Documents considered by the Committee on 15 September 2010 - European Scrutiny Committee

12   Information management in the area of freedom, security and justice



COM(10) 385

Commission Communication: Overview of information management in the area of freedom, security and justice

Legal base
Document originated: 20 July 2010
Deposited in Parliament: 27 July 2010
Department: Home Office
Basis of consideration: EM of 9 August 2010
Previous Committee Report: None
To be discussed in Council: 7 October 2010
Committee's assessment: Politically important
Committee's decision: Not cleared; further information requested


12.1  The removal of internal border controls through the creation of an EU internal market and the establishment of the Schengen free movement area has been accompanied by a range of measures to strengthen external border controls and enhance police, judicial and customs co-operation to tackle cross-border crime within the EU. Many of these measures depend on the cross-border exchange of data.

12.2  Since 2001, growing awareness of the terrorist threat within the EU has accelerated co-operation between national law enforcement authorities. The Justice and Home Affairs Council concluded in November 2009 that "effective and secure cross-border exchange of information is a pre-condition to achieve the goals of internal security in the European Union".[40]

12.3  A multiplicity of systems for the cross-border exchange of information, however, carries risks in terms of personal data protection, invasion of privacy, lack of coherence and duplication. As a result, the Stockholm Programme, which the European Council approved last December and which establishes the EU's priorities in the area of freedom, security and justice[41] for the period 2010-14, recognised "the need for coherence and consolidation in developing information management and exchange" systems and invited the Commission and Council to implement an EU Information Management Strategy based on a strong data protection regime.[42] The European Council also invited the Commission to evaluate existing instruments for the exchange of information with a view to determining whether there was a need to develop a European Information Exchange Model.

The Commission Communication

12.4  The Communication provides, for the first time, an overview of EU instruments in the area of freedom, security and justice which regulate the collection, storage and exchange of personal data for law enforcement or migration purposes. Each instrument is described in terms of the purposes for which data may be collected, stored or exchanged; the structure of the information exchange system (some are centralised, with data collected and stored at EU level, others are decentralised); the type of personal data held; the authorities which have access to the data; rules on data retention and protection; and provision for review or evaluation.

