Examination of Witnesses (Questions 280-291)
MR DAVID
SMITH, MR
LEE TAYLOR,
PROFESSOR STEVE
PEERS, MS
BELINDA LEWIS,
MS HARRIET
NOWELL-SMITH
AND MR
PETER THOMPSON
23 JANUARY 2007
Q280 Martin Salter: Should there
be?
Ms Lewis: It is an enormous question
and to answer that we would need to look at the knock-on effects
for the UK for data sharing in the UK and also for the UK justice
system.
Q281 Martin Salter: Professor Peers,
what is your view on this?
Professor Peers: The dual criminality
issue is very important to the issue of mutual recognition in
criminal matters but, for the reasons just set out, it is not
relevant to data protection. If one of your constituents decided
to deny the Holocaust and they found themselves the next day subject
to house search, ordered by the Austrian police (as they could
be under the European Evidence Warrant) and subsequently a European
Arrest Warrant was issued for their arrest, their assets were
frozen and so onall of which is possible under EU measures
which are already adopted or agreedthen you would say,
"Hold on, this was not a crime in the UK. Why should they
be penalised for making this statement in the UK simply because
Austria believes it to be illegal?" There is a whole series
of examples like that, like euthanasia and so on. Why should we
hand over someone to Ireland, for instance, to be prosecuted for
performing abortion services in the UK which are legal here? If
that prosecution took place or arrest warrants were issued and
so on and assets were frozen because of that, I think there would
be a lot of objections to that taking place and a lot of objections
to mutual recognition on criminal matters taking place with a
lack of harmonisation of criminal law. But, as was said, it is
not exactly a data protection issue.
Q282 Martin Salter: What are the
grounds for refusing to cooperate and to send data?
Ms Lewis: Under the Data Protection
Framework Decision there is no obligation to comply with a request
for information. You can refuse to cooperate because there is
no obligation on you to do so.
Q283 Martin Salter: What purpose
does it have, if you can just opt out of it?
Ms Lewis: It is more about how
than what. It sets out the rules governing how you would protect
it, how you would exchange data and how you could use it once
you had made the decision to share that data, but it does not
tell you what you can and cannot decide to share.
Professor Peers: Other measures
do. There are mutual assistance measures, mutual recognition measures,
police cooperation measures already adopted or being agreed and
negotiated which do set out obligations to share the information
on request. The Data Protection Framework Decision would say that
because we have harmonised to a sufficiently acceptable standard,
you cannot refuse the request on data protection grounds. It is
the same sort of logic that applies in the first bit of the Data
Protection Directive for private companies mostly. You cannot
prevent data crossing borders because the directive sets a sufficiently
high standard. The idea is that you harmonise the national law
in order to facilitate the free movement of the data.
Q284 Martin Salter: If the treaty
is incorporated into an EU framework, will the Data Protection
Framework Decision replace it or will they run side by side?
Mr Thompson: I was at the Dresden
discussion at the informal where the German Presidency did indeed
suggest that the Prüm Treaty be extended into EU law. There
was some support amongst Member States for that, but, as it is
an informal council (to use the jargon) they do not make proper
decisions. The Presidency have said they will come up with more
formal proposals which they will put to the next Justice and Home
Affairs Council which is in February, but they did not suggest
at all that this meant that they were then thinking of either
dispensing with the Data Protection Framework Decision or moving
it to the slow lane or anything like that, so we have heard nothing
from the German Presidency to suggest that, although they are
clearly keen to make progress on Prüm, they are going to
sideline the Data Protection Framework Decision. This is a sort
of apples and oranges comparison in a way. The Prüm Treaty
is designed to encourage the sharing of DNA, fingerprint and vehicle
registration data, with the aim of intensifying cross-border police
cooperation, particularly the fight against terrorism, cross-border
crime, illegal migration. As Belinda and others have said today,
the Data Protection Framework Decision is very different kind
of instrument. It is designed to put in place broad minimum standards
across the piece in the third pillar, so having one does not necessarily
undermine the other. They are trying to do different things.
