3 The draft Directive
106. The overwhelming majority of the written
evidence submissions we received focused solely on the draft Regulation,
as was the case during the Government's consultation.[133]
However, we were able to question several of our witnesses about
the draft Directive during our evidence sessions.
The basis for, and aims of, reforming the Data Protection Framework Decision 2008
107. The draft Directive would repeal and replace
the existing Data Protection Framework Decision, which was negotiated
in 2008, entered into force on 19 January 2009, and had to be
implemented by 27 November 2010.
108. The Government's Explanatory Memorandum
states:
The Commission believes that new rules governing
the processing of personal data for the purpose of law enforcement
and judicial co-operation are needed given the unprecedented growth
of new and emerging technologies and the parallel increase in
flows of information within and across national borders. The Commission
also wants to provide greater consistency across Member States
in the interpretation and implementation of rules governing data
protection rights and contends that a harmonised set of rules
will provide both greater certainty for individuals in understanding
their rights and greater efficiencies in law enforcement co-operation.[134]
109. The Association of Chief Police Officers
(ACPO) told us it was "rather surprised that the [Framework
Decision] is going to be changed so soon after implementation",
that it provided for the essential exchange of criminal conviction
data with colleagues across Europe, and that the processes worked
relatively well.[135]
Lord McNally agreed with this assessment, and told
us:
[W]e do think it is a bit soon after the last tweak
to this in 2008 to be looking at it again. It is a matter of balance
whether you say that, since you are looking at the Regulation,
which is much older, you might as well take another look at the
police and law enforcement Directive at the same time. It is an
argument for starting from square one again with that. From what
I understand, the balance of the discussions so far has been much
more about what's in the Regulation [...] rather than going back
to square one with the police and law enforcement Directive.[136]
110. The EU Commission's belief that a new Directive
is required is based on a Commission Report which assessed the
implementation and functioning of the Framework Decision.[137]
Twenty Member States did not report any particular problems with
the Framework Decision, whilst six Member States made comments
on issues of concern to them. The Commission concluded that a
new Directive could solve the practical difficulties encountered
by a number of Member States in distinguishing between rules for
domestic and cross-border data processing, clarify the scope and
possible exemptions concerning data subjects' right to information,
and strengthen data subjects' right of access through clarification
and minimum harmonised criteria, while also providing exemptions
to allow the police and justice authorities to properly perform
their tasks. In addition, the Commission stated:
[...] under Article 16 TFEU, which enshrines the
right to the protection of personal data in the EU Treaties, there
is now the possibility of establishing a comprehensive data protection
framework ensuring both a high level of protection of individuals'
data in the area of police and judicial cooperation in criminal
matters and a smoother exchange of personal data between Member
States' police and judicial authorities, fully respecting the
principle of subsidiarity.[138]
111. The Commission argue that the Framework
Decision has a limited scope of application, since it only applies
to cross-border data processing, and this can create difficulties
for authorities because they are not always able to easily distinguish
between purely domestic and cross-border processing. Additionally,
because of its nature and content, the Framework Decision leaves
a lot of room for manoeuvre to Member States' national laws in
implementing its provisions, and it does not contain any mechanism
to support the common interpretation of its provisions, or enable
the Commission to ensure a common approach in its implementation.[139]
112. Françoise Le Bail told us that the
European Commission thought it was right to have an overall framework
for data protection, and because the draft Directive would enable
increased harmonisation and more consistent implementation across
Member States it was an important element of the overall package
of reforms. She commented that the Framework Decision imposed
administrative burdens as it was difficult for authorities to
make a distinction between data that are domestically processed
and data that are not. Furthermore, including domestic processing
in the draft Directive brought consistency to the overall regime,
as the current general Directive applied to domestic and cross-border
processing in non-criminal matters. She also explained that the
draft Directive would make data protection a reality, because
if the Member States did not apply the Directive, or did not apply
it in the right way, the Commission could intervene.[140]
113. The Commission contend that a Directive
is the best instrument to ensure harmonisation at EU level, whilst
also leaving the necessary flexibility so that Member States can
implement the principles, the rules and their exemptions at national
level,[141] and the
Government supports this view.[142]
114. We are not convinced that
there is a pressing need to alter EU law in this area, given that
the Framework Decision 2008 was only recently implemented. However,
it is arguable that since the general 1995 Directive requires
updating, the corresponding legislation which deals with criminal
matters should also be updated so that the principles in each
instrument are consistent.
