The issue of INTERPOL Red Notices and their removal is a complex area for criminal lawyers. INTERPOL Red Notices start the extradition process – and are a vital tool in law enforcement – but they are open to abuse. In particular, the targeting of political opponents by undemocratic regimes – or parties in bitter litigation, trying to smear their opponents in civil and arbitration cases, by getting access to corrupt prosecutors. The removal of a Red Notice can be achieved through careful submissions to INTERPOL, but that does not necessarily prevent the state trying again.
The long-running case involving INTERPOL and the issue of double jeopardy was dealt with by the CJEU in WS v Bundesrepublik Deutschland (case C-505/19). In May, the CJEU’s Grand Chamber gave their judgment in the case. In doing so, the CJEU has confirmed an important limit to INTERPOL’s reach, whilst raising the possibility of further data protection challenges to Red Notices in the EU and the UK.
WS is a German citizen and the former manager of a large company. He was under criminal investigation in Germany for allegations of bribery in relation to his company’s activities in Argentina. However, in 2010, the Public Prosecution Office of Munich agreed to accept the payment of a fine in relation to the investigation and closed the case.
In 2012, the USA obtained an INTERPOL Red Notice against WS. WS protested that the principle of ne bis in idem or double jeopardy applied, as the case had already been disposed of in Munich. Each INTERPOL member state has a National Central Bureau, responsible for coordinating the state’s activities in relation to INTERPOL and disseminating data about requested persons. The German Federal Police, who are the National Central Bureau (“NCB”) for INTERPOL in Germany, agreed with WS – and, in 2013, attempted to persuade the USA to delete their request – without success.
In 2017, WS argued that the continued existence of the Red Notice was contrary to EU law. Firstly, it was an unlawful interference with his right to freedom of movement, as he faced arrest in member states outside of Germany. Secondly, the continued processing by member states of the INTERPOL data was contrary to the Law Enforcement Directive. The German Court referred six preliminary questions to the CJEU, five of which it declared admissible and answered.
The Red Notice was eventually deleted in 2019 following a request from the USA.
The Grand Chamber’s Judgment
The Grand Chamber held that, where a court in a Schengen member state had made a determination of double jeopardy, other member states were bound by it. Where a court in one member state had made such a determination, other member states must not arrest a person pursuant to a Red Notice, as it would amount to ‘further prosecution’ – and thus an unlawful restriction on the person’s freedom of movement.
The Grand Chamber also observed that the fine WS paid to the Public Prosecution Office of Munich was an out of court disposal, capable in principle of raising the bar of ne bis in idem, but not itself a determination of a court. The Grand Chamber were not prepared to say it would never be permissible to arrest a person subject to a Red Notice where there was an unresolved question of ne bis in idem. Where there was a risk that a requested person would otherwise abscond, it might be necessary to arrest them to establish whether they were in fact protected by ne bis in idem.
In relation to data protection, the court stated that it would likely be unlawful to record a person’s personal data in a wanted list if they were protected from further prosecution by a judicial determination of ne bis in idem, unless there was some clear indication that the person was not to be further prosecuted. This is because the processing of the data would no longer be necessary for law enforcement purposes. The court also noted that a person in such circumstances would have a right (under the Law Enforcement Directive) to request deletion of their personal data. However, the court disagreed with the contention that the Law Enforcement Directive required a wholesale deletion of a person’s data once the principle of ne bis in idem was established, let alone where it was simply raised as an issue.
Transfer of personal data to INTERPOL
In their fifth question to the CJEU, the German Court asked whether INTERPOL has an adequate level of data protection for the purposes of the Law Enforcement Directive. This question was ruled inadmissible:
The Law Enforcement Directive provides that data must not be transferred to a third country or international organisation unless there is either:
1. An adequacy decision from the EU Commission, or
2. ‘Appropriate safeguards’ – which include a legally binding instrument and a risk assessment, or
3. Exceptional circumstances such as an immediate threat to public security.
It was observed that there is no adequacy decision in respect of INTERPOL. It was not suggested that the ‘appropriate safeguards’ or exceptional circumstances grounds were made out.
The Grand Chamber noted that the point did not expressly arise on the facts of this case – the data transfer had been from INTERPOL to the member states rather than the other way round. In ruling this question inadmissible, the CJEU carefully sidestepped the question of what lawful basis there is for transferring personal data to INTERPOL. However, in our view, this is a point which is not going to go away. It is equally relevant in the UK, where, irrespective of Brexit, the Law Enforcement Directive has been transcribed into law by Part 3 of the Data Protection Act 2018.
Furthermore, regardless of what obligations INTERPOL itself has under the Law Enforcement Directive, EU member states and the UK are bound by it. WS’s case highlights the importance of NCBs keeping accurate records and making checks before further processing data received from INTERPOL, especially where a Red Notice may be politically motivated.
In a case we recently advised on, a non-EU NCB and the UK NCB continued to share data on a requested person, even after INTERPOL had deleted the Red Notice obtained by the non-EU state against the client, following submissions that it was politically motivated. We argued that there was no lawful purpose for the continued processing of the client’s data in the UK. Furthermore, in the absence of an adequacy decision in relation to data protection in the non-EU State or appropriate safeguards, there was no lawful basis to transfer the client’s personal data outside of the European Union.
INTERPOL is a conduit for highly sensitive law enforcement data, but too often it lacks the proper checks and balances that such data processing requires. The Law Enforcement Directive provides a useful avenue to challenge the effect of INTERPOL Notices and Diffusions by empowering requested persons to hold NCBs in the UK and EU to account for their processing of INTERPOL data. This is a valuable tool in and of itself, as well as where ne bis in idem may apply.