download in pdf


Chiara Graziani*


Brexit and Security: What about Data Protection and Strategic Intelligence Information Sharing after the UK’s Departure?


I Introduction


As the EU Commissioner for Security Union, Julian King, remarked in June 2018,[1] maintaining the closest – and as efficient as possible – police and security cooperation after Brexit is undoubtedly a key interest of both the European Union (EU) and the United Kingdom (UK), with a view to safeguarding the security of UK and EU citizens in a world constantly threatened by international terrorism.[2] Latest events have demonstrated that negotiations in the field of security cover one of the ‘hottest’ areas in the Brexit process.[3] As known, a treaty between the EU and the UK on security matters may represent the future scenario, but its concrete framing is not free from doubts, uncertainties and debatable issues that are being discussed at the political and institutional level.

As early as in December 2016, the European Union Committee of the UK House of Lords published a report[4] in which it already pointed out the outstanding areas for future security cooperation between the UK government and the EU at the end of the UK’s exit process. Such key issues are agencies and mechanisms to share crucial intelligence and information on criminal activities (such as Europol and Eurojust); data sharing systems for law enforcement purposes (the main reference here is to the second Generation Schengen Information System, Passenger Name Records and the Prüm database); and criminal justice tools (the European Arrest Warrant is certainly the major one, but others can be mentioned, such as the European Investigation Order).

This paper focuses on the first mentioned area and, specifically, on the sharing of intelligence information and how it might be dealt with after Brexit. To this aim, this research is divided as follows.

Section II engages in the examination of the state of the art with regard to the UK’s role in security cooperation. The aim of this Section is to provide the reader with a clear idea of how crucial the issue is and how decisive the UK’s involvement proved to be over the years. In doing so, particular attention is paid to activities pertaining to the Europol area.

Section III focuses on feasible patterns of cooperation in the Europol initiative after the final exit deal. It considers potentially applicable schemes of Europol-third country partnerships with a view to a critical assessment of whether (or not) they could suit the UK’s position after Brexit. In doing so, a number of factors are taken into account, such as the fact that the UK is a major contributor of data to Europol; the accountability of Europol to the Court of Justice of the EU (ECJ); the need to take EU legislation and case law on data protection and budgetary issues into account.

Section IV hence assesses what is concretely being done. As is generally known, the UK government proposed to negotiate a treaty with the EU, aimed at providing a legal basis for future security cooperation. The way in which security issues may be influenced by the general Withdrawal Agreement, still at the draft stage, is considered as well.

Finally, some concluding remarks take stock of the findings that emerged in Sections I, II and III and consider them in light of concrete potential effects in the future. The claim of this paper is that the framing of mechanisms aimed at accessing and sharing security information through participation to agencies such as Europol should be prioritised even over other – undoubtedly vital – areas of security cooperation. This need appears to be shared also by the UK political environment. Hence, is the negotiation of an ‘omnibus’ treaty the best solution possible to serve such an aim? Would there be more efficient – and equally feasible – ways to ensure the maintenance of the UK’s role in intelligence sharing in the aftermath of its exit from the EU? Such questions are discussed in this research, which tries to answer them and highlights some points that cannot be set aside if the UK wishes to avoid a decrease in its own and the EU’s level of security after its departure.


II The UK and Security Cooperation: The State of the Art

The main EU tool aimed at protecting security by countering trans-border criminal activities is cooperation in the area of Justice and Home Affairs (JHA). Cooperation on such issues has existed since 1975, when member states established an intergovernmental committee aimed at coordinating counter-terrorism policies after the attacks perpetrated by terrorist organisations during the Olympic Games held in Munich in 1972.[5]

In 1993, what used to be a mere working group established by interior ministers of the member states[6] was institutionalised through the Treaty of Maastricht, bringing Justice and Home Affairs Cooperation within the Third Pillar.[7] Further developments can be traced to the entry into force of the Treaty of Amsterdam that, in 1999, renamed the Third Pillar ‘Police and Judicial Cooperation in Criminal Matters’ and shifted issues such as immigration, border control and asylum to the First Pillar. As is widely known, the Treaty of Lisbon, which entered into force in 2009, abolished the previously existing pillar structure and substantively re-structured the EU Treaties, now existing in their consolidated version.[8] The main innovation that the Lisbon Treaty brought with regard to JHA cooperation is that many of its areas are now addressed through the ordinary legislative procedure with the qualified majority voting of the Council and full co-legislative role of the European Parliament (EP). It has not been always like that, since, before 2009, such issues were dealt with through a procedure in which the EP had only a consultative role and member states could exercise a veto on such matters. Even more importantly, the Treaty of Lisbon subjected JHA matters to the judicial review of the ECJ. This was not possible before, since they used to escape the review of the ECJ as well as the Commission’s powers – meaning that the Commission had no way of triggering an infringement procedure if member states failed to comply with such measures. Notably, ‘Europol’s structure, operation, field of action and tasks’ are among the JHA matters that the Treaty of Lisbon subjected to the ordinary legislative procedure.[9]