115. The draft Directive sets out (for the purposes
of police and judicial cooperation in criminal matters):
- principles governing personal
data processing;
- rights of individuals to access their personal
data, to have it rectified or erased, to object to processing
and not to be subject to profiling;
- the obligations of data controllers and data
processors to provide information to individuals, to report on
breaches of data security and to put in place technical and organisational
measures;
- rules on transfer of personal data to countries
outside the European Economic Area (EEA) and to international
organisations;
- rules relating to national regulators ("supervisory
authorities"), and how they will cooperate with each other
and the European Commission;
- remedies available to data subjects and the obligation
for Member States to lay down rules on penalties, to sanction
infringements, and to ensure their implementation.[143]
116. Some of the key changes that the Directive
introduces as compared to the existing regime are as follows:
- an extension to the scope of
data processing to include domestic processing for the purpose
of policing and judicial cooperation;
- new definitions of key terms such as a "data
subject", which includes identification of the individual
by "online identifiers" and "genetic" identity;
- new rights of access and information for data
subjects, such as the identity of the data controller, the purpose
of the data processing and the period for which the data will
be stored;
- an obligation for data controllers to implement
"appropriate technical and organisational measures"
to ensure an appropriate level of security;
- a right for data subjects to directly demand
the erasure of their personal data by the data controller;
- an obligation on data controllers to inform supervisory
authorities and data subjects of data breaches, informing the
former within 24 hours of discovery and the latter "without
undue delay"; and
- an obligation for data controllers or processors
to appoint data protection officers.[144]
Perceived weakness in comparison to the draft Regulation
117. On the face of it, the scope of the draft
Directive is similar to the draft Regulation, but there are important
differences and various witnesses drew attention to the relative
weakness of the Directive's provisions for the protection of personal
data. For example, when the legislative framework was presented,
Peter Hustinx, European Data Protection Supervisor, welcomed the
new steps towards data protection in Europe but criticised the
rules for the police and justice area as "inadequate",
and stated:
The Commission has not lived up to its promises to
ensure a robust system for police and justice. These are areas
where the use of personal information inevitably has an enormous
impact on the lives of private individuals. It is difficult to
understand why the Commission has excluded this area from what
it intended to do, namely proposing a comprehensive legislative
framework.[145]
118. The Information Commissioner's written evidence
stated:
[D]ue to the removal or adaptation of certain provisions,
we are concerned that the Directive is now weaker than the Regulation.
For example, the recitals of the Directive do not include important
provisions relating to the retention of personal data, and its
transparency provisions are weaker than those in the Regulation.[146]
Additionally, the Information Commissioner's initial
analysis paper stated:
[...] we would expect the principles to be consistent
across both instruments. However, this is not the case and the
recitals of the Directive fail to include important elements regarding
the retention of personal data, transparency towards individuals,
keeping personal data up to date, and ensuring it is adequate,
relevant and not excessive. Accountability provisions requiring
the data controller to demonstrate compliance are also missing.
The December 2011 version also included provisions limiting access
to data to duly authorised staff in competent authorities who
need them for the performance of their tasks. This should be reintroduced.[147]
119. Privacy International told us:
As far as the proposed Directive is concerned [...]
[w]e consider that the EU Commission drafters have failed in their
duty to ensure a high level of data protection for citizens across
the board. [...] Police and judicial cooperation in the context
of law enforcement is an area where sensitive personal data is
likely to be involved, and therefore citizens may be put at particular
risk. We agree with the views of the UK Information Commissioner
and the European Data Protection Supervisor in this respect.[148]
We asked Privacy International to expand on why they
thought the draft Directive had a weaker level of protection in
comparison to the draft Regulation, to which they answered:
[...] it seems the rationale is one of ratcheting
up the existing Framework Decision 2008/977/JHA and including
data processing activities by the police and judiciary on the
domestic levels, as agreed in the Lisbon Treaty, but at the same
time playing to various member countries' political sensibilities
and current situations. The result is not satisfactory in our
view. In the explanatory memorandum to the Directive the Commission
emphasises the need for a more comprehensive approach to data
protection in the EU and seems to conclude that this will be achieved
to a certain degree by this proposed Directive as it follows the
same broad principles to the Regulation. But it doesn't and in
our view it will create further confusion and grey areas.[149]
120. We also asked Françoise
Le Bail, European Commission, why the draft Directive was perceived
as weaker than the draft Regulation. She said the level of protection
was not less, but was made differently because it applied to the
area of cooperation in criminal matters. She argued that the data
protection authorities might have wished for one single instrument
for data protection, which would have been simpler, but this would
not have been the ideal solution for police cooperation.[150]
121. We agree with the Information
Commissioner that data protection principles should be consistent
across both the draft Regulation and the draft Directive. We recommend
that during the negotiations on the legislation, the Government
seek to amend the draft Directive so that this consistency is
achieved.
