Documents considered by the Committee on 28 February 2018 Contents

9Interoperable EU information systems for security, border control and migration management

Committee’s assessment

Legally and politically important

Committee’s decision

(a) Cleared from scrutiny

(b) and (c) Not cleared from scrutiny; further information requested; drawn to the attention of the Home Affairs and the Justice Committees and the Committee on Exiting the European Union

Document details

(a) Commission Communication: Twelfth progress report towards an effective and genuine Security Union;

(b) Proposal for a Regulation establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration);

(c) Proposal for a Regulation establishing a framework for interoperability between EU information systems (borders and visas)

Legal base

(a)—

(b) Articles 16(2), 74, 78(2)(e), 79(2)(c), 82(1)(d), 85(1), 87(2)(a) and 88(2) TFEU, ordinary legislative procedure, QMV

(c) Articles 16(2), 74, 77(2)(a), (b), (d) and (e) TFEU, ordinary legislative procedure, QMV

Department

Home Office

Document Numbers

(a) (39380), 15861/17, COM(17) 779; (b) (39366), 15729/17 + ADDs 1–3, COM(17) 794; (c) (39368), 15119/17 + ADDs 1–3, COM(17) 793

Summary and Committee’s conclusions

9.1The EU has developed various information systems to strengthen controls at the external Schengen border, improve the way in which asylum and migration are managed and enhance internal security. These systems were developed for specific purposes and do not work together effectively, creating information gaps and “blind spots” which terrorists have been able to exploit. Since 2016, the Commission has been developing proposals to make existing and planned new EU information systems interoperable so that information can be shared more rapidly. The Commission Communication—document (a)—describes the progress made in three areas:

9.2The Communication is accompanied by two proposed Regulations which seek to implement the recommendations made in May 2017 by a high-level expert group on information systems and interoperability.132 The first—document (b)—covers two existing EU information systems (the Eurodac asylum database and the police cooperation parts of the Schengen Information System—SIS II) and one new EU information system which is expected to be agreed shortly (the European Criminal Records Information System for Third Country Nationals—ECRIS-TCN). The UK participates in Eurodac and SIS II and has opted into the proposed ECRIS-TCN information system. The second—document (c)—covers existing or proposed new EU information systems in which the UK is unable to participate as they are based on parts of the Schengen rule book dealing with border control and visas which do not apply to the UK.

9.3The aim of the proposed Regulations is to ensure that police and immigration officers “have the right information at the right time to do their job”.133 According to the Commission’s First Vice-President (Frans Timmermans):

“Speed counts when it comes to protecting our citizens against terrorism and saving lives. At this moment our EU information systems for security and border management are working separately which slows down law enforcement. With our proposal they will become fully interoperable. That means that law enforcement anywhere in the EU will be able to work directly and instantly with all the available information.”134

9.4The Commission makes clear that interoperability “does not mean pooling all data or collecting additional categories of information”. Nor would it allow information held in one system automatically to be shared across all other systems. Rather, “interoperability is about a targeted and intelligent way of using existing data to best effect while at the same time ensuring full respect of fundamental rights, in particular data protection requirements”.135 The Commission anticipates that it may take until the end of 2023 to develop and test all the technical components needed to make EU border, migration and security information systems interoperable.136

9.5The Minister for Policing and the Fire Service (Mr Nick Hurd) tells us:

“Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period the Government will continue to negotiate, implement and apply EU legislation.”137

9.6He explains that the proposed Regulation on the interoperability of EU asylum and law enforcement information systems—document (b)—is subject to the UK’s Title V (justice and home affairs) opt-in Protocol and the UK’s Schengen opt-out Protocol. This means that if the Government wishes to participate, it will need to opt in to the non-Schengen elements of the proposal—Eurodac and ECRIS-TCN—within the three-month opt-in deadline which will expire on 21 May. The UK will be automatically bound by the Schengen elements of the proposal—SIS II—unless the Government decides to opt out within the same three-month period.

