
Compliance and Allocation of Responsibilities in INTERPOL Practice

Published online by Cambridge University Press:  21 January 2026

Laurence Boisson de Chazournes
Affiliation:
Distinguished Senior Fellow, Geneva Graduate Institute of International and Development Studies and Professor Em., University of Geneva, Faculty of Law, Switzerland.
Camille Letoublon
Affiliation:
Research and Teaching Assistant, University of Geneva, Faculty of Law, Switzerland.


Information

Type
Essay
Creative Commons
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2026. Published by Cambridge University Press for The American Society of International Law

Introduction

INTERPOL is recognized as an international organization with legal personality, a permanent structure, and independent decision-making authority. Its operational core lies in facilitating international police cooperation, primarily through the exchange and processing of data related to criminal matters. The present essay develops a working concept of shared responsibility in this particular context.

INTERPOL’s legal framework is defined by two main instruments: its constitution and the Rules on the Processing of Data (RPD). Article 2 of the constitution defines the Organization’s aims, notably to “ensure and promote the widest possible mutual assistance between all criminal police authorities within the limits of the laws existing in the different countries” and to “establish and develop all institutions likely to contribute effectively to the prevention and suppression of ordinary law crimes.”[1] Further, Article 3 forbids INTERPOL to “undertake any intervention or activities of a political, military, religious or racial character.”[2] The Organization’s General Secretariat and the other organs must conduct their operations accordingly.

At the heart of INTERPOL’s mandate lies the exchange of criminal data. This exchange occurs through a complex, centralized information infrastructure. The INTERPOL Information System is governed by the RPD, which “apply to all data-processing operations performed in the INTERPOL Information System.”[3] The RPD set out data processing standards and a regulatory scheme detailing each actor’s roles and responsibilities. Article 5 of the RPD outlines the distribution of responsibilities between the General Secretariat and member states, acting through their National Central Bureaus (NCB) as the source or recipient of data. Each actor bears full responsibility for its own processing activities, including the accuracy, lawfulness, and security of data.

This distribution of functions raises significant legal questions regarding compliance and allocation of responsibility. While INTERPOL operates as a centralized system—meaning that decision-making authority and operational control are concentrated within a single entity, mainly the General Secretariat—the data it processes originate from decentralized sources, that is, from multiple independent national authorities. The legal framework thus foresees a partnership model, but the boundaries of responsibility—especially in cases of erroneous or unlawful processing—remain complex and at times ambiguous.

The data in question, as defined in Article 1(2) of INTERPOL’s RPD, encompass “any item of information, irrespective of its source, relating to the constituent elements of ordinary-law crimes, the investigation and prevention of such crimes, the prosecution of offenders and punishment of offences, and any information pertaining to missing persons and unidentified dead bodies.”[4] Article 36 of the Constitution further establishes the Commission for the Control of INTERPOL’s Files (CCF), an independent body tasked with ensuring that personal data[5] are processed in accordance with the applicable regulations.

This essay examines the legal framework governing compliance with data rules and the allocation of responsibilities within INTERPOL. The discussion is structured around four key areas: first, the legal challenges arising from the current distribution of responsibilities; second, possible safeguards and alternatives, including the scope of INTERPOL’s due diligence obligations; third, INTERPOL’s responsibility in applying or refraining from applying corrective measures; and fourth, the legal implications of linking members’ institutional participation to compliance with data rules.

Legal Challenges Arising from the Current Allocation of Responsibilities

The existing framework for allocating responsibilities between INTERPOL and the various actors engaged in its activities is grounded in the RPD, which delineate the respective roles and obligations of each entity. In this regard, the state source of data (which sends the data), the General Secretariat (which manages the processing of data through INTERPOL’s channels and ensures that the conditions for the processing of data are duly observed), and the recipient states (which receive the data) are each to be considered fully responsible within the scope of their respective functions. More precisely, Article 5(5) provides that “[t]he source shall be fully responsible for the data it processes in the INTERPOL Information System, regardless of the method used for such processing, and for the consequences directly resulting from such processing, and shall take appropriate measures to correct any incorrect processing of data.” Article 5(6) affirms that “INTERPOL shall be fully responsible for any unauthorized or incorrect use and/or storage of data by INTERPOL and for the consequences directly resulting [therefrom] …, and shall take appropriate measures to correct any incorrect processing of data by the Organization.” Finally, Article 5(7) stipulates that “[r]ecipients of data processed in the INTERPOL Information System shall be fully responsible for: (a) any action taken at the national level based on data they have received; (b) taking the appropriate measures so that data received are immediately updated at the national level once they have been informed of any modification or deletion.”

