Legal base	Articles 30, 31 and 34(2)(b)EU; consultation; unanimity
Department	Constitutional Affairs
Basis of consideration	EM of 19 April 2007
Previous Committee Report	(a) HC 41-i (2006-07), para 3 (22 November 2006), HC 41-xi (2006-07), para 1 (28 February 2007) and see (26911) HC 34-xxxvi (2005-06), para 4 (19 July 2006); HC 34-xiv (2005-06), para 2 (11 January 2006), HC 34-x (2005-06), para 5 (16 November 2005) (b) None
To be discussed in Council	No date set
Committee's assessment	Legally and politically important
Committee's decision	(a) Cleared; (b) Not cleared; further information requested

Background

4.1 Following our consideration of an earlier version of this proposal on the transfer of personal data for the purposes of police and judicial cooperation in criminal matters, we considered the then current version (document (a)) on 22 November 2006 and 28 February 2007. We noted that it closely followed the terms of Directive 95/46/EC of the European Parliament and the Council (the Data Protection Directive)[8] and provided for common standards for the processing of data in the framework of police and judicial cooperation in criminal matters under Title VI of the EU Treaty.

4.2 We agreed with the Minister that the then current version represented an improvement and welcomed the deletion of a provision which would have delegated to a committee chaired by the Commission the power of decision as to whether a third country offered an adequate level of data protection for the purpose of authorising the transfer of data to that country.

4.3 We noted, nevertheless, that a number of basic questions, such as the scope of the proposal and its application to the transfer of data to third countries, remained to be resolved. In particular, the question of whether the scope of the proposal should be confined to the transfer of data between Member States, or whether it should cover data which is processed in a purely domestic context, remained unresolved. We agreed with the Minister that no suitable legal base appeared to exist under the EU Treaty for a proposal which would apply to the purely domestic processing of data, but noted the intention by Government to give a "political undertaking" that it would apply to domestic data provisions on processing comparable to those in the proposal. We were concerned that this carried the risk of being seen to acknowledge the existence of a power under the EU Treaty to regulate purely domestic processing, and considered that it should be made entirely clear on the face of any new version of the proposal that it did not so apply .

4.4 In relation to the transfer of data to third countries, we noted the Minister's explanation that the Government did not wish the proposal to apply to such transfers of "home grown" data (i.e. data generated in the UK and not supplied by another Member State). We noted the Minister's statement that the current text of the proposal restricted its application to data supplied to the UK by another Member State. We agreed with the Minister that this was the desired result, but said we would consider whether it had been achieved in the expected revised version.

The revised Framework Decision

4.5 The revised draft Framework Decision (document (b)) in some instances addresses our concerns, but in others creates a number of difficulties. Although the proposal is defined (in Article 1(2)) as applying "when personal data are transmitted between Member States", a new recital (recital 6a) states that Member States "will also apply the rules of the Framework Decision to national data-processing, in order that the conditions for transmitting data may already be met when the data are collected".

4.6 The apparent limitation under Article 1(2) to data which is transmitted between Member States (or to institutions and bodies established under Title VI EU) appears to be inconsistent with the breadth of other provisions of the proposal. For example, Article 2 defines the key concept of "processing" as "any operation … performed upon personal information" and Article 3 (1) limits the collecting and processing of data to lawful purposes "established explicitly under Title VI" and provides that data may be processed only for the purpose for which the data was collected. In neither case is there any explicit (or implied) limitation to data which is transmitted between Member States or to EU institutions.

4.7 Similarly, the rules in Article 3(2) on further processing, in Article 4 on corrections, in Article 5 on erasure and blocking and in Article 6 on time limits are not confined to data which is transmitted, but apply to data which is processed, and so are capable of applying to purely domestic situations. The same result appears to arise from the provisions of Article 7 on the processing of special categories of data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or concerning health or sex life) and those of Article 8 concerning the making of automated decisions having an adverse legal effect on a data subject.

4.8 Articles 9 to 12 are concerned with the transfer of data to the competent authorities of other Member States or to EU bodies established under Title VI EU (such as , for example, Eurojust) and provide for the verification of data, time-limits for erasure and review and the recording and logging of transmissions.

4.9 Article 13 restricts the purposes for which transmitted data may be further processed. The principal rule is that data may be further processed only for the purposes for which it was transmitted, but there are a number of important exceptions to this general rule. Accordingly, transmitted data may be used for the prevention, detection or prosecution of offences other than those for which the data was transmitted. The data may also be used for other judicial and administrative proceedings "directly related to purposes referred to in Article 3(1)" (i.e. for purposes established pursuant to Title VI),[9] for the prevention of an immediate and serious threat to public security, or for any other purpose with the consent of the transmitting authority.

4.10 Article 14 sets out a new rule for the transfer of transmitted data to third countries. Under the previous proposal, such transfers could take place if there had been a decision that the data protection standards were adequate in the country concerned. The requirement for an "adequacy" decision as a condition for transfer has now been removed and replaced with a requirement that the consent of the transmitting Member State be obtained before the data is transferred.

