This article is co-authored by Pieter Cleppe and Leopold Traugott. It was originally posted on CapX, where the authors write in their personal capacity.

23 November 2015

The attacks in Paris have predictably resulted in a whole set of new proposals to deal with the enormous challenge to fight violent salafi terrorism. Apart from the question whether we should give up liberty for more security and still deserve both in case we do, there is the question whether it’s a good idea to centralise security provision and in particular hand it over to the European Union. Here’s why we should be wary to trust the EU with this.

The experience with the EU’s data retention directive should serve as a warning not to let the EU take care of our data

The EU already has a lot of powers in the area of justice and police matters, which we discussed with Open Europe in our 2009 research paper “How the EU is watching you”. One good example is the infamous “Data Retention Directive”, which requires telephone operators and internet service providers to store data regarding every phone call, text message, email and website that their users access and make it available to government authorities. This was passed in 2006 despite warnings by academics from the Dutch Erasmus University that ‘in virtually all cases’ the police could get all the traffic data they needed, based on average availability of telephony traffic data of 3 months.

The European Parliament, supposedly a check on the EU machine, happily approved the rules, which however ended up in trouble when facing proper democratic checks: national parliaments and national Constitutional Courts. Sweden’s Parliament postponed the implementation of the directive, leading to Sweden having to pay a fine of 3 million euro to the EU in 2013. Already in 2009, Romania’s Constitutional Court declared the EU directive “unconstitutional”, something which its German counterpart did in 2010, criticising the absence of safeguards for privacy. Only four years later, in 2014, did the EU’s own top court, the European Court of Justice (ECJ), come to a similar conclusion and annulled the legislation. The EU Commission has said it isn’t planning new EU data retention legislation.

The conclusion which should be drawn from the experience of the EU’s data retention directive should be obvious: there are insufficient checks and balances present at the EU level to trust it with policies governing an area so sensitively linked with the rule of law. Only the force of national democracy could reign in this dangerous piece of legislation.

Deciding to store data is one thing. Sharing them across Europe yet another

The perpetrator of the recent attempted terrorist attack on the Thalys – train between Amsterdam and Paris was known by the security services of Spain and France, but this intel hadn’t been passed on to their colleagues in the Netherlands. Also a number of the terrorists acting in the Paris attacks were known – and interrogated – by the Belgian authorities. So it would make sense for national security services to share more intel on suspected terrorists, countering their mentality to jealously guard their secrets.

During the last year however, the focus at the EU level has oddly been more on sharing info of innocent citizens. EU countries are currently trying to agree on a Passenger Name Records (PNR) database. The idea is that member states would not only collect and retain information on anyone flying into or out of the EU but would also share the data. Over 60 different kinds of data of travellers would be collected, including their travel routes, IP-addresses, hotel bookings and diet preferences. This despite the EU’s top court’s own ruling that data retention without any link to a certain risk or suspicion isn’t proportionate and that human rights campaigners have warned that creating lists of people with alleged similar characteristics “usually produces mismatches”, which may end up in wrongful arrests.

One of the supposed safeguards would be that “PNR data may only be used for the purpose of fighting serious crime and terrorist offences”. It’s likely that this safeguard won’t be respected in reality. The “European Arrest Warrant”, another EU scheme whereby countries decided to extradite their own nationals to other EU states via a very simple procedure, was also supposed to be limited to these kind of offences. In reality however, European Arrest Warrants have been issued also for minor crimes, as for example theft of a piglet.

Another EU initiative is the Prum Convention, an agreement which allows for the automatic exchange of DNA, fingerprints and vehicle registration data among EU member states. Already before the attacks in Paris, France has demanded to have fingerprints and facial scans of everyone entering or leaving the EU collected. The EU’s Prum scheme currently has an error rate of 67% in fingerprint matching, due to the fact that it only requires six fully matching elements, while the UK system requires 10, for example. This was one of the reasons why the UK opted out of it in 2014.

The UK Parliament will later this year vote on whether the UK signs back up to it. The UK Home Office has warned that British police risk being overwhelmed with DNA and fingerprint requests from other EU  countries, while there could be an increased risk of innocent Britons being accused of crimes since some EU countries use lower quality DNA matching criteria than the UK.

Many people would agree storing data can make sense, but only if there are proper democratic checks in place. It can be questioned if Parliaments from other countries will be as keen to monitor how their security services deal with data from non-nationals as they would be when dealing with data from nationals. Whether the European Parliament can be trusted to monitor EU data sharing, I’ll discuss next.

