Documents considered by the Committee on 11 July 2018 Contents

5Interoperable EU information systems for security, border control and migration management

Committee’s assessment

Legally and politically important

Committee’s decision

Not cleared from scrutiny; further information requested; drawn to the attention of the Home Affairs Committee and the Justice Committee

Document details

(a) Proposal for a Regulation establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration)

(b) Proposal for a Regulation establishing a framework for interoperability between EU information systems (borders and visas)

Legal base

Articles 16(2), 74, 78(2)(e), 79(2)(c), 82(1)(d), 85(1), 87(2)(a) and 88(2) TFEU, ordinary legislative procedure, QMV

Department

Home Office

Document Numbers

(a) (39366), 15729/17 + ADDs 1–3, COM(17) 794; (b) (39368), 15119/17 + ADDs 1–3, COM(17) 793

Summary and Committee’s conclusions

5.1The Commission has proposed two Regulations which are intended to make existing and planned new EU information systems in the field of migration and security interoperable so that information can be shared more rapidly. Its aim is to close the information gaps and “blind spots” which hinder effective cross-border security cooperation. The first proposed Regulation on the interoperability of EU asylum and law enforcement information systems, document (a), covers two existing EU information systems (the Eurodac asylum database and the police cooperation parts of the Schengen Information System — SIS II) and one new EU information system which is expected to be agreed shortly (the European Criminal Records Information System for Third Country Nationals — ECRIS-TCN). It would also apply to a limited extent to Europol data and to certain Interpol databases (such as the Stolen and Lost Travel Document database). The UK participates in Eurodac and SIS II and has opted into the proposed ECRIS-TCN information system.

5.2The second proposed Regulation on the interoperability of EU border control and visa information systems, document (b), covers existing or proposed new EU information systems in which the UK is unable to participate as they are based on parts of the Schengen rule book dealing with border control and visas which do not apply to the UK. These are the border control provisions of SIS II, the Visa Information System (VIS), the EU Entry/Exit System and the European Travel Information and Authorisation System (ETIAS).

5.3The proposed Regulations have four operational objectives:

5.4The proposals would establish:

5.5The Commission makes clear that interoperability “does not mean pooling all data or collecting additional categories of information”. Nor would it allow information held in one system automatically to be shared across all other systems. Rather, “interoperability is about a targeted and intelligent way of using existing data to best effect while at the same time ensuring full respect of fundamental rights, in particular data protection requirements”.33 The Commission anticipates that it may take until the end of 2023 to develop and test all the technical components needed to make EU border, migration and security information systems interoperable.34

5.6In his Explanatory Memorandum of 25 January 2018, the Minister for Policing and the Fire Service (Mr Nick Hurd) explained that proposed Regulation on the interoperability of EU asylum and law enforcement information systems — document (a) — was subject to the UK’s Title V (justice and home affairs) opt-in Protocol and the UK’s Schengen opt-out Protocol. If the Government wished to participate, it would need to opt into the non-Schengen elements of the proposal — Eurodac and ECRIS-TCN — within the three-month opt-in deadline which expired on 21 May. The UK would be automatically bound by the Schengen elements of the proposal — SIS II — unless the Government decided to opt out within the same three-month period. Whilst broadly supporting the Commission’s aims, he anticipated that the interoperability proposals would require “significant investment and technical changes” and said that the Government would need to consider whether the “additional benefits” for the UK and the “likely level of usage” by UK law enforcement and immigration officials would be sufficient to justify “the high costs”.35 He confirmed that the UK is not entitled to participate in the proposed Regulation on the interoperability of EU border control and visa information systems, document (b), as it is based on parts of the Schengen rule book in which the UK does not take part.

5.7In his letter of 30 May 2018, the Minister informed us of the Government’s decision to participate in the proposed Regulation on the interoperability of EU asylum and law enforcement information systems — document (a) — to “maximise the benefits to the UK from access to these databases”. He did not address the questions we raised in our Report chapter agreed on 28 February concerning:

5.8Our questions, and the Minister’s response in his letter of 28 June, are set out in detail at the end of this chapter. In summary, the Minister tells us that:

Our Conclusions

5.9We are disappointed that it has taken the Minister four months to provide a substantive response to the questions we raised in February and that he has only written after a “general approach” has been agreed. We remind him that we expect to receive an update on the progress of negotiations before, not after, the Council agrees its mandate to begin negotiations with the European Parliament. We ask him whether the UK voted for the general approach and whether the compromise text agreed makes any substantive changes to the original Commission proposals.36

