Peer-to-peer police database baffles regulators
Build it now, worry about it later
PRIVACY WONKS in Brussels have given the green light to a virtual European police database being dubbed a 'peer-to-peer' criminal information system. But they have been so baffled by the legal implications of P2P that they are having to call an international meeting of privacy wonks to make sense of it all.
The European Data Protection Commissioner said in an official opinion last Friday that the proposal for a European Criminal Records Information System (ECRIS) could not be rubberstamped until it was endowed with "a reference to a high-level of data protection".
Legal spaghetti has prevented the EDPS from specifying what data protection measures must be implemented by ECRIS before it could claim to be giving a "high-level" of protection.
"The problem is that the legal situation is complex because of the differences between all the member states," said a source involved in the Brussels process.
"So we don't know exactly the situation," he went on. "It's useful in this context that the EDPS get the data protection authorities of the member states together to see how it works in different countries and then give some guidance".
The police database legislation has been rolling through the Brussels mangle for three years, with little regard for data protection, much to the displeasure of the EDPS. It is scheduled to be formally adopted by the end of the year and is unlikely to wait for the spaghetti to be unpicked first.
The European Commission is also convening a committee of European member states who must clear the legislation before it can be wrapped up. ECRIS is being implemented in a hitherto desolate legal limbo, called the third pillar of European law, where EU jurisdiction is as weak as the cause of data protection. The EU will thus require its 27 states to iron out any glaring differences in the committee and then reach a unanimous decision before the database can be passed into European law.
Voodoo
The committee is unlikely to find any reason to hold ECRIS up. Even the EDPS is "quite happy" with the proposal as it stands. Since the EC published a legal framework for ECRIS in January, it has made it pay obeisance to an as yet unratified European law designed to provide data protection cover for the legal limbo where they sit.
However, the EDPS cannot say it is entirely happy with ECRIS until yet another proviso is met, and that relates again to the third pillar, the area of European law reserved for police and judicial matters that is normally the jurisdiction of member states themselves.
ECRIS is in substance nothing more than a secure network, a data interchange format and interchange software, managed by the European Commission to conduct exchanges of data between police forces and other agencies. Though the third pillar legislation will provide essential legal cover for police data sharing in Europe, it is only applicable to the activities of nation states. Indeed, nation states will be held responsible for data processing under the ECRIS legislation.
But even the third pillar legislation will give the Commission's ECRIS interchange infrastructure no legal cover whatsoever, according to the EDPS. It would normally be covered by the EU's bog-standard data protection laws, but they don't work in the third pillar limbo. And the third pillar legislation won't help because that won't apply to the Commission. The EDPS is keen that the Commission should be held accountable to someone.
Hoodoo
Yet, after spending the last three years berating the Commission for neglecting to plan its police database in accordance with data protection laws, the EDPS' latest interjection appeared muted. The regulator was aware of another problem with ECRIS, but it did not raise it in its official opinion paper last Friday.
Article 9 of the database framework will prevent member states from using criminal data acquired through ECRIS for any purpose other than the one they gave as the reason for requesting it in the first place, and the EDPS has applauded this. But the legislation allows criminal data to be shared across Europe for any purpose, as long as it's only for the purpose specified when requested.
There are clearly some advantages in allowing the system itself to be used for purposes other than that originally specified for it, which was to give judicial authorities information about the previous convictions of suspects of another EU nationality. (The scheme was originally forwarded by Belgium after their authorities had failed to pick up previous convictions of the French serial killer Michel Fourniret.) For example, it will also be used to vet applicants for jobs with children and vulnerable adults.
But there is nothing in the legislation to prevent the system from being used to vet any job applicant for a shop-lifting offence, say, as is prevented in the UK's job vetting by the Rehabilitation of Offenders Act. Nor would it prevent, say, the provider of a public service vetting anyone for any kind of criminal conviction.
And the ECRIS proposal does specifically decree a few spurious-sounding offences be shared between member states. For example: "Offences related to committing suicide", "Insult of the State, nation or State symbols", "Abuse of alcohol or drugs", "Driving without seat belts or child seat", and "Other Offences". It will also require that agencies share information about which children have been ordered into special education institutions.
As ECRIS is being implemented under the principle of subsidiarity, which delegates as much as possible to national agencies and laws, some states may have their own ideas about what criminal data is relevant to the execution of different public functions. But the inconsistencies and contradictions between member states are the cause of the EDPS' request for a conference of national data protection authorities to unpick the spaghetti and find a common minimum standard of data protection.
Subsidiarity embodies the principle of proportionality, which is also the crucial data protection principle that decrees data should not be used for any purpose other than the one for which it was collected. The European police database appears to have burrowed out another legal limbo, nestled between the proportionality imposed on data and that imposed on the EU: that is, the proportionality of computer systems, which will become increasingly important as social information systems such as ECRIS, identity cards and so on, are found to contain greater potential than that originally envisaged by their makers. µ
L'Inqs
European framework for police database (January 2008 - pdf)
European proposal for ECRIS implementation (May 2008 - pdf)
EDPS opinion on ECRIS (pdf)
Dr Strangelove does data protection
DNA database built on deceit
UK "woefully inadequate" at handling data
Government begins to ponder how to keep our ID data safe
Sci-fi security peddled as liberty
Cops intensify kiddie DNA sweep

Comments
Secret Data is Bogus.
Secret is word used to inflict Harm upon many. Here Police have access to system to delete any derogatory files, while entering terrible lies as well. Lies can be enhancing or negative. Most would squirm quite astonishing lie about themselves & leave neighbors as something to be put down, irregardless of any contrary facts. Police are hirelings for some purpose, police part to scare away offensive or non profitableness of others. Seldom do police intervene in actual criminal activity, database being riprage upon others to carry out some dastardly deed.
You don't know them, they don't know you, except they know what to lie to create disaster upon anyone.
drashek
Think of the obvious criminality of P2P, though...
Re-map it into another, more "natural" understanding. If a Pickpocket lifts something, and hands it to a Fence, then both have participated in the crime, right?
If a Pickpocket lifts something, *hands it to you*, *and you hand it to the fence*, as the Pickpocket intended, YOU've participated in the crime.
Since the primary reason for P2P IS such ( under ACTA ) felonies, this police database is a fundamental requirement.
They *need* to know whom to harvest/eradicate for criminal activity.
"Privacy" and "rights" can be sorted out later, as always...
Oh, our New World Order is *so* loving, and kind, and generous, protecting us all from criminals without our having to ask...
And about LinuxISO being made not legally usable, well, sometimes one just has to pay the price, yes?
#undef BITTER_SARCASM
Mortification Records
"...it is so important to learn how to suffer — and why, conversely, the avoidance of suffering renders someone unfit to cope with life." - Benedict XVI
ECRIS Electron Cyclotron Resonance Ion Source
ECRIS Electronic Court Register Informational System
ECRIS European Criminal Records Information System
For Cris sakes, enough already!
I shudder to think at what punters may download by the torrents.
And what if young boys beat themselves with a zanjeer whip, with five curved blades? boys will be boys, eh?
Self-flagellating wankers!
In UK local councils can access almost anything about their residents.
Will this mean that these councils can ask across the whole of Europe? I believe that even Wheel Clampers can access this info, is this also true?
The way that the data will actually be transmitted is in a plain text CST file, with no encoding, put on a USB memory stick by regular mail.
Occasionally it will also be copied onto laptops and lost.
They need to make data protection of such important information a criminal law. Where a lapse in data protection can be punishable by 10+ years in prison.