Since this paper focuses on the UK, some remarks on such country’s stance with regard to JHA are essential. Together with Ireland, the UK decided that its participation to JHA measures should not be automatic. To this aim, it negotiated Protocol 21 to the Lisbon Treaty.[10] Protocol 21 is defined as an ‘opt-in’ instrument. Pursuant to it, the UK can choose on a case-by-case basis whether it wants to participate in the adoption and application of any proposed JHA measures. This decision is not a prerogative of the government, since procedures ensuring parliamentary scrutiny are envisaged. The UK government traditionally took a positive stance towards JHA cooperation,[11] recognising it as a key initiative to enhance security and tackle issues such as immigration and cross-border crimes. This is demonstrated by the high number of opt-in decisions in JHA initiatives taken by the UK in recent years. Nonetheless, in July 2013, the UK government decided to opt out from all measures connected to this field adopted before the Lisbon Treaty[12] and simultaneously re-join 35 of them, accepting both the enforcement powers of the European Commission and the jurisdiction of the ECJ on their implementation.[13]


1 EU–UK Cooperation in Security Matters Nowadays: A General Overview

Focusing on the tools and mechanisms related to cooperation in the area of security to which the UK currently takes part, the following can be considered as the most important ones: the EAW;[14] Europol and Eurojust; the Schengen Information System; the European Criminal Record Information System; the Prüm system; and the legal instruments aimed at the transfer and management of Passenger Name Record (PNR) data, both with regard to the EU scheme – i.e. Directive 2016/681[15] – and agreements with third countries.[16]

As stated before, the UK decision to join such measures and initiatives, although it had the chance to avoid involvement in them – by way of Protocol 21[17] – was based on a positive evaluation of their beneficial effect on the UK itself. Additionally, there is clear evidence[18] that benefits are mutual: other EU countries derive significant advantages from the UK’s participation in police and security cooperation. These are all factors that deserve to be taken into account in assessing the effects of the UK’s departure on the ‘security rate’ of the European area. Moreover, this evidently shows that cooperation between the EU and the UK on these matters should be perpetuated and, if possible, kept to the same level as nowadays. And indeed, in September 2017, the UK Prime Minister, Theresa May, suggested the possibility of a ‘transition period’,[19] immediately after exit, in which all security measures entered into by the UK would not cease to apply. Although the Withdrawal Agreement[20] takes this view into consideration and provides for a transition period, its concrete framing looks more like a situation in which the UK would retain burdens associated with being part of these measures without enjoying privileges deriving from them. Such circumstance will be better explained further in this analysis.

Before focusing on the UK’s role within Europol, it is worth setting the general context of the UK’s involvement in EU security policies. This is instrumental in understanding the added value of having the UK has a contributor to the above-listed measures regarding security cooperation. In oral evidence held before the UK House of Lords, a number of experts shed light on the importance of the UK’s role in security and police cooperation in each of these areas. Their findings, synthesising why the UK’s withdrawal would result in a significant loss for the EU’s security framework, can be divided into two main groups.

First, from a general perspective, such reports revealed that some of the measures adopted within the security cooperation framework were strongly influenced by the UK approach, which played an outstanding role in shaping them. A clear example is the PNR Directive,[21] which was adopted in 2016. In such context, the rapporteur was Lord Kirkhope of Harrogate – who is a former MEP for Yorkshire and the Humber – and the UK was a great source of inspiration for the framing of the EU PNR system. As a matter of fact, in 2011, i.e. when the Commission issued its draft proposal for the directive, the UK was the only EU country having its own national system for the collection and analysis of PNR data. It is not difficult to understand that, as soon as the UK is out of the EU, it will no longer be able to exercise such influence in debating forthcoming measures and set strategic objectives to be pursued through EU legislation and policies regarding security matters.

Second, the UK has great expertise in discovering threats to security – not comparable to that of other EU member states – and is undoubtedly in a privileged position, being part of the powerful ‘Five Eyes’ network.[22] In other words, due to its participation in such a well-known intelligence-sharing alliance with Australia, Canada, New Zealand and the US, it has access to information that other EU countries are not able to retrieve by relying only on their own capacities and sources. And, indeed, the director of the Government Communication Headquarters (GCHQ, i.e. one of the main British intelligence agencies),[23] Jeremy Fleming, has recently remarked that, only in the last year, the UK supplied essential information to disrupt terrorist attacks that would have otherwise taken place in Europe.[24]


2 Focus on Europol Activities

From the findings presented above, it is very clear that the UK’s core contribution to the field of security – and so, in parallel, major losses that would derive from its exit from the EU – is linked to intelligence information sharing. As a matter of fact, British advanced intelligence expertise and privileged relations – thanks to its affiliation to the Five Eyes network – provide major support to prevention activities carried out by EU agencies tasked with fighting transnational crime and safeguarding EU citizens’ security.

At the EU level, the most important body in charge of supporting and coordinating intelligence gathering and sharing among EU member states is Europol. This agency allows information exchange through a very sophisticated and secure platform (called SIENA and working as a messaging facility) and it performs intelligence and forensic analyses. The main database on which such information is located is called the Europol Information System (EIS). Over recent years, Europol’s activities have increasingly been relying on cyber-intelligence.[25] The crime areas on which it focuses are multiple: from terrorism to piracy, to money laundering and many other criminal activities that may need transnational cooperation if they are to be combated.