Impact assessment
122. The European Commission's impact assessment,
which covers both the draft Regulation and the draft Directive,
has been received with a high degree of scepticism. Table 5 of
that impact assessment provides an overview of how the envisaged
changes to the current regulatory framework will contribute to
overall simplification. It states that the Directive will have
"no impact on administrative burden[s]".[151]
123. The MoJ's Summary of Responses contains
its own assessment of the draft Directive in a "Checklist
for analysis on EU proposals". It states:
The overall impact is likely to be substantially
negative, though it is difficult to place a number on it. The
proposals are likely to impose new costs on criminal justice system
agencies and the ICO. Though some measures are designed to aid
good practice, many of the new obligations appear disproportionate
and unnecessary leading to an overall negative outcome.[152]
These issues are explored in more detail in the accompanying
Annex, Assessment of impacts, in particular identifying
the groups likely to be affected.
The proposal will impact on public authorities ("competent
authorities") that process personal data for the purposes
of the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties. [...]
Competent authorities include all Criminal Justice System (CJS)
agencies, including the Police, Crown Prosecution Service, HMCTS,
Probation, Youth Offending Services, Prisons, agencies with powers
of prosecution and the judiciary.
It is likely to affect the Police and other law enforcement
authorities with regard to the processing of personal data. In
particular, the scope of the legislation is being extended to
include internal/domestic processing: all data transfers between
domestic UK police forces (for example, data sent from the Metropolitan
Police to South Yorkshire Police). This was previously not covered
by the 2008 DPFD.
Suspects, defendants, victims, witnesses will also
be affected by the proposals by continuing to have their personal
data protected by the law, with recourse to either a supervisory
authority or the courts when their rights are infringed. This
proposal therefore impacts on the civil liberties of citizens
in general.
The Information Commissioner's Office (ICO), the
UK's supervisory authority that regulates inter alia data protection
policy, will also be affected. There is a widening of the powers
of the ICO and more areas where it will need to regulate and therefore
both its scope and resource requirements will be increased.[153]
124. In paragraphs 31-37, we considered the impact
assessments of both the Commission and the UK Government in relation
to the draft Regulation. We repeat our recommendation here in
relation to the draft Directive:
We call on the European Commission
to work with the UK Government, the governments of other Member
States, and other stakeholders, and to pool resources, expertise
and information, so that a full assessment of the impact of the
proposals can be produced.
Application to the United Kingdom
125. The Government's position is that, as the
proposals stand, they only apply to the UK in the limited circumstances
where data sharing is done under Title V measures in the area
of police and judicial cooperation in criminal matters that bind
the UK.[154] The Government's
Explanatory Memorandum states:
It is important to note, however, that Article 6a
of the UK and Ireland's Title V Protocol (Protocol 21 TFEU) is
likely to mean that there is a limited application of the Directive
to the UK (and Ireland). Although no final position has been agreed
with the Commission, current UK legal opinion of Article 6a of
the Protocol means that the Directive will only apply in instances
where data processing is being carried out pursuant to an EU measure
that binds the UK. This necessarily excludes internal processing
from applying to the UK if this legal opinion is accepted. It
also means that any rights exercised in regards to internally-processed
data, such as rights of access to Police data, will not apply
to the UK.[155]
The then Minister, Mr Crispin Blunt MP, told the
House on 24 April "We believe that the limiting effect of
Article 6a on the aspects of the directive that relate to data
exchanges within the United Kingdom means that we should be content
to be part of it, which will of course substantially reduce the
costs identified in the impact assessment".[156]
Mr Blunt told the European Scrutiny Committee:
we believe our understanding to be shared by the
Commission. In order to try and reinforce our belief and what
we understand to be the Commission's belief as to the correct
interpretation of Article 6(a), we want to get that written on
to the face of the Directive in the negotiations that are ongoing.
