DATA PROTECTION: FRAMEWORK DECISION (13019/05)
Letter from Rt Hon Baroness Ashton of
Upholland, Parliamentary Under-Secretary of State, Department
for Constitutional Affairs to the Chairman
Thank you for your letter of 15 December 2005
about the proposal for a Council Framework Decision on the protection
of personal data processed in the framework of police and judicial
co-operation in criminal matters. I reply below to the questions
you ask, and will keep you updated and supplied with revised texts
as they become available.
A data controller should control the accuracy
of data they make available and the security of their computer
systems. In relation to direct automated access to databases,
this would require data controller to ensure that access links
are only established with other "competent authorities."
I agree that it is not possible for the data controller to ensure
that each automated request complies with the requirements of
Article 4 of the DPFD. It appears that the requirements of Article
9 DPFD replace rather than augment the requirements in Article
4. We will be seeking to clarify this in the Working Groups on
I also agree that it is not possible to verify
the accuracy of information on databases to which direct automated
access is provided at the moment of exchange, which implies that
the contents of such databases must be maintained to a standard
suitable for exchange with other Member States. The databases
to which such direct access is contemplated (for example, the
six listed databases in the Framework Decision on the Exchange
of Information under the principle of availability, such as that
for vehicle registration) are generally compiled to a high standard
of accuracy. However, difficulties for data processors in ensuring
accuracy arise particularly where the data processor must rely
on members of the public to update their personal details. My
officials are discussing with stakeholders how we might ensure
that accuracy requirements in the DPFD are appropriate in this
I consider that safeguards can be put in place
to prevent unauthorised access to direct automated access systems;
a data controller determines who has access to data, and configure
that in the system. The requirements for security and confidentiality
of data set out in articles 23-26 fall to holding and obtaining
data controllers in the first place and secondly to the supervisory
authority established in Chapter VII.
The only specific rule that applies to data
subjects who are not suspects appears to be Article 7(1). This
provides a stricter rule against storing data for longer than
is "absolutely necessary" for people in the last category
in "a person who does not fall within any of the categories
referred to above" (article 4(3)). This rule would not apply
to all non-suspects, for example witnesses who are not suspects.
The Commission has explained that article 4(3) is derived from
articles 8 and 10 of the Europol Convention. They note that it
is not evident why police and judicial authorities should process
the data of people who are not covered by these categories for
Third Pillar purposes. Although some "competent authorities"
do process a great deal of data which is not connected to policing,
for example, Her Majesty's Revenue and Customs process information
about all tax payers, this processing would not be within the
scope of this instrument. I therefore intend to ask the Commission
why this category was included.
I am still considering the implications of the
absence of an equivalent for article 19(4) in article 20. The
Committee should note that Article 30 requires the supervisory
authority to monitor the application of the DPFD, including whether
the restrictions in article 20 have been complied with.
The rule in Article 11 of the Data Protection
Directive, that notification be given in relation to data not
obtained from the data subject "no later than the time when
the data are first disclosed" is qualified by the words "in
so far as such further information is necessary, having regard
to the specific circumstances in which the data are processed,
to guarantee fair processing". I would draw the Committee's
attention to Schedule 1, Part II, paragraph 2(1)(b) of the UK's
Data Protection Act 1998, which states that when data have not
been obtained from the data subject, the data subject should be
provided with the information either "before the relevant
time or as soon as practicable after that time". In the context
of policing and crime prevention, I can envisage serious difficulties
over contacting the data subject and reluctance to be required
to do so when the need to transfer information can be urgent.
I intend to further enquiries of the Commission to confirm that
this is their position.
We are still considering whether the EU has
the jurisdiction to require Member States to impose criminal sanctions
as proposed in this instrument. We will seek to resolve that issue
before we look at what sanctions might be appropriate. You may
be interested to note that the maximum penalty imposed by s. 19
of the Commissioners for Revenue and Customs Act 2005 for wrongful
disclosure is two years' imprisonment.
I note your concerns about the creation of a
Committee chaired by the Commission and composed of representatives
of Member States (Article 16 DPFD). I explained to the House of
Commons Scrutiny Committee that the Government's position on comitology
in the Third Pillar is that it must be assessed rigorously, on
a case by case basis, to determine whether it would be appropriate,
and in what form. Comitology has been provided for in other Third
Pillar instruments and the Government is considering the position
in relation to the DPFD.