Europol is headquartered in The Hague and was established in 1995 with the signing of the Europol Convention in Brussels. The Convention came into force in 1998, after ratification by all the EU member states. Europol became an EU agency only in 2009, when Council Decision 2009/371/JHA[26] replaced the 1995 Convention. This Decision was then superseded by a new Europol Regulation, entered into force in May 2017.[27]

Although the UK had opted out from Europol in 2013 – as a consequence of the ‘block’ opt-out from pre-Lisbon JHA measures – it re-joined it immediately after, in December 2014.[28] In 2016, the British government also decided to opt in to the new Europol Regulation, mentioned above.

The latest available data on the UK’s contribution to Europol policies, projects and operations was disclosed by the UK National Crime Agency in written evidence given to the UK Parliament in February 2018.[29] This data displays that in 2016 the UK was the second highest contributor overall (Germany being the first) and the highest contributor in some specific projects.[30] Furthermore, Europol operational projects are very often led by the UK itself.


III Existing Models of Cooperation Between Europol and Non-EU Partners

After Brexit, the UK will become a fully-fledged non-EU country and so it will fall within the category of ‘third countries’. According to the Europol Regulation,[31] only EU member states can be entitled to membership of that agency and, consequently, enjoy the privileges stemming thereof. Nevertheless, the Regulation provides for two modalities aimed at building relationships between Europol and third countries. The choice depends on the relationship that Europol has with the third country at issue.[32] These two forms of partnership are strategic agreements and operational agreements. Indeed, a third option does exist. It is a unique arrangement that Europol negotiated with Denmark, for reasons that will be clarified later.

It is now necessary to focus on how these two categories of agreements – plus the ‘hybrid’ model represented by Europol-Denmark relationship – work. This analysis is essential in order to assess whether they could be applied to the UK after Brexit to maintain efficient and feasible cooperation with the ultimate aim of ensuring security.


1 The ‘Third Country’ Model: Strategic Agreements and Operational Agreements

The two above-mentioned forms of partnership represent two different schemes and, although they may appear very similar, they differ as to the kind of the information that can be accessed pursuant to each of the two categories. They can be described as follows.

The conclusion of strategic agreements is the most basic form of cooperation. It allows the exchange, between Europol and the third country at issue, of general intelligence information. It could be information of a strategic or technical nature. Europol has strategic agreements in place with China, Israel, Russia, Turkey and the United Arab Emirates.

The latter approach, consisting of operational agreements between Europol and third countries, is more extensive. It allows the exchange of information to the same extent as strategic agreements do, but also personal data is included among the information that can be shared. Moreover, Europol’s operational partners can access most Europol services, such as SIENA, and they can also have liaison officers at the Europol headquarters. Operational agreements in place between Europol and third countries include those with Australia, Canada and the US. According to Article 25 of Regulation 2016/794 – reforming provisions on Europol’s activities, structure and governance –, operational agreements can only be concluded when one of the following circumstances is met. The first scenario that makes operation agreements possible is that the European Commission adopted a so-called adequacy decision,[33] finding that the third country guarantees an ‘adequate level’ of data protection. Alternatively, such deals are possible if the third country concluded an international agreement on the basis of Article 218 TFEU[34] ‘adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals’. Article 25 also states that existing operational agreements, concluded pursuant to the previous framework – represented by the 2009 Decision – and before the entry into force of Regulation 2016/794 continue to be valid. Notably, all of the agreements between Europol and its operational partners – being at present more than 20 – have been signed according to the 2009 rules. Therefore, the provisions that entered into force in May 2017 have not yet been applied to conclude these kinds of deals.


2 ‘Tailor-Made’ Cooperation: The ‘Hybrid’ Model and the Danish Example

The two patterns for Europol-third country cooperation addressed in the previous point represent the so-called third country model, which can be articulated in the two alternative schemes of strategic agreements and operational agreements. Nonetheless, over the years, Europol also set what can be defined as a ‘tailor-made’ model of cooperation. Indeed, this exceptional event happened only once and in a very peculiar circumstance, not being the country at issue – i.e. Denmark – a fully-fledged third country. This apparently odd situation needs further explanation.

