MR DAVID SMITH, MR LEE TAYLOR, PROFESSOR STEVE PEERS, MS BELINDA LEWIS, MS HARRIET NOWELL-SMITH AND MR PETER THOMPSON

23 JANUARY 2007

  Q280  Martin Salter: Should there be?

  Ms Lewis: It is an enormous question and to answer that we would need to look at the knock-on effects for the UK for data sharing in the UK and also for the UK justice system.

  Q281  Martin Salter: Professor Peers, what is your view on this?

  Professor Peers: The dual criminality issue is very important to the issue of mutual recognition in criminal matters but, for the reasons just set out, it is not relevant to data protection. If one of your constituents decided to deny the Holocaust and they found themselves the next day subject to house search, ordered by the Austrian police (as they could be under the European Evidence Warrant) and subsequently a European Arrest Warrant was issued for their arrest, their assets were frozen and so on—all of which is possible under EU measures which are already adopted or agreed—then you would say, "Hold on, this was not a crime in the UK. Why should they be penalised for making this statement in the UK simply because Austria believes it to be illegal?" There is a whole series of examples like that, like euthanasia and so on. Why should we hand over someone to Ireland, for instance, to be prosecuted for performing abortion services in the UK which are legal here? If that prosecution took place or arrest warrants were issued and so on and assets were frozen because of that, I think there would be a lot of objections to that taking place and a lot of objections to mutual recognition on criminal matters taking place with a lack of harmonisation of criminal law. But, as was said, it is not exactly a data protection issue.

  Q282  Martin Salter: What are the grounds for refusing to cooperate and to send data?

  Ms Lewis: Under the Data Protection Framework Decision there is no obligation to comply with a request for information. You can refuse to cooperate because there is no obligation on you to do so.

  Q283  Martin Salter: What purpose does it have, if you can just opt out of it?

  Ms Lewis: It is more about how than what. It sets out the rules governing how you would protect it, how you would exchange data and how you could use it once you had made the decision to share that data, but it does not tell you what you can and cannot decide to share.

  Professor Peers: Other measures do. There are mutual assistance measures, mutual recognition measures, police cooperation measures already adopted or being agreed and negotiated which do set out obligations to share the information on request. The Data Protection Framework Decision would say that because we have harmonised to a sufficiently acceptable standard, you cannot refuse the request on data protection grounds. It is the same sort of logic that applies in the first bit of the Data Protection Directive for private companies mostly. You cannot prevent data crossing borders because the directive sets a sufficiently high standard. The idea is that you harmonise the national law in order to facilitate the free movement of the data.

  Q284  Martin Salter: If the treaty is incorporated into an EU framework, will the Data Protection Framework Decision replace it or will they run side by side?

  Mr Thompson: I was at the Dresden discussion at the informal where the German Presidency did indeed suggest that the Prüm Treaty be extended into EU law. There was some support amongst Member States for that, but, as it is an informal council (to use the jargon) they do not make proper decisions. The Presidency have said they will come up with more formal proposals which they will put to the next Justice and Home Affairs Council which is in February, but they did not suggest at all that this meant that they were then thinking of either dispensing with the Data Protection Framework Decision or moving it to the slow lane or anything like that, so we have heard nothing from the German Presidency to suggest that, although they are clearly keen to make progress on Prüm, they are going to sideline the Data Protection Framework Decision. This is a sort of apples and oranges comparison in a way. The Prüm Treaty is designed to encourage the sharing of DNA, fingerprint and vehicle registration data, with the aim of intensifying cross-border police cooperation, particularly the fight against terrorism, cross-border crime, illegal migration. As Belinda and others have said today, the Data Protection Framework Decision is very different kind of instrument. It is designed to put in place broad minimum standards across the piece in the third pillar, so having one does not necessarily undermine the other. They are trying to do different things.

