Friday 12 February 2010

Has anyone heard of the Stockholm Programme?



Last December, the Council of the European Union published proposals to deal with the delicate balance between an individual’s privacy and their expectation of freedom, security and justice. It’s all about bringing what were separate pillars of the European Union, each of which had their own legal cultures, closer together to share a single culture. In the terms that I want to discuss in this blog, it’s about ensuring that the principles of the Data Protection Directive we have all grown so familiar with can be extended to include issues that lurk in the corners of national security and law enforcement. And if the principles can’t be extended, then by implication, new principles will take their place.

The proposals are set out in what has become known as the Stockholm Programme, which is an 82 page document that isn’t particularly easy to read. No jokes, no pictures. Just page upon page of pretty unremitting text. (The picture on the left was taken by me - it's of Stockholm's City Hall, where the Nobel Peace Prize is awarded to a deserving recipient each year.)

For those who want to find a copy of the document on the internet, it's filed under the snappy references of CO EUR-PREP 3, JAI 896 and POLGEN 229.

The document doesn’t propose many answers – but it does recognise that a balance has to be struck between different needs. The EU must “respond to the challenge posed by the increasing exchange of personal data and the need to ensure the protection of privacy” (paragraph 2.5). This means change. What sort of change? Not sure.

The European Commission has been invited to “evaluate the functioning of the various instruments on data protection and present, where necessary, further legislative and non-legislative initiatives.” Also, it is to “consider core elements for data protection agreements with third states for law enforcement purposes, which may include, where necessary, privately held data, based on a high level of data protection.” So, presumably this paves the way for new rules regulating the way information held by a private company in one member state is to be made available to a law enforcement agency in another member state. What will happen when a private company in one member state is asked to pass information to investigators in a member state that appears to have lower standards of respect for fundamental rights then the first member state? Not sure. Is it assumed that all EU member states currently enjoy equally high standards of respect for fundamental rights (or at least they all enjoy an adequate standard) so this won’t be a problem? We’ll see.

On terrorism, the EU “must ensure that all tools are deployed in the fight against terrorism while fully respecting fundamental rights” (paragraph 4.5). But is it always appropriate to fully respect the fundamental rights of someone who has no regard for any of our rights, and is absolutely determined to commit harm on the widest scale possible? After all, the programme also requires that “measures in the fight against terrorism must be undertaken within the framework of full respect for fundamental rights so that they do not give rise to challenge.”

Or do we expect other countries to do any dirty work for us by using their own rendition programmes to obtain and provide us with information using techniques that would not be acceptable within the EU? Surely not.

The European Council also considers that “the instruments for combating the financing of terrorism must be adapted to the new potential vulnerabilities of the financial system, as well as cash smuggling and abuse of money services, and to new payment methods used by terrorists” (paragraph 4.5). Presumably this means greater surveillance on all financial types of transfers, large and not so large – and a greater reliance on automatic detection systems that flag subtle changes in an individual’s profile that may indicate terrorist activity. I wonder how many false positive reports these transfers might generate – and how many extra investigators would be required to examine these reports. From what I’ve read about terrorists, they have an alarming tendency to adapt and change their tactics. If that is the case, then who will set the flags to indicate when someone changes their pattern of behaviour to one which is more akin to the type of terrorist activity that has (probably) not yet been detected?

I’m so glad I’m not a law enforcement investigator – or a politician charged with the responsibility of dealing with a failure in the system. The odds do appear to be stacked against me.

But I welcome the chance to contribute to the debate, and will do in future blogs. I’m just sad that, given it's huge significance, the document appears to have been slipped out into the public domain without any fanfare whatsoever. Were we not expected to participate in the debate? Did I miss something? Or did the eurocrats just forget to ask us?