Documents considered by the Committee on 13 November 2017 Contents

25Developing interoperable EU information systems to enhance border management and security

Committee’s assessment

Politically important

Committee’s decision

Not cleared from scrutiny; further information requested; drawn to the attention of the Home Affairs Committee and the Committee on Exiting the European Union

Document details

Commission Communication: Seventh progress report towards an effective and genuine Security Union

Legal base

Department

Home Office

Document Number

(38726), 9348/17, COM(17) 261

Summary and Committee’s conclusions

25.1This Communication is the seventh in a series of monthly reports tracking the progress made in implementing a range of policy initiatives first set out in the Commission’s European Agenda on Security in May 2015 and supplemented a year later by a roadmap of measures to establish “an effective and genuine Security Union”. The concept of a Security Union has developed against a backdrop of terrorist attacks in some Member States, unprecedented pressures at the EU’s external borders, and a growing awareness that “the internal security of one Member State is the internal security of all Member States”.376 The aim is to develop the collective capacity of the EU and Member States to respond to threats to their security by establishing an effective framework and tools for cross-border cooperation and information sharing and preventing intelligence gaps.

25.2The EU has a number of information systems which are intended to enhance external border management and internal security. The Commission wants these systems to work better together so that border guards, customs officials, police and other law enforcement authorities are able to access the information they need when they need it. It believes that the current framework governing EU information systems is fragmented:

“Information is stored separately in various systems that are rarely inter-connected. There is inconsistency between databases and diverging access to data for relevant authorities. This can lead to blind spots notably for law enforcement authorities, as it may be very difficult to recognise connections between data fragments. It is therefore necessary and urgent to work towards integrated solutions for improved accessibility to data for border management and security, in full compliance with fundamental rights. For that, there is a need to initiate a process towards the interoperability of existing information systems.”377

25.3In its Communication, Stronger and Smarter Information Systems for Border Security published in April 2016, the Commission set out a process for achieving interoperable information systems. It established a high level group of experts drawn from Member States, Schengen-associated countries and EU institutions and agencies to identify shortcomings and information gaps in existing EU information systems and to report on the legal, technical and operational means available to make them interoperable. The expert group published its final report and recommendations in May, along with contributions by the EU Fundamental Rights Agency, the European Data Protection Supervisor and the EU Counter-Terrorism Coordinator.378

25.4The Commission’s response to the work of the expert group is set out in its latest Communication tracking the progress made in developing the Security Union. The Commission says it will seek to ensure that all centralised EU information systems for security, border and migration management are made interoperable and intends to present a legislative proposal on interoperability “as soon as possible”.379 The EU agency responsible for managing large-scale information systems in the justice and home affairs field—eu-LISAwill be given the task of making these systems interoperable by 2020. The EU Commissioner for the Security Union (Julian King) believes that the Commission’s approach “sets out a targeted and intelligent way of using the existing data to best effect”, adding:

“What we propose would be a step-change in the way we manage data for security, helping national authorities [to] better address transnational threats and detect terrorists who act across borders.”380

25.5At their meeting in June, EU Justice and Home Affairs Ministers endorsed the approach set out in the Communication and invited the Commission to bring forward legislative proposals on interoperability in early 2018, with a particular focus on:

25.6EU leaders have also called on the Commission to prepare draft legislation enacting the proposals made by the expert group on interoperability “as soon as possible”.382

25.7The Commission envisages holding further technical discussions with the European Parliament and the Council in the autumn which will focus on the operational needs of EU border management and security systems, proportionality and compliance with fundamental rights. Its goal is to reach a “common understanding” before the end of 2017 on the steps that need to be taken to achieve interoperable information systems by 2020.

25.8The Security Minister (Mr Ben Wallace) says that the UK supported the Conclusions on interoperability agreed by EU Justice and Home Affairs Ministers in June and notes that they included “calls for further work on Schengen to non-Schengen data sharing”. Whilst recognising the potential to make the exchange of data within the EU more efficient, he underlines the need for a through examination of any proposals put forward by the Commission to test whether they offer “value for money” and genuine efficiencies for UK law enforcement agencies in searching data before deciding on UK participation.