The European Parliament isn’t an effective check on any future EU security apparatus

The European Parliament has been complicating handing over data to the US, voting down the “SWIFT” deal on banking data transfers to the US, while applauding a recent ECJ ruling against handing over consumer data to the US through the “Safe Harbour” deal. Still, the impression remains that for some of them this may have been more inspired by anti-American instincts than a genuine concern for privacy, given that the same assembly’s Civil Liberties and Justice Committee approved a draft for PNR only in July, while also having rubber stamped the data retention directive, as discussed.

Instead of standing up for civil liberties, some of the nominally “liberal” MEPs seem to be keen to create a police apparatus at the EU level, with Swedish MEPs Cecilia Wikström and Jasenko Selimovic now calling for a “European FBI”. That’s coming from the “liberal” ALDE faction, which supposedly cares about civil liberties.

Already now there is a whole range of EU intelligence services, which face little democratic supervision, something which has been criticised by former independent Austrian MEP Martin Ehrenhauser, without much result however. Whereas Europol and Frontex are subject to some parliamentary oversight, the Intelligence Analysis Centre (IntCen), the Satellite Centre (SatCen), the Intelligence Directorate (IntDir) and the Situation Room are not. They are part of the European External Action Service (the EU’s Foreign Ministry), and do not even disclose their budget.

When the European Parliament’s Budget Committee had the chance to force them to disclose their budgets, the Committee declined to do so, according to Ehrenhauser, who added that the creation of IntCen’s predecessor, “SitCen”, even violated EU Treaty Law.  Instead of at least scrutinizing the finances of these embryonic secret services, MEPs prefer to call for giving them more powers instead, something the EU Commission now also wants, demanding to create “a European CIA”. This despite the fact that IntCen has been criticized for the quality of its reports, as Member State officials are quoted saying “they receive the same level of information and analysis but faster through magazines (e.g. Time, the Economist, Newsweek) or open source news providers.”

To those having watched the European Parliament more closely, this all won’t come as a surprise. As opposed to more critical member states such as the UK, the Netherlands and Sweden, the institution happily approves the EU’s spending of 144 billion euro every year, despite the stringent criticism of the EU’s own accounting body, the EU Court of Auditors. Is this an institution which could be trusted to stand up against a security apparatus? Asking the question is providing the answer.

Assuming all EU member states have the same level of justice protection can lead to serious miscarriages of justice, as witnessed by the experience of the European Arrest Warrant

The “European Arrest Warrant”, pushed through right after 9-11 by the Belgian EU presidency, basically forces states to extradite their own citizens if asked to do so. The problem is that it falsely assumes that all member states of the European Union offer the same standards of legal protection and equally fair trials – a thought so naïve it can only be taken serious in Brussels.

The reality unfortunately looks different: when a British citizen was extradited to Portugal for a crime allegedly committed, his trial over there was described by British judges as “an embarrassment and a violation of his right to a fair trial.” NGOs have expressed concern about the EAW being used to punish petty crimes instead of fighting terrorism or cross-border crime. Particularly Poland has drawn criticism for its excessive use of European Arrest Warrants, having issued thousands more Warrants than any other country.

Making the whole thing even more bizarre, one can be extradited in another EU member state for something which doesn’t even constitute a crime in one’s home state, something Austrian cartoonist Gerhard Haderer  had to learn the hard way. In 2005, he was convicted to a six month sentence in Greece, after depicting Christ as a binge-drinking friend of Jimi Hendrix, surfing naked while high on cannabis. The artist didn’t even know that his book, The Life of Jesus, had been published in Greece until he received a summons to appear in court in Athens. In the end, only an appeal to the Greek Supreme Court saved him from ending up in a Greek jail without having committed a crime. Taking into account the increasing number of “hate speech” laws introduced in various European countries, and the unclear legal status of online commentary, it doesn’t take too much fantasy to imagine some of the dangers.

Another case saw British student Andrew Symeou being extradited to Greece in July 2009 to face charges in connection with the death of a young man at a nightclub on a Greek island, after Symeou had already returned home to the UK. Andrew was extradited despite evidence that the charges were based on statements extracted by Greek police through the violent intimidation of witnesses, who later retracted their statements. He spent over ten months in terrible conditions in a Greek prison, was released on bail but then remained unable to leave Greece. He was finally cleared only months later, four years after the facts. Given that the Greek legal document requesting extradition was flawless, there was no way UK courts could have denied his extradition, apart from perhaps refusing to implement EU rules, something a number of EU countries initially tried.

The human consequences resulting from a misplaced trust of EU member states in each other’s justice systems should carry a warning not to repeat this mistake. Cooperation on justice and police matters isn’t a bad idea in itself, but ultimate control over this sensitive policy area should always firmly remain with national democracies.