[...] There is obviously a very small risk that if we did not
get it written on to the face of the Directive, we could then
find ourselves with different parts of European institutions [...]
attempting to apply it.[157]
126. The Annex assesses the impact of the Directive
on the basis that the UK will be subject to the domestic processing
provisions, and as such has reached the conclusion that the overall
impact will be substantially negative.[158]
127. The Association of Chief Police Officers
(ACPO) told us "[w]hat has yet to be made clear is whether
the Directive will apply only to the UK in circumstances where
data is being shared for the purposes of an EU instrument and
not when we are sharing information purely for domestic reasons.
Clearly, if this were to impact on day to day exchange of information
between forces, the ramifications would be significant and come
at a high cost".[159]
However, they go on to say, "we believe that providing the
Directive does not impact upon domestic processing, that the impact
will not be severe".[160]
128. It needs to be clear beyond
doubt that exchange of information between UK law enforcement
agencies is not covered by the Directive, and the Government's
negotiating stance should seek to ensure that the exemption of
the UK from provisions relating to domestic processing is written
into the Directive. In order to clarify the position, the Ministry
of Justice should provide an impact assessment of the draft Directive
on the basis that domestic processing does not apply to the UK.
Practical impact on competent authorities
129. Ian Readhead, Director of Information, Association
of Chief Police Officers, said in oral evidence, "in relation
to the exchange of European conviction data, I want to impress
upon you first how important that is and the kind of work we are
undertaking at present". He continued by explaining how records
of previous convictions in other Member States could be produced
in UK courts, to aid a prosecution in this country. UK police
forces could also track offenders across Europe, so that if an
individual was arrested and returned to a Member State on a European
Arrest Warrant, the case would be followed. If the individual
was convicted of a serious offence, the police would notify the
UK Border Agency who would be able to prevent the individual's
re-entry to the UK. In a similar way the police were able to track
sex offenders across Europe. He said "[t]hrough all of these
processes [...] we try proactively to put in place schemes to
try and monitor offending behaviour on a European level to protect
local communities".[161]
130. However, Mr Readhead expressed concern about
how the draft Directive could change current practices. He stated:
The Directive uses four principles in relation to
how we can use data: it talks about the execution of criminal
penalties, investigation, detection and the prosecution of criminal
offenders. It doesn't talk about common law. If we had a paedophile
offender released from prison who goes to live on a caravan park,
we go to the caravan park; we talk to the local families who are
in caravans; we tell them, "There is a paedophile here."
We do that unashamedly because we have to protect communities
and protect vulnerable persons and children. This Directive, written
in the way it currently is, in our view would prevent us from
doing that. [...]
It prevents us [from making that kind of disclosure]
because of the prescriptive nature of the Directive. As we read
this, those areas do not permit us to use our common law powers
anymore, because, effectively, the argument would be that we are
no longer processing data in accordance with either this Directive
or the Regulation. That is a real concern to us because there
is huge value in exchanging information with other agencies.[162]
131. Françoise Le Bail, European Commission,
told us the Commission believed that the draft Directive would
reinforce and greatly simplify the operations of law enforcement
agencies, reiterating that the data protection principles would
remain the same and there would still be distinctions in how Member
States transposed the draft Directive.[163]
Her colleague, Marie-Hélène Boulanger, Head of the
Data Protection Unit, added:
We believe that having more common grounds among
Member States and more common understanding about which data protection
requirement conditions will apply to the law enforcement authorities,
especially in the framework of the law enforcement cooperation,
will simplify cooperation between law enforcement authorities,
will foster this cooperation and will also have an important
impact on the efficiency of law enforcement cooperation.[164]
132. During oral evidence, the Information Commissioner's
Office stated:
[W]hen whatever comes from Brussels is applied in
the UK, the Government do have a choice as to what rules they
apply to policing domestically. Even if we are not part of the
Directive for policing domestically, we will still have data protection
law in the UK for domestic policing, just as we do at the moment.
