The Principle of Availability

32.  The principle of availability means that "throughout the Union, a law enforcement officer in one Member State who needs information in order to perform his duties can obtain this from another Member State, and that the law enforcement agency in the other Member State which holds this information will make it available for the stated purpose…".[32] If the information is available, it must be provided; the grounds for declining to do so are extremely limited.

33.  All Member States have law enforcement agencies which collect information about individuals for use in the fight against crime. If that information is not accurate, not only is it of little or no use for that purpose, but it can be damaging to the individual concerned. As the recent problems with information stored by the Criminal Records Bureau (CRB) showed, it can be even more damaging where information is recorded against the wrong individuals. Between March 2002 and March 2006 there were 2,273 cases of individuals being wrongly listed by the CRB as having criminal records.[33] To someone who, because of being wrongly listed, has lost the opportunity of being offered a job it can be of little comfort to be told that this represented only 0.025% of the disclosures issued.

34.  The importance of having procedures for checking the accuracy of information stored is clear. Every State has mechanisms for challenging that accuracy, but the data subject cannot challenge it unless he is aware that it is being held. Whether, when and how he is so informed, how and at what stage he can challenge it, and with what likelihood of success, are all matters left to national laws. It is equally important that the information should not be abused; access to it must be limited strictly to those who need it and it must be used only for the purpose for which it was supplied. These limitations too are at present subject to national law.

35.  Terrorism and other serious crimes do not respect national boundaries, and it is therefore essential that the national law enforcement agencies of Member States should have access to information collected by the agencies of other States. Europol may also need it. But safeguards must be in place before this pooling of information can take place. If information collected under the law of one Member State and subject to the safeguards provided under that law is transmitted to another Member State, it immediately becomes subject to different and possibly lesser safeguards.

36.  In oral evidence Baroness Ashton of Upholland, the Parliamentary
Under-Secretary of State at the Department for Constitutional Affairs (DCA) responsible for data protection, told us that the United Kingdom had "a very strong and solid data protection framework".[34] The Home Secretary compared it favourably with that of other Member States.[35] This emphasises our point: we would be under an obligation to send information collected under our system, and subject to relatively stringent safeguards, to countries which might offer a much lower degree of protection. Mr Peter Hustinx, the European Data Protection Supervisor (EDPS), made the same point in oral evidence: "I noticed Baroness Ashton referring to 'robust legislation' in the UK—but this involves all Member States. You never know which data you are going to get; you never know which data you are going to share with other countries."[36]

37.  In the Hague Programme the European Council invited the Commission to bring forward proposals for implementing the principle of availability in which "key conditions should be strictly observed". These conditions included a guarantee of the integrity of the data; confidentiality of the data; common standards for access to the data; respect for data protection; protection of the individual from abuse of data; and the right to seek correction of incorrect data. And all this was to be without prejudice to the work in progress on the draft Data Protection Framework Decision (DPFD).[37] The importance of the two Framework Decisions, on the Principle of Availability and on Data Protection, going forward together was thus emphasised.

38.  The Commission brought forward proposals for both Framework Decisions in October 2005. The Framework Decision on the principle of availability deals with six categories of information (DNA profiles, fingerprints, ballistics, vehicle registration, telephone numbers and other communications data, and data in civil registers for identifying persons) which are expected to be available (either directly online, or on request) for exchange between equivalent law enforcement agencies in Member States.[38]

39.  The DPFD is intended to assist police and judicial cooperation in criminal matters. It will provide a regulatory framework for the exchange and processing of personal data between competent authorities of Member States, and for the transmission of such data to third parties. It has two main purposes: to ensure that any information that may be exchanged has been processed legitimately and in accordance with privacy rights and fundamental principles relating to data quality; and to see that the exchange of information between competent authorities is not prejudiced by different levels of data protection.

40.  In an explanatory memorandum of 1 November 2005 Paul Goggins MP, then a Parliamentary Under-Secretary of State at the Home Office, told us that "the [United Kingdom] Presidency attaches importance to ensuring coherence" between the two Framework Decisions. In a letter of 9 January 2006 he said: "It is intended that the processing of personal data under this Framework Decision [on the principle of availability] should be in accordance with the provisions of [the DPFD]".

