Select Committee on European Union Fortieth Report


DATA PROTECTION: FRAMEWORK DECISION (13019/05)

Letter from Rt Hon Baroness Ashton of Upholland, Parliamentary Under-Secretary of State, Department for Constitutional Affairs to the Chairman

  Thank you for your letter of 15 December 2005[183] about the proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. I reply below to the questions you ask, and will keep you updated and supplied with revised texts as they become available.

LEGITIMACY OF PROCESSING AND ACCURACY OF DATA

  A data controller should control the accuracy of data they make available and the security of their computer systems. In relation to direct automated access to databases, this would require data controller to ensure that access links are only established with other "competent authorities." I agree that it is not possible for the data controller to ensure that each automated request complies with the requirements of Article 4 of the DPFD. It appears that the requirements of Article 9 DPFD replace rather than augment the requirements in Article 4. We will be seeking to clarify this in the Working Groups on this instrument.

  I also agree that it is not possible to verify the accuracy of information on databases to which direct automated access is provided at the moment of exchange, which implies that the contents of such databases must be maintained to a standard suitable for exchange with other Member States. The databases to which such direct access is contemplated (for example, the six listed databases in the Framework Decision on the Exchange of Information under the principle of availability, such as that for vehicle registration) are generally compiled to a high standard of accuracy. However, difficulties for data processors in ensuring accuracy arise particularly where the data processor must rely on members of the public to update their personal details. My officials are discussing with stakeholders how we might ensure that accuracy requirements in the DPFD are appropriate in this context.

  I consider that safeguards can be put in place to prevent unauthorised access to direct automated access systems; a data controller determines who has access to data, and configure that in the system. The requirements for security and confidentiality of data set out in articles 23-26 fall to holding and obtaining data controllers in the first place and secondly to the supervisory authority established in Chapter VII.

PERSONAL DATA OF NON-SUSPECTS

  The only specific rule that applies to data subjects who are not suspects appears to be Article 7(1). This provides a stricter rule against storing data for longer than is "absolutely necessary" for people in the last category in "a person who does not fall within any of the categories referred to above" (article 4(3)). This rule would not apply to all non-suspects, for example witnesses who are not suspects. The Commission has explained that article 4(3) is derived from articles 8 and 10 of the Europol Convention. They note that it is not evident why police and judicial authorities should process the data of people who are not covered by these categories for Third Pillar purposes. Although some "competent authorities" do process a great deal of data which is not connected to policing, for example, Her Majesty's Revenue and Customs process information about all tax payers, this processing would not be within the scope of this instrument. I therefore intend to ask the Commission why this category was included.

RIGHT OF INFORMATION

  I am still considering the implications of the absence of an equivalent for article 19(4) in article 20. The Committee should note that Article 30 requires the supervisory authority to monitor the application of the DPFD, including whether the restrictions in article 20 have been complied with.

  The rule in Article 11 of the Data Protection Directive, that notification be given in relation to data not obtained from the data subject "no later than the time when the data are first disclosed" is qualified by the words "in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing". I would draw the Committee's attention to Schedule 1, Part II, paragraph 2(1)(b) of the UK's Data Protection Act 1998, which states that when data have not been obtained from the data subject, the data subject should be provided with the information either "before the relevant time or as soon as practicable after that time". In the context of policing and crime prevention, I can envisage serious difficulties over contacting the data subject and reluctance to be required to do so when the need to transfer information can be urgent. I intend to further enquiries of the Commission to confirm that this is their position.

LIABILITY AND SANCTIONS INCLUDING CRIMINAL SANCTIONS

  We are still considering whether the EU has the jurisdiction to require Member States to impose criminal sanctions as proposed in this instrument. We will seek to resolve that issue before we look at what sanctions might be appropriate. You may be interested to note that the maximum penalty imposed by s. 19 of the Commissioners for Revenue and Customs Act 2005 for wrongful disclosure is two years' imprisonment.