Our position will be that that should be closely aligned to the
Brussels regime, even if it is not mandatory on the UK to follow
that approach, because that makes it easier for individuals and
for us as the regulator. [...]
I think you can align the principles and the basic
operation. I do not think any of the witnesses so far have really
questioned any of the basics. It is the administrative burdens
that go with it that are the problems. I do think we could [...]
take a proportionate approach to how that is applied in the UK
so that the principles are there. It doesn't stop the exchange
of data with Europe because we have different rules, but we don't
necessarily apply all the detailed prescription that has caused
so much concern. [...]
Of course the police have concerns about whether
they are going to be able to do their job across borders, capturing
criminals and so on. There are also very basic questions about
protection for the citizen in their dealings with the police that
arise from data protection law.[165]
133. We understand that the
Directive does not apply to domestic processing by law enforcement
agencies within the UK, and it should be placed beyond doubt that
this is the case. We have noted the evidence of the Association
of Chief Police Officers, that the Directive might nevertheless
impact on the ability of the police to use common law powers to
pass on information in the interests of crime prevention and public
protection, and we believe that it needs to be made clear beyond
doubt that it must not have this effect. We also agree with ACPO
that the Directive, like the Regulation, is unnecessarily prescriptive
about the structures and processes for securing data protection
compliance.
General comments on the draft Directive
134. The MoJ told us it has concerns with the
draft Directive as it was "presently too long and prescriptive,
which we believe will represent a burdensome cost on data controllers
and processors. It may not, therefore, be considered proportionate
or practicable". It would therefore negotiate to remove or
modify the most disproportionate and prescriptive aspects of the
proposal, whilst ensuring that there was always adequate and effective
protection for data subjects.[166]
ACPO told us that due to the burdens contained within
the draft Directive "[t]here is a risk that such an approach
may create barriers which hinder the ability to conduct effective
intelligence analysis or to create excessive burdens on law enforcement
agencies. [...] Affordability should be a feature of proposals
being promulgated against the backdrop of austerity measures within
the public sector".[167]
Ian Readhead, Director of Information, Association of Chief Police
Officers, expanded on this when he appeared before us:
[W]e need to be very clear that the prescriptive
nature of this Directive is, in our view, excessive and is totally
alien to the way in which we provide compliance with the [Data
Protection] Act. [...] The Commission should not be saying, "You've
got to have a data protection officer and this is the role and
function of that data protection officer." What they should
be saying is, "Against the backdrop of the Directive you
should have compliance." How we provide compliance is a matter
for us, because [...] chief constables have looked very carefully
at their structures and we don't have data protection officers
anymore; we have information managers who cover a whole raft of
compliance areas. [...] It is compliance that is critical, not
a bureaucratic process that seeks to say, "These are your
structures."
In addition he said that some of the business processes
stipulated by the Directive would involve significant costs at
a time when public services were seeking to reduce their costs.[168]
135. However, Privacy International considered
that the fundamental rights of individuals to privacy and data
protection had to be taken into account alongside considerations
of burdens to business and administrations. They argued that,
in terms of the Directive, the Commission drafters had failed
in their duty to ensure a high level of data protection for citizens
across the board, and that it required radical improvement.[169]
In addition they argued that the draft Directive would not achieve
its aims, stating:
The rights of the individual are weaker in the case
of the proposed Directive than in the case of the proposed Regulation
and inevitably the transposition of the Directive in the different
nations will result in the very fragmentation that the new Framework
aims to avoid. In addition, these weak provisions in the case
of the Directive have the potential to also undermine individual
rights under the Regulation, in cases where law enforcement authorities
have access to data from private entities. [...] As the result
of these two differing 'legal instruments', the new Data Protection
Framework suffers as a whole, because the original aim of achieving
harmonised and comprehensive data protection rules is not achieved.[170]
In addition, Privacy International raised concerns
that the Directive was not addressed in the 'next steps' section
of the Summary of Responses, despite it requiring "major
surgery in order not to undermine the whole Framework".[171]
Anna Fielder, Trustee and Company Secretary, Privacy International,
told us:
You could align the provisions in the Directive much
more with the provisions in the Regulations. Indeed, in our analysis
of the Directive, we have proposed concrete amendments for this
to happen, and we would very much urge the UK, in the Council
of [Ministers], to lobby and ensure that that happens. We know
also that quite a lot of other Member States are not happy about
the situation because it weakens their domestic Regulations as
well, so I think it is still not too late to achieve some consistency.[172]
136. Françoise
Le Bail, European Commission, told us that the two instruments
had the same data protection principles in common, but whilst
the Regulation would be directly applicable,
the Directive gave Member
States the flexibility to take into consideration their particular
culture and type of legislation, such as the common law in the
UK. She stated:
This is the reason why, although there is a huge
amount of commonality, there are also a number of elements that
are different because the field itself is different. But they
are part of the same exercise, which is to reinforce the rights
of individuals in terms of data protection. [...] We believe that,
by presenting two types of legislation at the same time, we will
fight against this fragmentation but we can also give the necessary
flexibility.[173]
Specific aspects of the draft Directive
137. We highlight here some specific aspects
of the Directive as it is currently drafted that witnesses have
particularly commented on. A number of issues are broadly covered
by similar aspects of the draft Regulation, which we comment on
in chapter 2 of this Report.
