Significant amendments to the INTERPOL Rules on the Processing of Data (RPD) were adopted during the 91st General Assembly of INTERPOL, which took place in Vienna, Austria, from November 28 to December 1, 2023. These represent the first major revisions since 2019. This article aims to provide an overview of the changes adopted and their implications.
I. Purposes of international police cooperation (Article 10)
Article 10 of the RPD establishes the permissible purposes for data processing within the INTERPOL Information System (IIS). The data within the IIS may be processed for the following purposes:
- Locating and managing the movements of wanted individuals
- Identifying persons or objects of police interest
- Supporting criminal investigations or detailing criminal history and activities
- Issuing alerts concerning persons, events, or methods linked to criminal activities
- Identifying individuals or deceased persons
- Performing forensic analyses
- Conducting security checks
- Analyzing threats, including crime trends and networks
Amendments to Article 10
The amendments to Article 10 clarify and expand the purposes for which data can be processed within the IIS:
- Clarification of security checks (Article 10(1)(g)): The text now specifies that security checks “directly pertain to international police cooperation and are aimed at preventing or detecting crime.”
- Inclusion of border management and control activities (Article 10(1)(h)): A new purpose has been introduced, authorizing the IIS to be used “to carry out border management and border control activities.”
II. Access by national entities to the IIS (Article 21)
Article 21 of the RPD outlines the conditions under which national entities may access the IIS. Only National Central Bureaus (NCBs) are entitled to authorize national entities within their countries to access and process data in the IIS and to determine the scope of their access and processing rights.
Before granting direct access, NCBs must ensure that:
- The entity is a national entity as defined by the RPD
- The entity’s activities align with INTERPOL’s aims and neutrality
- National laws permit the entity to have such access
- The entity can comply with the RPD
Amendments to Article 21
The conditions under which national entities can access the IIS have been detailed further to ensure that the access and processing rights granted are “limited, strictly necessary, and proportionate to the execution of the tasks and functions of the entity.”
III. Processing of large data sets (new Article 43-A)
A new Article 43-A has been added to the RPD, addressing the conditions for temporarily processing large data sets:
Purpose and scope: The General Secretariat can temporarily process large data sets to determine their potential interest for international police cooperation and ensure rule compliance.
Processing steps: This involves structuring, formatting, assessing, categorizing, and comparing the data against existing entries.
Processing conditions: Data must be handled within a protected environment, separate from operational data, with strict access controls. The retention period is defined by the data source but limited by the Executive Committee.
Outcome of assessment: Following assessment, compliant data may be further processed by the source of the data, while non-compliant data are deleted. The General Secretariat then informs the data source of these actions.
This new capability for INTERPOL to process large datasets could lead to handling larger volumes of data and may result in an increased number of notices issued by member countries from information initially processed in these large datasets. Additionally, this expansion in data processing might raise concerns about the quality and relevance of the data, which are common issues when dealing with extensive datasets.
IV. Use of data for administrative purposes (Article 64)
The amendments to the RPD include significant changes to Article 64, which now integrates the provisions previously found in Article 65. The revised Article 64 shifts from a system requiring prior authorization to a notification-based approach for using data for administrative purposes:
Specification by data source: The revised rules empower data sources to define what constitutes an administrative purpose under their national law.
Notification requirements: Entities intending to use data for administrative purposes must now notify the data source in advance of their intended use. This notification system is designed to streamline the administrative use of data while still providing the source with the opportunity to review and potentially object to the use of their information.
Response window: Upon receiving a notification, the data source has ten days to respond. This period provides the source with a timeframe to assess the intended use of the data and either approve it, request additional information, or object to the use.
V. Positive query results (Article 104)
Article 104 of the RPD defines the conditions and procedures for generating and notifying positive query results within the INTERPOL Information System. Article 104 was amended to specify the criteria for what should be considered as a positive query result within the IIS.
VI. Entry into force
The amendments to INTERPOL’s Rules on the Processing of Data were enacted at the close of the 91st General Assembly session. All changes took effect immediately, except for the amendments to Article 104(2), which are scheduled to enter into force on December 1, 2024.
