I am writing to share with you the European Commission's recent decision on the compatibility of the UK's e-Borders Programme with European Directives on Data Protection and Free Movement of Persons. This letter should be read in conjunction with the Commission's letter of 17 December.[18]

  I am delighted that the Commission have reached the conclusion that the e-Borders Programme does not breach EU Directives on Data Protection and Free Movement of Persons. You will see that the Commission's letter is a detailed one that covers a lot of ground. We therefore thought that it would be helpful to set out our view of what this means for e-Borders and what it means for you as a national data protection authority.

  The principal complaint on Data Protection grounds against e-borders was that there was no legal basis in EU law for travel document information (TDI) which is collected and held by a passenger carrier established in another Member State to be transferred to the UK under the e-Borders Programme. We have always strongly refuted this, arguing that existing law—specifically the Data Protection Directive—already provides the necessary legal framework to allow for this flow of data.

  The Commission's letter makes clear that for the transfer of data to the UK authorities, a legal basis must be found in the legislation of the Member State in which the processing takes place. For carriers departing the UK, the processing will take place in the UK, and so the Data Protection Act 1998 will be the applicable legislation. Those carriers will be under a legal obligation under UK law, in terms of article 7(c) of the Data Protection Directive, to transfer the data.

  By contrast, where a carrier's service departs from another Member State to the UK, and where data is collected and held in that Member State, the data protection law of that Member State should provide the necessary legal base. The Commission's opinion is that article 7(e) and (f) of the Data Protection Directive can be relied on as the legal base for the transmission of such data to the UK. As set out in the Commission's letter, co-operation in the fight against illegal immigration or customs offences, or assisting another Member State in carrying out its law enforcement policy can constitute a public interest for the purposes of article 7(e). The interests of a public authority of another Member State can also constitute a legitimate interest for the purposes of article 7(f). Article 7(e) and (f) should be reflected in the national law of each Member State transposing the Data Protection Directive, and such transposition should be consistent with the Commission's opinion about the scope of article 7(e) and (f).

  The Commission's letter also makes clear that the Member State in which the processing takes place must acknowledge the public interest or the legitimate interest for the purposes of article 7(e) and (f). We are pleased to note the Commission's view that such acknowledgement can take can take the form of an opinion of a national data protection authority or a governmental decision.

  I enclose a paper summarising the legal analysis provided by the UK to the Commission on the compatibility of the collection of data by e-borders with the Data Protection Directive.[19]

  You will see, on page two of the Commission letter, that we have given a number of assurances to the Commission, although we have always been clear that e-Borders must not breach the fundamental rights of EU citizens and their family members to travel freely across the EU. We are satisfied that we can give effect to these assurances without changing UK law, and we have made this clear to the Commission. UK law already gives full effect to EU rights of free movement and data protection. It is also sufficiently flexible to enable us to comply with the assurances in full. Our comments in response to the assurances are as follows:

— Passengers who are EU citizens or their family members will not be refused entry/exit or incur sanctions in any way on the basis that their passenger data is unavailable to the UK authorities for whatever reason.

  E-borders enables the quicker transit of passengers, including EU citizens and their family members, through the UK border because their arrival will already have been notified to the UK authorities in advance. By implication, this means that EU citizens and their family members who do not wish carriers to provide their TDI in advance to the UK will not be able to take advantage of this enhanced border control process. They will therefore be dealt with according to the normal border controls applying to EU citizens and their family members. For such persons, admission will only be refused in accordance with Directive 2004/38/EC and the rights set out in Chapter VI of the Directive will be respected. This Directive has been transposed into UK law by the Immigration (European Economic Area) Regulations 2006.

— Carriers will not incur sanctions if they are unable to transmit data through no fault on their part.

  Sanctions are aimed at carriers who do not cooperate with e-borders and carriers who have in place systems to collect data will not need to fear prosecution where they are prevented from supplying data in an individual case due to no fault on their part. Further, in all cases there is a statutory defence available to a carrier of having a reasonable excuse for failing to comply with a request to provide data (which is set out in section 27(b)(iv) of the Immigration Act 1971 as amended in respect of a request made by an immigration officer and section 34(1) of the Immigration, Nationality and Asylum Act 2006 in respect of a request made by a police officer).

  We will work with carriers to ensure they are able to deal with the exceptional cases where EU citizens and their family members do not wish a carrier to provide their data to e-borders.

— Carriers will be instructed by the UK authorities not to deny boarding to travellers, regardless of their nationality, who do not communicate API data to the operator, and that the provision of API data to operators is neither compulsory nor is made a condition of purchase and sale of the ticket.

  e-Borders operates compatibly with the rights given by EU law to EU citizens and their family members. It is not an authority to carry scheme, and it is not used to instruct carriers to deny boarding to EU citizens and their family members who do not wish their TDI to be provided by the carrier to the UK in advance.

  Conditions of carriage remain a matter for the carrier. The Commission's letter does not affect a carrier's ability to collect data under its conditions of carriage and in compliance with international and European obligations arising from transport instruments such as the Convention on International Civil Aviation 1944 (as amended) and Council Directive 98/41/EC of 18 June 1998 on the registration of persons sailing on board passenger ships operating to or from ports of the Member States of the Community.

— UK authorities will make available to persons travelling to/from the UK the information required by Article 10 of Directive 95/46/EC and will also assist the carriers to communicate this information to travellers.

  We will ensure that these provisions are communicated at ports and on the UKBA website and assist the carriers in communicating them to travellers.

— A single contact point will be established by UK authorities to allow data subjects to exercise their data protection rights.

  A single point of contact for subject access requests has been established for e-Borders. This is managed by the UK Border Agency (UKBA) Data Protection Unit on behalf of all the agencies involved in the e-Borders Programme. A link from the front page of the e-Borders section of the UKBA website:

   (http://www.ukba.homeoffice.gov.uk/managingborders/technology/eborders/) directs data subjects to the details of how to apply for their data, and such an application is made in the first instance to UKBA. The revised e-borders code of practice on the management of information collected from carriers will reflect the updated arrangements for subject access requests.

— Appropriate safeguards will be applied to transfers of data to third countries, in line with what is requested by the UK data protection authority.

  UKBA consults the UK Data Protection Authority, the Information Commissioner's Office (ICO), when developing international data sharing arrangements. We would put in place a range of appropriate safeguards for the rights and freedoms of data subjects, in particular ensuring compliance with each of the data protection principles and other legal requirements. All data transfers would have to comply with the UK's Data Protection Act 1998.

  e-Borders is a matter of great importance to the UK Government and I should be grateful for your consideration of the issues raised in this letter. The UK has always maintained that the e-borders scheme is compatible with EU law. Pending resolution of the complaint to the Commission, we have not pursued sanctions against carriers operating into and out of the UK. We are pleased that the Commission have confirmed that e-borders can operate compatibly with EU Directives on Free Movement and Data Protection. We therefore look forward to full compliance with UK law by carriers when they are requested to provide the relevant information.

  Should you be asked to give an opinion as to whether there is a legal base for the transmission to the UK of data relating to flights departing from your Member State and which is collected and held by a carrier established within your jurisdiction, we strongly believe that you will be able to conclude that such a basis exists, in line with the Commission's views about the provisions of the Data Protection Directive.

19   Not provided to the Committee. Back