9.7The Minister anticipates that the Commission’s interoperability proposals will require “significant investment and technical changes”. Whilst he broadly supports the Commission’s aims, he says that the Government will need to consider whether the “additional benefits” for the UK and the “likely level of usage” by UK law enforcement and immigration officials are sufficient to justify “the high costs”.138

9.8These are highly technical proposals but their impact could be far-reaching if they achieve the Commission’s goal of closing information gaps and removing the blind spots which hinder effective cross-border security cooperation. Our focus at this stage is on:

The impact of interoperability on individual rights

9.9The Commission’s legislative proposals are based on recommendations made last May by the High-Level Expert Group on Information Systems and Interoperability. Commenting on these recommendations, the EU Counter-Terrorism Coordinator (Gilles de Kerchove) underlined the need for “a paradigm shift in the way we deal with information systems”, adding:

“Given the threat picture, the current fragmentation of EU databases and the separation of border security, migration and counter-terrorism purposes of databases no longer reflect reality.”139

The European Data Protection Supervisor (“EDPS”—Giovanni Buttarelli) adopted a more cautious approach, describing the Commission’s vision of interoperability as “ambitious” and entailing “a fundamental change to the current architecture of large-scale IT systems”. He indicated that the proposed biometric matching service would require further “careful analysis” and that the proposed common repository of identity data raised “serious” data protection issues. The EU Fundamental Rights Agency made clear that “any interoperable solution or solutions selected for EU information systems will need to be designed in a manner which does not unduly affect core data protection principles”.140

9.10Now that the Commission has published its proposals on interoperability, we ask the Minister:

UK participation in document (b)

9.11The UK is only entitled to participate in document (b). The Minister indicates that the main factors informing the Government’s decision on participation are the prospective additional benefits that interoperable information systems would bring the UK set against the “high costs”. Both factors are contingent on the timetable for adopting and implementing the proposals and the outcome of negotiations on a post-exit transitional/implementation period. The Commission originally envisaged making EU security, border and migration information systems interoperable by 2020. The proposals indicate that it may take until 2023 for these systems to be fully interoperable, making any benefits for the UK highly uncertain. We ask the Minister:

9.12If the Government decides not to participate in document (b), the Minister says it will be important to ensure that “non-participation does not preclude individual access to the information systems that the UK is currently participating in”.141 We ask him whether he considers that a decision not to participate might put the UK at risk of being ejected from these systems.

Brexit implications

9.13We do not consider that it is feasible to disentangle the Government’s decision on participation in document (b) from its longer-term aspiration for a post-exit strategic treaty on security and law enforcement cooperation. The Minister recognises that participation in document (b) would entail “significant investment and technical changes”. It is difficult to see how the Government could justify making a substantial investment unless it intends to negotiate continued UK participation in EU security and migration information systems post-exit. We ask the Minister to:

9.14We note that the bulk of funding to implement the proposals would come from the EU’s post-2020 budget and would be allocated to the EU agency (eu-LISA) responsible for delivering interoperable systems. If the UK were to participate in document (b) beyond a transitional period ending in December 2020, it would doubtless be required to make a financial contribution for several years beyond 2020 but would have no say in setting the overall expenditure limits. We ask the Minister what assessment he has made of the potential costs for the UK after 2020.

9.15Except for the Schengen Information System, the remaining five information systems covered by the Commission proposals focus exclusively on third country (non-EU) nationals, meaning that their impact on British citizens will differ before and after Brexit. The Minister considers that the Commission proposals increase the functionality of the underlying systems and so do not constitute a “fundamental change”. It is clear, however, that substantially more data on British citizens will be held on EU information systems post-exit than is currently the case. It is imperative that the Government engages seriously with any concerns expressed by the EDPS and Fundamental Rights Agency on data protection standards and safeguards and on the means for obtaining redress if data is inaccurate or used inappropriately.

9.16One of the safeguards highlighted by the EU Fundamental Rights Agency is the need to ensure that “the rules on sharing of data with third countries as laid down in the individual legal instruments are adhered to in the case of interoperability”. Article 48 of both Commission proposals provides:

“Personal data stored in or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party.”

We ask the Minister:

9.17We clear the Commission Communication—document (a)—from scrutiny. Pending further information, we are holding both legislative proposals—documents (b) and (c)—under scrutiny. We draw this chapter to the attention of the Home Affairs Committee, the Justice Committee and the Committee on Exiting the European Union.

Full details of the documents

(a) Commission Communication: Twelfth progress report towards an effective and genuine Security Union: (39380), 15861/17, COM(17) 779. (b) Proposal for a Regulation establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration): (39366), 15729/17 + ADDs 1–3, COM(17) 794. (c) Proposal for a Regulation establishing a framework for interoperability between EU information systems (borders and visas) and amending Council Decision 2004/512/EC, Regulation (EC) No 767/2008, Council Decision 2008/633/JHA, Regulation (EU) 2016/399 and Regulation (EU) 2017/2226: (39368), 15119/17 + ADDs 1–3, COM(17) 793.

Background

9.18The EU has established three centralised information databases which underpin cooperation on asylum, border management and law enforcement:

9.19A new EU Agency—eu-LISA—was set up in 2012 to oversee the operational management of these information systems and ensure effective, secure and continuous data exchange between Member States.144 Each system has its own founding instrument which contains detailed rules on the information that can be stored in each database, the purposes for which it may be used, and data protection requirements. The systems cannot communicate with one another through the exchange of data or sharing of information unless their founding instruments allow them to do so.

