Justice issues in Europe - Justice Committee Contents

4  Information management and data protection

91.  Over the last 10 years there has been significant growth in the collection, storage and sharing of information in Europe and between Europe and the rest of the world for law enforcement purposes, assisted by many technological developments.[180] The Ministry of Justice identified significant benefits of greater information exchange including, more effective and more efficient action to combat terrorism and crime, quicker and safer travel and immigration procedures, and better experiences for citizens living, working, studying or doing business abroad.[181] Existing instruments which enable the movement of personal data in the area of criminal justice at EU level include automated sharing of DNA files; access to criminal records and mutual recognition of convictions and the European arrest warrant.

92.  The European Data Protection Supervisor, Peter Hustinx, whom we met on our visit to Brussels, told us that he believed that, while the post-Lisbon decision-making processes might speed up the passage of data protection legislation, it might also result in greater compromise. We felt it was important to consider with our witnesses whether existing legislation and the Stockholm programme proposals strike the right balance between data protection and data management and utility from technology and the protection of privacy. Commissioner Reding has stated her belief that the EU "cannot expect citizens to trust Europe if we are not serious in defending the right to privacy".[182]


93.  The European data protection directive, agreed in October 1995, set out basic principles of data protection, for example, the right to access and the right of correction, rectification and deletion if data are erroneous or the date for their lawful use has expired.[183] Under the directive, each member state must set up its own data protection authority to monitor adherence to these principles; in the UK this function is performed by the Information Commissioner. The directive did not originally cover criminal law and will not automatically apply to justice issues despite the Lisbon Treaty having come into force. The 2008 Framework decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, which, as its title suggests, does apply specifically apply to justice, is restricted to police and judicial data exchanged between authorities and systems in member states and at the EU level.

94.  We have encountered two broad issues arising from the existing legislation. First, the directive is thought to be out of date; some witnesses considered that the entry into force of the Lisbon Treaty provided an opportunity for a review to bring the directive "into the 21st century".[184] Secondly, EU data protection law for justice is deemed inadequate.[185] For example, while the European Data Protection Supervisor has welcomed the adoption of the framework decision, which must be implemented by member states by 27 November 2010, he saw it "only as a first step". He has declared that "unfortunately, the level of data protection achieved in the final text is not fully satisfactory", highlighting in particular that it does not apply to member state domestic data and explicitly excludes such exchanges as the transfer of passenger name records data to US authorities.[186]

95.  The UK Information Commissioner, Christopher Graham, agreed that there is no comprehensive data protection law which covers justice issues, describing the approach to data protection in this area as "tinkering at the edges", with specific provisions being introduced at the level of an organisation or for a specific database.[187] While he also sees the framework decision as an improvement he regarded it as an "ad hoc solution" and "complex, opaque and ineffective."[188] He told us this contributes to "significant divergence in the standards of data protection in the area of justice and law enforcement across Europe, as well as a degree of confusion as to which standard applies" in any given instance.[189] The Information Commissioner is also concerned that where new legislation is introduced: "on too many occasions the proposed surveillance, information sharing or data collection led solution does not actually address an identified problem and have been introduced on the basis of 'something must be done'".[190]

96.  There is no single authority for supervising data protection safeguards in this area. The nature of the supervision of compliance with data protection rules is dependent upon which pillar each EU law enforcement agency came under prior to the Lisbon Treaty. With the exception of Eurojust, those agencies that came within the third pillar, for example Europol[191] which handles criminal intelligence, have their own data protection authority on which the UK Information Commissioner is represented. In the case of Eurojust officers from data protection authorities across Europe are not directly involved; its supervisory structure consists of three representatives drawn from judicial nominations—which could include national data protection commissioners or their representatives—from each member state.[192] Agencies that came within the first pillar, for example Eurodac, a database of fingerprints of applicants for asylum and illegal immigrants, are supervised directly by the European Data Protection Supervisor.

97.  The Ministry of Justice agreed that existing supervisory systems are piecemeal but suggested that this did not mean they were inadequate.[193] Mr Faull told us that he saw the Information Commissioner's Office, and national data protection offices in other member states, as a sufficient mechanism for the enforcement of European data protection initiatives.[194] He therefore believed that the EU has a "well-functioning" institutional system to protect citizens' personal data. This assumes that the existence of data protection initiatives and authorities for supervising data management alone results in a consistent and reliable system of adequate safeguards. Yet, Professor Juliet Lodge, Director of the Jean Monnet European Centre of Excellence, University of Leeds, told us that the effectiveness of data protection authorities varied greatly.[195] Clearly more needs to be done to embed higher and more consistent standards. The Information Commissioner's Office called for a merger of supervisory systems for data protection at European level.[196] The Government explained that it had clarified this position with the Information Commissioner and understood this to refer to the possibility of more coordinated supervision rather than the creation of a single system.[197]