The determination of adequacy of data protection
in third countries is a significant issue, which arguably needs
to be decided collectively. This argument might amount to a case
for the Committee. This function is very similar to that performed
by the committee created under Article 31 of the Data Protection
Directive, as per Article 25(4) and 25(6) of the Data Protection
Directive. As I said, your concern on this point has been noted,
and will be taken account of as we continue to develop the UK
While the Government agrees that there is a
case for the consolidation of the Third Pillar supervisory authorities,
I do not believe that this Framework Decision is the place to
pursue that objective.
The Commission addressed the issue of the non-coverage
of Europol and Eurojust in Article 4.6 of the Impact assessment
13019/05 ADD 1. I largely agree with their analysis that the Framework
Decision is less a harmonisation measure than one to impose minimum
standards, and that including Europol and Euroust would probably
hamper its introduction by adding complexities. I believe that
the data protection provisions that apply to Europol and Eurojust
are adequate as they stand.
I regret that I cannot give you a detailed timetable
for the adoption of the proposal at the present time, as negotiations
have barely begun and Member States have not revealed their positions.
I will, of course, give you an estimate of the timetable as soon
as I have it.
I hope this letter clarifies the points you
have raised with me. I will, naturally, keep you fully informed
of developments as negotiations continue.
20 January 2006
Letter from the Chairman to Rt Hon Baroness
Ashton of Upholland
Thank you for your letter of 20 January 2006
in which you provide a very detailed response to our questions.
Sub-Committee F (Home Affairs) of the House of Lords Select Committee
on the European Union has re-examined this proposal in the light
of your information and the Opinion of the European Data Protection
Supervisor (EDPS) at a meeting on 8 February.
We note that you share our concern that the
accuracy and quality of personal data is adequately verified.
We hope you will agree that this would be better achieved by bringing
the provisions concerning the verification of data quality laid
down by Article 9 within the general rules on the lawfulness of
personal data processing in Chapter II, so as to complement the
requirements of Article 4(1). As a general rule, the Framework
Decision should also ensure that the provisions on proper verification
of data quality apply to all processing of personal data by law
enforcement authorities, including their further transmission
as envisaged by Article 11(1). As you will be aware, this is the
approach suggested by the EDPS. We would further emphasise the
additional safeguards recommended by the EDPS, in particular in
relation to the processing of biometric data and DNA profiles.
We would like to see these safeguards built into the Framework
Decision since they are relevant to current legislative proposals,
such as the draft Framework Decision on the exchange of information
under the principle of availability, entailing the processing
of biometric and DNA data.
You will also have seen that, according to the
EDPS, the criteria for data processing laid down in Article 4(4)
go beyond the requirements of necessity and proportionality, as
reflected in the case law of the European Court of Human Rights.
As currently drafted, the Framework Decision would allow the collection
of personal data simply on the ground that the competent authorities
believe that such data would facilitate or accelerate the prevention,
investigation, detection or prosecution of a criminal offence,
rather than on the basis of a demonstrable need for it. As highlighted
in the EDPS's Opinion, "almost any processing of personal
data could be considered as facilitating the activities of police
or of judicial authorities". We would like to see the criteria
under Article 4(4) tightened so as to comply with the requirements
of Article 8 ECHR.
With regard to personal data of non-suspects,
as you confirm in your letter, Article 7(1) lays down specific
safeguards only with regard to time limits, and only for a limited
number of persons who do not fall within any of the other categories
listed in Article 4(3). While we are glad to know that you will
be seeking clarification from the Commission as to why this residual
category was included in the first place, we do not believe that
Article 7(1) provides for satisfactory guarantees. Specific safeguards
should apply to all non-suspects and should impose restrictions
not only on time limits, but also on access to data and the conditions
for their collection, and on the refusal of access or information
to the data subject. We draw your attention to the EDPS's Opinion
at paragraphs 88-92 with regard to this point.
With regard to the rights of the data subject,
we believe that these should be aligned with those provided for
under other EU data protection instruments. We do not believe
that the case has been made out for a less stringent requirement
in the notification to be given in relation to data not obtained
from the data subject, ie that he or she be notified about the
data obtained or processed "within a reasonable time"
from disclosure rather than at the moment of disclosure. However,
we look forward to receiving clarification as to what might justify
such a provision from your enquiries with the Commission. We would
also welcome any insight into the implications of the absence
of an equivalent to Article 19(4) in Article 20 once you have
had a chance to consider this adequately.