12.5  The main instruments for the cross-border exchange of personal information are as follows:

  • The Schengen Information System (SIS and SIS II) — a centralised information system but with a national part in each participating Member State. Its purpose is to help maintain public security and facilitate free movement of persons within the Schengen area. Member States may issue "alerts" (notifications) for individuals wanted for arrest for extradition; third country nationals to be refused entry; missing persons; witnesses or those under judicial summons; persons and vehicles presenting a threat to public safety or national security; lost or stolen vehicles, documents and firearms; and suspect bank notes. Between January 2008 and January 2010, the number of SIS alerts rose from 22.9 to 31.6 million. SIS II, which is not yet operational, is intended to accommodate the increase in data volume and changes in the needs of its users (the Member States) and will expand the categories of data which may be entered in the SIS to include, for example, fingerprints, photographs, and copies of the European Arrest Warrant. The UK only participates in the police co-operation aspects of SIS;
  • EURODAC — a centralised automated fingerprint identification system which contains the fingerprint data of asylum applicants (aged 14 or over) or of third country nationals apprehended within a Member State on suspicion of illegal entry. EURODAC may only be used to facilitate the application of the Dublin Regulation which seeks to determine the first port of entry within the EU for an asylum applicant and hence the Member State responsible for processing a claim for asylum;
  • The Visa Information System (VIS) — a centralised information system with a national part in each participating Member State. Its purpose is to help implement the common visa policy and prevent threats to internal security. Although not yet operational, VIS will include data on visa applications, photographs, fingerprints and decisions of visa authorities and will use a system of biometric matching to verify the identity of visa holders and to ensure reliable fingerprint comparisons. As the UK does not participate in those parts of Schengen concerning visas and border controls, the UK will not have direct access to VIS data;
  • Advance Passenger Information (API) — under a 2004 Directive, Member States may require air carriers to communicate to their border control authorities personal data concerning their passengers, such as name, date of birth, nationality, point of embarkation.[43] API data may only be held for 24 hours after the flight's arrival and may not be exchanged between Member States. The Directive is intended to improve border control and combat illegal immigration;
  • Naples II Convention — the Convention provides for mutual assistance and co-operation between customs administrations to prevent and detect infringements of EU or national customs rules. Assistance may include the processing and exchange of personal data;
  • Customs Information System (CIS) — a centralised information system accessible via terminals in each Member State, the Commission, Eurojust and Europol. Its purpose is to help prevent, investigate or prosecute serious violations of customs rules. Personal data held in CIS include names, aliases, date and place of birth, nationality, sex, physical characteristics, address, and any history of violence;
  • Framework Decision on exchange of information between law enforcement authorities (the "Swedish initiative") — this instrument, which is based on an initiative proposed by Sweden, seeks to facilitate the exchange of criminal intelligence between Member States' law enforcement authorities by applying the principle of "equivalent access". This means that the conditions governing the supply of information to another Member State should be no more onerous than would be the case in a purely domestic or internal context;
  • Prüm Decision — the Decision, which should be implemented by August 2011, provides for the decentralised exchange of DNA profiles, fingerprints, vehicle registration data and information relating to suspected terrorist attacks by means of interconnected databases in order to help prevent crime, particularly terrorism, and maintain public order;
  • Data Retention Directive — the Directive requires telephony and internet service providers to retain electronic communication traffic and location data, as well as information about subscribers, for up to 24 months for use by national authorities for the purpose of investigating, detecting and prosecuting serious crime.[44] The Romanian Constitutional Court has held that data retention is contrary to the European Convention of Human Rights and declared the national implementing measures to be unconstitutional. The German Constitutional Court has also declared national implementing rules on access to, and use of, the data to be unconstitutional;
  • European Criminal Records Information System (ECRIS) — a decentralised information system, not yet operational, which will interconnect Member States' criminal records databases to enable central authorities in each Member State to exchange information on new convictions and past criminal records;
  • Financial Intelligence Units (FIUs) — FIUs are located within each Member State and exchange information, including details of financial transactions, for the purpose of combating money laundering and terrorist financing;
  • Asset Recovery Offices (AROs) — a decentralised system of information exchange which enables AROs in each Member State to exchange information (by means of the Swedish initiative described above) which may assist in tracking and identifying the proceeds of crime; and
  • Cybercrime Alert Platforms — most Member States have developed Cybercrime Alert Platforms to collect, analyse and exchange information about offences committed on the internet. Europol has developed and manages a European Cybercrime Platform to operate as an information hub and enhance data sharing with national platforms.

12.6  The Communication also describes the role of Europol[45] and Eurojust[46] in relation to the detection, investigation and prosecution of serious crime and the information management tools at their disposal, as well as international agreements concluded by the EU on Passenger Name Record (PNR) data and on Terrorist Finance Tracking which make provision for the supply of personal data to certain third countries, such as the United States, Canada and Australia.

12.7  The Communication previews a number of initiatives proposed in the Commission's Action Plan to implement the Stockholm Programme, including the possibility of new PNR Agreements with the United States, Australia and Canada; introduction of a PNR system within the EU; introduction of a new Entry/Exit System for short-stay third country nationals entering the EU; a Registered Traveller Programme for frequent travellers to the EU from third countries; an EU terrorist finance tracking programme; an Electronic System of Travel Authorisation for non-visa third country nationals; and a European Police Records Index System.