  I note your concerns about the creation of a Committee chaired by the Commission and composed of representatives of Member States (Article 16 DPFD). I explained to the House of Commons Scrutiny Committee that the Government's position on comitology in the Third Pillar is that it must be assessed rigorously, on a case by case basis, to determine whether it would be appropriate, and in what form. Comitology has been provided for in other Third Pillar instruments and the Government is considering the position in relation to the DPFD.

  The determination of adequacy of data protection in third countries is a significant issue, which arguably needs to be decided collectively. This argument might amount to a case for the Committee. This function is very similar to that performed by the committee created under Article 31 of the Data Protection Directive, as per Article 25(4) and 25(6) of the Data Protection Directive. As I said, your concern on this point has been noted, and will be taken account of as we continue to develop the UK negotiating position.

  While the Government agrees that there is a case for the consolidation of the Third Pillar supervisory authorities, I do not believe that this Framework Decision is the place to pursue that objective.

  The Commission addressed the issue of the non-coverage of Europol and Eurojust in Article 4.6 of the Impact assessment 13019/05 ADD 1. I largely agree with their analysis that the Framework Decision is less a harmonisation measure than one to impose minimum standards, and that including Europol and Euroust would probably hamper its introduction by adding complexities. I believe that the data protection provisions that apply to Europol and Eurojust are adequate as they stand.

  I regret that I cannot give you a detailed timetable for the adoption of the proposal at the present time, as negotiations have barely begun and Member States have not revealed their positions. I will, of course, give you an estimate of the timetable as soon as I have it.

  I hope this letter clarifies the points you have raised with me. I will, naturally, keep you fully informed of developments as negotiations continue.

20 January 2006

Letter from the Chairman to Rt Hon Baroness Ashton of Upholland

  Thank you for your letter of 20 January 2006 in which you provide a very detailed response to our questions. Sub-Committee F (Home Affairs) of the House of Lords Select Committee on the European Union has re-examined this proposal in the light of your information and the Opinion of the European Data Protection Supervisor (EDPS) at a meeting on 8 February.

  We note that you share our concern that the accuracy and quality of personal data is adequately verified. We hope you will agree that this would be better achieved by bringing the provisions concerning the verification of data quality laid down by Article 9 within the general rules on the lawfulness of personal data processing in Chapter II, so as to complement the requirements of Article 4(1). As a general rule, the Framework Decision should also ensure that the provisions on proper verification of data quality apply to all processing of personal data by law enforcement authorities, including their further transmission as envisaged by Article 11(1). As you will be aware, this is the approach suggested by the EDPS. We would further emphasise the additional safeguards recommended by the EDPS, in particular in relation to the processing of biometric data and DNA profiles. We would like to see these safeguards built into the Framework Decision since they are relevant to current legislative proposals, such as the draft Framework Decision on the exchange of information under the principle of availability, entailing the processing of biometric and DNA data.

  You will also have seen that, according to the EDPS, the criteria for data processing laid down in Article 4(4) go beyond the requirements of necessity and proportionality, as reflected in the case law of the European Court of Human Rights. As currently drafted, the Framework Decision would allow the collection of personal data simply on the ground that the competent authorities believe that such data would facilitate or accelerate the prevention, investigation, detection or prosecution of a criminal offence, rather than on the basis of a demonstrable need for it. As highlighted in the EDPS's Opinion, "almost any processing of personal data could be considered as facilitating the activities of police or of judicial authorities". We would like to see the criteria under Article 4(4) tightened so as to comply with the requirements of Article 8 ECHR.

  With regard to personal data of non-suspects, as you confirm in your letter, Article 7(1) lays down specific safeguards only with regard to time limits, and only for a limited number of persons who do not fall within any of the other categories listed in Article 4(3). While we are glad to know that you will be seeking clarification from the Commission as to why this residual category was included in the first place, we do not believe that Article 7(1) provides for satisfactory guarantees. Specific safeguards should apply to all non-suspects and should impose restrictions not only on time limits, but also on access to data and the conditions for their collection, and on the refusal of access or information to the data subject. We draw your attention to the EDPS's Opinion at paragraphs 88-92 with regard to this point.

