MR DAVID SMITH, MR LEE TAYLOR, PROFESSOR STEVE PEERS, MS BELINDA LEWIS, MS HARRIET NOWELL-SMITH AND MR PETER THOMPSON

23 JANUARY 2007

  Q246 Mrs Dean: Good morning everyone. I am Janet Dean. In the absence of the Chairman, I have been asked to chair this morning's session. I am very grateful to you all for coming along. I wonder if we could start by asking you to introduce yourselves. Perhaps one person from each organisation would be appropriate.

  Mr Smith: I am David Smith, Deputy Information Commissioner. In introducing myself, may I apologise on behalf of Mr Thomas, the Commissioner, that he cannot be here himself. I am accompanied by a colleague, Lee Taylor.

  Q247  Mrs Dean: Professor Peers.

  Professor Peers: I am Professor Steve Peers. I work at the University of Essex Human Rights Centre and I have an interest in data protection law in general and in EU justice and home affairs law in general as well.

  Q248  Mrs Dean: Belinda Lewis.

  Ms Lewis: If you do not mind, Chairman, could I defer to my colleague Peter Thompson to introduce us, please.

  Mr Thompson: My name is Peter Thompson. I am head of the Department of Constitutional Affairs' EU and International Division. We are responsible for the strategic coordination of all of the department's EU business. We were very mindful, in thinking how we approached this Committee, that you would ask to speak to officials who have been directly involved in the negotiations on the Data Protection Framework Decision and so with me are two of my colleagues, Belinda Lewis from the Information Rights Division, who has been heading up the policy aspects of that negotiation, and Harriet Nowell-Smith, our legal adviser on that matter. Without taking up too much of your time, I wonder if it might be helpful if I said something about the relationship between the Home Office and the DCA on the kind of third pillar instruments you are talking about. Given the general thrust of your committee, I think that might be helpful.

  Q249  Mrs Dean: That would be very helpful.

  Mr Thompson: DCA has the lead on data protection policy issues and that is why we lead for the Government in the negotiations in the EU on the Data Protection Framework Decision and the Home Office work closely with us, but the Home Office have the lead on many operational aspects and of course are the department with responsibility for the police and the like. On many of those other instruments, you will find the Home Office in the lead and the DCA providing input on the data protection policy aspects. I hope we can be as helpful as we can today but there may be times when you start to ask what, in effect, becomes an operational question and there will be a limit to how much we can say there that is useful.

  Q250  Mrs Dean: Thank you very much. Could I turn to Professor Peers. In your view, is crime going unchallenged because of a failure to share information effectively at an EU level?

  Professor Peers: Of course police officers might be the best people to answer that question and staff members of your Europol and so on. My assumption, based on the number of measures which are already in force, is that there cannot be very many cases, if there were any, where that already is the case. We already have Europol established and Eurojust and we have fairly developed system of mutual assistance and operational request for sending information between the police authorities, so I very much doubt whether there is a gigantic number of cases which would call for a really radical change in the system of exchanging personal data between police forces.

  Q251  Mrs Dean: Are problems with data sharing between EU Member States technical, for example, making national systems interoperable, or political, in that there has not been enough will to share information?

  Professor Peers: I think a combination of both. There are some reasons traditionally why states would not share information and also some difficulties in perhaps being able to find the information in a national system. It is not simply a question of making systems interoperable but in having a national system which can easily be accessed via the person who is being contacted. She might then have to contact several other people or find who to contact in order to find that information, so that might lead to a lengthy process. I suppose, if you want to speed things up, it is also necessary to have a more coherent system at a national level.

  Q252  Mrs Dean: Does anyone else wish to comment on the issue of data sharing in that way?

  Mr Smith: There clearly are some technical problems. There may be political problems as well. The UK is not yet a member of the Schengen information system. That has been on the cards for a number of years now and my understanding is that it is essentially technical problems that have stood in the way of that. They are not necessarily only technical problems in the UK; they are technical problems in the central system and enabling it to expand further. I wonder if I might also comment briefly on the question of whether more information sharing would be helpful. I am not sure it is for me to argue the case but one of my tasks at the moment is that I am Chairman of the Data Protection Supervisory Body of Europol. We do carry out inspections at Europol and I know if you ask the analysts at Europol they would say very clearly that they do not receive enough data from Member States. Some Member States are very much better contributors than others. This is not, if you like, the tracking down of particular crimes and particular criminals; this is the gathering together of intelligence, to analyse the intelligence, to look for patterns. I think, if you asked them, they would say that they could do a better job if they had more information available to them.

  Q253  Bob Russell: Professor Peers, what difference will the principle of availability make to the data the UK can request and give out? Will the principle make it harder to protect sensitive data?