As known, Denmark is a member state of the EU. Nonetheless, its relationship with the JHA area has never been smooth from the beginning for several reasons. With the Edinburgh Agreement of December 1992, Denmark announced four opt-outs with regard to measures introduced by the Treaty of Maastricht. It opted out of monetary union; EU defence policy; EU citizenship; and JHA cooperation. Nonetheless, Denmark was part of Europol for as long as it operated under Council Decision 2009/371/JHA, to which it had decided to opt in. However, after the Lisbon Treaty entered into force, Denmark negotiated Protocol No 22, which represents a particularly strong form of opt-out, which can be defined as an ‘all-or-nothing’ approach.[35] According to Protocol No 22, Denmark does not take part in the adoption of any post-Lisbon measures in the area of freedom, security and justice, unless it notifies other member states that it wishes not to avail itself of the Protocol (thus accepting the whole acquis of measures in this area). Since such an option had not been exercised when the new Europol Regulation – repealing the 2009 Council Decision – was proposed, it became evident that Denmark could no longer enjoy Europol membership, at least if it maintained the existing opt-outs. Thus, in 2015, a national referendum was held in Denmark. Specifically, people were asked whether they intended to keep the Danish opt-outs as they were, or they preferred to convert such an inflexible clause to a case-by-case scheme, substantively similar to the one adopted by the UK. Had people chosen the second option – i.e. a ‘flexible’ opt-out regime – the Danish government could have decided on a case-by-case basis whether Denmark should participate in each proposed measure. However, Danish voters determined that existing opt-outs should not be changed. At the same time, they rejected participation in the new Europol regulation. Consequently, Denmark could no longer be a member of Europol, having deliberately dismissed any possibility for its membership.

That decision by the people of Denmark put the Danish government in a quite awkward situation. On the one hand, the popular referendum was a legally binding one and its results could not be overcome nor disregarded by the government; on the other hand, being cut off from Europol represented an undeniable disadvantage for Denmark’s security.[36] It should also be borne in mind that in 2015 Denmark had been especially affected by the threat of terrorism due to February 2015’s attacks in Copenhagen.[37] Hence, Danish authorities immediately sought an agreement with Europol. The deal was concluded in a very short timeframe:[38] The Europol Management Board authorised negotiations on 17 February 2017 and the agreement was signed on 29 April 2017.[39]

Actually, the agreement concluded between Europol and Denmark is peculiar and may resemble full membership to some extent, but it is not free from conditional clauses. For example, Denmark has to continue its membership in the EU and in Schengen. Moreover, in order to maintain the agreement in place, Denmark is bound to keep accepting the ECJ’s jurisdiction and the competence of the European Data Protection Supervisor (EDPS). It has to ensure continued implementation of the Directive on cooperation in police matters[40] as well. Any failure to perform any of these obligations shall result in the termination of Denmark-Europol deal as currently framed.

As to advantages that the agreement between Europol and Denmark carries with it, they can be summarised as follows. First, Danish officers have the chance to access Europol data through a 24-hour ‘contact point’. The exchange of information shall take place ‘without delay’. Second, Denmark may be invited to Europol Management Board meeting. Nonetheless, it cannot be provided with a right to vote. Third, Denmark has the power to assign up to eight Danish-speaking staff to handle Danish requests. Fourth, is able to input and to retrieve data from Danish authorities in the Europol processing systems.


3 The Applicability of Existing Patterns to the UK after Brexit

The Section above disclosed the ways available to Europol in order to manage its relationships with third countries when cooperation is considered reciprocally vital. Yet are these schemes applicable to the UK, once it will be out of the EU? And to what extent are they suitable to meet the UK’s and EU’s need for security in a world at struggle with terrorism, but also with other very serious crimes? The answer to the first question is quite predictable if one refers to the third country model. Since the UK will become a fully-fledged third country, from a legal point of view there is no reason why the two mentioned patterns – strategic and operational agreements – could not be applied to it, as long as consensus is reached between the British authorities and the Europol Management Board. Nevertheless, as to the feasibility of a model similar to the one in place between Denmark and Europol, the following analysis shows how some difficulties may arise, although it would not be impossible to negotiate such a kind of deal. Answering the second question – i.e. the effectiveness of such a solution in terms of ensuring security – is a much more challenging task. To try to give an answer, two separate scenarios have to be considered. The first consists of assessing what would happen if the UK negotiated an agreement according to the ‘third country model’. The second evaluates how a deal similar to the one between Denmark and Europol would work, should the UK and Europol decide to engage in the negotiation of a similar tool.

Focusing on the ‘third country model’ – i.e. strategic or operational agreements –, there are a number of aspects showing that such cooperation would not be sufficient to keep (at least the essence of) existing standards of interaction between the UK and Europol. This proves true even if one takes into consideration that the most likely case would be the conclusion of an operational agreement, which is a stronger and more extensive form of cooperation compared to strategic agreements. The inability of operational agreements to ensure an adequate level of UK contribution to Europol is for a variety of reasons. First, although third countries engaged in operational agreements do have a certain extent of access to Europol information, this is not full access. Third countries can only channel information and interrogate databases. Such limited access results in a delay in receiving information. Second, no third country can lead an operational project, although it has been showed how crucial the UK’s role is in coordinating such initiatives. Third, in spite of having some form of access to information, third countries are never allowed to sit on the Europol Management Board. Hence, the UK would be deprived of the possibility to contribute to setting strategic objectives and priorities to be reached through Europol. It could not retain its right to vote either. Fourth, keeping the UK out of the operational and management activities of Europol would mean a decrease in the financial resources of the agency, since the UK’s contribution would be less significant.