This framework gives rise to fundamental legal questions such as the following: what is the appropriate course of action when a source transmits information that contravenes INTERPOL’s Constitution and/or its core objectives? How should the Organization respond when such information complies with the domestic law of the source state but nonetheless violates INTERPOL’s internal legal norms? Issues of legal incompatibility may arise, as happens when certain states misuse INTERPOL mechanisms.[6] A recent report has indicated that in 2021, 1,615 alerts were rejected or deleted out of the 23,716 issued. As publications decreased more rapidly than removals, the proportion of abusive requests appears to be rising.[7] These trends raise concerns about whether INTERPOL’s legal framework provides sufficient guidance to resolve these issues.

Although the RPD clearly assigns responsibility to each actor involved—aiming to ensure complete accountability—the centralized model of data processing creates significant legal complexity regarding the attribution of conduct. A key challenge lies in determining whether responsibility attaches to the member, acting through its NCB, or to INTERPOL itself, depending on the stage and nature of the data processing. In the event of dysfunction or breach, identifying the actor to whom legal responsibility should be attributed remains a critical issue. The International Law Commission noted that domestic cases have “shed light on the question of how the position of the NCB in relation to the organization should be approached for the purposes of attribution of conduct.”[8]

This complexity is further heightened by the division of control and responsibility between the actors. While the data-originating member retains authority over the information it submits, the General Secretariat is responsible for ensuring that the processing, storage, and dissemination of such data comply with INTERPOL’s rules. In cross-border contexts, this division can give rise to disputes when misuse occurs. INTERPOL notices are formalized alerts used to request cooperation or share information internationally. They include Red Notices (requests to “seek the location of a wanted person and his/her detention, arrest or restriction of movement for the purpose of extradition, surrender, or similar lawful action”[9]) and Blue Notices (requests to obtain information, locate and/or identify a person of interest in a criminal investigation[10]). These notices are not binding legal instruments but tools for information exchange. The decision to act upon a notice, including to arrest or to initiate extradition proceedings, remains entirely at the discretion of the recipient state. As such, INTERPOL bears no responsibility for enforcement measures taken by national authorities, provided the data dissemination remained within the limits of its legal framework.

Potential Safeguards and Alternatives to the Current Model

As previously discussed, within INTERPOL’s centralized system, responsibility is formally divided. In practice, however, a harmful outcome may result from the combined actions or omissions of both parties—for example, when inaccurate data from a member state are compounded by failures in INTERPOL’s verification or dissemination processes. It is in such cases that the concept of shared responsibility becomes relevant. It describes situations in which “a multiplicity of actors who participate in a partnership … contributes to a particular harmful outcome, and the responsibility for this harmful outcome is distributed separately among more than one participant.”[11]

Recognizing shared responsibility within INTERPOL’s legal framework could help address gaps, such as the absence of clear mechanisms to determine liability when both a member state and the Organization contribute to a rights violation, or when errors in submitted data are compounded by failures in INTERPOL’s processing or dissemination. Such an approach would require not only conceptual recognition but also clearer procedural rules on how responsibility is allocated in practice, particularly when misconduct results from cumulative errors or omissions across multiple institutional levels.

Another essential component of INTERPOL’s compliance framework is the due diligence standard. In this context, it refers to the Organization’s duty to take reasonable procedural steps to verify that data processing within the INTERPOL Information System complies with its legal framework. It is a duty of conduct, not of result: the emphasis is on making all reasonable and available efforts to prevent a violation or, where one has occurred, to mitigate its effects.