  Professor Peers: I think the answer depends on the way in which the principle of availability is implemented. If it is implemented according to the Commission's proposal it would apply to additional categories of types of data but if it is implemented, as I suspect it will be, in accordance with the Treaty of Prüm being applied to all Member States—but that seems already to have been agreed and in fact there are legislative proposals on the table this week already for the Article 36 committee of Council—then we will be starting just with the DNA, fingerprints and vehicle registration information. That really is a profound change because then you have automatic and uncontrolled access by the police forces of each Member State to the databases of each other Member State as regards, at least, DNA, fingerprint and vehicle access information. The idea is to extend that to other categories like civil registry information as well. You have, in a sense, a fishing expedition, of police forces being able to take an entire database of information in a way which they cannot now because they are essentially currently restricted to sending specific requests in specific cases to other countries. You would certainly hope that every police force in the European Union would restrict itself to only searching for very important information where it has legitimate reasons to search. But I suspect there is a risk that in some cases some uncontrolled fishing expeditions will take place. That is the risk from the data protection point of view. Of course there will probably be some advantages from a law enforcement point of view on the other hand.

  Q254  Bob Russell: I presume you have been following the fallout of our hearing from a week or two back. Do you think, as a result of last week's investigations into conviction records, the implementation of the principle of availability and faster exchange of data on convictions will be an increased priority for the Home Office?

  Professor Peers: From the EU point of view, technically, the question of exchange of information on criminal convictions is dealt with by a separate proposal. It is not technically covered by the principle of availability. The idea will be to have slightly different processes, giving each Member State's law enforcement authorities access to criminal conviction databases of all the others, but it seems that both issues were already a priority for the German Presidency even before what happened in the Home Office and I would expect what will happen in the Home Office is that they will respond to this latest scandal by trying to deal with things more efficiently until they are diverted perhaps by the next scandal or by the splitting up of the Home Office—which will doubtless take lots of time and resources to deal with as well. That is the answer, that these things are technically separate but proceeding quite quickly in parallel.

  Q255  Bob Russell: Is the UK pushing ahead with aspects of the principle of availability to your knowledge? I have in mind, for example, making DNA or fingerprinting available without the accompanying data protection measures.

  Professor Peers: Last year what is called the G6 states, the five biggest Member States, had what I have described in my written evidence as one of their "secret" meetings and they discussed the idea of pushing ahead with the principle of availability without the framework decision on data protection. I think, as they have now taken a different course, we are going to have, instead, the Treaty of Prüm turned into EU law, perhaps without the Data Protection Framework Decision, but that remains to be seen. At least the Treaty of Prüm does have some data protection provisions of its own. I think they are insufficient as compared to the Data Protection Framework Decision—at least the Commission's original proposal, which of course might be watered down anyway. In any event, the problem is that they are in some respects insufficient. If I may name the areas: particularly the powers of supervisory authorities are dealt with in the Data Protection Framework Decision and not in the Treaty of Prüm; the issue of further processing of data is dealt with in the framework decision but very weakly in the Treaty of Prüm; equally, the transfer of data to non EU states is dealt with quite strongly in the original proposal for a framework decision and quite weakly in the Treaty of Prüm—although it looks like it will emerge in the framework decision to have a quite weak provision on that issue as well. There are several other issues, like the right to information, which are more properly dealt with in the framework decision but not quite dealt with as fully in the Treaty of Prüm—although, again that might be watered down during discussions in the framework decision. The framework decision is a moving target, so it is difficult to say whether it would set sufficiently high standards, but at least it has the potential to if you went back closer to the Commission's original proposal.

  Q256  Bob Russell: From your point of view, can the moving target still be hit, or can the shortcomings you have identified not be resolved to your satisfaction? Is there still a chance they can be?

  Professor Peers: I am sure it is technically possible that the framework decision could set a higher level of protection than the worst-case scenario, but I think something close to the worst-case scenario is more likely than something close to the best-case scenario.

  Q257  Bob Russell: Thank you. Mr Thompson, what are the implications for data protection of an increased drive for information sharing with EU colleagues, in particular biometrics?

  Mr Thompson: Do you mind if I defer that question to my colleague Belinda Lewis?

  Q258  Bob Russell: However you want to play it.

  Ms Lewis: With regard to biometrics, biometric data is essentially another form of personal data, so the current data protection provisions would apply. In the UK that is the Data Protection Act. We would regard some biometric data to be sensitive personal data, so the highest standards of data protection under the Data Protection Act would apply. If we were looking to exchange that biometric data with other EU Member States at the moment Convention 108, the Council of Europe convention, would apply, but, once it is agreed, the Data Protection Framework Decision would apply. The Data Protection Framework Decision also has special provisions in order to protect more efficiently sensitive personal data which we would regard some biometric data to be.

  Q259  Bob Russell: That would be iris, fingerprints, DNA.

  Ms Lewis: Yes, that is right.