In sum, considering the UK as any other third country – Australia, the US and many others – engaged in an operational partnership with Europol would result in a sharp decrease of security for the whole European area.[41]

So, what about negotiating a ‘tailor-made’ agreement, as Denmark did? The legal feasibility of an identical deal deserves more discussion than that necessary in relation to operational agreements. As a matter of fact, such a kind of ‘bespoke’ agreement with Denmark was deemed possible, since Denmark was ‘not leaving the EU’[42] and was subject to a number of conditional clauses, to which Denmark consented, such as the jurisdiction of the ECJ. Within the Brexit negotiation process, the role of the ECJ is a very contested issue.[43] The most controversial point in this regard is that the ECJ is entitled to rule on any dispute between Europol and its members.[44] If the UK is freed of the ECJ’s review powers, the Court would lose any chance to review such cases. It is quite unlikely that the Luxembourg court would be ready to accept such a diminishment of its jurisdictional reach. In addition, since the agreement would have to be preceded by an adequacy decision, this means that the UK should keep respecting the core of EU data protection law at least, as interpreted by the ECJ’s recent decisions.[45] Moreover, even the Danish model would allow the UK to have direct access to databases, although mechanisms are set to ensure that information is transmitted without delay. Additionally, and more importantly, no right to vote would be afforded to the UK representatives, in the same way as if an operational agreement were stipulated.

In spite of such weaknesses and practical issues, some scholars[46] argued that a ‘Danish style’ agreement may represent at least a benchmark for the path to be followed by the UK.

Before trying to give some insight into patterns of future cooperation, it is worth providing an overview of what the UK government is concretely doing and how it is planning to cope with post-Brexit security issues.


IV The UK Government’s Solution: An EU–UK Security Treaty?

On 2 August 2018, the EU Commission’s Chief Negotiator for Brexit, Michel Barnier, stated: ‘[o]n security, the EU wants very close cooperation to protect our citizens and democratic societies. We should organise effective exchanges of intelligence and information and make sure our law enforcement bodies work together’.[47] Some months before, in January 2018, the Commission had listed ‘the security interest of the EU27’, ‘fundamental rights’ and ‘the equivalence of data protection standards’ among the factors that determine EU cooperation with third countries[48] and the European Council reaffirmed them as outstanding points to be considered in the March 2018 guidelines on future relations after Brexit.[49] Therefore, the EU is particularly adamant about maintaining the closest possible relationship with the UK on security issues and of ‘effective exchanges of data with Europol’.

The British government’s approach is not far from this view. In September 2017, the UK government published a ‘Future Partnership Paper’, in which it explicitly claimed the need to react with arrangements going ‘beyond the existing, often ad hoc arrangements for EU third country relationships’.[50] The most recent stance of the UK government is represented by negotiating a security treaty, giving the legal basis for continuing judicial and police cooperation in criminal matters, as announced by Theresa May in Florence in September 2017. The next Section explores such a prospective agreement, its features and legal issues.


1 Current Status of Negotiations and Legal Issues

When Theresa May first announced the intention to deal with post-Brexit security issues through a specific agreement, Theresa May remarked that it would respect ‘our shared principles, including high standards of data protection and human rights’.[51]

What the government envisages would be a comprehensive treaty on security between the UK and the EU, to be concluded within the second part of the Brexit negotiations. The main purpose of such a treaty would be to provide a ‘legal basis’ for cooperation. The UK government stated that the security treaty would respect both the decision-making authority of the EU and the sovereignty of the UK. According to the executive, forthcoming cooperation has to be based on three ‘pillars’, i.e. internal security, external security, and other forms of wider cooperation. The agreement should reflect the UK’s new status as a third country and, at the same time, minimise the loss of mutual capability and consequential decrease in citizens’ security. The treaty would replicate current arrangements on the following matters: the European Arrest Warrant, some access to the Schengen Information System and participation – it is not stated precisely under which form and conditions – in Europol, Eurojust and the PNR Directive.

There are a number of legal issues connected with stipulating an omnibus treaty on security between the UK and the EU. However, this paper focuses on four of them: the jurisdiction of the European Court of Justice; governmental accountability in stipulating it and transparency towards public opinion; the level of specificity and precision that might be reached through it; and mechanisms to deal with future measures. Each of these matters deserves separate analysis.

First, the jurisdiction of the ECJ has been a controversial point in Brexit discussions since the beginning. In January 2017 Theresa May, in announcing a ‘hard’ Brexit, seemed very convinced of the need to end the Luxembourg Court’s jurisdiction over the UK, saying that ‘laws will be interpreted by judges not in Luxembourg, but in courts across this country’.[52] This stance was mitigated in February 2018,[53] when the Prime Minister left some room for the ECJ’s case law, saying the UK would respect the ‘remit’ of the Court in its participating to EU agencies (among which Europol is included). Nonetheless, the approach of the government still casts doubt on the UK’s willingness to accept the ECJ as a dispute resolution mechanism in potential issues arising from the interpretation and application of the new security treaty – a role that the Court of Luxembourg would definitely claim. And, in any case, the treaty would be negotiated by the UK and the EU pursuant to Article 218 TFEU, which sets the procedure for the conclusion of international agreements between the EU and any third country. According to this provision, the ECJ can be called to rule on the compatibility of the envisaged agreement with EU law and, in the event of a negative opinion, the draft text cannot enter into force in its current form. Hence, it is likely that the ECJ will exercise its jurisdiction in some way, at least ‘through the backdoor’.