Crucially, due diligence in this context revolves around the assessment and availability of information. A central challenge lies in determining whether, at the time of processing or review, INTERPOL had access to sufficient information to assess compliance with its rules, especially Article 3 of the Constitution. This raises a still underexplored issue: what information should INTERPOL have sought or considered? For example, in the context of a Red Notice, INTERPOL may not be aware that the individual concerned has obtained refugee status in another state, an element that would render the notice non-compliant under its policies. The absence of such information, even when not publicly accessible, may still affect the Organization’s responsibility.

Moreover, due diligence must be understood as an ongoing duty. Compliance at the time of publication does not relieve INTERPOL of the duty to act if new information emerges. This continuing obligation implies that the Organization must be prepared to re-evaluate and, where necessary, withdraw or delete data already processed. Ensuring this in practice requires adequate institutional capacity, both in human and technological terms. Artificial intelligence and data analysis tools may, in the future, assist in meeting this standard more effectively.

The responsibility to ensure compliance with INTERPOL’s legal framework does not lie exclusively with the Organization itself. Member states, as the originators of data, also have a role to play in exercising a certain degree of vigilance. In particular, Article 5(3) of the RPD stipulates that “[t]he Organization’s Members shall endeavor to exchange a maximum of information of interest for the purposes of international police cooperation, with due observance of the Organization’s political neutrality, independence and mandate ….” One may reasonably interpret the reference to “due observance” of the Organization’s political neutrality, independence, and mandate as implying, at the very least, a duty of conduct on the part of member states. According to this view, states should act in a manner that takes into account—and does not undermine—INTERPOL’s core constitutional principles. At a minimum, this could be understood as requiring member states to refrain from submitting data that might compromise the Organization’s neutrality or exceed its mandate. In this sense, the notion of “due observance” serves as a normative safeguard, encouraging member states to assess the compatibility of their actions with INTERPOL’s foundational values.

To strengthen its operational safeguards, INTERPOL would benefit from adopting detailed internal guidelines that clarify the respective responsibilities of its organs and of the member states. These instruments should establish verification mechanisms, define the elements of due diligence, and provide practical procedures to ensure ongoing compliance with Article 3. While similar frameworks already exist for partnerships with private actors and NGOs, equivalent structures should be developed to regulate member state conduct in data transmission and information handling.

Another question concerns the status of INTERPOL’s internal rules. Can they take precedence over general rules of international responsibility? The extent to which these rules form a self-contained regime under international law remains subject to debate. In the absence of express derogation, the rules reflected in the 2011 International Law Commission Draft Articles on the Responsibility of International Organizations (DARIO) apply unless it can be established that INTERPOL’s rules are the primary basis.

INTERPOL’s Responsibility in Applying or Refraining from Applying Corrective Measures

The RPD establish an internal legal framework enabling INTERPOL to take corrective measures when “a National Central Bureau or an international entity encounters difficulties when processing data in the INTERPOL Information System or does not fulfil its obligations under the present Rules.”[12]

From the standpoint of international law, these measures may qualify as “rules of the organization” within the meaning of Article 2(b) of DARIO.[13] As such, the implementation or non-implementation of these measures may give rise to questions of international responsibility, particularly when the failure to act, or the taking of disproportionate action, results in harm to a member state or a third party. However, the reliance on such internal rules must remain consistent with INTERPOL’s constitutional framework, in particular Articles 2 and 3 of its Constitution. These provisions enshrine INTERPOL’s commitment to international police cooperation “in the spirit of the Universal Declaration of Human Rights,”[14] and its strict prohibition against “any intervention or activities of a political, military, religious or racial character.”[15]

The challenge lies in ensuring that the corrective mechanisms adopted under Article 131 of the RPD are applied in a manner that upholds these core principles. While states subject to such measures may avail themselves of recourse to the Executive Committee, concerns persist regarding procedural fairness and the adequacy of due process safeguards. Thus, the integration of constitutional principles into the decision-making process is not merely desirable, it should be viewed as a legal obligation.