98.  Under the above arrangements, EU law enforcement agencies are not currently governed by the Data protection act 1998 or data protection laws of other EU countries. An individual must therefore apply for access to information held about them to each of the European law enforcement agencies. It is therefore unclear to EU citizens where they should go to rectify problems with adherence to the rules established in the framework decision.[198]


99.  Data protection is an area of particular priority in the Stockholm programme which proposes the introduction of a strategy to protect data within the EU and an information management strategy. However, the Information Commissioner has expressed to us his deep-seated concerns, both in written and oral evidence, that the programme does not adequately address the shortcomings of existing legislation. In particular he believes that the Commission is misguided in its focus on ensuring the "best possible flow of data within European-wide networks" and proposes that policy in this area should be aiming for better law enforcement across Europe instead.[199]

100.  The Information Commissioner argued that it would be better to revise the 1995 directive.[200] This received some support from our witnesses. For example, the editor of Privacy laws and business international newsletter, Mr James Michael, agreed that the entry into force of the Lisbon Treaty provided an opportunity to create a single set of data protection rules that applied to all EU activities.[201] We see that there is merit in this approach.

101.  As we noted above the Government has displayed considerable reluctance to renegotiate matters which have already been agreed, either under the first pillar (e.g. the directive) or the third pillar (e.g. the framework). The Government set out its support for, and perspectives on, the key elements of a European information and data protection strategy in its written evidence to us.[202] It claimed to have "led the way" in pressing the EU to evaluate existing information exchange agreements and to design an information exchange and data protection strategy to steer the direction of future proposals.[203] Its own evaluation of existing proposals, and the potential for a comprehensive EU data protection law, is that there are already extensive common data protection arrangements in place to protect individuals where member states share data.[204] Therefore, while the Ministry of Justice acknowledged that there may be a need to review the legislation which is currently in place, the Government would need convincing that there were substantial gaps and difficulties in the present provisions.[205] The Government again expressed a preference for practical measures to ensure a strong data protection regime, for example, using privacy impact assessments—which the Information Commissioner supported[206]—rather than "rush[ing] ahead" with a single data protection law and getting it wrong.[207] Responses to a recent European Commission consultation on the 1995 directive called for stronger and more consistent data protection legislation across the Union.[208]

102.  We urge the Ministry of Justice and the Information Commissioner to work towards a resolution of the current divergence in views on existing EU data protection legislation for the field of justice. We welcome the European Commission's consultation on the 1995 Data protection directive. If the directive is revised, the opportunity should be taken bring all EU law enforcement agencies under the aegis of the European Data Protection Supervisor for data protection purposes.


103.  The e-justice portal, a website that initially will function as a point of access to information on justice matters across the EU, and in each member state, is primarily for EU citizens, legal practitioners and businesses. It was expected to be launched in December 2009 but has been delayed. The first phase will include information on national and community law and procedures and will provide a link between insolvency, land and business registers in a number of member states. Further functions, for example access to criminal records and other information managed by member states in the administration of justice, are likely to be added in due course.[209]

104.  The Government believes the e-justice portal potentially offers a means of both providing information and facilitating ways of accessing judicial systems.[210] On the other hand, it considers that EU e-justice projects must be cost effective, proportional and reduce duplication by ensuring that such projects take proper account of other IT work being undertaken in the justice field so that new measures and systems are compatible.[211]

105.  The e-justice portal seeks to enhance fundamental rights, for example, by providing access to information and potentially enabling video-conferencing to be used to overcome practical problems, such as the lack of interpreters for all EU languages.[212] The Law Society raised a number of concerns about its capacity to do so, for example, in terms of the entitlement to be present at all hearings in person; the potential for watering down rights to interpretation and translation, e.g. through the use of e-translation; respecting the right to privacy; and the availability of information on means of redress; and the shortfalls of mechanical translation.[213]

106.  More broadly, the extent to which data on individuals are now shared, in particular for law enforcement purposes, has been the subject of concern by many civil liberties organisations, some of which consider that data are not being retained or processed lawfully. Mr Faull said that this was a matter of public concern, particularly as data about citizens who may be innocent are being stored and retained for future use.[214] Mrs Mole pointed out that under Article 8 of the European Convention on Human Rights every incident of collection, retention or dissemination of private data about an individual must be justified.[215] Mr Russell raised concerns about the accuracy of data being held and the relative absence of remedies for individuals who encounter errors in the data held.[216] The European Data Protection Supervisor has called for access to complaints procedures.[217]

107.  The Government should make every effort to publicise the e-justice portal. This is particularly important for victims, who should be able to gain access via the police and Victim Support, and for suspects, who should be notified by the police.