25.9The Minister also highlights the UK’s active role in developing a set of Conclusions on EU External Action on Counter-Terrorism which were agreed by EU Foreign Ministers in June.383 His Explanatory Memorandum includes the following standard paragraph setting out the Government’s position in the period leading up to the EU’s exit from the EU:

“On 23 June, the EU referendum took place and the people of the United Kingdom voted to leave the European Union. Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period the Government will continue to negotiate, implement and apply EU legislation.”384

25.10The Minister provides no analysis of how the UK’s departure from the EU will affect its ability to cooperate with the EU and its Member States in tackling cross-border crime and security threats. Last November, the then Minister for Policing and Fire Services (Brandon Lewis) told our predecessors:

“The Home Office is looking at all areas of law enforcement and security cooperation to assess what capabilities EU measures deliver and considering the options for what that future relationship on law enforcement and security might look like. The Government has made clear that the UK will not be replicating any other nation’s model and any future relationship will be agreed in the context of the wider exit negotiations. It would be wrong to pre-empt the outcome of those negotiations and the operational impact these may have on specific areas of law enforcement cooperation. However, cooperation in this area remains a top priority—whilst we remain a member of the EU and when we leave.”385

25.11We ask the Minister to share with us the Government’s assessment of the capabilities delivered by EU asylum, border management and security information systems and the priority it attaches to securing access to each system on leaving the EU.

25.12The Commission Communication draws heavily on the findings of the report published by the high level expert group on information systems and interoperability which includes observations by the EU Counter-Terrorism Coordinator, the European Data Protection Supervisor and the EU Fundamental Rights Supervisor.

25.13The EU Counter-Terrorism Coordinator (Gilles de Kerchove) states that “a paradigm shift in the way we deal with information systems” is necessary, adding:

“Given the threat picture, the current fragmentation of EU databases and the separation of border security, migration and counter-terrorism purposes of databases no longer reflect reality.”386

25.14The European Data Protection Supervisor (“EDPS”—Giovanni Buttarelli) offers a more cautious view, describing the Commission’s vision of interoperability as “ambitious” and entailing “a fundamental change to the current architecture of large-scale IT systems”. He makes clear that “a proper information security analysis” will be necessary before implementing any changes that might endanger the security of all systems and also underlines the need for “a more consistent, coherent and comprehensive legal framework”. Whilst he expresses “no major concerns” with the proposed European search portal, provided it complies with rules on purpose limitation and access rights, he indicates that the proposed biometric matching service will require further “careful analysis” and that the proposed common repository of identity data raises “serious” data protection issues. He makes clear that “merging information from databases should not automatically lead to the merger of their objectives, conditions of processing and access management”.387

25.15In a similar vein, the EU Fundamental Rights Agency states that “any interoperable solution or solutions selected for EU information systems will need to be designed in a manner which does not unduly affect core data protection principles”. Safeguards will therefore be needed to ensure the quality of the information stored in the systems and the purposes for which it may be processed, as well as to prevent unauthorised access and unlawful sharing with third parties. The Agency makes clear that safeguards will also be needed “to ensure that the rules on sharing of data with third countries as laid down in the individual legal instruments are adhered to in the case of interoperability”.

25.16These observations demonstrate that the Commission’s vision of interoperable EU information systems by 2020 is much more than a technical exercise. Does the Minister agree with the EDPS that it would constitute “a fundamental change to the current architecture” of EU information systems? Does he consider that such a “paradigm shift” is necessary? What are the key safeguards that would be needed to ensure that individual rights are protected?

25.17We note that the UK will be a third country once it leaves the EU. We ask the Minister what assessment the Government has made of the provisions on third country access contained in the main EU data sharing instruments. Does he anticipate that the Commission’s goal of making the EU’s centralised information systems interoperable by 2020 will make it more or less difficult for the UK to negotiate access to those systems (should it wish to do so) as part of the UK’s exit negotiations?

25.18Pending further information, the Communication remains under scrutiny. We draw this chapter to the attention of the Home Affairs Committee and the Committee on Exiting the European Union.

Full details of the documents

Commission Communication: Seventh progress report towards an effective and genuine Security Union: (38726), 9348/17, COM(17) 261.