  Q285  Martin Salter: Could I ask a question which off the Data Protection Framework Decision. There is a piece in today's Times about concerns of NHS regulators and NHS managers about NHS staff recruiting from outside of the EU, put in positions obviously, particularly if they were clinical staff, where they would be dealing with vulnerable people and sick people who may not have undergone the same rigorous checks that we would expect of people in those positions coming from EU countries. Is there anything in that framework at all that can ensure the validity of someone coming from a third world country, for argument's sake, and having been convicted of offences against vulnerable people who therefore in the normal course of events would not be eligible or allowed to be working with patients who are working in the medical sphere? Is there anything that can be done or is done to check that the information given to hospitals or the primary care trusts is accurate? Or do they have to take it on trust?

  Mr Smith: In simple terms, the Data Protection Framework Decision does not make any difference to that. If a third country (outside Europe) is willing to provide that information to the UK, there is no data protection reason why it should not be taken by the UK and put on our systems here if it is necessary for protecting people in the UK. I think very often the problems are, if you like, logistical and practical ones rather than legal ones.

  Q286  Martin Salter: There is nothing obliging a non EU country to provide that information at all.

  Mr Smith: No.

  Q287  Martin Salter: There is no real cast-iron way of insisting on it or checking on it.

  Mr Smith: No. You do raise an interesting point and this applies in a number of these areas. We are talking very much about EU issues here but very often we are addressing global problems. Sometimes we need global solutions and it is hard to see where those might come from.

  Professor Peers: The Council of Europe's Mutual Assistance Convention does deal with criminal records, so if you are talking about other European countries there is a mechanism to check the criminal records of other European countries, but, of course, for Africa, Asia and so on there is not.

  Q288  Mr Benyon: Leading on from what Martin was talking about, do you think there is a need for an index of third country nationals who are convicted in the EU, so that at least we can catch that group of people if they come and try to work with vulnerable people in this country?

  Professor Peers: That is an important question. The Commission did release a paper on this last year and they seemed to be addressing that issue separately from the issue of criminal records of EU citizens. I think there is a legal reason for that, because the Council of Europe Convention on Mutual Assistance which I just mentioned functions by means of exchanging information on the criminal records of citizens of the contracting parties, so we get information on our own citizens who commit crimes abroad—of course, we might then lose it in a pile of 27,000 records, but as a principle that is how it works. The idea within the EU is to try to deal with that more efficiently as between the Member States, but we do not then have that information on non contracting parties to that convention and the development of the inefficiency only applies to citizens of EU Member States. In the interests of protecting the public, therefore, I think it is useful to be able to know what information exists/is relevant on third country nationals who live within the European Union, subject, of course, to data protection safeguards that no one is wrongly identified as a child molester or whatever. A system should be put in place. In fact, that is a big gap, because the Council of Europe Convention does not deal with it, it only deals with citizens of the contracting parties. At least there will be some information on Russians and Turkish people and so on but none, as I said, for non Europeans. I think it is important to think about how to deal with that issue, particularly because you have the facilitation of the movement of third country nationals within the Schengen area more than to the UK, but inevitably many of them visit the UK or they have the right to come here if they are family members of EU citizens, for instance, or they can come here quite easily if they are not subject to a visa. Therefore, it is quite useful to develop a system that we can have in the near future.

  Q289  Mr Benyon: Belinda Lewis, you will be aware of the issue on Passenger Name Records relating to the US request and how, through the European Court of Justice, it has now been declared a third pillar rather than a first pillar issue. To which information does and does not the agreement with the US provide access? Do we accept a lower data protection standard in third countries than in EU Member States? Is this acceptable?