Second, some experts[54] questioned the extent of governmental accountability on the issue. According to this view, the fact that negotiations of this kind of measure is usually not submitted to the public opinion – for example, through public consultation or referendum – would undoubtedly damage the transparency of the government’s action in a very high number of fields, given the omnibus nature of the future treaty.

Third, it seems very complicated to encapsulate all issues connected to security in a single legal instrument. This is likely to require a very long negotiation phase and a wide range of expertise, given the extensiveness of the security cooperation field. In other world, negotiating on Europol is different and requires dissimilar steps, skills and procedures than negotiating on PNR, for example, and other matters. Therefore, this treaty runs the risk of needing too long a time to be arranged or, alternatively, being rushed into the necessary steps for its conclusion without a proper and in-depth examination of the miscellaneous issues that it is expected to include.

Fourth, the treaty would cover measures in the security area in place until the moment it enters into force. What about the future? Of course, the EU institutions will continue working on security cooperation in the future. Consequently, new tools will be in place as well as others amending or replacing the existing ones. This aspect should be very well regulated in the treaty, in order to avoid a gap or a lack of updates in the UK–EU cooperation policy.


2 The Influence of the Withdrawal Agreement

As declared at the beginning, the Withdrawal Agreement does have some influence on the post-Brexit management of security cooperation with the EU, specifically with regard to Europol. The Withdrawal Agreement will be the legal tool through which, pursuant to Article 50 TEU, consensus reached on exit conditions will be consecrated.

The Withdrawal Agreement provides for a ‘transition period’. In this time, the UK will remain subject to EU law, including participation in justice and home affairs – limited to the existing opt-ins. Nonetheless, such participation will not be full and the regulation of the relationship with Europol clearly demonstrates this. As a matter of fact, the UK will be allowed to continue cooperation with Europol, but it will not be permitted to participate in the governance of the agency and to setting its strategic objectives. This appears to be nothing but a ‘diminished’ form of membership, based on the very models addressed above, i.e. the third-country pattern (specifically, in the form of an operational agreement).

That clause – currently represented by Article 122 of the exit deal’s text – poses two main problems. First of all, after a transitional period following this framework, it could be more complex to regain a status as close as possible to ‘full’ membership. Second, even if a more extensive deal is achieved in the future, there would still be a ‘gap’ in cooperation, represented by that period of ‘diminished’ membership. Actually, the rationale behind the transition period could be the need to take time and give political actors on the scene the necessary timeframe to negotiate the acceptable conditions of such a unique relationship. This is undoubtedly a necessary and desirable step. Nonetheless, the transition period will undoubtedly create a gap in intelligence-sharing, with many consequences in terms of security. Even if just for a short period, restricted participation by the UK – i.e. such a key contributor – could cause major drawbacks, should security threats emerge during that phase.


V Conclusion

This paper has explored the key role that the UK has played, since its initial opt-in in Europol, in the exchange and management of intelligence information at the EU level, due to both its privileged position in the ‘Five Eyes’ network and its enhanced intelligence expertise.

This research also showed that Europol cooperation is probably the most efficient tool, nowadays, for the exchange of strategic information in the European area. The – nearly obvious – consequence is that excluding the UK from Europol would put the EU – both as an institution and with regard to its member states – in an extremely worrying situation. As a consequence, careful and efficient planning of Europol–UK relations should be regarded as a priority over the next months.

The analysis of potential forms of cooperation between Europol and third countries revealed that – as argued by many experts in the field – none of them would be entirely appropriate to meet the current needs in relation to the UK situation after Brexit. In parallel, the examination of the Danish model clarified that, although it is commonly considered as a peculiar form of participation that is not far from membership, its concrete features demonstrate that this model is still far from resembling the relationship existing among Europol members and the agency itself. Moreover, the Danish model seems far from achievable by a state that, in the future, will no longer be within the EU. As underlined above, it was considered possible in relation to Denmark for the very reason that such country, notwithstanding its complicated history of opt-outs, is still an EU member. Instead, the situation with regard to the UK is quite tricky. On the one side, a higher level of interaction than the one reached by Denmark would be required. On the other side, there are legal constraints – first and foremost the fact that, unlike Denmark, the UK will leave the EU – making even reaching a Denmark-style agreement quite problematic.