Background

25.19Our earlier Report listed at the end of this chapter provides an overview of existing EU information systems in the justice and home affairs field. Some are centralised at EU level with national interfaces in each participating Member State; others operate through a decentralised network of national information systems.

25.20The most important centralised EU information systems are the Schengen Information System (used for border management and law enforcement purposes), the Europol Information System (a criminal information and intelligence database), the Visa Information System (containing data on applicants for short-stay visas) and the Eurodac database (containing the fingerprints of asylum applicants). Proposals for two new centralised EU information systems are under negotiation. The proposed EU Entry-Exit System would record entry and exit data for all third country nationals travelling to and from the Schengen area. The proposed European Travel Information and Authorisation System (ETIAS) would gather advance information on individuals who do not require a visa to travel to the Schengen area. Both are expected to be operational by 2020.

25.21The most important decentralised EU information systems are “Prüm”, which provides for the exchange of DNA, fingerprints and vehicle registration data, systems for collecting Passenger Name Record (PNR) data and Advance Passenger Information (API), and the European Criminal Records Information System (ECRIS) which enables the sharing of information on criminal convictions recorded against EU citizens. In addition to these decentralised EU systems, Interpol maintains a global database of stolen and lost travel documents which member countries are able to search.

25.22None of the EU’s existing information systems are interconnected. The Commission Communication on Stronger and Smarter Information Systems for Borders and Security identified shortcomings in the functionalities of the systems (what they can do), gaps in the information they collect, and complexity and fragmentation resulting from “the various institutional, legal and policy contexts in which the systems have been developed”.388 So, for example, the purposes for which an information system may be used depend on the scope of the EU Treaty provisions on which it is based—an expansion of the scope of existing systems will in most cases require the addition of further legal bases. Moreover, not all Member States are connected to all EU information systems. The UK participates in all the decentralised EU information systems—Prüm, PNR, API and ECRIS. As, however, the UK is outside the Schengen free movement area, it is unable to participate in EU systems which are a development of the Schengen rule book on visas and border controls. The UK is therefore excluded from VIS, those parts of the Schengen Information System dealing with border control, and new proposals establishing an EU Entry/Exit System and the ETIAS. The UK participates fully in Eurodac, Europol and in those parts of the Schengen Information System dealing with law enforcement.

The Commission Communication

25.23The Commission makes clear at the outset that any strengthening of EU information systems must comply with the EU Charter of Fundamental Rights and EU data protection rules. Since publishing its earlier Communication, Stronger and Smarter Information Systems for Borders and Security in April 2016, the Commission has taken action in three areas.

25.24First, the Commission has encouraged Member States to make full use of existing EU information systems whilst proposing a number of changes to strengthen the Schengen Information System, transform the Eurodac asylum database into a broader tool for combating irregular migration and extend the scope of ECRIS to include information on the offending history of third country (non-EU) nationals in the EU. The changes proposed remain under negotiation.389 The Commission expects to present a supplementary ECRIS proposal in June 2017 to establish a centralised system for the exchange of criminal record information on third country nationals.390 It also intends to task eu-LISA with implementing its proposals on the interoperability of centralised EU information systems for security, border and migration management.391 The Commission makes clear that it will continue to focus on the full implementation and application of existing EU information systems and examine ways to improve their functioning and effectiveness.

25.25Second, the Commission’s proposals to establish an EU Entry/Exit System and a European Travel Information and Authorisation System (ETIAS) by 2020 are intended to fill “significant information gaps” on third country nationals crossing the EU’s external borders. The Commission urges the Council and European Parliament to conclude negotiations before the end of 2017.

