In our experience the EU faces a growing number of challenges to be solved. The EU is a supranational organization which is based on the cooperation of the Member States. Member States have individual (and different) interests, while the European community has collective (and quite colourful) interests. All issues in the EU and in the Member States are political. It is difficult, almost impossible to solve the problems in a common, single way. Therefore the common trust must be enhanced.[1] How can the EU become more effective? What measures should they take and what support should Member States be given? We try to answer these questions in connection with the Prüm Treaty.
The main problem is to find the right balance between ensuring safety and protecting the human rights of citizens. Law enforcement agencies claim more rights for a more effective cooperation. However, on the other side human rights must be secured. Personal data may only be processed if it is absolutely necessary for the purpose of the protection of constitutional or fundamental rights and if data processing is proportional to the intended purpose. [Council Framework Decision 2008/977/JHA Art. 3 (1)-(2)] However, we think it is important to analyse not only the number of personal data, but also the content behind them, the people involved and the time of data processing.
In our opinion, not only the differentiation between personal and sensitive data is necessary, but also the differentiation of biometric data, because they need special care.[2] Biometric data have not yet been defined by law; nevertheless their processing and storage differ from those of other personal data. This study examines the exchange of DNA profiles and dactyloscopic data - as biometric data - in the EU.
We have analysed several of the documents of international and European police cooperation and we reached the conclusion that data processing for the purpose of crime prevention and data processing for the purpose of law enforcement are likewise not differentiated. During our research we have only found the Prüm Decision[3] which distinguishes data processing for law enforcement and for crime prevention purposes. The Decision defines the applicable circle of data depending on the aim of data processing.
One can say that the Prüm Decision is one of the biggest achievements of criminal cooperation in the EU. However, it does not work (efficiently). We will attempt to answer what the reasons are and what its future may be.
Our research is based not only on EU or national laws and an analysis of the professional literature; we also interviewed several national experts who use the Prüm-system in their professional practice. Firstly, our study shows the progress of the Prüm-system. After evaluating its operation, we describe our national, that is, Hungarian, experience, and then we define its pros and cons. Finally, we draw up certain practices which should be followed in the future.
The conclusions of the Tampere European Council of October 1999 asserted the need to enhance the exchange of data between EU countries in the field of criminal cooperation. This target was confirmed by the Hague Programme of November 2004, as well. The Hague Programme declared the "principle of availability" which means that "throughout the Union, a law enforcement officer in one Member State who needs information in order to perform his duties can obtain this from another Member State and that the law enforcement agency in the other Member State which holds this information will make it available for the stated purpose, taking into account the requirement of ongoing investigations in that State". [I. 2. title]
The Prüm Treaty of 27 May 2005 on the stepping up of cross-border cooperation, particularly on cross-border crime and illegal migration, signed by Germany, Spain, France, Austria and the Benelux countries, lays down the procedures for more efficient data exchange in the framework of crime prevention and criminal investigations.
The provisions of the Prüm Treaty were incorporated into the EU law by the Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (Prüm Decision).
The Prüm Decision regulates a special kind of cooperation, because it sets out provisions with regard to the direct access to DNA profiles[4], dactyloscopic data and certain vehicle registration data in order to enhance cross-border cooperation between Member States' police and judicial authorities to combat cross-border crime more effectively. The aim of the Decision is to identify certain people and according to this procedure the EU countries' authorities could obtain the necessary information, including sensitive data, too.
The Prüm Decision sets out the rules of data protection.[5] The aim of data processing is defined: the aim of the processing of fingerprints and vehicle registration data is crime prevention and law enforcement. In the case of DNA profiles exclusively law enforcement is mentioned as a purpose. [Council Decision 2008/615/JHA Art. 2 (1), Art. 8, Art. 12 (1)] Thus the Prüm Decision is the only legal source which differentiates between the purpose of law enforcement and the purpose of crime prevention.
Member States have direct access to the national vehicle registration data, which reforms the criminal cooperation and by which the "principle of availability" declared in the Hague Programme comes into effect. This could be an important milestone in the criminal cooperation in the EU.
The Prüm Decision sets out provisions for the Member States to create DNA database. The difficulty with this question is that national regulations are very different.