DOMESTIC PROCESSING
138. The draft Directive extends the scope of
EU law to cover domestic processing, that is, processing purely
between domestic authorities
with no cross-border element, for example between the Metropolitan
Police and West Midlands Police.
The MoJ's written evidence stated:
Consultation with key stakeholders in the field of
law enforcement and judicial cooperation has uncovered no evidence
that the current lack of EU rules in this area has obstructed
co-operation between Member States; or had detrimental impacts
on [...] the protection of individuals. Indeed, we think that
introducing prescriptive requirements for domestic processing
may instead have a detrimental effect on law enforcement operations,
placing onerous burdens on data controllers and huge costs on
public authorities without delivering better data protection
for individuals.[174]
139. However, as explained in paragraphs 124-126,
the Government are confident that domestic processing will only
apply to the UK in the limited circumstances where processing
is being carried out pursuant to an EU measure which binds the
UK. The Government have explained it will seek to negotiate to
remove domestic processing from the Directive for all Member States
as a matter of policy,[175]
because it does not consider domestic processing to be an area
that should be regulated at the EU level.[176]
140. David Smith, Deputy Commissioner and Director
of Data Protection, Information Commissioner's Office told us:
Even if we are not part of the Directive for policing
domestically, we will still have data protection law in the UK
for domestic policing, just as we do at the moment. Our position
will be that that should be closely aligned to the Brussels regime,
even if it is not mandatory on the UK to follow that approach,
because that makes it easier for individuals and for us as the
regulator.[177]
141. In oral evidence the European Commission
explained why it believed it was now appropriate to include domestic
processing under EU legislation. Françoise
Le Bail told us:
[...] the framework decision doesn't cover domestic
processes. From all the contacts we had, having consulted very
widely for two years before putting forward these proposals, we
realised from all the stakeholders we were in touch with that
it is increasingly difficult to make a distinction between the
data that is domestically processed and the data that is not.
For the enforcement authorities themselves, this has become a
great difficulty and, paradoxically, it has become an admin burden
to make this distinction. We thought, having consulted widely,
that this was the time to include domestic processing in it, again
to create consistency in the overall regime in the same way it
is done for the Regulation and, for that matter, for the current
Directive.[178]
Her colleague, Marie-Hélène Boulanger,
Head of the Data Protection Unit, European Commission, explained
why domestic processing was not included in the Framework Decision
2008:
the framework decision is [...] a pre-Lisbon
instrument, which means that the way it was adopted [differed
from the proposed] Directive. [...] [I]n order to get the consensus
of all Member States at that time, it was necessary to exclude
domestic processing. What I have been told by my colleagues who
were there is that it was not a majority that was against it;
it was the way to get a consensus on this text.[179]
142. However, Lord McNally maintained that the
position of the UK - shared with allies among other Member States
- was that the draft Directive should not apply to domestic processing
and the Government would be negotiating for its removal in order
to achieve "the best outcome for the Directive as a whole".
