275.
Maras, M. H. (2009). From targeted to mass surveillance: is the EU Data Reten-tion Directive a necessary measure or an unjustified threat to privacy?. New
Di-rections in Surveillance and Privacy, 74.
Mitsilegas, V. (2003). The new EU–USA cooperation on extradition, mutual le-gal assistance and the exchange of police data. European Foreign Affairs
Re-view, 8(4), 515-536.
Neal, A. W. (2009). Securitization and risk at the EU border: the origins of FRONTEX*. JCMS: Journal of Common Market Studies, 47(2), 333-356.
Peters, B. G. (2002). The politics of tool choice. The tools of government: A
guide to the new governance, 552-564.
Peoples, C., & Vaughan-Williams, N. (2010). Critical security studies. An
Intro-duction Abingdon: Routledge.
Salamon, L. M. (Ed.). (2002). The tools of government: A guide to the new
gov-ernance. Oxford University Press.
Supplemental Agreement between the Europol police office and the united states of America and the exchange on the exchange of personal data and related in-formation (2001) Council Doc. 15231/02
Wæver, O. (2000). The EU as a security actor: reflections from a pessimistic constructivist on post-sovereign security orders. International relations theory
