Interpol, double jeopardy and data protection

Back to Criminal Law publications
Back to Business Crime publications

Ben Keith
5SAH, London
benkeith@5sah.co.uk

Amy Woolfson
5SAH, London
amywoolfson@5sah.co.uk

 

Introduction

The issue of Interpol Red Notices and their removal is a constant challenge for criminal lawyers. Interpol Red Notices start the extradition process and are a vital tool in law enforcement. They are nevertheless open to abuse. The most common forms of abuse are to target political opponents of regimes overseas but also for parties in bitter litigation to try to smear their opponents in civil and arbitration cases by getting access to corrupt prosecutors. The removal of a Red Notice on political or other grounds can be achieved through careful submissions to Interpol, but that does not necessarily prevent the state trying again.

However, late last year, in the WS case before the Court of Justice of the European Union (CJEU),[1] Advocate General Bobek gave his opinion on a series of questions relating to Interpol Red Notices, the principle of double jeopardy, and the EU Law Enforcement Directive.[2] The questions were referred to the CJEU by the Administrative Court of Wiesbaden, Germany. They concerned a Red Notice obtained by the United States against a German citizen in circumstances where it was said the principle of ne bis in idem or double jeopardy applied. This article examines the Advocate General’s opinion and the impact for the enforceability of Red Notices – both in the Schengen Area and in the United Kingdom.

The German court asked important questions about Interpol and data protection. While these were largely avoided by the Advocate General, they shine a light on potential data protection challenges to Interpol’s activities in the CJEU and domestic courts.

WS and the ‘protective umbrella’ of Schengen

WS is a German citizen and the former manager of a large company. He was under criminal investigation in Germany for allegations of bribery in relation to his company’s activities in Argentina. However, in 2009, the Public Prosecution Office of Munich agreed to accept the payment of a fine in relation to the investigation and closed the case.

In 2012, the US obtained a Red Notice against WS in relation to the same allegations. WS protested that the principle of ne bis in idem or double jeopardy applied, as the case had already been disposed of in Munich. The German Federal Police, who are the National Central Bureau (NCB)[3] for Interpol in Germany, agreed with WS and, in 2013, attempted (without success) to persuade the US to delete their request.

In 2017, WS brought an action before the German court. He argued that the continued existence of the Red Notice was contrary to EU law. First, it was an unlawful interference with his right to freedom of movement as he faced arrest in member states outside of Germany. Second, he argued that the continued processing of the Interpol data by Member States was contrary to the Law Enforcement Directive.

The German court referred six questions to the CJEU, in which they queried the compatibility of the Red Notice with EU law. The German court was concerned that the transfer of the personal data contained in the Red Notice into the national prosecution systems constituted the processing of personal data, which might be unlawful if not compatible with EU law and the principle of double jeopardy.

The Red Notice was eventually deleted in 2019 following a request from the US.

Advocate General Bobek noted that the question of whether double jeopardy applied to a case was fact specific. In WS’s case it was not clear that it did as the question had not been determined by a court, albeit the police were obviously sympathetic. However, he stated that where there was a determination of double jeopardy by a court in one Schengen Member State, all other member states would be bound by it. Where there is such a determination, member states must not arrest a person pursuant to a Red Notice. Advocate General Bobek described this as the ‘protective umbrella’ of Schengen.

The Advocate General’s opinion has interesting implications for the UK, where the Extradition (Provisional Arrests) Act 2020 has recently created a power of arrest and detention pursuant to a Red Notice issued by a ‘trusted country’ – of which the US is one. The UK was never a full member of Schengen, but post-Brexit it is not part of it at all. Therefore, if there was a determination of double jeopardy in a future case concerning a Red Notice obtained by the US, the requested person would be protected from arrest in the Schengen area, but not in the UK.

Data processing and double jeopardy

The German court asked whether it is lawful for member states to further process data in relation to a Red Notice where a prosecution was barred on grounds of double jeopardy. In Advocate General Bobek’s opinion it is – indeed he went further and said that it would be bizarre if the data had to be deleted, as member states would then be unaware of the protection that the requested person had from prosecution following the determination of double jeopardy. That said, there are clearly limitations on how a person’s data can be processed in such situations. It would not be lawful to continue to share data on the basis that the person was still wanted when in fact they are not.

This observation highlights the importance of NCBs keeping accurate records and making checks before further processing data received from Interpol, especially where a Red Notice may be politically motivated. In a recent case we advised on, a non-EU NCB and the UK NCB continued to share data on a requested person, even after Interpol had deleted the Red Notice obtained by the non-EU state against the client, following submissions that it was politically motivated. We argued that there was no lawful purpose for the continued processing of the client’s data in the UK. Furthermore, in the absence of an adequacy decision in relation to data protection in the non-EU Member State or appropriate safeguards, there was no lawful basis to transfer the client’s personal data outside of the EU.

Interpol and the EU Law Enforcement Directive

The fifth, and perhaps most important, question asked by the German court was ruled inadmissible by Advocate General Bobek, who said it was irrelevant to WG’s case. The German court asked whether Interpol, being an international organisation, has an adequate level of data protection for the purposes of the Law Enforcement Directive. The Law Enforcement Directive provides that data must not be transferred to a third country or international organisation unless there is either:

1. an adequacy decision from the EU Commission; or

2. ‘appropriate safeguards’ which include a legally binding instrument and a risk assessment; or

3. exceptional circumstances such as an immediate threat to public security.

It was observed that there is no adequacy decision in respect of Interpol. Indeed, as Advocate General Bobek noted, the German Court appeared to be asking the CJEU to confirm its view that Interpol does not have an adequate level of data protection under the Law Enforcement Directive.

The German Court makes an interesting and forceful argument. There does not appear to be a lawful basis for EU member states sharing data with Interpol absent ‘appropriate safeguards’ in individual member states. Arguably this applies to the UK too, where irrespective of Brexit, the Law Enforcement Directive has been transcribed into law by Part 3 of the Data Protection Act 2018.

We anticipate further challenges to the lawfulness of EU member states – and the UK – sharing data with Interpol. In relation to the UK, this could cause serious difficulty given that EU member states and the UK are now expected to share arrest warrants with one another via Interpol, the UK having lost access to the Schengen SIS II system on 31 December 2020. It should be noted that the UK is currently awaiting an adequacy decision from the European Commission under the Law Enforcement Directive. Should the Commission decline to issue an adequacy decision, further difficulties will arise.

Conclusion

Interpol is a conduit for highly sensitive law enforcement data, but Interpol is also a highly flawed and opaque organisation. NCBs in the UK and the EU who share data with Interpol must take responsibility for the accuracy and security of that data, as part of their broader obligations under data protection law.

 


Notes

[1] WS v Bundesrepublik Deutschland, case C-505/19.

[2] EU Law Enforcement Directive, 2016/680.

[3] Each Interpol member state has a National Central Bureau, responsible for coordinating the state’s activities in relation to Interpol and disseminating data about requested persons.