4.11 Articles 16 to 20 are concerned with the rights of the data subject, and have been extensively recast by comparison with the previous version. As with the provisions on processing, there is no express limitation in the scope of these provisions to data which has been transmitted by another Member State, so the provisions are capable of applying to domestic processing. Article 16 requires information to be supplied to the data subject, unless this proves to be incompatible with the permissible purposes of the processing, or involves a "disproportionate effort compared to the legitimate interests of the data subject". Articles 17, 18, 19 and 20 provide for rights of access by the data subject, rectification erasure or blocking, compensation and judicial remedies respectively.

4.12 The revised draft Framework Decision contains rules on the confidentiality and security of processing (Articles 21 to 24) which are similar to those in the previous version.

4.13 As with the previous version, Member States are required to provide for one or more independent public authorities to monitor the application of provisions adopted within the national territory to give effect to the Framework Decision and the processing of data falling within its scope (Article 25). Unlike the previous version, provision is also made in Article 26 in respect of a joint supervisory authority which would be established by a Council Decision under Article 34(2)(c) EU. Article 26(3) further provides that, on entry into force of that Decision, the provisions of Article 115 of the Schengen Convention, Article 24 of the Europol Convention, Article 23 of Council Decision 2002/187/JHA setting up Eurojust and Article 18 of the Convention drawn up on the basis of Article K3 of the Treaty of European Union on the use of information technology for customs purposes would be "replaced".

The Government's view

4.14 In her Explanatory Memorandum of 19 April the Parliamentary Under-Secretary of State at the Department for Constitutional Affairs (Baroness Ashton of Upholland) explains that the current document (document (b)) is the latest revised draft of the proposal first made by the Commission in 2005, and which has been significantly amended by the German Presidency.

4.15 The Minister explains that the Government supports the principle of the proposed draft Framework Decision and is "keen for an appropriate text to be agreed as soon as possible". However, the Minister also explains that whilst some of the amendments in the new text are improvements, others "revive previous difficulties or pose new concerns". The Minister welcomes the inclusion of Article 1(2), which provides that only personal data which is transmitted between Member States or EU institutions or bodies is within the scope of the proposal, but adds that the Government is concerned by the "contradictory references and inferences" throughout the text which appear to suggest that the Framework Decision also applies to purely domestic processing of personal data. In this regard, the Minister also refers to the new recital 6a which, in her view, shows a "clear expectation that Member States will also apply the terms comparable to the [Framework Decision] to purely domestic processing of personal data".

4.16 The Minister further explains that the previous version included a mechanism for ensuring compliance with the principle that personal data was transferred only to those third countries or international bodies which ensured an adequate level of data protection, but that this has now been replaced by a requirement to obtain the consent of the originating State, with no reference to any decision on the adequacy of data protection. The Minister explains that the reasons behind the amendment and its implications, "will be discussed in greater detail at the next expert level Working Group meeting".

4.17 The Minister informs us that the Government is continuing to explore the implications of the limitations on further processing and adds that the Government has welcomed in principle the proposal for "a single supervisory body in the third pillar" and is assessing whether "resource efficiencies and standardisation might be improved without a detrimental impact on other areas of business".

Conclusion

4.18 We share the Minister's view that the revised version of the Framework Decision, although containing improvements, also revives old difficulties and raises new areas of concern.

4.19 Chief among these difficulties is the question of whether the proposal is to apply to the purely domestic processing of data. We consider that the revised text is ambiguous on this central point, which also concerns the powers of the European Union to involve itself in matters which are internal to a Member State. Article 1(2) indeed refers to data which has been transmitted by one Member State to another, but the other provisions turn on the concept of "processing" which is defined so broadly so as to include purely domestic processing. In our previous report on this matter, we considered that it should be made entirely clear on the face of the proposal that it did not apply to such domestic processing, but in the latest version this is even less clear than before. We consider that this ambiguity must be resolved, and we ask the Minister if the Government will press for it to be resolved as a condition for giving agreement to the proposal.

4.20 We note that the provisions which required a decision on the adequacy of data protection standards in a third country before transmitted data can be further transferred have now been replaced by a provision which permits such a transfer with the consent of the State in which the data originates. This appears to be a simpler and more straightforward solution, but we ask the Minister to explain whether the Government supports this approach, or whether it sees it has any disadvantages.

4.21 We note that the Government welcomes, in principle, the establishment of a single supervisory body at EU level, but we shall look forward to a more detailed assessment of its advantages and disadvantages.

4.22 We note that the Minister is consulting on the revised proposal, and we ask the Minister to provide us with an account of the views expressed, particularly by the Information Commissioner.

4.23 We clear the previous version (document (a)) on the grounds that it has been superseded, but we shall hold the current version (document (b)) under scrutiny pending the Minister's reply.

9   It is not clear if 'established explicitly pursuant to Title VI' means established under a Framework Decision or Decision, or whether it refers also to matters set out on the face of Title VI itself, such as 'racism and xenophobia', organised crime, terrorism, illicit drug and arms trafficking etc. Back