12 Information management in the area of freedom, security and justice
(31838) 12579/10 COM(10) 385 | Commission Communication: Overview of information management in the area of freedom, security and justice
Legal base |
Document originated | 20 July 2010
Deposited in Parliament | 27 July 2010
Department | Home Office
Basis of consideration | EM of 9 August 2010
Previous Committee Report | None
To be discussed in Council | 7 October 2010
Committee's assessment | Politically important
Committee's decision | Not cleared; further information requested
Background
12.1 The removal of internal border controls through the creation
of an EU internal market and the establishment of the Schengen
free movement area has been accompanied by a range of measures
to strengthen external border controls and enhance police, judicial
and customs co-operation to tackle cross-border crime within the
EU. Many of these measures depend on the cross-border exchange
of data.
12.2 Since 2001, growing awareness of the terrorist
threat within the EU has accelerated co-operation between national
law enforcement authorities. The Justice and Home Affairs Council
concluded in November 2009 that "effective and secure cross-border
exchange of information is a pre-condition to achieve the goals
of internal security in the European Union".[40]
12.3 A multiplicity of systems for the cross-border
exchange of information, however, carries risks in terms of personal
data protection, invasion of privacy, lack of coherence and duplication.
As a result, the Stockholm Programme, which the European Council
approved last December and which establishes the EU's priorities
in the area of freedom, security and justice[41]
for the period 2010-14, recognised "the need for coherence
and consolidation in developing information management and exchange"
systems and invited the Commission and Council to implement an
EU Information Management Strategy based on a strong data protection
regime.[42] The European
Council also invited the Commission to evaluate existing instruments
for the exchange of information with a view to determining whether
there was a need to develop a European Information Exchange Model.
The Commission Communication
12.4 The Communication provides, for the first
time, an overview of EU instruments in the area of freedom, security
and justice which regulate the collection, storage and exchange
of personal data for law enforcement or migration purposes. Each
instrument is described in terms of the purposes for which data
may be collected, stored or exchanged; the structure of the information
exchange system (some are centralised, with data collected and
stored at EU level, others are decentralised); the type of personal
data held; the authorities which have access to the data; rules
on data retention and protection; and provision for review or
evaluation.
12.5 The main instruments for the cross-border
exchange of personal information are as follows:
- The Schengen Information System (SIS and SIS II): a centralised information system but with a national part
in each participating Member State. Its purpose is to help maintain
public security and facilitate free movement of persons within
the Schengen area. Member States may issue "alerts"
(notifications) for individuals wanted for arrest for extradition;
third country nationals to be refused entry; missing persons;
witnesses or those under judicial summons; persons and vehicles
presenting a threat to public safety or national security; lost
or stolen vehicles, documents and firearms; and suspect bank notes.
Between January 2008 and January 2010, the number of SIS alerts rose
from 22.9 to 31.6 million. SIS II, which is not yet operational,
is intended to accommodate the increase in data volume and changes
in the needs of its users (the Member States) and will expand
the categories of data which may be entered in the SIS to include,
for example, fingerprints, photographs, and copies of the European
Arrest Warrant. The UK only participates in the police co-operation
aspects of SIS;
- EURODAC: a centralised automated fingerprint identification system which
contains the fingerprint data of asylum applicants (aged 14 or
over) or of third country nationals apprehended within a Member
State on suspicion of illegal entry. EURODAC may only be used
to facilitate the application of the Dublin Regulation which seeks
to determine the first port of entry within the EU for an asylum
applicant and hence the Member State responsible for processing
a claim for asylum;
- The Visa Information System (VIS): a centralised information system with a national part
in each participating Member State. Its purpose is to help implement
the common visa policy and prevent threats to internal security.
Although not yet operational, VIS will include data on visa applications,
photographs, fingerprints and decisions of visa authorities and
will use a system of biometric matching to verify the identity
of visa holders and to ensure reliable fingerprint comparisons.