Q285 Martin Salter: Could I ask a
question which off the Data Protection Framework Decision. There
is a piece in today's Times about concerns of NHS regulators
and NHS managers about NHS staff recruiting from outside of the
EU, put in positions obviously, particularly if they were clinical
staff, where they would be dealing with vulnerable people and
sick people who may not have undergone the same rigorous checks
that we would expect of people in those positions coming from
EU countries. Is there anything in that framework at all that
can ensure the validity of someone coming from a third world country,
for argument's sake, and having been convicted of offences against
vulnerable people who therefore in the normal course of events
would not be eligible or allowed to be working with patients who
are working in the medical sphere? Is there anything that can
be done or is done to check that the information given to hospitals
or the primary care trusts is accurate? Or do they have to take
it on trust?
Mr Smith: In simple terms, the
Data Protection Framework Decision does not make any difference
to that. If a third country (outside Europe) is willing to provide
that information to the UK, there is no data protection reason
why it should not be taken by the UK and put on our systems here
if it is necessary for protecting people in the UK. I think very
often the problems are, if you like, logistical and practical
ones rather than legal ones.
Q286 Martin Salter: There is nothing
obliging a non EU country to provide that information at all.
Mr Smith: No.
Q287 Martin Salter: There is no real
cast-iron way of insisting on it or checking on it.
Mr Smith: No. You do raise an
interesting point and this applies in a number of these areas.
We are talking very much about EU issues here but very often we
are addressing global problems. Sometimes we need global solutions
and it is hard to see where those might come from.
Professor Peers: The Council of
Europe's Mutual Assistance Convention does deal with criminal
records, so if you are talking about other European countries
there is a mechanism to check the criminal records of other European
countries, but, of course, for Africa, Asia and so on there is
not.
Q288 Mr Benyon: Leading on from what
Martin was talking about, do you think there is a need for an
index of third country nationals who are convicted in the EU,
so that at least we can catch that group of people if they come
and try to work with vulnerable people in this country?
Professor Peers: That is an important
question. The Commission did release a paper on this last year
and they seemed to be addressing that issue separately from the
issue of criminal records of EU citizens. I think there is a legal
reason for that, because the Council of Europe Convention on Mutual
Assistance which I just mentioned functions by means of exchanging
information on the criminal records of citizens of the contracting
parties, so we get information on our own citizens who commit
crimes abroadof course, we might then lose it in a pile
of 27,000 records, but as a principle that is how it works. The
idea within the EU is to try to deal with that more efficiently
as between the Member States, but we do not then have that information
on non contracting parties to that convention and the development
of the inefficiency only applies to citizens of EU Member States.
In the interests of protecting the public, therefore, I think
it is useful to be able to know what information exists/is relevant
on third country nationals who live within the European Union,
subject, of course, to data protection safeguards that no one
is wrongly identified as a child molester or whatever. A system
should be put in place. In fact, that is a big gap, because the
Council of Europe Convention does not deal with it, it only deals
with citizens of the contracting parties. At least there will
be some information on Russians and Turkish people and so on but
none, as I said, for non Europeans. I think it is important to
think about how to deal with that issue, particularly because
you have the facilitation of the movement of third country nationals
within the Schengen area more than to the UK, but inevitably many
of them visit the UK or they have the right to come here if they
are family members of EU citizens, for instance, or they can come
here quite easily if they are not subject to a visa. Therefore,
it is quite useful to develop a system that we can have in the
near future.
Q289 Mr Benyon: Belinda Lewis, you
will be aware of the issue on Passenger Name Records relating
to the US request and how, through the European Court of Justice,
it has now been declared a third pillar rather than a first pillar
issue. To which information does and does not the agreement with
the US provide access? Do we accept a lower data protection standard
in third countries than in EU Member States? Is this acceptable?