DARIO stress this point. Article 14, for instance, underscores that an international organization may incur responsibility where it aids or assists a state in the commission of an internationally wrongful act. This raises the question: under what circumstances could INTERPOL’s inaction—or even action—be construed as contributing to a violation of a state’s international obligations, such as human rights obligations?

This query reinforces the importance of a rigorous two-tier assessment: first, the necessity of the measure (i.e., whether all cooperative and remedial avenues have been exhausted), and second, the proportionality of the response (i.e., ensuring that the selected corrective measure is the least restrictive means available and is commensurate with the gravity of the breach).

Ultimately, the broader normative question remains whether INTERPOL’s corrective practice should evolve in line with developments in international law, particularly as reflected in DARIO. Engaging with them may clarify the legal consequences of organizational conduct, especially where INTERPOL’s measures intersect with a state’s own international obligations. A careful balancing act is thus required to preserve INTERPOL’s operational effectiveness, uphold its constitutional integrity, and ensure consistency with the broader framework of international responsibility.

Legal Implications Arising from Linking Institutional Aspects to Compliance

Since corrective measures address a fundamental aspect of INTERPOL’s operational framework, an important question arises: can persistent violations of the RPD by an NCB justify restricting that state’s institutional rights—such as eligibility for elected positions, hosting statutory meetings, or voting?

Linking institutional participation to compliance introduces complex legal and political issues. Only a limited number of international organizations have adopted such mechanisms. This may reflect both legal ambiguities and political resistance towards such a mechanism.

There is nonetheless a compelling argument for reinforcing institutional compliance mechanisms. If such restrictions are perceived not as unilateral acts but rather as expressions of collective will, legal objections may be attenuated. This would require greater political alignment and a shared commitment to upholding the Organization’s rules.

Moreover, it is worth exploring whether such institutional consequences may qualify as countermeasures under international law. If so, their legality would depend on their proportionality, necessity, and objective of inducing compliance. Recognizing them as lawful countermeasures could enhance INTERPOL’s legal authority while remaining within the bounds of international law. If such measures are part of the “rules of the organization,” could they instead form a lex specialis regime within the broader framework of international responsibility?

It may also be worthwhile to consider the resort to institutional sanctions that may be imposed before corrective measures are adopted. Current discussions within INTERPOL explore whether these sanctions could serve as effective responses to non-compliance. However, given that INTERPOL functions as a cooperative mechanism, it may be weakened if members are excluded or disengaged. As an organization based on communication channels and cooperation, excluding a member may carry unintended consequences (as Kristina Daugirdas explores). Therefore, alternative forms of institutional sanctions may be considered, ones that uphold cooperation while addressing non-compliance. Ultimately, any framework must strike a balance between enforcing compliance and preserving the cooperative nature of INTERPOL.

References

1 Constitution of the International Police Organization-INTERPOL, Art. 2, June 13, 1956 (I/CONS/GA/1956 (2008)) [hereinafter INTERPOL Const.].

2 Id. Art. 3.

4 Id. Art. 1(2).

5 “‘Personal data’ means any data about an identified natural person or a person who may be identified by means that may reasonably be used.” Id. Art. 1(3).

7 T. R. Bromund, How the Abuse of Interpol Contributes to Transnational Repression 11 (Policy Report, New Lines Institute, 2025).

9 INTERPOL RPD, supra note 3, Art. 82.

10 Id. Art. 88.

11 Laurence Boisson de Chazournes & André Nollkaemper, Partnerships Between International Institutions and Issues of (Shared) Responsibility, Int’l Org. L. Rev. 1, 11 (2016).

12 INTERPOL RPD, supra note 3, Art. 131 (authorizing the General Secretariat to correct processing errors, supervise processing operations, suspend access rights, and dispatch assessment teams).

13 “‘Rules of the organization’ means, in particular, the constituent instruments, decisions, resolutions and other acts of the international organization adopted in accordance with those instruments, and established practice of the organization.” Articles on the Responsibility of International Organizations, with Commentaries, ILC Report on the Work of Its Sixty-Third Session, UN Doc. A/66/10 (2011).

14 INTERPOL Const., supra note 3, Art. 2.

15 Id. Art. 3.