Legal base	Articles 30, 31 and 34(2)(b)EU; consultation; unanimity
Document originated	4 October 2005
Deposited in Parliament	14 October 2005
Department	Constitutional Affairs
Basis of consideration	EM of 24 October 2005
Previous Committee Report	None
To be discussed in Council	No date set
Committee's assessment	Legally and politically important
Committee's decision	Not cleared; further information requested

Background

5.1 Directive 95/46/EC of the European Parliament and the Council[8] (the Data Protection Directive) contains rules on the lawfulness of the processing of personal data as well as on the rights of the data subject, but it does not apply to activities which fall outside the scope of Community law, such as those provided for under Title VI EU on police and judicial cooperation in criminal matters. A draft resolution on personal data protection rules was considered by the Council in 2001 but was not adopted.

5.2 The Hague Programme of November 2004 and its subsequent action plan of June 2005 invited the Commission to bring forward proposals for adequate safeguards and effective legal remedies for the transfer of personal data for the purposes of police and judicial cooperation in criminal matters. At the same time, seven Member States (Germany, Austria, Belgium, the Netherlands, Luxembourg, France and Spain) concluded a cooperation agreement in May 2005 which provided for direct automated access for the law enforcement authorities of one Contracting Party to personal data held by another Contracting Party, subject to specific conditions. The agreement provides that this form of cooperation is not to apply until the data protection provisions of the agreement have been reflected in the national law of the Contracting Parties.

5.3 In making its proposal for a draft Framework Decision, the Commission draws attention on the one hand to the specific nature of data processing and data protection within the framework of police and judicial cooperation under Title VI of the EU Treaty, but on the other to the need not to "hamper consistency with the general policy of the Union in the area of privacy and data protection on the basis of the EU Charter for Fundamental Rights and of Directive 95/46/EC". The Commission also refers in this connection to the close relationship between the proposed draft Framework Decision and the Commission's proposal for a Directive on the retention of data processed in accordance with the provision of public electronic communication services, which also amends Directive 2002/58/EC.[9] The Commission further notes that by virtue of Article 3(2) of Directive 95/48/EC, the latter does not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law and concludes that the most satisfactory option is a Framework Decision following the spirit and structure of Directive 95/48/EC as far as possible but also respecting the requirements of Title VI of the EU Treaty.

The draft Framework Decision

5.4 The draft Framework Decision closely follows the terms of the Data Protection Directive. It would replace the provisions of Article 23 of the Convention on Mutual Assistance in Criminal Matters between Member States of the European Union[10] and is a matter in which the United Kingdom and Ireland are taking part in accordance with Article 5 of the Protocol integrating the Schengen acquis and in consequence of the requests of those countries in 2000 and 2002 respectively to participate in some of the provisions of the Schengen acquis.

5.5 Article 1 of the draft Framework Decision describes its object as being to determine common standards for the processing of data in the framework of police and judicial cooperation in criminal matters, as provided for under Title VI of the EU Treaty. As with the Data Protection Directive, Article 1(2) requires Member States to ensure that the disclosure of personal data in neither restricted not prohibited for reasons connected with the protection of personal data as provided for in the Framework Decision.

5.6 Article 2 uses the same definitions of key terms such "personal data", "processing of personal data", "controller" and "processor" as are used in the Data Protection Directive. Similarly, Article 3 of the Directive and of the draft Framework Decision provides that the rules are to apply both to automatic data processing and to processing as part of a filing system. In the case of the draft Framework Decision, the filing systems in question are those administered by a competent authority for the purpose of the prevention, investigation, detection and prosecution of criminal offences. Article 3(2) provides that the Framework Decision is not to apply to the processing of personal data by Europol, Eurojust or the Customs Information System set up by the Convention on the use of information technology for customs purposes.

5.7 Articles 4 to 7 set out general rules on the lawfulness of processing of personal data which generally correspond to those of Articles 5 to 8 of the Data Protection Directive. However, the criteria for making data processing legitimate under Article 5 of the Framework Decision are more limited than those under the provisions of Article 7 of the Directive. Under the Framework Decision, processing is legitimate only if it provided for by law as being necessary for the fulfilment of the legitimate tasks of the authority concerned and for the purpose of preventing, investigating, detecting or prosecuting criminal offences. (Accordingly, no provision is made for processing of data with the consent of the data subject, or for compliance with a legal obligation to which the controller is subject, or where the processing is necessary for the performance of a task carried out in the public interest, or for the purposes of a legitimate interest of the controller).

5.8 Articles 8 to 18 set out a series of rules on the transmission of data to competent authorities of the Member States, requiring the verification of data before it is transmitted (Article 9), the logging and documentation of automated transmissions (e.g. on-line) and that such transmission and further processing is done only for fulfilment of the legitimate tasks of the transmitting or receiving authority and for the purpose of preventing, investigating, detecting or prosecuting criminal offences.