25.26The third strand of work concerns the interoperability of EU information systems. The Commission explains that a high level group of experts was invited to address the legal, technical and operational challenges of four possible options:

25.27The Commission welcomes the final report of the expert group and says it will take forward work on three of the four options considered by the group: a European search portal (the single search interface), a shared biometric matching service and a common identity repository containing biographical data such as name, date of birth and gender. It says that this approach would not lead to the interconnectivity of all EU information systems and accepts that the fourth option—interconnected information systems—should only be considered on a case-by-case basis, adding that the proposed EU Entry/Exit System includes provision for automatic consultation of VIS in the interests of “data minimisation and data consistency”. The Commission makes clear that each information system must keep its specific data protection provisions, “with specific rules on access for competent authorities, separate purpose limitation rules for each category of data and dedicated data retention rules”.392

25.28Following recent changes to the Schengen Borders Code, Member States are required to run a check against relevant databases (principally the Schengen Information System and Interpol’s Stolen and Lost Travel Documents database) each time an EU citizen enters or leaves the Schengen area. The expert group recommended further analysis of the feasibility and proportionality of systematically recording the time and place of these external border crossings by EU citizens to help reconstruct the travel history of individuals suspected of criminal or terrorist activity. The Commission rejects this recommendation on the grounds that it is neither necessary nor proportionate, but leaves the door ajar should circumstances change. It will, however, consider the need for a centralised EU repository of information on long-stay visas, residence permits and residence cards to assist Member States in checking their validity. The Commission also says it will explore the technical, operational and legal aspects of interoperability with EU customs information systems.

25.29The Commission considers that there is scope to streamline the rules on law enforcement access to different EU information systems and has been tasked by the Council’s Committee of Permanent Representatives to the EU (COREPER) with developing a comprehensive framework which ensures “consistency, effectiveness and attention to operational needs”.393

25.30The Commission envisages eu-LISA playing “a crucial role” in ensuring the interoperability of EU information systems and a high level of data quality and intends to propose legislation to strengthen its mandate in June.394 It will also present a legislative proposal on interoperability “as soon as possible”, following a public consultation, which will include an assessment of the impact on fundamental rights and data protection, and a proposal to revise the legal base of the Visa Information System. The Commission makes clear that the effective implementation of interoperability depends on securing “stable” legal bases for all relevant EU information systems.

25.31The Commission Communication concludes with a brief overview of the progress being made on other aspects of the Security Union. The main developments include:

The Minister’s Explanatory Memorandum of 13 July 2017

25.32The Minister notes that the Conclusions agreed by Justice and Home Affairs Ministers in June called for progress on the following three priorities set out in the final report of the High Level Expert Group (“HLEG”) :

25.33He continues:

“We support the Conclusions, which include calls for further work on Schengen to non-Schengen data sharing and reiterate the key point that information should not be shared between EU systems without the agreement of the Member State that provided it.

“The HLEG proposals have the potential to make the exchange of data within the EU more efficient. The Government would need to extensively examine any practical proposals in order to identify how any new systems would function in practice. We would then assess if these new systems would make UK law enforcement agencies’ searching of data more efficient and if it would represent value for money before making a decision on if the UK would join the new systems.”398

25.34The Minister also expresses the Government’s support for Conclusions on EU External Action on Counter-Terrorism which were agreed at the June Foreign Affairs Council:

“The Conclusions highlight EU efforts in countering terrorism and violent extremism. In particular, the Conclusions call for further work on strengthening cooperation with key strategic partner countries and organisations, increasing engagement in the field of Preventing and Countering Violent Extremism, and supporting Communication Service Providers and industry to increase their efforts to address online recruitment and radicalisation. Additionally the Conclusions were supportive of the ongoing work on foreign terrorist fighters, calling for greater sharing of information and experience, as well as stressing the need to improve aviation security standards in priority third countries. The UK was fully engaged in negotiating the Conclusions and we are supportive of them.”399

25.35Turning to the other areas mentioned in the Commission Communication, the Minister:

25.36The Minister notes that Member States are preparing to implement the EU PNR Directive and that the High Level Expert Group has recommended a feasibility study on developing a centralised system to facilitate connectivity with air carriers. He continues:

“The UK has, over ten years, developed its national capability to acquire and process air passenger data through direct connectivity with airlines—and is not intending to alter that approach.

“The implementing decision adopted by the Commission on common protocols and data formats that air carriers may use when transferring passenger name record data to Member States’ Passenger Information Units has drawn upon both established international standards and some data formats and non-proprietary protocols that are not used widely. The established international standards for transmission protocols and data formats are already being used by airlines transferring data to the UK Passenger Information Unit (the National Border Targeting Centre).”404

25.37He confirms that the Council agreed a general approach on the ETIAS in June and that the Commission has put forward a related proposal to amend the Europol Regulation so that Europol can create and host a new ETIAS “watchlist”. This proposal is subject to the UK’s Title V (justice and home affairs) opt-in.