41.  Mr Hustinx, the EDPS, issued on 28 February 2006 a closely argued formal Opinion on the Framework Decision on the Principle of Availability. He concluded:

"Any legal instrument implementing the principle of availability should not be adopted without the prior adoption of essential guarantees on data protection as included in the proposal for a Framework Decision on the protection of personal data."[39]

Volte-face at Heiligendamm

42.  The G6 ministers at Heiligendamm "highlighted the importance of improving cross-border information exchange between law enforcement authorities", and suggested focusing on DNA, fingerprints and vehicle registration data. The Conclusions continue:

"The ministers underscored that rapid implementation of the availability principle must not depend on the adoption of a framework decision on data protection in the third pillar."

43.  This statement, described by JUSTICE in their written evidence[40] as "a remark…merely en passant", was seen by them as "a cause for grave concern". We agree. To divorce the progress of the two Framework Decisions in this cavalier fashion goes against the instructions of the European Council in the Hague Programme, against the Commission proposals, and against the views of the EDPS published barely three weeks previously. It is moreover inconsistent with what was said to us less than three months earlier by a Home Office minister.

44.  We asked the present Home Secretary the reason for this abrupt reversal of policy. Dr Reid wrote:

"The Government believes that for the fight against ever-more sophisticated crime, it is important to ensure any potentially drawn-out negotiations on the DPFD do not block progress on the Principle of Availability."[41]

45.  Until 2001 data protection was the responsibility of the Home Office, but responsibility was then transferred to the DCA. We questioned the extent to which DCA ministers and officials had been consulted about this change of policy, and whether they agreed with it. In his letter the Home Secretary told us that the G6 view that the principle of availability should not be delayed by negotiations on the DPFD was "the shared position of the Home Office and DCA".[42]

46.  While we do not doubt that, by the date of the Home Secretary's letter, DCA had come to share the Home Office view that a policy change was desirable, we wondered at what stage DCA had reached this view, and in particular whether this was before the Heiligendamm meeting, or perhaps afterwards when they might have been presented with a fait accompli. Baroness Ashton assured us that the briefing carried by the former Home Secretary at the Heiligendamm meeting included a briefing provided by DCA and agreed by her "on issues particularly around data protection that were relevant at that meeting".[43] We were not told to what extent, if at all, that briefing emphasised the importance of the two Framework Decisions proceeding together.

47.  Baroness Ashton added that she did not believe the principle of availability should have to wait for the DPFD "providing (a) you are conscious that you will have to sign up to the DPFD at a Council of Ministers at some point, and therefore you need to be alive to the discussions and deliberations and to be sure it is working in that sense in tandem, and (b) therefore that you do not do something that would be outside that."[44]

48.  In oral evidence, Ms Ryan elaborated on the view expressed by the Home Secretary in his letter. She told us that the joint view of the Home Office and DCA, and indeed of the Government, was that the principle of availability and the DPFD were both priorities, and they would like to see both move forward quickly. But if negotiations on the DPFD were going slowly, they would not want the principle of availability slowed down in any way. This was the reason for the Heiligendamm statement. If this was what transpired, the principle of availability would have to be brought into force with interim data protection measures which would come under the DPFD umbrella once negotiations on this had been completed.[45]

49.  One reason why the Home Secretary was not concerned about the two Framework Decisions proceeding at different paces was that "existing data protection rules will continue to apply until the DPFD negotiations have finished". These rules are the "domestic data protection regimes for law enforcement and judicial processing that comply, at a minimum, with the Council of Europe Convention[46] on processing of personal data."[47] Baroness Ashton seemed to be of the same view.[48] But the view of Mr Hustinx was that when the principle of availability was put into practice "all the problems will emerge which normally emerge": a few countries had adequate safeguards and some did not, so that when the same data was shared it would be dealt with under different standards. This was bound to raise problems in criminal procedure investigations.[49]

50.  At their conference in Budapest on 24 and 25 April this year the European Data Protection Authorities "remind[ed] Member States that sharing personal information between their law enforcement authorities is permissible only on the basis of data protection rules ensuring a high and harmonised data protection standard at European level in all participating states". They also stressed that "existing legal instruments applicable in the EU on data protection are too general to provide effective data protection in the field of law enforcement."