He added, "[i]t is almost a belt-and-braces approach. We
are securing our own position but we want to argue the case for
keeping these matters to domestic control across the Community
or the Union".[180]
143. The Government argues that
the current lack of EU legislation on domestic processing has
not obstructed cooperation between Member States, but the European
Commission argues that it does cause difficulties for a number
of Member States. We call on the Government to explain further
why they are opposed to domestic processing for other Member States,
given the current position that it will not apply to the UK, and
to clarify what impact the changes would have on cooperation with
the UK.
RIGHT TO ERASURE
144. The draft Directive differs from the draft
Regulation in that it does not include the "right to be forgotten".
It does contain a right for data subjects to demand the erasure
of their personal data if it does not conform with the data
protection principles, and they will now be able to make this
demand directly to the data controller.[181]
OBLIGATION TO APPOINT DATA PROTECTION OFFICERS
145. Article 30 of the draft Directive states
that data controllers will be obligated to designate data protection
officers (DPOs), all of whom must have "professional qualities"
and "expert knowledge of data protection law and practices".
The proposed Directive prescribes a list of eight tasks that the
DPO will have to fulfil, including monitoring the documentation
kept by processors and controllers, monitoring the implementation
of data protection policies and consulting with the supervisory
authority.[182]
146. The Association of Chief Police Officers'
written evidence stated:
The prescriptive nature of [...] the [...] Directive
is evidenced again with regard to the proposals concerning the
designation of Data Protection Officers. As a matter of principle,
the focus should be upon compliance not how an organisation structures
itself in order to deliver compliance. At present appointed Data
Protection Officers are not consistent with information management
regimes contained within the Police Service. As part of the austerity
programme, roles have been converged which often cover a range
of portfolio responsibilities focused upon Freedom of Information,
Data Protection and security. This does not mean that we have
lost our focus upon adhering to the legislation but we have made
management decisions on how best to deliver our compliance strategy.[183]
Ian Readhead, ACPO's Director of Information, expanded
on this point when he gave oral evidence to the Committee. He
highlighted that administrative burdens such as these would
be disproportionately heavy on smaller forces "because those
smaller forces are the ones that have recruited one person to
undertake a number of [...] roles. The concept that you wind the
clock back to having a data protection officer is just inconsistent
with the way in which you provide compliance with the legislation".[184]
His ACPO colleague, Merilyne Knox, Head of Public Access Office,
Metropolitan Police, explained:
One facet of my role is as a data protection officer.
I take on multiple portfolios with regard to information management,
and it is important that is maintained because, in order to come
to an informed judgment regarding how the police force should
manage its information, it should have due regard to all the information
management legislation, codes of practice and so on.[185]
BI-LATERAL AND MULTI-LATERAL AGREEMENTS
147. The MoJ's written evidence sets out its
policy position, that bi-lateral and multi-lateral agreements
existing at the time the Directive is adopted should not be subject
to renegotiation under the Directive. It argued that there are
numerous international data sharing agreements in place which
would require renegotiation under the provisions of the Directive.[186]
148. We asked the Information Commissioner's
Office what they thought the impact of renegotiating these agreements
might be. David Smith, Deputy Commissioner, answered:
Those bilateral treaties have, presumably for the
most part, been entered into under our current data protection
regime and should respect the requirements under that regime.
As we said, the principles under the new regime are very similar
so, if those bilateral agreements meet the current requirements,
they won't necessarily fail to meet the new requirements. A process
of review is required, but our understanding is that there are
very many of these bilateral agreements. We believe that the Ministry
of Justice have developed a catalogue of these; so they may be
able to advise in more detail. But, clearly, those sorts of agreements
should be consistent with whatever the new legal regime is and
so a review at the very least would be needed.[187]
The Committee's opinion
149. From the point of view
of the data subject, the draft Directive provides a weaker level
of data protection in comparison to the draft Regulation. We recognise
the significant differences in the handling of sensitive personal
data by law enforcement authorities, but in a number of respects
this lower level of protection does not appear justifiable. During
negotiations, the Government should seek to amend the draft Directive
so that data protection principles are as consistent as possible
across both EU instruments. This will additionally ensure that
the rights set out in the Lisbon Treaty are upheld.
150. The Government's position
is that the Directive will have limited application to the UK,
due to Article 6a of Protocol 21 of the Treaty on the Functioning
of the European Union. If this is the case, we believe it will
be beneficial to the UK as law enforcement authorities will not
be bound by over-prescriptive measures contained within the Directive.