As the UK does not participate in those parts of Schengen concerning
visas and border controls, the UK will not have direct access
to VIS data;
- Advance Passenger Information (API): under a 2004 Directive, Member States may require air
carriers to communicate to their border control authorities personal
data concerning their passengers, such as name, date of birth,
nationality, point of embarkation.[43]
API data may only be held for 24 hours after the flight's arrival
and may not be exchanged between Member States. The Directive
is intended to improve border control and combat illegal immigration;
- Naples II Convention: the Convention provides for mutual assistance and co-operation
between customs administrations to prevent and detect infringements
of EU or national customs rules. Assistance may include the processing
and exchange of personal data;
- Customs Information System (CIS): a centralised information system accessible via terminals
in each Member State, the Commission, Eurojust and Europol. Its
purpose is to help prevent, investigate or prosecute serious violations
of customs rules. Personal data held in CIS include names, aliases,
date and place of birth, nationality, sex, physical characteristics,
address, and any history of violence;
- Framework Decision on exchange of information between law enforcement authorities (the "Swedish initiative"): this instrument, which is based on an initiative proposed
by Sweden, seeks to facilitate the exchange of criminal intelligence
between Member States' law enforcement authorities by applying
the principle of "equivalent access". This means that
the conditions governing the supply of information to another
Member State should be no more onerous than would be the case
in a purely domestic or internal context;
- Prüm Decision: the Decision, which should be implemented by August 2011,
provides for the decentralised exchange of DNA profiles, fingerprints,
vehicle registration data and information relating to suspected
terrorist attacks by means of interconnected databases in order
to help prevent crime, particularly terrorism, and maintain public
order;
- Data Retention Directive: the Directive requires telephony and internet service
providers to retain electronic communication traffic and location
data, as well as information about subscribers, for up to 24 months
for use by national authorities for the purpose of investigating,
detecting and prosecuting serious crime.[44]
The Romanian Constitutional Court has held that data retention
is contrary to the European Convention of Human Rights and declared
the national implementing measures to be unconstitutional. The
German Constitutional Court has also declared national implementing
rules on access to, and use of, the data to be unconstitutional;
- European Criminal Records Information System (ECRIS): a decentralised information
system, not yet operational, which will interconnect Member States'
criminal records databases to enable central authorities in each
Member State to exchange information on new convictions and past
criminal records;
- Financial Intelligence Units (FIUs): FIUs are located within each Member State and exchange
information, including details of financial transactions, for
the purpose of combating money laundering and terrorist financing;
- Asset Recovery Offices (AROs): a decentralised system of information exchange which enables
AROs in each Member State to exchange information (by means of
the Swedish initiative described above) which may assist in tracking
and identifying the proceeds of crime; and
- Cybercrime Alert Platforms: most Member States have developed Cybercrime Alert Platforms
to collect, analyse and exchange information about offences committed
on the internet. Europol has developed and manages a European
Cybercrime Platform to operate as an information hub and enhance
data sharing with national platforms.
12.6 The Communication also describes the role
of Europol[45] and Eurojust[46]
in relation to the detection, investigation and prosecution of
serious crime and the information management tools at their disposal,
as well as international agreements concluded by the EU on Passenger
Name Record (PNR) data and on Terrorist Finance Tracking which
make provision for the supply of personal data to certain third
countries, such as the United States, Canada and Australia.
12.7 The Communication previews a number of initiatives
proposed in the Commission's Action Plan to implement the Stockholm
Programme, including the possibility of new PNR Agreements with
the United States, Australia and Canada; introduction of a PNR
system within the EU; introduction of a new Entry/Exit System
for short-stay third country nationals entering the EU; a Registered
Traveller Programme for frequent travellers to the EU from third
countries; an EU terrorist finance tracking programme; an Electronic
System of Travel Authorisation for non-visa third country nationals;
and a European Police Records Index System.