51.  For all these reasons we believe that reliance on national data protection laws is insufficient.

Negotiation of the Data Protection Framework Decision

52.  We asked Mr Hustinx whether he thought the DPFD was likely to be in force in time to provide safeguards for all the instruments on exchange of law enforcement information. He replied that discussions were progressing very slowly, partly because "national delegations tend to come from law enforcement areas which, up to now, largely prefer to ignore data protection". He added: "I wish that the energy that the Heiligendamm Declaration seems to invest in pushing availability [was] equally invested in ensuring that this link is respected".[50] We agree.

53.  Finland now has the Presidency. In its preliminary agenda for its Presidency, issued on 24 May, it stated:

"The principle of availability should be established as the cornerstone for information exchange from the beginning of 2008. Finland will take this project forward, paying particular attention to the data protection issues that have to be addressed in relation to police and judicial cooperation in criminal matters, before the principle of availability can be applied."

In oral evidence to us the Finnish Ambassador confirmed the importance of "comprehensive and uniform data protection provisions affecting individuals [being] created to counterbalance the principle of availability".[51]

54.  This in our view is the right combination of priorities. We were glad to hear from Ms Ryan that the Government strongly support the Finnish Presidency in pressing ahead with the DPFD.[52] Baroness Ashton has written to say that Finland hopes that negotiations will be concluded under its Presidency; it intends to hold monthly meetings from September, "and the UK has made clear its full support for this desire to quicken the pace of progress on the proposal".[53]

55.  It is entirely understandable that ministers who are primarily responsible for security and for the fight against terrorism and serious crime should want to have at their disposal all available weapons. Among such weapons is the pooling of all relevant information. But it is the sign of a mature democracy that it can proceed with law enforcement measures without disregarding the rights of individuals.

56.  Notwithstanding the pressing need to share data among the
twenty-five Member States for the purposes of fighting terrorism and other serious crime, we urge the G6 ministers not to take forward the principle of availability without ensuring adequate data protection safeguards.

57.  If the G6 ministers are unhappy about the progress of the principle of availability, the solution is for ministers to invest equal energy in negotiations to take forward the Data Protection Framework Decision. This should be treated as a matter of high priority.

58.  We urge the Government to support the Finnish Presidency in reaching agreement on data protection before the principle of availability can be applied.

33   Written Answer by Joan Ryan MP, 5 June 2006, (HC) col. 270W. Back

34   Q 14. Back

35   Letter of 6 June to Lord Grenfell, Appendix 4. Back

36   Q 28. Back

37   The Hague Programme, paragraph 2.1, agreed by the European Council on 4-5 November 2004. Back

38   Draft Framework Decision on the exchange of information under the principle of availability (Document 13413/05). Back

39   Opinion of the European Data Protection Supervisor on the Proposal for a Council Framework Decision on the exchange of information under the principle of availability (COM (2005) 490 final), OJ C 116 of 17.5.06.  Back

40   p 37. Back

41   Letter of 6 June 2006 to Lord Grenfell, Appendix 4.  Back

42   Letter of 6 June 2006 to Lord Grenfell, Appendix 4. Back

43   Q 2. Back

44   Q 8. Back

45   Q 118. Back

46   Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981). Another relevant Council of Europe instrument is Recommendation R(87)15 of 1987 regulating the use of personal data in the police sector. Convention No. 108 is considered too general effectively to safeguard data protection in the area of law enforcement. The Recommendation is of more specific relevance but, unlike the Convention, is not binding. Furthermore, neither of these instruments applies to direct automated access, nor are there clear binding rules about the further processing of transmitted data. Back

47   Letter to Lord Grenfell of 6 June 2006, Appendix 4. Back

48   Q 8. Back

49   Q 28. Back

50   Q 40. Back

51   His Excellency Mr Jaakklo Laajava, in evidence to the Select Committee on 4 July (Q 11). Back

52   Q 119. Back

53   Letter to Lord Grenfell of 27 June 2006. Back