At the 92nd General Assembly in Glasgow in November 2024, INTERPOL introduced significant amendments to its Rules on the Processing of Data (RPD). This article outlines the most notable updates and their potential impact on INTERPOL’s activities and applicants.
Beneath the Surface: The General Secretariat’s Limited Role in Direct Messaging
One of the most significant yet understated responsibilities of the INTERPOL General Secretariat is managing the INTERPOL Information System. Under Article 22 of the RPD, the General Secretariat not only administers the system but must also “ensure that the conditions for processing data in the Organization’s databases are duly observed.” Article 22(5) highlights that the Secretariat is tasked with conducting spot checks, addressing processing incidents, and maintaining the integrity of INTERPOL’s police databases.
At the 2024 General Assembly, a new provision—Article 22(6)—was introduced, further delineating the General Secretariat’s responsibilities concerning direct exchanges of data between member countries. The provision states:
“It shall manage INTERPOL’s communications infrastructure to enable direct exchanges of data through the INTERPOL Information System. Notwithstanding any obligation applicable to it… its role shall be limited in the following manner:
(a) It shall ensure the security of such data exchanges…
(b) It shall take action to examine and ensure compliance… when it becomes aware of a potential violation…
(c) … It shall not access INTERPOL’s communications infrastructure for the content of the direct exchanges without explicit authorization by the entity concerned.”
While the language may appear technical, its implications are substantial. The amendment reinforces the General Secretariat’s limited access to direct messages exchanged between National Central Bureaus (NCBs), unless explicitly authorized or alerted to potential rule violations.
The Three Pillars of INTERPOL Communication: Notices, Diffusions, and Messages
Understanding the amendment requires revisiting how INTERPOL’s communication system operates. Requests for cooperation and international alerts are primarily communicated through three channels: notices, diffusions, and direct messages.
1. Notices
Notices are formal alerts issued by member countries and disseminated to all INTERPOL members. They are often used for broader, publicized cooperation, such as Red Notices, which can even be made publicly available.
2. Diffusions
Diffusions are more targeted communications sent directly to one or several NCBs. These messages are also recorded in INTERPOL’s police databases, providing a formal record while limiting their audience to specific recipients.
3. Direct Messages
Direct messages allow NCBs to exchange information securely through INTERPOL’s I-24/7 system. Unlike notices or diffusions, direct messages offer flexibility:
- With the General Secretariat copied: The Secretariat may record the message in INTERPOL’s databases, assuming prior consent from the sending NCB. Consent is presumed when the Secretariat is a recipient.
- Without the General Secretariat copied: Messages remain private between the NCBs, and the Secretariat has no access unless explicitly authorized.
Article 9 of the RPD emphasizes that NCBs are responsible for ensuring compliance with INTERPOL rules before sending direct messages. However, the question arises: if the Secretariat is not copied, how are compliance checks conducted?
Compliance in the Shadows: Challenges with Direct Messaging Oversight
Every year, member countries exchange approximately 28 million free-text messages via INTERPOL’s secure I-24/7 system. These messages represent a vast and largely unmonitored volume of communication.
The new Article 22(6) explicitly states that the General Secretariat cannot access message content unless authorized or aware of a potential rule violation. This clarification effectively shields the Secretariat from responsibility for the content of these exchanges. Instead, compliance rests solely with the NCBs.
This creates what might be called the “hidden part of the iceberg”—a vast dimension of INTERPOL’s communication system operating with minimal oversight. Millions of messages flow annually, relying almost entirely on the assurance in Article 9(3):
“National Central Bureaus or international entities shall, prior to sending a message, ensure that it is in conformity with the present Rules.”
The amendment to Article 22 reaffirms this reliance, clarifying that the Secretariat’s role is limited to ensuring the security of the communication infrastructure and intervening only when potential violations are brought to its attention.
For practitioners and applicants, this framework raises questions. With the Secretariat’s oversight limited to exceptional cases, the onus falls on individual NCBs to self-regulate, posing significant challenges in ensuring consistent adherence to INTERPOL’s rules. The question remains: how can potential violations within this largely unmonitored system be effectively addressed?
Expanding Use of Publicly Available Information: New Definitions and Responsibilities
The 2024 amendments to the RPD introduced important changes concerning the use of publicly available information. These amendments clarify the conditions under which such information can be recorded in INTERPOL’s databases, placing new obligations on the General Secretariat and member countries.
New Definition: Publicly Available Information
The amendments added a new definition in Article 1(29), defining “publicly available information” as:
“Information, not subject to any legal restriction, which is obtained without special legal status or authority, and which includes, but is not limited to, news and media sources, books and journals, online materials, academic materials, commercial databases, and subscription services available to any member of the public.”