The Prüm Decision, beside the tools of effective criminal cooperation also defines the requirements of data protection such as the requirement of certain purposes, the rights of the people concerned, etc. [Council Decision 2008/615/JHA Art. 34-40][6]
The European Agenda on Security states that the Prüm Decision is a "key to detecting crime and building an effective case", also mentioning that the EU supported Member States in their implementation by financial and technical means. However, many of them failed to fulfil their obligations. [COM(2016) 230 final] Therefore the system based on Prüm Decision does not work in several Member States, and it also undermines the essence of this measure. Criminals use these loopholes, therefore they can easily circumvent the Prüm-system. Therefore the EU will treat the Prüm Decision as a priority.[7]
However, the EU strengthens its cooperation not only with its Member States, but with other countries as well. In this spirit, the EU signed an agreement with Iceland and Norway in order to foster their criminal cooperation.[8] Recently negotiations were conducted with Switzerland and Liechtenstein, too.[9]
Member States must establish national DNA analysis files for the purpose of investigating criminal offences. DNA profiles "are a letter or number code that represents a set of identification characteristics of the non-coding part of an analysed human DNA sample".[10] It is an important factor that no DNA profile should be sent to the other Member State, but only reference data. Reference data should be made available to other EU countries' authorities. This reference data consists of the non-coding part of the DNA (that is, chromosome regions that are not expressed genetically) and of a reference number that does not let an individual be identified. Thus, automated search is an online access procedure to the databases of the EU countries. These searches are carried out via national contact points by comparing DNA profiles, but only in a hit/no-hit manner. In the hit/no-hit procedure the parties grant each other limited access to the reference data in their national DNA and fingerprint databases and the right to use these data to conduct automated checks of fingerprints and DNA profiles. Thus we can ascertain that the personal data related to the reference data is not available to the requesting party. [Council Decision 2008/615/JHA Art. 3, 9]
"If the search provides a match, the national contact point carrying out the search receives the reference data in an automated manner. If no profile is found for a particular individual who is under investigation or against whom criminal proceedings have been brought, the requested EU country may be obliged to establish a DNA profile for that individual."[11]
Furthermore, Member States must also make available their reference data related to fingerprints. EU countries must also establish a database called automated fingerprint identification systems (AFIS). Dactyloscopic data means "fingerprint images, images of fingerprint latents, palm prints, palm print latents and templates of such images that are stored and dealt with in an automated database". Similarly to DNA searches, national contact points carry out the search by comparing dactyloscopic data on a hit/no-hit basis.
Supply of further personal data relating to the reference data is carried out according to the mutual legal assistance (MLA) regulated in the requested EU country.
As we have mentioned earlier, unlike the supply of DNA and fingerprints, Member States have direct access to the national vehicle registration data via automated online searches.[12]
Since the end of the 5 year transitional period of the Lisbon Treaty (according to Protocol 36 of the TFEU) in December 2014, the Commission now has the power to ensure that Member States fulfill their legal obligations in the area of police cooperation as well. The Commission will therefore treat this area as a priority in using its powers to ensure the correct implementation of EU law.
Hungary implemented the rules of the Prüm Decision by the Act XLVII of 2009 on the system of the criminal records (hereinafter: Act on criminal records), which came into effect on 30th June 2009 and which regulates the database of dactyloscopic data and DNA profiles, too. [Act on criminal records § 35] The Act on criminal records does not determine the intended legal fate of personal data processed according to the former act[13]. One can say that these data are exlex. The two acts regulate the data processing in different ways. The question arises then: could the database regulated by the former act be imported to the register system of the Act on criminal records? The legal basis for that is missing because the legislator did not regulate it in the interim regulations of the Act. This is why the Hungarian Institute for Forensic Sciences handles about 75.000 DNA profiles without applying the new Act on criminal records, and thus the Institute shares only the DNA profiles registered after the coming into effect of the act. According to Act CXXX of 2010 on legislation, if rights and commitments arise from a new legal norm, the legal norm shall contain interim regulations in order to apply them in an existing legal relation. [Act CXXX of 2010 § 15(1) a)]
The Act on criminal records sets out important data protection rules. The database of dactyloscopic data and DNA profiles does not comprise identification data. They are stored by the Central Office for Administrative and Electronic Public Services (KEK KH). [Decision 276/2006. (XII. 23.) Government § 7] The database contains only
a) the name of the criminal offence,
b) the time and the place of perpetration,
c) the name of the investigation and prosecution authority,
d) the reference number of the file and
e) the fingerprints (palm prints) or residual material and the DNA profiles.
Furthermore, every case has an identification code. [Act on criminal records § 41(1), § 56] The importance of the identification code is that the EU countries' authority can refer to this identification code if the search finds a match with the personal data. The national contact point sends it to the organization which has the competence to fulfil this request. In Hungary it is the Hungarian Institute for Forensic Sciences.
The form of request and the form of performing the request is not determined by EU law. However, the Hungarian Act on criminal records lays down the form and the elements which the transmission form should contain.