  Ms Lewis: To take the first part of your question first, about the information to which the US has access, I have brought with me copies of the PNR agreement and also a list of the data fields that the US is allowed to access and also a copy of the undertakings which sets out the data protection provisions. I passed those to the clerk. In a moment of short-sightedness, I am afraid I did not keep a copy for myself, so I will not be able to read through the 34 data fields but you have them with you. In terms of the data protection standards and whether we are accepting lower data standards when we transfer to third countries, just to take the case of the transfers under the PNR agreement to the USA, the data protection safeguards, which are set out in the undertakings annexed to the agreement, set out very clearly the provisions. It sets out what the USA is allowed to use the PNR data for, who they can share it with, how long they are allowed to retain it for and so on, and all the Member States and the Commission agreed at the end of the negotiations, at the point where we had the final draft of the PNR agreement, that that provided an adequate standard of data protection. So, for the purpose of those PNR exchanges, the USA is considered to provide adequate data protection, although across the board it is not considered by the EU to provide universally adequate data protection. You asked also about third countries and whether we accept lower standards of data protection there. In short, we do. Really we have to in order to maintain the proper flow of business. We share data with countries who would not be considered to provide adequate data protection for purposes such as extradition, also deportation, also to aid things like murder inquiries of UK citizens who are murdered in third countries and it is necessary to transfer personal data in order to continue that kind of business. It is more a question for the Home Office, in terms of the mechanics of how they pass on that data, but I can say that when we share data with a third country under those sorts of circumstances (for example, to aid a murder inquiry of a UK citizen), the data would not be shared with the whole country or indeed the whole government or even necessarily the whole police force. The UK police or whoever was relevant would share, usually with a particular named individual contact or a particular team within a particular police force or a certain division within a particular department, and we would also impose restrictions on how that data could be used. I am not aware of any reason we have to believe that those restrictions are not generally respected.

  Q290  Mr Benyon: Professor Peers, in the light of the SWIFT case—and you will be more aware of than I am: I have just read a short brief about it—how far should we cooperate in data exchange with third countries, especially the United States, if there are suspicions that such cooperation would be contrary to our own data protection standards?

  Professor Peers: I think there should be a full overview of this issue in the third pillar and in terms of law enforcement access to financial data or passenger data in general. It is not just about the United States but about other countries as well. We should really be re-thinking to the extent that they are willing to do it. The PNR agreement, if you look at it, gives a number of important data protection safeguards, except there are doubts about how well it is implemented, for instance, and also there is one area where it is weak and it does not set much restriction on the further transfer of the data to other countries or to other agencies within the United States. I think we should be stricter on saying, at the very least, that it is a model which should be applied to other agreements but tightening up those points and insisting on some more effective supervision and reporting on whether the agreement has been complied with and on further restrictions on the additional exchange of that data. We really should be digging our heels in and setting a reasonable standard as to what we considered adequate data protection with other countries. There are very good reasons to share criminal data with other countries but there are also very good reasons to say, "What are the rights for the data subject?" if someone has been misidentified and someone ends up being wrongly prosecuted, detained or wrongly refused entry. We have to consider those issues as well. It cannot be purely about giving as much information as possible without any remedies or rights for the data subject. We have to think of wrong identification and all sorts of other issues that might arise, so we have to have a balance in these agreements.

  Mr Smith: It is interesting you should mention SWIFT because we are going to see SWIFT this afternoon about these very issues. SWIFT is another example of what is, if you like, an international problem.

  Q291  Mr Benyon: Could you give us a 30-second paraphrase of what the SWIFT case was all about.

  Mr Smith: Two problems with SWIFT. They are a European organisation. They were transferring information to the United States as part of their processing operations without ensuring adequate protection. They were not looking properly at putting in place data protection measures in the States. Then, when the data are going through the States, the US authorities put subpoenas on SWIFT to make data on European citizens/European transactions available to the US authorities—and large scale amounts of data. So there are two strings to it: the need to ensure adequate data protection and the question of whether the US access is proportionate; that is, whether they wanted far too much information about people who have no connection with the United States. There clearly is an international issue about monitoring financial transactions to look for terrorism and other areas, just as there is with airline traffic. Here it is not just people flying to the States; it is an issue all over the world. We really do need some international solutions to these problems and the problems are where we get bit-by-bit solutions. Why do the US require 34 data items, and Canada say 23 and Australia say 18 and Europe setting up its own arrangement with probably a different number of data items? It is not for me to make a plea for the airlines and, in SWIFT, the financial institutions, but they are faced with a minefield. We need some international harmonisation. If I could leave you with that plea, I would be happy to do so.

  Mrs Dean: Thank you all very much. It has been a very interesting session. The Committee is very grateful to you all for the input you have had into our inquiry.