Previous Committee Reports

None on this document, but see our predecessors’ earlier Report on the Commission Communication on Stronger and Smarter Information Systems for Borders and Security: Third Report HC 71–ii (2016–17), chapter 27 (25 May 2016).


376 See p.3 of the Commission Communication: Delivering on the European Agenda on Security to fight against terrorism and pave the way towards an effective and genuine Security Union; HC 71–ii (2016–17), chapter 29 (25 May 2016).

377 See p.4 of the Commission Communication: Stronger and Smarter Information Systems for Border Security; Third Report HC 71–ii (2016–17), chapter 27 (25 May 2016).

378 See the final report of the High-level expert group on information systems and interoperability published in May 2017.

379 The relevant EU information systems are the Schengen Information System, the Visa Information System, Eurodac, the proposed EU Entry/Exit System, the proposed European Travel Information and Authorisation System and the proposed European Criminal Records Information System (for the criminal records of third country nationals only).

380 See the European Commission’s press release of 16 May 2017 on the seventh report on progress made towards an effective and genuine Security Union.

381 See the Conclusions on improving information exchange and ensuring the interoperability of EU information systems agreed by the Justice and Home Affairs Council on 8 June 2017.

382 See the Conclusions agreed by the European Council on 23 June 2017.

383 See the Conclusions agreed by the Foreign Affairs Council on 19 June 2017.

384 See para 14 of the Minister’s Explanatory Memorandum.

385 See the Minister’s letter of 22 November 2016 to the Chair of the European Scrutiny Committee.

386 See pp.52–4 of the report.

387 See pages 49 and 51 of the report.

388 See p.4 of the Commission Communication: Stronger and Smarter Information Systems for Borders and Security; Third Report HC 71–ii (2016–17), chapter 27 (25 May 2016).

389 See our Reports on the Schengen Information System: Thirtieth Report HC 71–xviii (2016–17), chapter 1 (1 February 2017); Eurodac: Sixth Report HC 71–iv (2016–17), chapter 2 (15 June 2016), Twenty-fifth Report HC 71–xxiii (2016–17), chapter 8 (11 January 2017); Thirty-fourth Report HC 71–xxxiii (2016–17), chapter 6 (8 March 2017); and ECRIS: Twenty-fourth Report HC 342–xxiii (2015–16), chapter 10 (24 February 2016), Fourth Report HC 71–iii (2016–17), chapter 6 (8 June 2016), Fourteenth Report HC 71–xii (2016–17), chapter 4 (19 October 2016) and Twenty-second Report HC 71–xx (2016–17), chapter 8 (7 December 2016).

390 See chapter 22 (38886) of this Report.

391 See chapter 20 (38878) of this Report.

392 See p.8 of the Communication.

393 See p.8 of this Communication.

394 See chapter 26 (38882) of this Report.

395 On the new Europol Regulation, see Nineteenth Report HC 71–xvii (2016–17), chapter 1 (23 November 2016). On the Europol/Denmark agreement, see Thirty-second Report HC 71–xxx (2016–17), chapter 16 (22 February 2017); our Thirty-fifth Report HC 71–xxxiii (2016–17), chapter 12 (15 March 2017); and Thirty-ninth Report HC 71–xxxvii (2016–17), chapter 8 (19 April 2017).

396 See Twenty-sixth Report HC 71–xxiv (2016–17), chapter 13 (18 January 2017) which includes links to our earlier Reports on the proposed Directive.

397 See para 27 of the Minister’s Explanatory Memorandum.

398 See paras 29–30 of the Minister’s Explanatory Memorandum.

399 See para 31 of the Minister’s Explanatory Memorandum.

400 See para 19 of the Minister’s explanatory Memorandum.

401 See para 20 of the Minister’s Explanatory Memorandum.

402 See para 21 of the Minister’s Explanatory Memorandum.

403 See para 22 of the Minister’s Explanatory Memorandum.

404 See paras 23–4 of the Minister’s Explanatory Memorandum.




20 November 2017