Examination of Witnesses (Questions 246-259)
23 JANUARY 2007
Q246 Mrs Dean: Good morning everyone.
I am Janet Dean. In the absence of the Chairman, I have been asked
to chair this morning's session. I am very grateful to you all
for coming along. I wonder if we could start by asking you to
introduce yourselves. Perhaps one person from each organisation
would be appropriate.
Mr Smith: I am David Smith, Deputy
Information Commissioner. In introducing myself, may I apologise
on behalf of Mr Thomas, the Commissioner, that he cannot be here
himself. I am accompanied by a colleague, Lee Taylor.
Q247 Mrs Dean: Professor Peers.
Professor Peers: I am Professor
Steve Peers. I work at the University of Essex Human Rights Centre
and I have an interest in data protection law in general and in
EU justice and home affairs law in general as well.
Q248 Mrs Dean: Belinda Lewis.
Ms Lewis: If you do not mind,
Chairman, could I defer to my colleague Peter Thompson to introduce
Mr Thompson: My name is Peter
Thompson. I am head of the Department of Constitutional Affairs'
EU and International Division. We are responsible for the strategic
coordination of all of the department's EU business. We were very
mindful, in thinking how we approached this Committee, that you
would ask to speak to officials who have been directly involved
in the negotiations on the Data Protection Framework Decision
and so with me are two of my colleagues, Belinda Lewis from the
Information Rights Division, who has been heading up the policy
aspects of that negotiation, and Harriet Nowell-Smith, our legal
adviser on that matter. Without taking up too much of your time,
I wonder if it might be helpful if I said something about the
relationship between the Home Office and the DCA on the kind of
third pillar instruments you are talking about. Given the general
thrust of your committee, I think that might be helpful.
Q249 Mrs Dean: That would be very
Mr Thompson: DCA has the lead
on data protection policy issues and that is why we lead for the
Government in the negotiations in the EU on the Data Protection
Framework Decision and the Home Office work closely with us, but
the Home Office have the lead on many operational aspects and
of course are the department with responsibility for the police
and the like. On many of those other instruments, you will find
the Home Office in the lead and the DCA providing input on the
data protection policy aspects. I hope we can be as helpful as
we can today but there may be times when you start to ask what,
in effect, becomes an operational question and there will be a
limit to how much we can say there that is useful.
Q250 Mrs Dean: Thank you very much.
Could I turn to Professor Peers. In your view, is crime going
unchallenged because of a failure to share information effectively
at an EU level?
Professor Peers: Of course police
officers might be the best people to answer that question and
staff members of your Europol and so on. My assumption, based
on the number of measures which are already in force, is that
there cannot be very many cases, if there were any, where that
already is the case. We already have Europol established and Eurojust
and we have fairly developed system of mutual assistance and operational
request for sending information between the police authorities,
so I very much doubt whether there is a gigantic number of cases
which would call for a really radical change in the system of
exchanging personal data between police forces.
Q251 Mrs Dean: Are problems with
data sharing between EU Member States technical, for example,
making national systems interoperable, or political, in that there
has not been enough will to share information?
Professor Peers: I think a combination
of both. There are some reasons traditionally why states would
not share information and also some difficulties in perhaps being
able to find the information in a national system. It is not simply
a question of making systems interoperable but in having a national
system which can easily be accessed via the person who is being
contacted. She might then have to contact several other people
or find who to contact in order to find that information, so that
might lead to a lengthy process. I suppose, if you want to speed
things up, it is also necessary to have a more coherent system
at a national level.
Q252 Mrs Dean: Does anyone else wish
to comment on the issue of data sharing in that way?
Mr Smith: There clearly are some
technical problems. There may be political problems as well. The
UK is not yet a member of the Schengen information system. That
has been on the cards for a number of years now and my understanding
is that it is essentially technical problems that have stood in
the way of that. They are not necessarily only technical problems
in the UK; they are technical problems in the central system and
enabling it to expand further. I wonder if I might also comment
briefly on the question of whether more information sharing would
be helpful. I am not sure it is for me to argue the case but one
of my tasks at the moment is that I am Chairman of the Data Protection
Supervisory Body of Europol. We do carry out inspections at Europol
and I know if you ask the analysts at Europol they would say very
clearly that they do not receive enough data from Member States.
Some Member States are very much better contributors than others.
This is not, if you like, the tracking down of particular crimes
and particular criminals; this is the gathering together of intelligence,
to analyse the intelligence, to look for patterns. I think, if
you asked them, they would say that they could do a better job
if they had more information available to them.
Q253 Bob Russell: Professor Peers,
what difference will the principle of availability make to the
data the UK can request and give out? Will the principle make
it harder to protect sensitive data?
Professor Peers: I think the answer
depends on the way in which the principle of availability is implemented.