Two possible solutions could be conceived for addressing this complicated situation. Both of them are not straightforward nor easy to negotiate from a legal and strategic point of view. The first would be an amendment to the provision in Europol’s existing regulations allowing only EU member states to be full members in order to open the door to former EU member states as well. This option, albeit conceivable in theory, is very difficult to achieve in practice. As a matter of fact, a fully-fledged amendment to an act of EU secondary law would be needed, according to all the procedural steps to be followed. This would mean a long process and it would be unlikely to find easy consensus on the issue among the bodies involved in EU legislation making. The second alternative would be a bespoke agreement, similar to that with Denmark but with more extensive clauses – allowing, for example, the UK to participate in the Europol Management Board and the right to vote. Difficulties due to the UK’s ceased membership of the EU could be overcome in light of the fact that the UK was such. In other words, the speciality of clauses contained in such a hypothetical agreement – i.e. giving the UK the right to vote – could be justified by mutual trust based on relationships when the UK was still an EU member state and, hence, a full Europol member. This second option could be the most feasible one and could also be reconciled with the UK solution consisting of signing a security treaty, since such ‘bespoke’ agreement could be a part of that deal.

From a general perspective, what should be taken into account by both EU and UK bodies in framing their future security cooperation, is protecting the safety of EU and UK citizens by respecting their individual rights. The former can be accomplished through framing efficient intelligence exchange mechanisms; the latter can only be ensured if, in arranging feasible and well-functioning tools to maintain security cooperation, issues such as data protection standards and fair data processing are considered as guiding principles. Therefore, this paper also demonstrated that even an apparently technical issue, i.e. intelligence exchange through highly specialised agencies as Europol, is indeed a manifestation of the intrinsic tension between rights and security that the fight against terrorism carries with it.

* PhD Candidate and Research Fellow in Constitutional Law, University of Genoa, Italy. Email:;

[1] House of Lords, Select Committee on the European Union, Home Affairs Sub-committee, ‘Corrected Oral Evidence: Brexit: the proposed EU-UK security treaty’ 14 June 2018, <> accessed 24 March 2019, Q 115 (Sir Julian King).

[2] For an updated view on terrorism and the state of the art on the struggle against it, Fionnuala Ní Aoláin, Colm Campbell, ‘Managing Terrorism’ (2018) (9) Journal of National Security Law & Policy 365.

[3] As demonstrated by the number of public consultations held on the Brexit phenomenon. See for an overview The Consultation Institute, ‘Is Brexit Changing the Practice of Public Consultations?’ October 2017, <> accessed 24 March 2019.

[4] House of Lords, European Union Committee, ‘Brexit: the proposed UK-EU security treaty’ July 2018, <> accessed 24 March 2019.

[5] See Steve Peers, ‘The rise and fall of EU justice and home affairs law’ in Maria Fletcher, Ester Herlin-Karnell, Claudio Matera (eds), The European Union as an Area of Freedom, Security and Justice (Routledge 2016) 11.

[6] It had been named ‘Trevi’, standing for Terrorisme, Radicalisme, Extremisme et Violence Internationale. See August Reinisch, ‘The Action of the European Union to Combat International Terrorism’ in Andrea Bianchi (ed), Enforcing International Law Norms Against Terrorism (Hart Publishing 2004) 119, 122.

[7] Paul Craig, ‘Development of the EU’ in C Barnard, S Peers (eds), European Union Law (2nd edn, OUP 2017, Oxford) 9, 12.

[8] See David Phinnemore, The Treaty of Lisbon: Origins and Negotiations (MacMillan 2013).

[9] See art 88 TFEU.

[10] Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice [2016] OJ C 202/2016, 295.

[11] UK Government, ‘Report to Parliament on the Application of Protocols 19 and 21 to the Treaty on European Union and the Treaty on the Functioning of the European Union (TFEU) (‘the Treaties’) in Relation to EU Justice and Home Affairs (JHA) Matters (1 December 2009 – 30 November 2010)’ January 2011, <> accessed 24 March 2019.

[12] Protocol (No 36) on transitional provisions [2008] OJ 115/322.

[13] House of Lords, European Union Committee, ‘EU Police and Criminal Justice Measures: The UK’s 2014 Opt-Out Decision’ 23 April 2013, <> accessed 24 March 2019.

[14] Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States – Statements made by certain Member States on the adoption of the Framework Decision [2002] OJ L 190/2002, 1.

[15] Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [2016] OJ L 119/132.

[16] For example, PNR agreements with the United States. For an overview of PNR agreements with third country, Arianna Vedaschi, Gabriele Marino Noberasco, ‘From DRD to PNR: Looking for a New Balance between Privacy and Security’ in David Cole, Federico Fabbrini, Stephen Schulhofer (eds), Surveillance, Privacy and Trans-Atlantic Relations (Hart Publishing 2017) 67.

[17] See above, para I.

[18] House of Lords, European Union Committee ‘Brexit: future UK-EU security and police cooperation’ December 2016, <> accessed 24 March 2019.

[19] Rt Hon Theresa May MP, speech on ‘A new era of cooperation and partnership between the UK and the EU’ September 2017, <> accessed 24 March 2019.

[20] On the Withdrawal agreement and how it will be dealt with by UK domestic law, Marta Simoncini, ‘Part I: The Uncertain Application of the EU Withdrawal Act 2018: From the Great Repeal to the Contingency Plan?’ IACL-AIDC Blog, 6 August 2018, <> accessed 24 March 2019.

[21] See n 15.