This would also mean that EU law will not apply to the domestic
processing of data, such as between police forces. Domestic processing
for criminal justice matters will continue to be covered by the
Data Protection Act 1998.
151. To answer the European
Scrutiny Committee's specific question to us:
As currently drafted, the Directive
does not sufficiently protect personal data. In particular, the
level of data protection is not to the same standard as that contained
in the draft Regulation which covers general data protection matters.
We are concerned that it should be clear that domestic processing
of data within the UK by law enforcement agencies will not be
covered or restricted by the Directive, and it should also be
clear that Member States have the flexibility to implement the
Directive in ways which achieve its purposes through processes
which are appropriate and proportionate in the national context.
133 Ministry of Justice, Summary of Responses: Call
for Evidence on Proposed EU Data Protection Legislative Framework,
28 June 2012, page 8
134 Ministry of Justice, Explanatory Memorandum - Directive 5833/12,
para 4
135 Q 1
136 Q 109
137 5834/12, Report from the Commission to the European Parliament,
the Council, the European Economic and Social Committee and the
Committee of the Regions based on Article 29 (2) of the Council
Framework Decision of 27 November 2008 on the protection of personal
data processed in the framework of police and judicial cooperation
in criminal matters
138 Ibid, page 8
139 5833/12, page 2
140 Q 76
141 Ministry of Justice, Explanatory Memorandum - 5833/12,
page 6
142 Ibid, para 21
143 Ibid, para 5
144 Ministry of Justice, Explanatory Memorandum - Directive 5833/12,
para 6
145 "EDPS welcomes a 'huge step forward for data protection in
Europe', but regrets inadequate rules for the police and justice
area", European Data Protection Supervisor press release,
25 January 2012
146 Ev 46
147 Information Commissioner's Office, Initial analysis of the
European Commission's proposals for a revised data protection
legislative framework, 27 February 2012, page 30
148 Ev 50
149 Ev 55
150 Q 72
151 5833/12 ADD 1. Impact Assessment accompanying the document, European
Commission, page 95
152 Ministry of Justice, Summary of Responses: Call for Evidence
on Proposed EU Data Protection Legislative Framework, 28 June
2012, page 66: Directive - Checklist for analysis on EU proposals
153 Ministry of Justice, Summary of Responses: Call for Evidence
on Proposed EU Data Protection Legislative Framework, Directive
- Checklist for analysis on EU proposals - ANNEX A: ASSESSMENT
OF IMPACTS, paras 4-7, 28 June 2012
154 Ministry of Justice, Explanatory Memorandum - Directive 5833/12,
paras 10-12
155 Ministry of Justice, Summary of Responses: Call for Evidence
on Proposed EU Data Protection Legislative Framework, Directive
- Checklist for analysis on EU proposals - ANNEX A: ASSESSMENT
OF IMPACTS, para 15, 28 June 2012
156 HC Deb, 24 April 2012, col 890
157 Oral evidence taken before the European Scrutiny Committee on
11 July 2012, HC (2012-13) 528-i, Q 30 [Mr Blunt]
158 Ministry of Justice, Summary of Responses: Call for Evidence
on Proposed EU Data Protection Legislative Framework, Directive
- Checklist for analysis on EU proposals - ANNEX A: ASSESSMENT
OF IMPACTS
159 Ev 36
160 Ev 38
161 Q 7
162 Qq 8-9
163 Q 73
164 Q 74
165 Qq 32-33
166 Ev 52
167 Ev 37
168 Q 3
169 Ev 49
170 Ev 51
171 Ibid.
172 Q 52
173 Q 71
174 Ev 53
175 Ibid.
176 Ev 52
177 Q 32
178 Q 76
179 Q 77
180 Qq 103-104
181 Ministry of Justice, Explanatory Memorandum - Regulation 5853/12,
para 29
182 Ministry of Justice, Summary of Responses: Call for Evidence
on Proposed EU Data Protection Legislative Framework, Directive
- Checklist for analysis on EU proposals - ANNEX A: ASSESSMENT OF
IMPACTS, para 53, 28 June 2012
183 Ev 36
184 Q 4
185 Q 5
186 Ev 54
187 Q 34