Ms Lewis: To take the first part
of your question first, about the information to which the US
has access, I have brought with me copies of the PNR agreement
and also a list of the data fields that the US is allowed to access
and also a copy of the undertakings which sets out the data protection
provisions. I passed those to the clerk. In a moment of short-sightedness,
I am afraid I did not keep a copy for myself, so I will not be
able to read through the 34 data fields but you have them with
you. In terms of the data protection standards and whether we
are accepting lower data standards when we transfer to third countries,
just to take the case of the transfers under the PNR agreement
to the USA, the data protection safeguards, which are set out
in the undertakings annexed to the agreement, set out very clearly
the provisions. It sets out what the USA is allowed to use the
PNR data for, who they can share it with, how long they are allowed
to retain it for and so on, and all the Member States and the
Commission agreed at the end of the negotiations, at the point
where we had the final draft of the PNR agreement, that that provided
an adequate standard of data protection. So, for the purpose of
those PNR exchanges, the USA is considered to provide adequate
data protection, although across the board it is not considered
by the EU to provide universally adequate data protection. You
asked also about third countries and whether we accept lower standards
of data protection there. In short, we do. Really we have to in
order to maintain the proper flow of business. We share data with
countries who would not be considered to provide adequate data
protection for purposes such as extradition, also deportation,
also to aid things like murder inquiries of UK citizens who are
murdered in third countries and it is necessary to transfer personal
data in order to continue that kind of business. It is more a
question for the Home Office, in terms of the mechanics of how
they pass on that data, but I can say that when we share data
with a third country under those sorts of circumstances (for example,
to aid a murder inquiry of a UK citizen), the data would not be
shared with the whole country or indeed the whole government or
even necessarily the whole police force. The UK police or whoever
was relevant would share, usually with a particular named individual
contact or a particular team within a particular police force
or a certain division within a particular department, and we would
also impose restrictions on how that data could be used. I am
not aware of any reason we have to believe that those restrictions
are not generally respected.
Q290 Mr Benyon: Professor Peers,
in the light of the SWIFT caseand you will be more
aware of than I am: I have just read a short brief about ithow
far should we cooperate in data exchange with third countries,
especially the United States, if there are suspicions that such
cooperation would be contrary to our own data protection standards?
Professor Peers: I think there
should be a full overview of this issue in the third pillar and
in terms of law enforcement access to financial data or passenger
data in general. It is not just about the United States but about
other countries as well. We should really be re-thinking to the
extent that they are willing to do it. The PNR agreement, if you
look at it, gives a number of important data protection safeguards,
except there are doubts about how well it is implemented, for
instance, and also there is one area where it is weak and it does
not set much restriction on the further transfer of the data to
other countries or to other agencies within the United States.
I think we should be stricter on saying, at the very least, that
it is a model which should be applied to other agreements but
tightening up those points and insisting on some more effective
supervision and reporting on whether the agreement has been complied
with and on further restrictions on the additional exchange of
that data. We really should be digging our heels in and setting
a reasonable standard as to what we considered adequate data protection
with other countries. There are very good reasons to share criminal
data with other countries but there are also very good reasons
to say, "What are the rights for the data subject?"
if someone has been misidentified and someone ends up being wrongly
prosecuted, detained or wrongly refused entry. We have to consider
those issues as well. It cannot be purely about giving as much
information as possible without any remedies or rights for the
data subject. We have to think of wrong identification and all
sorts of other issues that might arise, so we have to have a balance
in these agreements.
Mr Smith: It is interesting you
should mention SWIFT because we are going to see SWIFT this afternoon
about these very issues. SWIFT is another example of what is,
if you like, an international problem.
Q291 Mr Benyon: Could you give us
a 30-second paraphrase of what the SWIFT case was all about.
Mr Smith: Two problems with SWIFT.
They are a European organisation. They were transferring information
to the United States as part of their processing operations without
ensuring adequate protection. They were not looking properly at
putting in place data protection measures in the States. Then,
when the data are going through the States, the US authorities
put subpoenas on SWIFT to make data on European citizens/European
transactions available to the US authoritiesand large scale
amounts of data. So there are two strings to it: the need to ensure
adequate data protection and the question of whether the US access
is proportionate; that is, whether they wanted far too much information
about people who have no connection with the United States. There
clearly is an international issue about monitoring financial transactions
to look for terrorism and other areas, just as there is with airline
traffic. Here it is not just people flying to the States; it is
an issue all over the world. We really do need some international
solutions to these problems and the problems are where we get
bit-by-bit solutions. Why do the US require 34 data items, and
Canada say 23 and Australia say 18 and Europe setting up its own
arrangement with probably a different number of data items? It
is not for me to make a plea for the airlines and, in SWIFT, the
financial institutions, but they are faced with a minefield. We
need some international harmonisation. If I could leave you with
that plea, I would be happy to do so.
Mrs Dean: Thank you all very much. It
has been a very interesting session. The Committee is very grateful
to you all for the input you have had into our inquiry.
|