12.8  The Commission draws a number of preliminary observations, based on its overview of existing or planned information management systems within the EU. According to the Commission, relatively few systems depend on the collection or storage of personal data at EU level.[47] In most cases, personal data are collected and stored nationally and EU instruments determine the conditions under which the data may be exchanged between Member States or transferred to a third country. Core features of most systems include purpose limitation (to ensure that data may only be used for the limited purpose specified) and controlled access to data. The proliferation of databases has, however, resulted in some overlap of functions and revealed highly variable periods of data retention (from as little as 24 hours for API data to as much as 15 years under the PNR agreement with the United States). Moreover, the nature and frequency of review or evaluation of each information management system varies from one instrument to another.

12.9  The Commission observes that, to preserve the security of information exchanged across European borders, "Member States prefer EU solutions".[48] The Communication mentions two systems for secure data exchange. The first — s-TESTA (Secure Trans-European Services for Telematics between Administrations) — is a Commission-funded data communication network for the exchange of encrypted information. The second — SIENA — is an application developed by Europol to share sensitive information for law enforcement purposes.

12.10  The Communication concludes with a proposed "core set of principles" which the Commission suggests should serve both as a benchmark for evaluating existing EU information management systems and for considering future policy proposals. Substantive principles include:

  • Safeguarding fundamental rights — especially the right to privacy and personal data protection. Future policy should be based on the "privacy by design" approach which seeks to embed data protection in the design of the instrument, limit data processing to what is necessary for the proposed purpose, and grant data access on a "need to know" basis;
  • Necessity — all future policy proposals should include an assessment of their likely impact on the right to privacy and personal data protection, explain why such an impact is necessary, and why the solution proposed is proportionate to the legitimate aim of maintaining internal security within the EU, preventing crime or managing migration;
  • Subsidiarity — the Commission will seek to ensure that any new proposals comply with subsidiarity and proportionality, including, in the case of new international agreements, an assessment of the proposal's likely impact on relations with the particular third country; and
  • Accurate risk management — information management systems can help to manage risk but the assessment of risk must be based on evidence and include a test of necessity and a purpose limitation.

12.11  In addition to these substantive principles, the Commission proposes "process-oriented principles" which should include a rigorous analysis of cost-effectiveness, involvement of a wide range of stakeholders, a clear allocation of responsibilities (notably at the design stage) and systematic inclusion of review clauses to ensure that information systems continue to serve the purpose for which they were designed.

12.12  The Commission states that it has launched an "information mapping exercise" to assess the practical operation of systems for exchanging criminal intelligence between Member States which will provide the basis for a further Communication on the European Information Exchange Model in 2012.

The Government's view

12.13  In his Explanatory Memorandum of 9 August 2010, the Minister for Immigration at the Home Office (Damian Green) welcomes the Commission Communication but says that "information exchange is not an end itself but a means of working towards providing greater public good — in combating crime, in facilitating legitimate travel, in doing business abroad, and in managing identity". He adds that "it is important to strike the correct balance between private and public interests. Effective data protection must be a prerequisite for information sharing, along with transparency about the collection, retention, and use of personal information".[49]

12.14  The Minister indicates that the UK would be unlikely to participate in a number of the new information management systems foreseen in the Communication, such as the Entry/Exit System, Registered Traveller Programme and Electronic System of Travel Authorisation which would all build on parts of Schengen in which the UK does not participate. The Government would also want clear evidence that a new European Police Records Index System would add value to the existing system for the exchange of criminal intelligence based on the Swedish initiative.

12.15  The Government would, however, continue to advocate the introduction of a system for sharing Passenger Name Record data within the EU and is urging the Commission to bring forward a proposal in 2010 rather than 2011 as indicated in the Communication.

