Legal base	—
Document originated	20 July 2010
Deposited in Parliament	27 July 2010
Department	Home Office
Basis of consideration	Minister's letter of 13 October 2010
Previous Committee Report	HC 428-ii (2010-11), chapter 12 (15 September 2010)
To be discussed in Council	October 2010
Committee's assessment	Politically important
Committee's decision	Not cleared; further information requested

Background

7.1 The removal of internal border controls through the creation of an EU internal market and the establishment of the Schengen free movement area has been accompanied by a range of measures to strengthen external border controls and enhance police, judicial and customs co-operation to tackle cross-border crime within the EU. Many of these measures depend on the cross-border exchange of data.

7.2 Since 2001, growing awareness of the terrorist threat within the EU has accelerated co-operation between national law enforcement authorities. The Justice and Home Affairs Council concluded in November 2009 that "effective and secure cross-border exchange of information is a pre-condition to achieve the goals of internal security in the European Union".[56]

7.3 A multiplicity of systems for the cross-border exchange of information, however, carries risks in terms of personal data protection, invasion of privacy, lack of coherence and duplication. As a result, the Stockholm Programme, which the European Council approved last December and which establishes the EU's priorities in the area of freedom, security and justice[57] for the period 2010-14, recognised "the need for coherence and consolidation in developing information management and exchange" systems and invited the Commission and Council to implement an EU Information Management Strategy based on a strong data protection regime.[58] The European Council also invited the Commission to evaluate existing instruments for the exchange of information with a view to determining whether there was a need to develop a European Information Exchange Model.

The Commission Communication

7.4 The Communication provides, for the first time, a comprehensive overview of EU instruments in the area of freedom, security and justice which regulate the collection, storage and exchange of personal data for law enforcement or migration purposes. The Commission's analysis leads it to make a number of observations about the features common to most EU information management systems and to suggest a "core set of principles" which should serve as a benchmark for evaluating existing systems and for considering future policy proposals. The need to safeguard the right to privacy and to ensure effective protection of personal data features prominently in the core principles.

The Government's view

7.5 In his Explanatory Memorandum of 9 August, the Minister for Immigration at the Home Office (Damian Green) welcomed the Communication but noted that "information exchange is not an end itself but a means of working towards providing greater public good — in combating crime, in facilitating legitimate travel, in doing business abroad, and in managing identity". He emphasised the need for effective data protection and transparency about the collection, retention and use of personal information in order to "strike the correct balance between private and public interests".[59]

7.6 The Minister indicated that the UK would be unlikely to participate in a number of the new information management systems foreseen in the Communication, but would continue to advocate the introduction of a system for sharing Passenger Name Record data within the EU. He considered the Commission's core set of principles to be uncontentious but also provided a useful additional list of factors which the Government would take into account when evaluating existing EU information management systems or future initiatives.

The Committee's view

7.7 The Committee also welcomed the Communication and the Commission's elaboration of a set of core principles for future policy development, noting in particular the emphasis placed on the right to privacy and personal data protection as well as respect for the principles of subsidiarity and proportionality. The Committee invited further comment from the Minister on the following issues:

• whether he considered that existing EU instruments described in the Communication provided an effective standard of data protection;
• what implications adverse Constitutional Court rulings in Germany and Romania on the Data Retention Directive might have for the retention of communications data in the UK;
• whether he agreed with the Commission that continued piecemeal development of EU information systems could provide adequate and effective data protection and privacy safeguards; and
• whether he also agreed with the Commission's assertion that EU solutions (such as the Commission's s-TESTA or Europol's SIENA applications) for exchanging information provided the best guarantee for data security.

The Minister's letter of 13 October

7.8 The Parliamentary Under Secretary of State for Crime Prevention (James Brokenshire) says he believes that the measures referred to in the Communication generally provide an effective level of data protection, but that there are disparities between them, for example, as regards data security and retention, as well as some overlap of functions. He adds:

"The Commission's plans for a new data protection instrument are likely to provide the opportunity to ensure the principles set out in the Communication can be embedded in the legal framework where appropriate. We believe that this will also be an opportunity to review the standards in the existing instruments to consider whether they could be updated and improved."

7.9 The Minister notes that the German Constitutional Court considered that the way in which Germany had transposed the Data Retention Directive 2006/24/EC into national law was unconstitutional, but adds that "the court also ruled that there was sufficient latitude within the Directive to enable it to be re-transposed in a way that was consistent with the German Constitution." He says that, in the UK, communications data is accessed through the Regulation of Investigatory Powers Act 2000 (RIPA) and that the Government is satisfied that "we have the necessary structures in place to ensure that communications data retained under the Directive is accessed in accordance with the law and only when it is necessary and proportionate to do so."

7.10 The Minister understands the Committee's concern about the piecemeal development of EU information systems and expresses the view that

"future developments in this field should take place within an agreed strategic framework such as that being implemented currently under the EU's Information Management Strategy. This should help ensure a more consistent approach is taken towards future developments. It should also ensure that appropriate data protection is taken into account, that information exchange is governed by principles of proportionality and necessity, and that any proposed schemes are appropriate and cost effective."

7.11 On ensuring the security of data exchanged across borders, the Minister explains that the Commission's s-TESTA is the base network for the UK's connection to many EU information sharing systems (including the second generation Schengen Information System — SIS II — once it becomes operational). The Government is continuing to discuss issues of security and accreditation of S-TESTA with the Commission, "but in the meantime the Cabinet Office has issued guidance to all relevant Government Departments requiring them to conduct individual risk assessments before using s-TESTA, taking account of issues such as the volume and sensitivity of the data being exchanged" . The Minister adds that the SIENA data communications network is not used as an EU system platform outside of Europol, but that "the UK would want to assess SIENA fully if it is presented as a platform option for any reviewed system or new initiative".

Conclusion

7.12 We thank the Minister for his response. We note that there is a possibility that the Commission will introduce a new data protection instrument. We believe that this provides the Government with an important opportunity to press for the inclusion of clear and transparent standards of data protection which adequately safeguard individuals' right to privacy.

7.13 We note that the Minister does not comment on the judgment of the Romanian Constitutional Court which went further than the German Court in ruling that the generic obligation created by the EU Data Retention Directive[60] to retain communications data for a minimum of six months was unconstitutional because it violated rights protected by the European Convention on Human Rights, notably the right to respect for private and family life and correspondence, and the right to freedom of expression. We should be grateful if the Minister would tell us what, if any, implications that judgment is likely to have on the legality of the EU data retention regime established by the Directive. Meanwhile, the Communication remains under scrutiny.

57   The area of freedom, security and justice covers EU policies on visas, asylum and immigration, judicial co-operation in civil and criminal matters, and police co-operation. See Articles 67-89 in Title V of Part Three of the Treaty on the Functioning of the European Union. Back

58   See the Stockholm Programme, paragraph 4.2.2, Council document 17024/09. Back

59   Minister's Explanatory Memorandum, paragraph 36. Back

60   Directive 2006/24/EC, OJ L 105, 13.4.2006, p.54. Back