If the search results in a match, the Hungarian Institute for Forensic Sciences should act carefully, because it can happen that it is an accidental match only. The Institute can decide that further examination should be made (e.g. because it can happen that both parties examined more features besides the six compulsory characteristics, but these features are different). The Institute shall ask the requesting party for further examination. If the result of further examination is the same (it is a match), the Institute transmits the requested data through the national contact point. [Act on criminal records § 82(1)] However, if there is no match after the further examination, the requesting party should promptly inform the requested party about this fact. [Act on criminal records § 82(2)]
Beside the data stored in the criminal records the requested party should transmit identification data to the requesting party, too. [Act on criminal records § 82(2)] As the Institute does not handle these data, it should obtain them from the KEK KH. The practical problem with this is that the Institute transmits such personal data which it asks for. (In the case of data collection certain identification data are recorded by the Institute, but these data must not be stored in the record system.)
Hungary is one of those Member States which implemented the EU norm, but Hungarian law enforcement agencies complain about the fact that the norm does not contain a full set of data. Its investigation would be more effective. They have higher expectations in connection with the total operation of the Prüm-system.
Firstly, we mention the advantages of the Prüm Decision. It provides the direct access to personal data, so it could speed up the cooperation which is an important factor in the criminal investigation. As for the data protection[14], EU countries must guarantee that personal data processed according to the Decision is protected by their national laws. Only the relevant competent authorities may process personal data. We must refer to the fact that the hit/no-hit method is appropriate for the data protection requirement because in the first stage there is no personal data processing.
The Prüm-system offers several results, as the system is able to run ten thousand searches per second. Unfortunately, not all Member States implemented these regulations. There are many obstacles to it, like the difference in the national databases (e.g. in the Netherlands there is no regulation, in Italy there is no register or the content of the database is different, in Hungary the register does not comprise the fingerprint and DNA profile of missing people) or other IT problems. As for the countries which did not implement the Prüm-system, the criminal cooperation runs in the traditional way. [Act on criminal records § 83]
The efficiency of the Prüm-system in Hungary is decreased by the fact that the Institute cannot transmit data without request. [Act on criminal records § 67 (1), § 81 (1) b)] Furthermore, the Prüm Decision does not allow the duplication of data. The Hungarian regulation applies the individual registration mode, which means the registration is done by crimes. Thus it can happen that the DNA profile of a criminal is stored several times if he has committed several criminal offences. In the Prüm-system one person can be registered only once. Identical twins raise the problem of duplication as well. Their DNA profiles are the same, but this duplication - the biometric data of both people - can be stored.
There is no general regulation of effective criminal cooperation in the EU. The improvement in the field of cooperation is only partial; it doesn't cover the whole range of data exchange. The enhancement of cooperation is slow and uneasy, because Member States are unwilling to transfer more sovereignty to the EU.
From the point of data protection it would also be more acceptable if there was differentiation between crime prevention and law enforcement as purpose.
But perhaps things will lead to a workable solution. However, the Member States should acknowledge the advantages of criminal cooperation. The Member States are not able to overcome the terrorism by themselves, so they have a better chance together, with other organizations and countries. They should trust each other, this is their common interest.
It is beyond dispute that the Prüm-system provides many opportunities in the field of criminal cooperation, yet not all Member States acknowledge it. The basis of criminal cooperation is trust.[15] Each Member State should recognize the importance of the cooperation. The criminal cooperation needs a complex approach, as it relates to other fields as well (migration, border control policy, etc.). There are many aspects to it which should be considered: ranging from the fundamental rights[16] to the priorities of criminal investigation.
In every decision-making process, these factors should be balanced. Every Member State should acknowledge that all their individual interests cannot be expressed in the EU law. However, if the legislator(s) have passed the law, it must be followed. Whether or not the law is to their liking, it is an obligation. They agreed thereto when they joined the EU.
The EU itself is a good example of how countries can cooperate with each other. Even though we emphasize that the basis of the EU is cooperation, we mustn't forget that law enforcement mechanisms are only applied against a Member State failing to fulfil its obligation.
"If the Commission considers that a Member State has failed to fulfil an obligation under the Treaties, it shall deliver a reasoned opinion on the matter after giving the State concerned the opportunity to submit its observations. If the State concerned does not comply with the opinion within the period laid down by the Commission, the latter may bring the matter before the Court of Justice of the European Union."[17] Law enforcement mechanism is the last resort.
Despite the difficulties in the criminal cooperation, the EU must focus on closer cooperation in all possible fields. It is a good way that the EU follows the European Agenda on Security. The EU should take as many measures as possible (training and education, meetings, financial support, openness for 'best practice', information to EU citizens, national participation in decision-making processes, etc.). The cooperation must be strengthened on an EU-level (EU institutions), between the Member States, and last but not least between international organizations and third countries. These actions must be consistent with the EU concept.[18] The cooperation should not only mean implementation of the EU laws, but also new measures for the new challenges.