12.16  The Minister considers the Commission's core set of principles to be uncontentious but also sets out an additional list of factors which the Government would take into account when evaluating existing measures or future initiatives. These are:

  • "The necessity and overlap of systems in operation, planned or proposed at EU level and their practical application in the UK;
  • The impact on UK system structures where they mirror EU systems;
  • The benefits and risks of centralised and decentralised systems, including the base applications used and control rights granted;
  • Data retention and data protection;
  • How best to review an existing or proposed mechanism against another;
  • The impact on Member State right of initiative, bilateral agreements and co-operation, and international agreements;
  • The benefits and risks of profiling;
  • Best-practice on cost-effectiveness and engaged policy development;
  • The role of the IT Agency in the context of this review; and
  • The impact of any future changes to the purpose or functionality of existing EU data exchange legislation, including the use of repeal and replace proposals and the resulting impacts on UK participation and opt-in".[50]

12.17  The Minister notes that the Communication does not have any immediate legal, financial or policy implications for the UK and that any future proposals arising from the Communication will be subject to scrutiny.


12.18  We welcome the Commission's Communication which sheds light on what is already an extensive network of EU information systems providing for the exchange of personal data for a variety of law enforcement purposes relating to migration and crime. We also welcome the Commission's elaboration of a set of core principles for future policy development and the emphasis placed on the right to privacy and personal data protection as well as respect for the principles of subsidiarity and proportionality.

12.19  We note that the Minister raises no objection to the Commission's core principles and that he also emphasises the need for effective data protection as a pre-requisite for information sharing. In addition, the Minister sets out a further list of considerations which the Government would wish to take into account when evaluating existing or future EU information exchange systems.

12.20  Constitutional Court rulings in Germany and Romania on national legislation implementing the Data Retention Directive suggest, however, that some existing EU instruments fall short of both the Commission's core set of principles and the additional considerations set out by the Minister. We therefore ask the Minister to tell us whether he considers that the existing instruments described in the Commission's Communication provide an effective standard of data protection and, in particular, what implications the Constitutional Court rulings may have for the retention of communications data in the UK.

12.21  We would also welcome the Minister's views on two assertions made by the Commission in its Communication which are likely to influence the development of future EU information management and exchange systems. First, the Commission states that "policies in the area of freedom, security and justice have developed in an incremental manner, yielding a number of information systems and instruments of varying scope, size and purpose. The compartmentalised structure of information management that has emerged over recent decades is more conducive to safeguarding citizens' right to privacy than any centralised alternative".[51] Does the Minister agree that continued piecemeal development of EU information systems can provide adequate and effective data protection and privacy safeguards?

12.22  Second, the Commission states that "for exchanging information across European borders, Member States prefer EU solutions" and refers to the Commission's s-TESTA and Europol's SIENA data communications networks. We ask the Minister whether he agrees that the use of these networks provides the best guarantee for data security.

12.23  Pending the Minister's replies to our questions, we shall keep the Commission Communication under scrutiny.

40   Conclusions of the Justice and Home Affairs Council, 30 November 2009, Council document 16637/09.

41   The area of freedom, security and justice covers EU policies on visas, asylum and immigration, judicial co-operation in civil and criminal matters, and police co-operation. See Articles 67-89 in Title V of Part Three of the Treaty on the Functioning of the European Union.

42   See the Stockholm Programme, paragraph 4.2.2, Council document 17024/09.

43   Directive 2004/82/EC, OJ No. L 261, 6.8.04, p.24.

44   Directive 2006/24/EC, OJ No. L 105, 13.4.06, p.54.

45   Europol is the European Police Office based in the Hague which is responsible for collecting and analysing criminal intelligence concerning serious international crime.

46   Eurojust comprises national prosecutors, magistrates and police officers and works closely with Europol and with national prosecuting authorities to help with the investigation and prosecution of serious cross-border and organised crime.

47   The Commission has proposed a draft Regulation establishing a new EU Agency for the operational management of three of these centralised IT systems - SIS II, Eurodac and VIS. The draft Regulation remains under scrutiny (see 31456).

48   Commission Communication, page 23.

49   Minister's Explanatory Memorandum, para 36.

50   Minister's Explanatory Memorandum, para 41.

51   Introduction to the Communication, para 7.

© Parliamentary copyright 2010
Prepared 24 September 2010