If it is implemented according to the Commission's proposal it
would apply to additional categories of types of data but if it
is implemented, as I suspect it will be, in accordance with the
Treaty of Prüm being applied to all Member Statesbut
that seems already to have been agreed and in fact there are legislative
proposals on the table this week already for the Article 36 committee
of Councilthen we will be starting just with the DNA, fingerprints
and vehicle registration information. That really is a profound
change because then you have automatic and uncontrolled access
by the police forces of each Member State to the databases of
each other Member State as regards, at least, DNA, fingerprint
and vehicle access information. The idea is to extend that to
other categories like civil registry information as well. You
have, in a sense, a fishing expedition, of police forces being
able to take an entire database of information in a way which
they cannot now because they are essentially currently restricted
to sending specific requests in specific cases to other countries.
You would certainly hope that every police force in the European
Union would restrict itself to only searching for very important
information where it has legitimate reasons to search. But I suspect
there is a risk that in some cases some uncontrolled fishing expeditions
will take place. That is the risk from the data protection point
of view. Of course there will probably be some advantages from
a law enforcement point of view on the other hand.
Q254 Bob Russell: I presume you have
been following the fallout of our hearing from a week or two back.
Do you think, as a result of last week's investigations into conviction
records, the implementation of the principle of availability and
faster exchange of data on convictions will be an increased priority
for the Home Office?
Professor Peers: From the EU point
of view, technically, the question of exchange of information
on criminal convictions is dealt with by a separate proposal.
It is not technically covered by the principle of availability.
The idea will be to have slightly different processes, giving
each Member State's law enforcement authorities access to criminal
conviction databases of all the others, but it seems that both
issues were already a priority for the German Presidency even
before what happened in the Home Office and I would expect what
will happen in the Home Office is that they will respond to this
latest scandal by trying to deal with things more efficiently
until they are diverted perhaps by the next scandal or by the
splitting up of the Home Officewhich will doubtless take
lots of time and resources to deal with as well. That is the answer,
that these things are technically separate but proceeding quite
quickly in parallel.
Q255 Bob Russell: Is the UK pushing
ahead with aspects of the principle of availability to your knowledge?
I have in mind, for example, making DNA or fingerprinting available
without the accompanying data protection measures.
Professor Peers: Last year what
is called the G6 states, the five biggest Member States, had what
I have described in my written evidence as one of their "secret"
meetings and they discussed the idea of pushing ahead with the
principle of availability without the framework decision on data
protection. I think, as they have now taken a different course,
we are going to have, instead, the Treaty of Prüm turned
into EU law, perhaps without the Data Protection Framework Decision,
but that remains to be seen. At least the Treaty of Prüm
does have some data protection provisions of its own. I think
they are insufficient as compared to the Data Protection Framework
Decisionat least the Commission's original proposal, which
of course might be watered down anyway. In any event, the problem
is that they are in some respects insufficient. If I may name
the areas: particularly the powers of supervisory authorities
are dealt with in the Data Protection Framework Decision and not
in the Treaty of Prüm; the issue of further processing of
data is dealt with in the framework decision but very weakly in
the Treaty of Prüm; equally, the transfer of data to non
EU states is dealt with quite strongly in the original proposal
for a framework decision and quite weakly in the Treaty of Prümalthough
it looks like it will emerge in the framework decision to have
a quite weak provision on that issue as well. There are several
other issues, like the right to information, which are more properly
dealt with in the framework decision but not quite dealt with
as fully in the Treaty of Prümalthough, again that
might be watered down during discussions in the framework decision.
The framework decision is a moving target, so it is difficult
to say whether it would set sufficiently high standards, but at
least it has the potential to if you went back closer to the Commission's
Q256 Bob Russell: From your point
of view, can the moving target still be hit, or can the shortcomings
you have identified not be resolved to your satisfaction? Is there
still a chance they can be?
Professor Peers: I am sure it
is technically possible that the framework decision could set
a higher level of protection than the worst-case scenario, but
I think something close to the worst-case scenario is more likely
than something close to the best-case scenario.
Q257 Bob Russell: Thank you. Mr Thompson,
what are the implications for data protection of an increased
drive for information sharing with EU colleagues, in particular
Mr Thompson: Do you mind if I
defer that question to my colleague Belinda Lewis?
Q258 Bob Russell: However you want
to play it.
Ms Lewis: With regard to biometrics,
biometric data is essentially another form of personal data, so
the current data protection provisions would apply. In the UK
that is the Data Protection Act. We would regard some biometric
data to be sensitive personal data, so the highest standards of
data protection under the Data Protection Act would apply. If
we were looking to exchange that biometric data with other EU
Member States at the moment Convention 108, the Council of Europe
convention, would apply, but, once it is agreed, the Data Protection
Framework Decision would apply. The Data Protection Framework
Decision also has special provisions in order to protect more
efficiently sensitive personal data which we would regard some
biometric data to be.
Q259 Bob Russell: That would be iris,
Ms Lewis: Yes, that is right.