The Prüm Decision is a good example that data protection and effective criminal cooperation can get along with each other. In the hit/no-hit procedure parties grant each other limited access to the reference data in their national databases. Should there be a match, the requesting authority can file a request through the national contact point to the competent national authority.
The direct access to the national databases raises the idea of harmonization of countries' databases with the improvement of IT. A condition of that is that a unified IT channel should exist to ensure direct access to the national databases. The thought of a unified IT channel raises the question whether this idea could lead to the foundation of a European database.
It should be emphasized that the Prüm Decision should be implemented in all Member States, which the authors think is a realistic hope. In 2015 Member States should start to adopt the five-year program in the field of criminal cooperation. It is called "Post-Stockholm Program", as the last program, which ended in 2014, was called Stockholm Program. The Post-Stockholm Program can open opportunities for stronger criminal cooperation and it could be the basis of uniform expectations and regulations. We still hope for a safer Europe.
NOTES
[1] Frenz, Walter: Europäischer Datenschutz und Terrorabwehr, In: Europäische Zeitschrift für Wirtschaftsrecht, 20. Jahrgang, 1. 2009. 01. 05., S. 8.
[2] Georgis, Nouskalis: Biometrics, e-identity and the balance between security and privacy: A case study of Passenger Name Record (PNR) system, In: US-China Law Review, July 2010, Vol. 7., No. 7, pp. 49-51.
[3] Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime
[4] Bellanova, Rocco: The "Prüm Process": The Way Forward for EU Police Cooperation and Data Exchange, In: GUILD, Elspeth - GEYER, Florian: Security versus justice? Police and Judicial Cooperation in the European Union, Ashgate, 2008, pp. 211-215.
[5] Papakonstantinou, Vagelis - De Hert, Paul: The PNR Agreement and Transatlantic antiterrorism cooperation: no firm human rights framework on either side of the Atlantic, In: Common Market Law Review, Vol. 46., No. 3, 2009, pp. 890-891.
[6] http://europa.eu/legislation_summaries/justice_freedom_security/police_customs_cooperation/jl0005_en.htm (downloaded: 22. 06. 2016.)
[7] http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/european-agenda-security/legislative-documents/docs/20160420/communication_eas_progress_since_april_2015_en.pdf (downloaded: 19. 08. 2016.)
[8] http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=OJ:L:2009:353:TOC (downloaded: 22. 06. 2016.)
[9] "Outcome of the Council Meeting - 3473rd Council meeting - Justice and Home Affairs". Council of the European Union. 2016-06-10. Retrieved 2016-07-04.
9370/1/16 REV 1 http://data.consilium.europa.eu/doc/document/ST-9370-2016-REV-1/en/pdf (downloaded: 22. 08. 2016.)
[10] http://europa.eu/legislation_summaries/justice_freedom_security/police_customs_cooperation/jl0005_en.htm (downloaded: 22. 06. 2016.)
[11] http://europa.eu/legislation_summaries/justice_freedom_security/police_customs_cooperation/jl0005_en.htm (downloaded: 22. 06. 2016.)
[12] http://europa.eu/legislation_summaries/justice_freedom_security/police_customs_cooperation/jl0005_en.htm (downloaded: 22. 06. 2016.)
[13] Act LXXXV of 1999 on criminal records and judicial record
[14] Siemen, Birte: The EU-US Agreement on Passenger Name Records and EC-Law: Data Protection, Competences and Human Rights Issues in International Agreements of the Community, In: German Yearbook of International Law, Vol. 47., Dunckler & Humblot, Berlin, 2004, pp. 635.
[15] Conny, Rijken: Re-balancing security and justice: protection of fundamental rights in police and judicial cooperation in criminal matters, In: Common Market Law Review Vol. 47., No. 5., 2010, pp. 1487-1489., 1491.
[16] Schrader, Christian: Passenger name record: undermining the democratic right of citizens?, In: Social Alternatives Vol. 25. No. 3. 2006, p. 44.
[17] Treaty on European Union and the Treaty on the Functioning of the European Union Art. 258.
[18] Douglas-Scott, Sionaidh: The rule of law in the European Union - putting the security into the "area of freedom, security and justice", In: European Law Review, Vol. 29. No. 2., 2004. April, p. 242.
Footnotes:
[1] The author is an associate professor, SZE Faculty of Law and Political Sciences.
[2] The author is an assistant professor, SZE Faculty of Law and Political Sciences.