  With regard to the rights of the data subject, we believe that these should be aligned with those provided for under other EU data protection instruments. We do not believe that the case has been made out for a less stringent requirement in the notification to be given in relation to data not obtained from the data subject, ie that he or she be notified about the data obtained or processed "within a reasonable time" from disclosure rather than at the moment of disclosure. However, we look forward to receiving clarification as to what might justify such a provision from your enquiries with the Commission. We would also welcome any insight into the implications of the absence of an equivalent to Article 19(4) in Article 20 once you have had a chance to consider this adequately.

  We will be following closely negotiations on the provisions regarding the determination of the adequacy of data protection in third countries. This is undoubtedly an issue of great and increasing significance and has been the source of litigation in relation to First Pillar measures. It is all the more important, in the context of the exchange of law enforcement information, that a robust mechanism is in place which ensures that data transfers occur only to third countries that have data protection provisions which fully match European Union and Council of Europe standards.

  We would also like to reiterate our view that the current fragmentation of data protection provisions in Third Pillar measures is unsatisfactory against the background of closer co-operation between law enforcement authorities, within the EU and with Third States. We take your point that the data protection provisions that apply to Europol and Eurojust are adequate as they stand, but concur with the EDPS that in the longer term the rules on data protection applicable to these agencies should be made fully consistent with the present Framework Decision.

  We are not persuaded, on the other hand, that this Framework Decision is not the place to pursue the objective of consolidating the Third Pillar supervisory authorities. Given that you seem to agree that there is a case for it, perhaps you could explain to us where the obstacles to this currently lie.

  The Committee looks forward to receiving updates on the progress of negotiations and revised drafts as soon as they become available, along with the timetable for adoption of the proposal. We would assume that the Information Commissioner has been consulted on this proposal, and would also be grateful if his views, once obtained, could be copied to us. In the meantime, we will continue to keep the document under scrutiny.

8 February 2006

Letter from Rt Hon Baroness Ashton of Upholland to the Chairman

  Thank you for your letter of 8 February, and for the further very detailed comments the Sub-Committee has made on the Proposal in the light of my letter of 20 January, and the Opinion of the European Data Protection Supervisor. These comments are most helpful, and my officials will pay close attention to them as they become relevant during the negotiations on this Proposal. At this point I cannot add much more than that, but perhaps it is worth saying that the negotiations on the Proposal are moving forward, though slowly, and may achieve a first read through by the end of the Austrian Presidency.

  You raise several points of information. Firstly, you asked about the justification for the requirement that when data has been obtained from a third party, that the data subject be notified about the data obtained or processed "within a reasonable time" after the first disclosure, rather than at the point of disclosure. The Commission explained that in the context of criminal investigations there are circumstances in which it would not be possible to comply with this requirement, and that greater flexibility is required. Such circumstances might be the difficulty in finding where an individual currently lives, balanced against the legitimate need to transfer the data in a timely manner. There is also a disproportionate effort clause, to allow for the possibility that it would prove too burdensome, or perhaps impossible, to find that out.

  You also ask about the absence of an equivalent to Article 19(4) in Article 20. The Commission indicated that as the data was not obtained from the data subject, there could be no right of information or appeal at that stage, as the data subject would not be aware that data had been obtained and processed. However, should the data subject believe that his data has been obtained and processed, then an access request could be made under the terms of Article 21, with the right of appeal to the supervisory authority if access is refused or restricted.

  As I said in my previous letter, while the government does recognise in general terms the case for unifying the Third Pillar supervisory authorities, this proposal is not intended as an inclusive measure across the Third Pillar. Indeed, the option of including Europol and Eurojust was specifically rejected by the Commission in the impact assessment attached to the Framework Decision (13019/05 ADD 1, para 4.6). EU JHA Ministers commitment is to deliver this proposal as quickly as possible, in line with the Council Declaration of 13 July 2005 on the EU response to the London bombings, and I would be concerned that raising the issue of the Third Pillar supervisory bodies, which is likely to be difficult to resolve, would hinder that process.