108.  The volume of EU decisions which require or facilitate greater movement of data about individuals suspected of offences is likely to continue to increase under the Stockholm programme and greater emphasis will be placed on the use of information and communication technologies, including automated data transfer. As more and more data is collected and shared electronically, the risks that data are either inaccurate or held insecurely increases as data protection safeguards are diminished. We explored the question of balance between privacy and security and how it can be achieved in practice with several of our witnesses. According to the Information Commissioner, the UK has been characterised as adopting an unnecessarily pragmatic approach to negotiations on data protection, with insufficient recognition of the need for privacy, but the Commissioner considered that it is "unhelpful to hide behind the need for privacy".[218] Mr Stephen McCartney, Head of data protection promotion, Information Commissioner's Office, explained that some member states approach data protection in a "codified manner" but in his experience these were philosophical, rather than practical, differences.[219]

109.  Nevertheless, there are some genuine concerns that the balance between getting utility from technology while protecting privacy is not currently right. Professor Lodge directed an EU research programme on "balancing security and liberty"[220] and concluded from the research that "questions of automated data transfer raise serious issues about the technology itself, data management, and the impact of [information and communication technologies] on the way we are governed."[221] On the basis of this research she has focused her concerns about the use of these technologies on the weakness inherent in the technologies themselves rather than the motivations of those using the data. She has described such technologies as "unacceptably vulnerable to hostile incursions" and has suggested that as a result, before any system to exchange information is set up, the design of the technology must start from the premise of "baking in security" as the primary goal.[222]

110.  Professor Lodge and Mr Michael emphasised the relative merits of information technology in facilitating stronger safeguards for holding and transferring personal data. Mr Michael suggested that technological devices which encrypt data may be more effective in protecting the privacy of communications than data protection legislation.[223] Professor Lodge told us that while it is possible to "bake-in" high data protection standards to new systems, data protection safeguards can also be compromised by technology. For example, data degrades over time relative to upgrades in software and technology, and by the outsourcing of data management, a practice which she believed was increasing in the EU.[224] She explained that data protection standards can become unravelled as data are moved between law enforcement agencies: "the data mining, data slicing and regeneration of new data which then becomes the property of a third company, who knows where, is a huge danger and citizens do not realise how dangerous it potentially is."[225]

111.  Government has advocated "privacy by design" where "new proposals incorporate from the start the idea of data protection: what the data will be used for and why" as a key part of an information management strategy.[226] This accords with the views of both the European Data Protection Supervisor[227] and the European Commission.[228] However, Professor Lodge did not believe that security and privacy concerns were sufficiently high on the list of objectives for those who commission, or develop, systems to exchange information.[229]

112.  While we support the need for clear statements of purpose on data protection, what happens in practice is more important. Technology undoubtedly offers tremendous opportunities for both transferring data quickly and building in safeguards for privacy. Nevertheless data protection standards can be compromised by technology as well as by regulation. Although the Government advocates "privacy by design", we were surprised to learn that utility is given far greater weight than the incorporation of fundamental security measures in the development of some EU information management systems. We urge the Government to be more conscious of this in its discussions regarding developments in e-justice.


113.  Professor Lodge has argued that while it is laudable to establish principles for data protection, they are hard to police, to control and to make accountable:

the proliferation of fuzzy public-private cooperation and arrangements also means that audit trails and management codes on data handling, access, verification, authentication, storage and transmission open the door to greater insecurity as well as inadequate controls to ensure the accountability at a public political level for what happens to data that citizens provide. [230]

Her research questioned the plausibility of claims made regarding the robustness of such systems against fraud by their developers and raised doubts about the way in which politicians extol the virtues of technological applications to the public: "MPs and MEPs must be the custodians and guardians of liberty, accountability, responsibility, trust and security" in relation to automated information exchange. [231]

114.  There is also the potential for data to be used for purposes other than those for which they were originally collected. For example, in the home affairs field, the European Union Committee drew attention to this problem in its comments on a proposal for widening access to a central database of fingerprints of asylum seekers and illegal immigrants (Eurodac). The Committee questioned whether it was justifiable to use a database for purposes other than for those which it was originally intended.[232]

115.  The Ministry of Justice believes that there is scope for loosening limitations on the UK's ability to use information obtained in relation to EU nationals for any purpose other than the criminal proceedings for which they have been requested, for example, to enable the sharing of criminal records information to protect children and vulnerable adults through employment vetting and barring.[233] The NSPCC raised specific concerns about the lack of provision to ensure that information on convicted child sex offenders could be exchanged between member states and called for the Framework decision on sexual abuse, sexual exploitation of children and child abuse images to be revised to include provisions which could contribute to resolving this problem.[234] Despite its importance, the requirement for unanimity prevented the adoption of an earlier Framework decision on the recognition of prohibitions arising from convictions for sex offences against children.[235]

The European Criminal Records Information System

116.  Professor Lodge raised concerns about how data are categorised in centralised data systems.[236] The European Criminal Records Information System (ECRIS), established in April 2009, enables member states to access information from the criminal records database of each individual state. In structuring the system this way, rather than creating a new centralised EU database, it was envisaged that the storage and exchange of personal data would be kept to a minimum. Each country is responsible for, and controls, its own databases and the way they interconnect with those in other member states. The safe functioning of the system requires data protection laws in each state to accord with EU standards and the efficient functioning of each national data protection authority.