12.8 The Commission draws a number of preliminary
observations, based on its overview of existing or planned information
management systems within the EU. According to the Commission,
relatively few systems depend on the collection or storage of
personal data at EU level.[47]
In most cases, personal data are collected and stored nationally
and EU instruments determine the conditions under which the data
may be exchanged between Member States or transferred to a third
country. Core features of most systems include purpose limitation
(to ensure that data may only be used for the limited purpose
specified) and controlled access to data. The proliferation of
databases has, however, resulted in some overlap of functions
and revealed highly variable periods of data retention (from as
little as 24 hours for API data to as much as 15 years under the
PNR agreement with the United States). Moreover, the nature and
frequency of review or evaluation of each information management
system varies from one instrument to another.
12.9 The Commission observes that, to preserve
the security of information exchanged across European borders,
"Member States prefer EU solutions".[48]
The Communication mentions two systems for secure data exchange.
The first, s-TESTA (Secure Trans-European Services for
Telematics between Administrations), is a Commission-funded
data communication network for the exchange of encrypted information.
The second, SIENA, is an application developed by
Europol to share sensitive information for law enforcement purposes.
12.10 The Communication concludes with a proposed
"core set of principles" which the Commission suggests
should serve both as a benchmark for evaluating existing EU information
management systems and for considering future policy proposals.
Substantive principles include:
- Safeguarding fundamental rights: especially
the right to privacy and personal data protection. Future policy
should be based on the "privacy by design" approach
which seeks to embed data protection in the design of the instrument,
limit data processing to what is necessary for the proposed purpose,
and grant data access on a "need to know" basis;
- Necessity: all future policy proposals should include an assessment of their
likely impact on the right to privacy and personal data protection,
explain why such an impact is necessary, and why the solution
proposed is proportionate to the legitimate aim of maintaining
internal security within the EU, preventing crime or managing
migration;
- Subsidiarity: the Commission will seek to ensure that any new proposals
comply with subsidiarity and proportionality, including, in the
case of new international agreements, an assessment of the proposal's
likely impact on relations with the particular third country;
and
- Accurate risk management: information management systems can help to manage risk
but the assessment of risk must be based on evidence and include
a test of necessity and a purpose limitation.
12.11 In addition to these substantive principles,
the Commission proposes "process-oriented principles"
which should include a rigorous analysis of cost-effectiveness,
involvement of a wide range of stakeholders, a clear allocation of
responsibilities (notably at the design stage) and systematic
inclusion of review clauses to ensure that information systems
continue to serve the purpose for which they were designed.
12.12 The Commission states that it has launched
an "information mapping exercise" to assess the practical
operation of systems for exchanging criminal intelligence between
Member States which will provide the basis for a further Communication
on the European Information Exchange Model in 2012.
The Government's view
12.13 In his Explanatory Memorandum of 9 August
2010, the Minister for Immigration at the Home Office (Damian
Green) welcomes the Commission Communication but says that "information
exchange is not an end itself but a means of working towards providing
greater public good in combating crime, in facilitating
legitimate travel, in doing business abroad, and in managing identity".
He adds that "it is important to strike the correct balance
between private and public interests. Effective data protection
must be a prerequisite for information sharing, along with transparency
about the collection, retention, and use of personal information".[49]
12.14 The Minister indicates that the UK would
be unlikely to participate in a number of the new information
management systems foreseen in the Communication, such as the
Entry/Exit System, Registered Traveller Programme and Electronic
System of Travel Authorisation which would all build on parts
of Schengen in which the UK does not participate. The Government
would also want clear evidence that a new European Police Records
Index System would add value to the existing system for the exchange
of criminal intelligence based on the Swedish initiative.
12.15 The Government would, however, continue
to advocate the introduction of a system for sharing Passenger
Name Record data within the EU and is urging the Commission to
bring forward a proposal in 2010 rather than 2011 as indicated
in the Communication.
12.16 The Minister considers the Commission's
core set of principles to be uncontentious but also sets out an
additional list of factors which the Government would take into
account when evaluating existing measures or future initiatives.