5.10As we made clear in our earlier Report, the benefits and costs that interoperable information systems would bring the UK are contingent on the timetable for adopting and implementing the proposed Regulations and on the outcome of negotiations on a post-exit transitional/implementation. In previous correspondence with our counterpart Committee in the House of Lords, the Minister questioned whether the proposed Regulations would be adopted before the UK leaves the EU in March 2019.37 This now appears to be a possibility — the Minister indicates that adoption could take place “before the end of the year”. The timing is important as, under the draft EU/UK Withdrawal Agreement, the proposed Regulation on the interoperability of EU asylum and law enforcement information systems — document (a) — will only apply to the UK during the post-exit transition/implementation period (ending on 31 December 2020) if it is “binding on and in the UK” before exit day. Assuming this to be the case, we again ask the Minister:

5.11If the proposed Regulation on the interoperability of EU asylum and law enforcement information systems — document (a) — is adopted after the UK’s exit from the EU, the draft EU/UK Withdrawal Agreement provides that cooperation shall be based on the relevant third country provisions.38 These state that “personal data stored in or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party”.39 We ask the Minister whether the Government is pressing for changes to these provisions during negotiations and to explain how he envisages overcoming these restrictions on third country access to data held in EU information systems once the UK has third country status.

5.12Pending further information, the proposed Regulations remain under scrutiny. We ask the Minister in his next update to provide details of the European Parliament’s position. We also look forward to receiving progress reports on trilogue negotiations once they are underway. We draw this chapter to the attention of the Home Affairs Committee and the Justice Committee.

Full details of the documents

(a) Proposal for a Regulation establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration): (39366), 15729/17 + ADDs 1–3, COM(17) 794. (b) Proposal for a Regulation establishing a framework for interoperability between EU information systems (borders and visas) and amending Council Decision 2004/512/EC, Regulation (EC) No 767/2008, Council Decision 2008/633/JHA, Regulation (EU) 2016/399 and Regulation (EU) 2017/2226: (39368), 15119/17 + ADDs 1–3, COM(17) 793.

Background

5.13The proposed Regulations encompass six centralised EU information systems, of which three (Eurodac, SIS II and VIS) are already operational and three are “on the brink of development” (the EES, ETIAS and ECRIS-TCN). With the exception of SIS II, the remaining five information systems are “exclusively focussed on third country nationals”, meaning that post-exit, they are likely to include the data of British citizens.40 A new EU Agency — eu-LISA — was set up in 2012 to oversee the operational management of large scale justice and home affairs information systems and will be responsible for making the systems interoperable.41 Each system has its own founding instrument which contains detailed rules on the information that can be stored in each database, the purposes for which it may be used, and data protection requirements. The systems cannot communicate with one another through the exchange of data or sharing of information unless their founding instruments allow them to do so.

5.14The table shows which of the existing or proposed EU information systems are open to UK participation.

Information system

Schengen or non-Schengen

UK position

Visa Information System — VIS

Schengen

UK excluded

Schengen Information System — SIS II (border control component)

Schengen

UK excluded

Schengen Information System — SIS II (law enforcement)

Schengen

UK participates in existing SIS II and is also participating in a Commission proposal to strengthen the law enforcement component of SIS II

EU Entry/Exit System — EES

Schengen

UK excluded

European Travel Information and Authorisation System — ETIAS

Schengen

UK excluded

Eurodac

Non-Schengen

UK participates in the existing Eurodac database. The UK has opted into the Commission’s proposal to expand its scope

European Criminal Records and Information System — extension to third country nationals (ECRIS-TCN)

Non-Schengen

UK participates in ECRIS and has opted into a supplementary proposal extending ECRIS to third country national offenders

The Minister’s letter of 28 June 2018

The impact of interoperability on individual rights

5.15Our earlier Report noted that the Commission’s legislative proposals were based on recommendations made in May 2017 by the High-Level Expert Group on Information Systems and Interoperability and drew attention to observations made by the EU Counter-Terrorism Coordinator (Gilles de Kerchove), the European Data Protection Supervisor (“EDPS”—Giovanni Buttarelli) and the EU Fundamental Rights Agency. We asked the Minister:

5.16The Minister says that the Commission proposals are “an evolution of existing capability and not a radical change of approach”:

“The proposed systems will clearly make a difference in closing information gaps by improving the linking of data between databases. This in turn will prevent individuals creating multiple identities through such exploitation. The systems however are building on the underlying databases. Member States uploading data will still own that data, in line with the legislation setting up the underlying databases, with all the requisite responsibilities that entails. This also means all the existing safeguards for each individual database will remain for those underlying databases [and] also continue to apply data connected to those databases.”

“The UK has been vocal throughout the process on the importance of data protection. What has been proposed in the draft legislation is in line with best practice and the Law Enforcement Data Protection Directive (LE DPD). It will ensure proper use of the systems and effective audit of all usage.”