117.  We are concerned that people caught up in EU criminal justice processes often do not know when information about them is being used or stored, or how it will be shared. We support the Commission's calls for a public awareness campaign to ensure that EU citizens are more fully aware of what happens to the data they provide and where it goes to. The Government must also have a role in this; for example, by being clear to the public about the kind of data protection safeguards it is seeking from the EU with respect to the privacy of UK citizens. The performance of the EU in this regard should be subject to the closest scrutiny by national parliaments in conjunction with the European Parliament and national and European data protection authorities.

180   Q 103 [Mr Faull] Back

181   Ev 93 Back

182   Europa speech/10/16, The challenges ahead for the European Union, keynote speech at the Data protection day,
28 January 2010 

183   Directive 95/46/EC Back

184   Q 192 [Mr Graham], Qq211,217 [Mr Michael]  Back

185   For example, see Ev 82 [Law Society]  Back

186   European Data Protection Supervisor press release, EDPS sees adoption of Data Protection Framework for police and judicial cooperation only as a first step , 28 November 2008 Back

187   Q 192 [Mr Graham] Back

188   IbidBack

189   Ev 66 Back

190   IbidBack

191   Europol is supervised by Europol Joint Supervisory Body.  Back

192   The UK is not currently one of the three. Back

193   Q 272 [Mr Denham] Back

194   Q 108 Back

195   Q 220 Back

196   Ev 66 Back

197   Q 272 [Mr Denham] Back

198   Q 216 [Mr Michael] Back

199   Q 192 [Mr Graham]  Back

200   Q 199 Back

201   Qq 211, 217 Back

202   Ev 93 Back

203   IbidBack

204   Q 42 [Ms Gibbons] Back

205   Q 271 [Mr Denham] Back

206   Ev 66 Back

207   Qq 42, 44 [Ms Gibbons, Lord Bach] Back

208   Europa speech/10/16, The challenges ahead for the European Union, keynote speech at the Data protection day,
28 January 2010 

209   See Justice and Home Affairs Council Multi-annual European e-justice action plan 2009-2013, 2009/C 75/01 Back

210   Ev 94 Back

211   Ev 97 Back

212   Justice and Home Affairs Council Multi-annual European e-justice action plan 2009-2013, 2009/C 75/01, para 24 Back

213   Ev 82 Back

214   Qq 103-104 Back

215   Q 155 Back

216   Q 153 Back

217   European Data Protection Supervisor, Opinion on the communication from the Commission to the European Parliament and the Council on an area of freedom, security and justice serving the citizen, 2009/C 276/02 Back

218   Qq 193-194 Back

219   Q 195 Back

220   Professor Lodge was director of the University of Leeds' contribution to the 'Challenge' research programme on balancing security and liberty , funded by the EU's Sixth Framework programme and involving over 20 universities across Europe. Back

221   Professor Juliet Lodge Inter-operability and Accountability in the EU, University of Leeds, July 2007  Back

222   Ibid. To establish a right to privacy as first principle and ensure that it is very difficult for data to be looked at by anyone else without prior consent. Back

223   Q 225 Back

224   Q 207 Back

225   Qq 209, 230 Back

226   Q 42 [Ms Gibbons] Back

227   Opinion of the European Data Protection Supervisor, Opinion on the communication from the Commission to the European Parliament and the Council on an area of freedom, security and justice serving the citizen, 2009/C 276/02 Back

228   See Europa speech/10/16, The challenges ahead for the European Union keynote speech at the Data protection day, 28 January 2010 Back

229   Q 224 Back

230   Professor Juliet Lodge, Inter-operability and Accountability in the EU, University of Leeds, July 2007  Back

231   Ibid.  Back

232   House of Lords European Union Committee, Fortieth Report of Session 2005-06, Behind Closed Doors: the meeting of the G6 Interior Ministers at Heiligendamm, HL Paper 221, para 25  Back

233   Ev 91  Back

234   Ev 109 Back

235   HL Paper (Session 2007-08) 62-I, para 6.17 Back

236   Q 207 Back

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2010
Prepared 6 April 2010