9.20The Regulation setting up eu-LISA provides that the Agency may be made responsible for the preparation, development and operational management of other large-scale EU information systems dealing with asylum, migration, civil and criminal law cooperation and cross-border police cooperation. A number of new information systems are envisaged.145 They include:

9.21The table shows which of the existing or proposed EU information systems are open to UK participation.

Information system

Schengen or non-Schengen

UK position

Visa Information System—VIS

Schengen

UK excluded

Schengen Information System—SIS II (border control component)

Schengen

UK excluded

Schengen Information System—SIS II (law enforcement)

Schengen

UK participates in existing SIS II and is also participating in a Commission proposal to strengthen the law enforcement component of SIS II

EU Entry/Exit System—EES

Schengen

UK excluded

European Travel Information and Authorisation System—ETIAS

Schengen

UK excluded

Eurodac

Non-Schengen

UK participates in the existing Eurodac database. The UK has opted into the Commission’s proposal to expand its scope

European Criminal Records and Information System—extension to third country nationals (ECRIS-TCN)

Non-Schengen

UK participates in ECRIS and has opted into a supplementary proposal extending ECRIS to third country national offenders

9.22The Commission has proposed changes to the Regulation establishing eu-LISA. One of its new tasks will be to make existing and future EU information systems for security, border and migration management interoperable by 2020, a goal endorsed by EU leaders in June 2017.149

The Commission’s proposals on interoperability

9.23The Commission describes its legislative proposals on interoperability as “a step-change not only in the way the EU manages information for security, border and migration management but also in making that data available to national authorities to ensure that they have the information they need when and where they need it”.150 The proposals encompass six centralised EU information systems, of which three (Eurodac, SIS II and VIS) are already operational and three are “on the brink of development” (the EES, ETIAS and ECRIS-TCN). With the exception of SIS II, the remaining five information systems are “exclusively focussed on third country nationals”.151

9.24The UK is only entitled to participate in document (b) covering Eurodac, ECRIS-TCN and the police cooperation parts of SIS II. This proposal also applies to a limited extent to Europol data and to certain Interpol databases, such as the Stolen and Lost Travel Document database. The UK cannot participate in document (c) which covers the visa and border control provisions of SIS II, VIS, EES and ETIAS. The Commission makes clear that national information systems (such as the Police National Computer) and decentralised EU information systems (such as the Prüm framework for exchanging vehicle registration, fingerprint and DNA data) are outside the scope of its proposals.

9.25The Commission proposals have four operational objectives:

9.26The Commission identifies four “technical components” or tools to achieve these operational objectives:

9.27These technical components would be supported by three additional features:

9.28The Commission proposals also seek to streamline and speed up the process for law enforcement access to EU asylum and migration information systems (Eurodac, EES, ETIAS and VIS) by enabling law enforcement officers to carry out out an initial search against the information stored in the common identity repository. This search would operate on a “hit/no-hit” basis, meaning that it would only flag whether data on a particular individual is held in one or more of these EU information systems. Law enforcement officers would not have direct access to any relevant data flagged up by the search, but would be required to request access on the terms specified for each information system (including prior authorisation by a designated authority).

9.29Taken as a whole, the Commission considers that its legislative proposals will:

“[…] lead to faster, more systematic access to information for authorised users, simplifying the current complex and diverse access conditions to ensure that information is more easily available to people who have the right to see it, in line with the rights set out in the legislation governing each system. They will make it easier for end-users to determine when people have been registered with multiple identities, both facilitating travel for legitimate travellers and combating identity fraud. They will make it easier for authorised officers to reliably identify third-country nationals who are entering, or who are already on, the territory of the Schengen area.”153

9.30The Commission considers that the proposed Regulations comply with fundamental rights as the provisions on interoperability complement existing EU information systems:

“Each system will keep its specific purpose limitation, access rules and data retention rules. The proposed measures will also not lead to an increase in the collection of new data. They provide a targeted and intelligent way of using existing information held in EU systems to best effect.”154

It says that the proposals “embed” all of the EU’s data protection rules and are based on the principles of “data protection by design and by default”.155

9.31The Commission estimates that it will cost around €425 million (£377 million)156 spread over nine years (from 2019–27) to implement the proposals on interoperability. Just over half (€225 million or £260 million) would be allocated to eu-LISA to develop, implement and maintain the technical features underpinning interoperability, with Member States receiving €136 million (£121 million) to adapt their national systems and provide training on how to use the interoperability features. The remaining funding would be shared between Europol (€49 million to upgrade its IT systems), the European Border and Coast Guard Agency, the EU Agency for Law Enforcement Training (CEPOL) and the Commission. The EU’s current Multiannual Financial Framework (MFF) will expire at the end of 2020. The Commission says it will re-allocate the €32.9 million (£29 million) available under the Internal Security Fund (Borders) Regulation to implement its interoperability proposals during the current MFF.