  You also asked about the inclusion of the residual category of personal data included in Article 4.3. Previously the Commission commented that special attention should be paid to the necessity of processing the data of persons with regard to whom there are no reasons to believe that they could contribute anything to the prevention or prosecution of a criminal offence. This applies especially to time limits for the storage of personal data as it is set out in Article 7(1), second sentence. I believe that this is a genuinely residual category, though, and is not intended to be one of wide application.

  My officials are in discussion with the Information Commissioner on these proposals, and I myself hope to discuss them with the Commissioner in the near future. As yet we do not have a detailed consideration of the proposals from the Commissioner. When I have that I will of course send it to you.

  In conclusion, I apologise for the slight delay in responding to you.

3 March 2006

Letter from the Chairman to Rt Hon Baroness Ashton of Upholland

  Thank you for your letter of 3 March 2006 in which you further address our concerns with the proposal. You also wrote that you were awaiting a detailed consideration of the proposal from the Information Commissioner which you would then kindly send to us. We have not yet received this information.

  We have, however, been in correspondence with the Information Commissioner on a number of EU instruments that raise data protection issues, and a few important remarks were made on this proposal in his letter of 21 February which we attach. We would be grateful if you could address his question on scope, i.e. that the data protection rules should apply to all processing of personal data in the law enforcement field, particularly in the light of the principle of availability. We assume this point to be still relevant to the discussion. We are aware that negotiations on the Third Pillar data protection proposal are progressing slowly and that a revised draft of the proposal may yet have to emerge. In the absence of a new text, we would be grateful if you could provide us with an update on the state of play of discussions in the Council and a tentative timetable for adoption. In the meantime, we will continue to keep the document under scrutiny.

10 May 2006

Letter from Rt Hon Baroness Ashton of Upholland to the Chairman

  Thank you for your letter of 10 May 2006 regarding comments made by Richard Thomas, the Information Commissioner, in his letter to you of 21 February about the Data Protection Framework Decision (DPFD). You raise a number of important points and I have addressed each in order below.

  With regard to your request for the Information Commissioner's consideration of the proposed framework decision, I think there has been some misunderstanding. In my letter to you of 3 March, I noted that I would share with you any consideration of the proposal that I received from the Information Commissioner. However, I had not specifically sought a detailed consideration from the Commissioner when I wrote to you on 3 March, and have not as yet received one. My officials meet regularly with their counterparts in the Information Commissioner's Office (ICO) and I am satisfied that this is an effective way of keeping the ICO informed and provides an opportunity to discuss various issues as negotiations on the DPFD proceed. Of course, the Commissioner is welcome to contribute a written consideration at any time and may choose to do so as we progress towards a more final draft of the DPFD.

  You invited my comments on the point raised by the Information Commissioner in his letter of 21 February regarding the extent to which the DPFD might apply to all processing of personal data in the field of law enforcement, rather than simply to the exchange of personal data across borders. We are still considering the many important issues concerning the scope of the DPFD, including the extent to which it might apply to domestic data processing and the potential impact that the principle of availability might have. I think it is important to note that while it would appear that there are no objections in principle to the inclusion of domestic processing in the scope of the DPFD at this present time, we naturally need to consider very carefully the practical implications that this proposal would have for competent authorities in the UK.

  We have a number of concerns over the implications of current text for the work of our stakeholders because the Framework Decision defines the purposes for which personal data may be processed, or further processed, so narrowly it would in fact prevent a number of our organisations from fulfilling their proper duties efficiently and effectively. Many of these duties are statutory and include the protection of children, providing support to victims of violent and/or sexual offences and preventing regulatory breaches in the financial services industry. Of course, we could not commit UK competent authorities to provisions that would prevent them from carrying out their proper duties in a responsible and cost-effective manner, particularly when a number of our difficulties appear to stem simply from the different structure of our competent authorities in comparison to those in other Member States, where the police often have a wider remit than in the UK. Negotiations are therefore currently at too early a stage to be able to provide any sort of commitment on domestic processing, although we hope that progress on the proposal will be made as quickly as possible, which will enable us to clarify our position on this matter.