This broad definition acknowledges the increasing reliance on open-source intelligence in international police cooperation. However, it also raises questions about the reliability, accuracy, and fairness of using such information in sensitive cases.
Conditions for Recording Publicly Available Information
Article 47 outlines strict conditions for recording and processing publicly available information or data received from individuals or entities. Among the key requirements are:
- Identifying the Source: The origin of the information must be clearly identified to ensure transparency. This measure aims to prevent the misuse or misinterpretation of unverified data.
- Timestamping and Updates: The information must be time-stamped upon recording and updated or corrected as necessary. Moreover, it must be automatically deleted after a maximum retention period defined by the Executive Committee.
- Assessment Before Recording: Prior to recording, the General Secretariat must assess the information under Articles 11 and 12 of the RPD. These articles emphasize the importance of data quality, accuracy, and compliance with the organization’s rules. This requirement places a significant responsibility on the General Secretariat to ensure that public data meets INTERPOL’s stringent standards.
Shared Responsibility or Acknowledged Limitations?
Despite the emphasis on quality control, Article 47(f) introduces an important caveat:
“Prior to using any report or other output of the General Secretariat, which is based wholly or partly on such information, National Central Bureaus, national entities, international entities, or private entities should conduct, in accordance with their applicable law, their own assessment of the quality and reliability of the information on which such output was based.”
This provision highlights the inherent limitations of the General Secretariat’s assessment process, effectively transferring part of the responsibility for verifying information to member countries.
Practical Implications for Applicants
From a practical perspective, these changes mean that applicants may encounter cases where the source of the information is not an NCB, as is traditionally the case, but the General Secretariat itself. Article 47(2) explicitly identifies the General Secretariat as the source of the data when publicly available information is collected at its initiative or when the information originates from other persons or entities under specified conditions.
This shift has two important consequences:
- Access Requests: If the information against an applicant originates from publicly available sources recorded at the General Secretariat’s initiative, the Secretariat will need to be consulted during access requests.
- Restrictions on Communication: It remains unclear whether the General Secretariat will request restrictions on the communication of such information during these proceedings, potentially complicating transparency for applicants.
Limitations on Coercive Measures
A crucial safeguard in Article 47(g) specifies that:
“Information covered under this provision may not serve as the sole basis for the application of coercive measures by any National Central Bureau, national entity, or international entity.”
This provision ensures that publicly available information cannot, on its own, justify actions like arrests or extraditions. However, it also underscores the importance of thorough verification processes to avoid over-reliance on open-source data.
Handling Biometric Data: New Guidelines and Protections
The 2024 amendments introduce a significant update regarding biometric data, underscoring its sensitive nature and the need for stringent safeguards in its processing.
New Definition: Biometric Data
Article 1(30) of the RPD defines biometric data as:
“Personal data, relating to physical, biological, behavioural, or physiological characteristics, such as fingerprints, facial images, or DNA profiles, that have been subject to specific technical processing to enable or confirm the identification of an individual.”
This definition reflects the growing role of biometric data in modern law enforcement, particularly in areas like identification, crime linkage, and the prevention of misidentification during international police cooperation.
Guidelines for Processing Biometric Data
Article 42 introduces strict conditions for recording and processing biometric data, designating it as “particularly sensitive.” Under the new rules, biometric data can only be recorded in INTERPOL’s systems if it serves one or more of the following purposes:
- Identification or Confirmation of Identity: This includes verifying the identity of an individual or identifying unknown human remains.
- Preventing Misidentification: In the context of international police cooperation, biometric data is essential to avoid errors that could lead to wrongful detentions or investigations.
- Crime Linkage: Biometric data can be used to establish connections between crimes and crime scenes, aiding in investigations and prosecutions.
While biometric data is an invaluable tool for law enforcement, its sensitive nature demands robust safeguards to prevent misuse or overreach.
Prohibitions on Discriminatory Use
The amended rules explicitly prohibit the use of biometric data for discriminatory purposes. This aligns with INTERPOL’s commitment to neutrality and its broader human rights obligations under Article 2 of its Constitution. The prohibition ensures that biometric data cannot be used to target individuals based on race, ethnicity, or other discriminatory factors.
Settlement of Disputes: A Structured Resolution Framework
The 2024 amendments introduce a new procedure in Article 135 to address disputes arising from compliance decisions. These provisions establish a structured framework for resolving disagreements involving National Central Bureaus, international entities, private entities, and the General Secretariat itself.
The process emphasizes consultation as the first step in resolving disputes. If consultation fails, the General Secretariat will issue a final compliance decision. Should disputes involve broader policy questions related to the application or interpretation of INTERPOL’s Constitution, the RPD, or General Assembly Resolutions, these may be escalated to the Executive Committee. In certain cases, the Executive Committee may refer the matter to the General Assembly for resolution.