5.9 Article 15 restricts the further transfer of data to third-countries or international bodies. Such a transfer may only take place if the transfer "is provided for by law clearly obliging or authorising it" and if the transfer is necessary for the purpose for which it was collected or for the purpose of preventing threats to public security or to a person except "where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject". In addition, the competent authority of the Member State which first transmitted the data must have given its prior consent to the further transfer and an adequate level of data protection is ensured in the third-country, or by the international body to which the data is to be transferred. By virtue of Article 15(2), it is for Member States to assess whether a third-country provides an adequate level of data protection, but Article 16 provides a procedure whereby such a decision may be reached by a committee chaired by the Commission. In cases where a finding is made under Article 16 that a third-country does not provide an adequate level of data protection, Member States are required by Article 15(4) to take steps to prevent any transfer of data to that third- country or international body. An exception is provided for by Article 15(6) which permits the transfer of data, notwithstanding the absence of an adequate level of data protection, if this is "absolutely necessary in order to safeguard the essential interests of a Member State, or for the prevention of imminent serious danger threatening public security or a specific person of persons".

5.10 Article 16 provides for a Committee to be chaired by the Commission with the assistance of representatives of the Member States. Drafts of measures to be taken are to be proposed by the Commission and the Committee is to give an opinion on the draft by the majority laid down in Article 205(2) EC (i.e. qualified majority). The Commission may adopt the measure if it is in accordance with the Committee's opinion, but if this is not the case, the Commission is to refer the matter to the Council which shall act by qualified majority. If the Council opposes the proposal, the Commission must re-examine it. If the Council has not acted within two months, the measure may be adopted by the Commission.

5.11 Articles 19 to 22 are concerned with the rights of the data subject to information, access, rectification, erasure and blocking. These generally correspond to the rights of the data subject under the Directive, except that under the draft Framework Decision a distinction is made between data which is collected with the subject's knowledge and data which is collected without such knowledge. However, in the latter case, the right of access is limited and information need not be supplied if this would prevent the controller from carrying out his lawful duties properly or would prejudice an ongoing investigation or public security or public order or the rights and freedoms of third parties.

5.12 Articles 23 to 26 contain rules requiring data to be kept confidential and secure, and provide for a register of data processing operations. Article 27 requires Member States to provide for a judicial remedy for any breach of the rights guaranteed to him under the national law enacted to give effect to the Framework Decision, and Article 28 makes provision for compensation for any damage suffered by reason of unlawful processing operations. Article 29 requires Member States to adopt "effective, proportionate and dissuasive" sanctions for infringements of provisions adopted pursuant to the Framework Decision. Article 29(2) requires criminal sanctions to be provided for where the infringements, notably those relating to confidentiality and security of processing, are intentional.

5.13 Article 30 requires each Member State to make provision for a supervisory authority with investigative powers and powers to conduct litigation as well as to give opinions on processing operations and to hear claims by persons concerning the protection of his rights in relation to the processing of personal data. Article 31 provides for an advisory working party of representatives of supervisory bodies, of the European Data Protection Supervisor and of the Commission.

The Government's view

5.14 In her Explanatory Memorandum of 24 October 2005 the Parliamentary Under-Secretary of State at the Department for Constitutional Affairs (Baroness Ashton of Upholland) explains that the proposal aims to improve the exchange of data while providing for the strict observance of key data protection requirements. The Minister adds that the United Kingdom, as Presidency of the Council, recognises its commitment to taking forward work that will ensure coherent standards on data protection in the light of the Hague programme, and that the Commission's proposals are intended to provide a regulatory framework for the exchange and processing of personal data between competent authorities in the Member States, and the transmission of data to third- countries and international organisations.

5.15 The Minister notes that other Member States received the proposal on 5 October and will need some time to determine their attitude towards what is a long and complex document. The Minister considers that issues which are likely to arise include the legal base and scope of the proposal, including whether it applies to the processing of data after the data has been exchanged. The Minister further explains that the Government will be seeking the views of law enforcement agencies and the Information Commissioner.

Conclusion

5.16 We note that this is a very recent proposal, and that further detailed analysis will be necessary. For our part, we confine ourselves to a few general and institutional points at this stage.

5.17 First, we ask if the Minister is satisfied that the proposal is consistent with the existing arrangements between the United Kingdom and third-countries, such as the United States or Commonwealth countries, for the exchange of data or whether it will necessitate a change to those arrangements.

5.18 Secondly, we invite the Minister to comment further on the proposed arrangement for a Committee, chaired by the Commission, to make determinations of the adequacy of data protection in third-countries. In particular, we ask if the Minister is content with the pre-eminent role given to the Commission, and whether it is appropriate to transpose the comitology arrangements to police and judicial cooperation in criminal matters.

5.19 Thirdly, we ask the Minister to comment on the need or otherwise for criminal sanctions as provided for in Article 29.

5.20 We shall hold the document under scrutiny pending the Minister's reply.

9   See (26873) HC 34-vii (2005-06) para 11 (26 October 2005). We are holding the matter under scrutiny. Back

10   OJ No. C 197 of 12.7.2000, p.3. Back