  In his letter of 21 February, the Information Commissioner also noted that the scope of the DPFD extends to automated and structured manual data and expressed concerns that this could lead to a reduction in protection in relation to unstructured manual data. This is because the data protection rules that apply to the current Schengen Information System (SIS), which also cover unstructured manual data, would be superseded by those in the DPFD when the SIS II is implemented. While I can understand the Commissioner's concerns, it would be very difficult to include unstructured manual files in the DPFD. The SIS applies to a limited set of exchanged data, whereas the scope of DPFD is considerably wider and, as discussed above, could also include purely domestic data processing. In these circumstances it would not be possible to apply the DPFD to unstructured manual data without imposing a huge extra burden on data controllers in the UK and throughout the EU. Of course, protection for unstructured manual data will continue to be provided through other measures such as Article 8 of the European Convention on Human Rights and national law. My officials discussed this matter on 21 June with representatives from the ICO, and noted the enormous regulatory burden this would impose on competent authorities. The ICO officials accepted that this could be a significant issue and they would need to reconsider their position.

  You also asked about progress with the DPFD. Some of the information above addresses this point; additionally, as you will know, I recently discussed the matter of progress with the House of Lords Select Committee on the European Union Sub-committee F (Justice and Home Affairs) on 7 June as part of its inquiry into the G6 meeting of Interior Ministers at Heiligendamm in March where the principle of availability and data protection were considered. I was very pleased to accept the invitation to speak to the Committee and appreciate its ongoing interest and support during negotiations on the DPFD. A number of significant amendments have already been agreed on the proposal and productive discussion on the first part of Chapter 3 took place at the most recent Working Group meeting on 20 June. Revision 5 of the DPFD was circulated yesterday and I have enclosed a copy for your information.

  Negotiations are necessarily taking some time in view of the vastly different police and judicial organisational structures within Member States. However, at a UK level, we are working hard to ensure that progress is made as rapidly as possible. I have spoken personally to stakeholders about their views and concerns regarding the DPFD. Officials are continuing to engage proactively with our stakeholders to ensure we fully understand the potential operational impact on the ability of our institutions and organisations to carry out their work, and to determine how we can help to move the negotiations forward. You may be interested to know that my officials provided a room document at the Working Group meeting on 20 June in order to help facilitate discussions on further data processing, the focus of a number of the Articles soon to be discussed. This contribution has been well received and the UK has been invited to present the paper for more detailed consideration at the next meeting on 7 July; I have enclosed a copy for your information. Finland will chair the meeting on 7 July, and will hold monthly meetings from September. It is Finland's hope that negotiations on the DPFD will be concluded under its Presidency and the UK has made clear its full support for this desire to quicken the pace of progress on the proposal.

27 June 2006

Letter from Rt Hon Baroness Ashton of Upholland to the Chairman

  I am writing with regard to comments received on 11 January 2006 from Jimmy Hood MP, Chairman of the Commons European Scrutiny Committee, about the Data Protection Framework Decision (DPFD). Those comments were in response to my letter to the Commons Committee of 30 November 2005 and I thought you would be interested to know the substance of our exchanges. Mr Hood MP highlighted three areas on which he welcomed further information and in my response I also provided an update on the progress of negotiations on the DPFD which may be of particular interest to you. The three areas noted by Mr Hood MP were:

  1.  The effect of the exemption in Article 15(6) of the proposal on arrangements with third countries;

  2.  The proposed arrangement for a committee chaired by the Commission to make determinations on the adequacy of data protection in third countries (the proposed "comitology" arrangements in Article 16); and

  3.  The need or otherwise for criminal sanctions as provided for in Article 29.

  The issues above reflect those raised by the Commons Committee in Mr Hood MP's letter of 18 November. In my response to him of 30 November, I provided answers to the questions raised as fully as I was able to, bearing in mind that we were in the early stages of negotiation. I also gave an undertaking to send a further account once those issues had been considered in detail by the Working Group. The Working Group has not yet begun the first reading of the Articles noted above and so unfortunately I was unable to expand on my comments of 30 November.