UK participation in the proposed Regulation on the interoperability of EU asylum and law enforcement information systems — document (a)

5.17We noted that the main factors informing the Government’s decision on participation were the prospective additional benefits that interoperable information systems would bring the UK set against the “high costs” and that both were contingent on the timetable for adopting and implementing the proposals and the outcome of negotiations on a post-exit transitional/implementation period. As the proposals themselves indicate that it may take until 2023 for EU security, border and migration information systems to be fully interoperable, we asked the Minister:

5.18The Minister says that negotiations have kept pace with the goal of reaching agreement (and securing adoption of the proposed Regulations) “before the end of the year”. The Government is “supportive of the general approach” agreed on 14 June which will pave the way to trilogue negotiations with the European Parliament. The Minister identifies a number of “technical issues” which will need to be clarified:

“For example, we believe further clarity is needed on the exemptions for police investigations from data subject access to bring them into line with the safeguards in the Law Enforcement Data Protection Directive.”

He also underlines the need for the language to be “be tidied and made more consistent throughout” and to ensure that the reporting process “does not unduly burden end users”.

5.19He reiterates the factors informing the Government’s opt-in decision:

“The Government considered the costs and benefits the system has the potential to provide, the increased functionality provided to the underlying databases, and the improved experience for end users. The closing of gaps in between the silos of current databases will improve the UK’s security through better detection of potential terrorists and serious criminals. Further, in light of the UK’s unequivocal commitment to European security, as set out in the Prime Minister’s speech in Munich earlier this year, we recognised that the UK’s participation also improves the overall system. This is because the more states that participate and the more information shared, the stronger the system will be and the greater increase in security for all.”

Brexit implications

5.20We considered that the Government’s decision on participation in document (a) could not be disentangled from its longer-term aspiration for a post-exit strategic treaty on security and law enforcement cooperation, particularly as the Minister recognised that participation would entail “significant investment and technical changes”. We suggested that it would be difficult for the Government to justify making a substantial investment unless it intended to negotiate continued UK participation in EU security and migration information systems post-exit. We asked the Minister to:

5.21The Minister recognises the importance of locating the proposed Regulations “within the wider security relationship as we depart the EU”, adding:

“The UK has been instrumental in developing the security, law enforcement and criminal justice co-operation tools which the EU has at its disposal. We want this to continue in a way that works for both the UK and for Europe and are committed to ongoing cooperation with the EU on security and law enforcement. Our relationship with the EU will change as a result of our departure and the details of our participation in practical cooperation measures that currently facilitate cooperation will be subject to negotiations.

“Our Security, Law Enforcement and Criminal Justice future partnership paper published on 18th September 2017 outlined how we are seeking a relationship that provides for practical operational cooperation; facilitates data driven law enforcement; and allows multilateral cooperation through EU agencies.”

5.22We noted that the bulk of funding to implement the proposals would come from the EU’s post-2020 budget and would be allocated to the EU agency (eu-LISA) responsible for delivering interoperable systems. If the UK were to participate in document (a) beyond a transitional period ending on 31 December 2020, it would doubtless be required to make a financial contribution for several years beyond 2020 but would have no say in setting the overall expenditure limits. We asked the Minister what assessment he had made of the potential costs for the UK after 2020.

5.23The Minister comments:

“Once adopted, eu-LISA will start developing the components in parallel to the underlying databases under construction. Once they have set out a more detailed plan and settled some of the technical choices, we will then be able to assess our own plan for technical implementation to fit eu-LISA’s timings.”

5.24We noted that the provisions in the proposed Regulations on third country access were highly restrictive. Article 48 of both Commission proposals provides:

“Personal data stored in or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party.”

We asked the Minister:

5.25The Minister observes that “the limitations on 3rd party sharing may inhibit the effectiveness of the system, or prevent Member States providing information on aliases when there is a clear and present danger of terrorist attack in a 3rd country”.

Previous Committee Reports

Sixteenth Report HC 301–xvi (2017–19), chapter 9 (28 February 2018).


31 See p.4 of the Commission’s explanatory memorandum accompanying document (a).

32 This service would not apply to the European Travel Information and Authorisation System — ETIAS — as it will not contain biometric data.

33 See the European Commission’s fact sheet on the interoperability of EU information systems for security, border and migration management.

34 See the timeframe set out on p.96 of the Commission’s legislative financial statement attached to document (b).

35 See para 20 of the Minister’s Explanatory Memorandum.

36 The Council press release issued on 14 June 2018 states that Coreper endorsed a negotiating mandate on behalf of the Council.

37 See the Minister’s letter of 23 April 2018 to Lord Boswell.

38 See Article 122(1)(a) and 122(5) of the draft EU/UK Withdrawal Agreement.

39 Article 48 of the original Commission proposals.

40 See p.5 of the Commission’s explanatory memorandum on document (a),

41 See Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, as amended by Regulation (EU) No 603/2013 establishing Eurodac.




Published: 17 July 2018