The Government’s position

9.32In his Explanatory Memorandum of 23 January 2018 on the Commission Communication, the Security Minister (Mr Ben Wallace) says that the Government is “generally supportive of the work to date on facilitating the interoperability of the EU’s immigration and security databases”, adding:

“We support the overarching goal of improving interoperability of systems as this prevents fraudulent, fragmented or inaccurate data propagating throughout systems. Such siloing provides opportunities to criminals and terrorists to create false identities and can inconvenience the honest traveller with inaccurate information.”157

9.33In a separate Explanatory Memorandum of 25 January 2018 on the proposed Regulations—documents (b) and (c)—the Minister for Policing and the Fire Service (Mr Nick Hurd) similarly “supports efforts to make the exchange of data within the EU more efficient and more useful particularly where this can improve security or prevent crime” and agrees with the main aims of the proposals: combating identity fraud, improving data quality and streamlining the conditions for law enforcement access.158 He continues:

“In particular, the Government welcomes that the proposal intends to make it is easier for the appropriate law enforcement officers or immigration officials to obtain all of the available information at the EU level, provided they are entitled to see it. The Government doesn’t see this as fundamental change, but the adding of increased functionality to the underlying systems which will close potential gaps between the systems.”159

9.34The Minister underlines the need to maintain “strong data protection standards”, adding:

“The Government will aim to ensure that the proposal does not compromise data ownership rules and handling codes. It is also important that data owners retain control of how their data is used. The Government welcomes the approach taken of ensuring logs are generated of users activities as this provides an effective and proportionate tool for data protection purposes.”160

9.35The Minister recognises that “the benefits associated with improving the interoperability of EU JHA [justice and home affairs] information systems need to be balanced against the potential impact on fundamental rights”, highlighting in particular the right to the protection of personal data under Article 8 of the EU Charter on Fundamental Rights (‘the Charter’) and the right to respect for private and family life under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and Article 7 of the EU Charter. He concludes that any interference with these rights is justified, not least because the proposed Regulations are “complementary to” the EU’s existing (or planned) information systems and so “should not alter or impact in any greater way on fundamental rights or human rights than is the case for such databases”.161

9.36The Minister notes that the UK is only entitled to participate in the proposed Regulation covering Eurodac, SIS II (the law enforcement aspects only) and ECRIS-TCN—document (b)—and that the UK’s Title V (justice and home affairs) opt-in and Schengen opt-out Protocols are relevant:

“Eurodac and ECRIS-TCN are not Schengen-building measures. Therefore, to the extent that the provisions of the Regulation relate to these measures, they will only apply to us if we notify the Council, within the three months of the publication of the last language version of the proposal, that we wish to opt in.

“To the extent that the Regulation builds on the police and judicial cooperation aspects of SIS II, then the UK will be bound by it unless we notify the Council, within three months of the publication of the last language version of the proposal that we wish to opt-out.”

9.37The Minister undertakes to inform us of the date on which the three-month opt-in/out deadline will expire “as soon as this becomes available”.162 Home Office officials have since confirmed that it will expire on 21 May.

9.38The Minister explains that all opt-in and opt-out decisions are taken “on a case-by-case basis, putting the national interest at the heart of the decision making process” and that in reaching a decision on participation in document (b), the Government will “consider whether there are any additional benefits to participating in the four interoperability components beyond what our current access to these databases currently provides, and whether these benefits outweigh the likely financial implications”.163 The Government will also:

“[…] assess what the likely level of usage would be of the new system by UK law enforcement and immigration officials. As the proposals are likely to require significant investment and technical changes, we will need to carefully consider whether the high costs of participating in the measure will be outweighed by the benefits that it may deliver.”164

As well as the cost to the UK in developing appropriate end-user interfaces to connect to the interoperable systems, the Government will also take into account the time needed to implement each of the interoperability components and the likely start of operations.165 The Minister anticipates that “technical implementation of the proposal could take place by 2021”.166

9.39If the Government were to decide to opt into document (b), the proposal is unlikely to have any significant implications for UK law. Some changes may nevertheless be required:

“Article 20(1) on ‘access to the Common Identity Repository (CIR) for identification’ provides that Member State police authorities may, where empowered by national legislative measures, query the CIR using biometric data, identity data and travel document data in certain cases. If the UK chose to participate in the proposal and wished to make use of this provision, it would need to adopt legislative measures specifying the precise purposes of identity checks. In addition, it would need to designate the police authorities competent to make use of the provision and specify the procedures, conditions and criteria of such checks.”167

9.40If the Government decides not to participate, the Minister says it will be important to ensure that “non-participation does not preclude individual access to the information systems that the UK is currently participating in”.168

Previous Committee Reports

None on these documents. Our earlier Reports on the Commission’s seventh progress report towards an effective and genuine Security Union are relevant: First Report HC 301–i (2017–19), chapter 25 (13 November 2017) and Ninth Report HC 301–ix (2017–19), chapter 12 (10 January 2018).


130 The Commission has proposed changes to the Schengen Information System (SIS II), Eurodac and the European Criminals Records Information System (ECRIS) and is supporting Member States’ efforts to implement the Passenger Name Records (PNR) Directive and the Prüm Decisions establishing a framework for the exchange of vehicle registration, fingerprint and DNA data.

131 A political agreement has been reached on the EU Entry/Exit System and negotiations are continuing on the proposed European Travel Information and Authorisation System (ETIAS).

132 See the final report of the high-level expert group and the European Commission’s fact sheet on interoperability.

133 See the European Commission’s press release issued on 12 December 2017.

134 Ibid.

135 See the European Commission’s fact sheet on the interoperability of EU information systems for security, border and migration management.

136 See the timeframe set out on p.96 of the Commission’s legislative financial statement attached to document (b).

137 See para 11 of the Minister’s Explanatory Memorandum.

138 See para 20 of the Minister’s Explanatory Memorandum.

139 See Annex 5 to the final report of the High-Level Group issued in May 2017.

140 See Annexes 3 and 4 to the final report of the High-level expert group on information systems and interoperability published in May 2017 which includes the observations made by the EU Counter-Terrorism Coordinator, the EDPS and the EU Fundamental Rights Agency.

141 See para 28 of the Minister’s Explanatory Memorandum.

142 See our predecessors’ Sixth Report HC 71–iv (2016–17), chapter 2 (15 June 2016).

143 See our predecessors’ Thirtieth Report HC 71–xxviii (2016–17), chapter 1 (1 February 2017).

144 See Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, as amended by Regulation (EU) No 603/2013 establishing Eurodac.

145 See the European Commission’s fact sheet on EU Information Systems: Security and Borders.

146 See our predecessors’ Third Report HC 71–ii (2016–17), chapter 14 (25 May 2016).

147 See our predecessors’ Twenty-fifth Report HC 71–xxiii (2016–17), chapter 12 (11 January 2017), Thirty-first Report HC 71–xxix (2016–17), chapter 12 (8 February 2017), Thirty-fifth Report HC 71–xxxiii (2016–17), chapter 7 (15 March 2017) and Fortieth Report HC 71–xxxvii (2016–17), chapter 18 (25 April 2017).

148 See our First Report HC 301–i (2017–19), chapter 22 (13 November 2017).

149 See the Conclusions of the June 2017 European Council and our First Report HC 301–i (2017–19), chapter 26 (13 November 2017).

150 See p.1 of the Commission Communication.

151 See p.5 of the Commission’s explanatory memorandum on document (b).

152 See p.4 of the Commission’s explanatory memorandum accompanying document (b).

153 See the European Commission’s fact sheet on the interoperability of EU information systems for security, border and migration management.

154 See p.3 of the Commission Communication.

155 See p.22 of the Commission’s explanatory memorandum accompanying document (b).

156 €1 = £0.88723 or £1 = €1.12710 as at 29 December.

157 See para 20 of the Minister’s Explanatory Memorandum.

158 See paras 17 and 23 of the Minister’s Explanatory Memorandum.

159 See para 23 of the Minister’s Explanatory Memorandum.

160 See para 29 of the Minister’s Explanatory Memorandum.

161 See the fundamental rights analysis in the Minister’s Explanatory Memorandum.

162 See para 16 of the Minister’s Explanatory Memorandum.

163 See para 15 of the Minister’s Explanatory Memorandum.

164 See para 20 of the Minister’s Explanatory Memorandum.

165 See paras 21 and 30 of the Minister’s Explanatory Memorandum.

166 See para 22 of the Minister’s Explanatory Memorandum.

167 See the section of the Minister’s Explanatory Memorandum on the impact on UK law.

168 See para 28 of the Minister’s Explanatory Memorandum.




5 March 2018