  However, I also undertook to keep Mr Hood MP in touch with developments on the DPFD more generally. My letter to you of 27 June, copied to Mr Hood MP on 29 June, provided a general update and I was also able to provide information about the first DPFD Working Group to be chaired by Finland, which, as you may know, took place on Friday 7 July. Discussions continued on Chapter 3, focussing on articles 10 to 14. I noted in my earlier letter to you that the UK had circulated a room document about further processing at the meeting on 20 June, and the UK delegation introduced this document to the Working Group on 7 July. The UK received support from many Member States with regard to the content of the room document and for the proposal that articles dealing with further processing should be considered as a whole, rather than delegations registering the same concerns on a series of similar articles; in addition to forming a more coherent approach to negotiations on further processing, it was also hoped that this would help to speed up negotiations. Unfortunately the agenda on 7 July was such that the time available to discuss the DPFD was cut to around half of that normally available. However, the Finnish Chair of the DPFD Working Group once again noted his keeness to make more rapid progress on the dossier and the UK naturally made its support for this sentiment known.

  This keeness to make progress has translated into an unexpected but very welcome second meeting this month on 25 July. The Presidency circulated a revised text on 13 July and has proposed that discussion at the next meeting is focussed on specific aspects of Articles 10-18. I have enclosed a copy of the Presidency's revised text for your information and hope to make sufficient progress in the next meeting to be able to soon provide you with the more detailed comments requested by Mr Hood MP on Articles 15 and 16.

  I hope this letter provides a helpful update and, as always, I would be very happy to discuss any aspect further with you.

17 July 2006

Letter from the Chairman to Rt Hon Baroness Ashton of Upholland

  Thank you for your letters of 27 June 2006 and 17 July which Sub-Committee F (Home Affairs) of the European Union Select Committee considered at a meeting on 19 July 2006. We are grateful to you for addressing the points raised by the Information Commissioner in his letter of 21 February and for providing us with an update on the state of play of negotiations.

  We would also like to reiterate that we are most grateful to you for giving evidence to Sub-Committee F as part of our inquiry on the Heiligendamm meeting. The report Behind Closed Doors: the meeting of the G6 Interior Ministers at Heiligendamm has just been published (40th Report of Session 2005-06, HL 221) and you will see that in one of the recommendations we call on ministers to treat the proposed Data Protection Framework Decision (DPFD) as a matter of priority. We are pleased to hear, therefore, that UK officials are actively engaged in moving negotiations forward and that there is hope to reach agreement on this proposal within the Finnish Presidency. It is reassuring to learn from the Finnish Minister of Justice hearing at the JURI Committee in Brussels that the DPFD is a key goal of their Presidency.

  You told us in evidence to the inquiry that the UK has a robust protection regime for law enforcement data. Other witnesses have highlighted, however, that it is the differing levels of protection across EU Member States that are an obstacle to the exchange of confidential information. What are needed are harmonised rules which ensure the integrity and protection of such information. The DPFD would ensure that robust standards are replicated across Member States. It is also important to ensure that these standards apply both to domestic data processing and their transmission cross-border. As European supervisory authorities have highlighted, in the light of the availability principle it is not practicable to exclude domestic data from the scope of the DPFD, as data which have been gathered in a purely domestic context can hardly be distinguished from data that have been subject to cross-border transmission. We reiterate our position that the adoption of common rules on protection of data, where the latter is intended for security purposes, is also a sine qua non for establishing the availability principle.

  We will continue to keep the document under scrutiny pending further progress reports on negotiations.

19 July 2006



183   Correspondence with Ministers, 45th Report of Session 2005-06, HL Paper 243, p 518. Back


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007