[22] David Jenkins, ‘The handling and disclosure of sensitive intelligence’ in Genevieve Lennon, Clive Walker (eds), Routledge Handbook of Law and Terrorism (Routledge 2015) 266.

[23] British intelligence is organized as follows. There are three main intelligence agencies: the Secret Intelligence Service (MI6); the Security Service (MI5); the Government Communication Headquarters.

[24] Ewen McAskill, Daniel Boffey, ‘Brexit row: GCHQ chief stresses UK’s role in foiling European terror plots’ The Guardian, London, 19 June 2018, <> accessed 24 March 2019.

[25] For a short overview, Chiara Graziani, ‘EU-UK Intelligence Information Sharing after Brexit’ DCU Brexit Institute Blog, 15 May 2018, <> accessed 24 March 2019.

[26] Council Decision of 6 April 2009 establishing the European Police Office (Europol) [2009] OJ L 121/2009, 37.

[27] Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA [2016] OJ L 135/2016, 53.

[28] The opt-out and subsequent re-joining were organized in such a way that no operational gap was left. Hence, there was no time in which the UK was outside the 35 measures it decided to re-join.

[29] Written evidence submitted by the National Crime Agency to the UK Parliament (PSC0009) (2018) <> accessed 24 March 2019.

[30] I.e. Europol SOC Analysis Project, Firearms, CSEA, Money Laundering, Cyber and Modern Slavery.

[31] See n 26.

[32] See extensively Mirja Gutheil et al, ‘The EU-UK relationship beyond Brexit: options for Police Cooperation and Judicial Cooperation in Criminal Matters’ Study for the LIBE Committee, 17 July 2018, <> accessed 24 March 2019.

[33] Pursuant to art 36, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L 119/2016, 89.

[34] Regulating the conclusion of international agreements between the EU and third countries and giving the European Parliament a ‘veto power’ as to the entry into force of the agreement. See Nadine Zipperle, EU International Agreements: An Analysis of Direct Effects and Judicial Review Pre- and Post-Lisbon (Springer 2018).

[35] On the Danish opt-out, Rebecca Adler-Nissen, ‘Justice and Home Affairs: Denmark as an Active Differential European’ in Lee Miles, A Wivel, Denmark and the European Union (Routledge 2013) 47.

[36] As underlined by the representative of the Danish Ministry of Justice. Søren Pape Poulsen, ‘Møde Nr. 26. Om Konsekvenser Af Danmarks Udtrædelse Af Europol’ (2016).

[37] See generally on the 2015 attacks and reactions by democracies, Edward M. Iacobucci, Stephen J. Toope, After the Paris Attacks: Responses in Canada, Europe, and around the Globe (University of Toronto Press 2015, Toronto).

[38] As referred by Rob Wainwright, the then-Europol director, in an oral evidence before the UK Parliament.

[39] Agreement on Operational and Strategic Cooperation between the Kingdom of Denmark and Europe, <> accessed 24 March 2019.

[40] See Deirdre Curtin, ‘Brexit and the EU Area of Freedom, Security and Justice: Bespoke Bits and Pieces’ in Federico Fabbrini (ed), The Law and Politics of Brexit (OUP 2017, Oxford) 183, 190.

[41] Chloé Brière, ‘Cooperation of Europol and Eurojust with external partners in the fight against crime: what are the challenges ahead?’ DCU Brexit Institute Working Paper no 1/2018.

[42] Wainwright (n 38).

[43] See on this issues Steve Peers, ‘Dispute settlement and the ECJ in the draft Withdrawal Agreement’ EU Law Analysis, 9 March 2018, <> accessed 24 March 2019. Rt Hon Theresa May MP, ‘Speech at Munich Security Conference’ 17 February 2018, <> accessed 24 March 2019.

[44] Art 49, Regulation (EU) 2016/794 (n 27).

[45] See the following landmark decisions on data protection and exchange: Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] ECR I-238; Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2016] 2 CMLR 2; Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others ECLI:EU:C:2016:970; Opinion 1/15 ECLI:EU:C:2017:592

[46] Curtin (n 40) 192.

[47] ‘An ambitious partnership with the UK after Brexit’ 2 August 2018, <> accessed 24 March 2019.

[48] European Commission, ‘Police and judicial cooperation in criminal matters’ 29 January 2018, <

matters_0.pdf> accessed 24 March 2019.

[49] European Council, European Council (Art. 50) (23 March 2018) – Guidelines <> accessed 24 March 2019.

[50] Rt Hon Theresa May MP, speech on ‘A new era of cooperation and partnership between the UK and the EU’ 22 September 2017, <> accessed 24 March 2019.

[51] Ibid.

[52] Rt Hon Theresa May MP, speech on ‘The Government’s negotiating objectives for exiting the EU’ 17 January 2017, <> accessed 24 March 2019.

[53] Rt Hon Theresa May MP, ‘Speech at Munich Security Conference’ (n 43).

[54] House of Lords, Select Committee on the European Union, Home Affairs Sub-committee, ‘Uncorrected Oral Evidence: Brexit: the proposed UK-EU security treaty’ 25 April 2018, <> accessed 24 March 2019.