These are:
- "The necessity and overlap
of systems in operation, planned or proposed at EU level and their
practical application in the UK;
- The impact on UK system structures where they
mirror EU systems;
- The benefits and risks of centralised and decentralised
systems, including the base applications used and control rights
granted;
- Data retention and data protection;
- How best to review an existing or proposed mechanism
against another;
- The impact on Member State right of initiative,
bilateral agreements and co-operation, and international agreements;
- The benefits and risks of profiling;
- Best-practice on cost-effectiveness and engaged
policy development;
- The role of the IT Agency in the context of this
review; and
- The impact of any future changes to the purpose
or functionality of existing EU data exchange legislation, including
the use of repeal and replace proposals and the resulting impacts
on UK participation and opt-in".[50]
12.17 The Minister notes that the Communication
does not have any immediate legal, financial or policy implications
for the UK and that any future proposals arising from the Communication
will be subject to scrutiny.
Conclusion
12.18 We welcome the Commission's Communication
which sheds light on what is already an extensive network of EU
information systems providing for the exchange of personal data
for a variety of law enforcement purposes relating to migration
and crime. We also welcome the Commission's elaboration of a set
of core principles for future policy development and the emphasis
placed on the right to privacy and personal data protection as
well as respect for the principles of subsidiarity and proportionality.
12.19 We note that the Minister raises no
objection to the Commission's core principles and that he also
emphasises the need for effective data protection as a pre-requisite
for information sharing. In addition, the Minister sets out a
further list of considerations which the Government would wish
to take into account when evaluating existing or future EU information
exchange systems.
12.20 Constitutional Court rulings in Germany
and Romania on national legislation implementing the Data Retention
Directive suggest, however, that some existing EU instruments
fall short of both the Commission's core set of principles and
the additional considerations set out by the Minister. We therefore
ask the Minister to tell us whether he considers that the existing
instruments described in the Commission's Communication provide
an effective standard of data protection and, in particular, what
implications the Constitutional Court rulings may have for the
retention of communications data in the UK.
12.21 We would also welcome the Minister's
views on two assertions made by the Commission in its Communication
which are likely to influence the development of future EU information
management and exchange systems. First, the Commission states
that "policies in the area of freedom, security and justice
have developed in an incremental manner, yielding a number of
information systems and instruments of varying scope, size and
purpose. The compartmentalised structure of information management
that has emerged over recent decades is more conducive to safeguarding
citizens' right to privacy than any centralised alternative".[51]
Does the Minister agree that continued piecemeal development
of EU information systems can provide adequate and effective data
protection and privacy safeguards?
12.22 Second, the Commission states that "for
exchanging information across European borders, Member States
prefer EU solutions" and refers to the Commission's s-TESTA
and Europol's SIENA data communications networks. We ask the Minister
whether he agrees that the use of these networks provides the
best guarantee for data security.
12.23 Pending the Minister's replies to our
questions, we shall keep the Commission Communication under scrutiny.
40 Conclusions of the Justice and Home Affairs Council,
30 November 2009, Council document 16637/09.
41 The area of freedom, security and justice covers EU policies on
visas, asylum and immigration, judicial co-operation in civil
and criminal matters, and police co-operation. See Articles 67-89
in Title V of Part Three of the Treaty on the Functioning of the
European Union.
42 See the Stockholm Programme, paragraph 4.2.2, Council document
17024/09.
43 Directive 2004/82/EC, OJ No. L 261, 6.8.04, p.24.
44 Directive 2006/24/EC, OJ No. L 105, 13.4.06, p.54.
45 Europol is the European Police Office based in the Hague which
is responsible for collecting and analysing criminal intelligence
concerning serious international crime.
46 Eurojust comprises national prosecutors, magistrates and police
officers and works closely with Europol and with national prosecuting
authorities to help with the investigation and prosecution of
serious cross-border and organised crime.
47 The Commission has proposed a draft Regulation establishing a
new EU Agency for the operational management of three of these
centralised IT systems - SIS II, Eurodac and VIS. The draft Regulation
remains under scrutiny (see 31456).
48 Commission Communication, page 23.
49 Minister's Explanatory Memorandum, para 36.
50 Minister's Explanatory Memorandum, para 41.
51 Introduction to the Communication, para 7.