We will be following closely negotiations on
the provisions regarding the determination of the adequacy of
data protection in third countries. This is undoubtedly an issue
of great and increasing significance and has been the source of
litigation in relation to First Pillar measures. It is all the
more important, in the context of the exchange of law enforcement
information, that a robust mechanism is in place which ensures
that data transfers occur only to third countries that have data
protection provisions which fully match European Union and Council
of Europe standards.
We would also like to reiterate our view that
the current fragmentation of data protection provisions in Third
Pillar measures is unsatisfactory against the background of closer
co-operation between law enforcement authorities, within the EU
and with Third States. We take your point that the data protection
provisions that apply to Europol and Eurojust are adequate as
they stand, but concur with the EDPS that in the longer term the
rules on data protection applicable to these agencies should be
made fully consistent with the present Framework Decision.
We are not persuaded, on the other hand, that
this Framework Decision is not the place to pursue the objective
of consolidating the Third Pillar supervisory authorities. Given
that you seem to agree that there is a case for it, perhaps you
could explain to us where the obstacles to this currently lie.
The Committee looks forward to receiving updates
on the progress of negotiations and revised drafts as soon as
they become available, along with the timetable for adoption of
the proposal. We would assume that the Information Commissioner
has been consulted on this proposal, and would also be grateful
if his views, once obtained, could be copied to us. In the meantime,
we will continue to keep the document under scrutiny.
8 February 2006
Letter from Rt Hon Baroness Ashton of
Upholland to the Chairman
Thank you for your letter of 8 February, and
for the further very detailed comments the Sub-Committee has made
on the Proposal in the light of my letter of 20 January, and the
Opinion of the European Data Protection Supervisor. These comments
are most helpful, and my officials will pay close attention to
them as they become relevant during the negotiations on this Proposal.
At this point I cannot add much more than that, but perhaps it
is worth saying that the negotiations on the Proposal are moving
forward, though slowly, and may achieve a first read through by
the end of the Austrian Presidency.
You raise several points of information. Firstly,
you asked about the justification for the requirement that when
data has been obtained from a third party, that the data subject
be notified about the data obtained or processed "within
a reasonable time" after the first disclosure, rather than
at the point of disclosure. The Commission explained that in the
context of criminal investigations there are circumstances in
which it would not be possible to comply with this requirement,
and that greater flexibility is required. Such circumstances might
be the difficulty in finding where an individual currently lives,
balanced against the legitimate need to transfer the data in a
timely manner. There is also a disproportionate effort clause,
to allow for the possibility that it would prove too burdensome,
or perhaps impossible, to find that out.
You also ask about the absence of an equivalent
to Article 19(4) in Article 20. The Commission indicated that
as the data was not obtained from the data subject, there could
be no right of information or appeal at that stage, as the data
subject would not be aware that data had been obtained and processed.
However, should the data subject believe that his data has been
obtained and processed, then an access request could be made under
the terms of Article 21, with the right of appeal to the supervisory
authority if access is refused or restricted.
As I said in my previous letter, while the government
does recognise in general terms the case for unifying the Third
Pillar supervisory authorities, this proposal is not intended
as an inclusive measure across the Third Pillar. Indeed, the option
of including Europol and Eurojust was specifically rejected by
the Commission in the impact assessment attached to the Framework
Decision (13019/05 ADD 1, para 4.6). EU JHA Ministers commitment
is to deliver this proposal as quickly as possible, in line with
the Council Declaration of 13 July 2005 on the EU response to
the London bombings, and I would be concerned that raising the
issue of the Third Pillar supervisory bodies, which is likely
to be difficult to resolve, would hinder that process.
You also asked about the inclusion of the residual
category of personal data included in Article 4.3. Previously
the Commission commented that special attention should be paid
to the necessity of processing the data of persons with regard
to whom there are no reasons to believe that they could contribute
anything to the prevention or prosecution of a criminal offence.
This applies especially to time limits for the storage of personal
data as it is set out in Article 7(1), second sentence. I believe
that this is a genuinely residual category, though, and is not
intended to be one of wide application.
My officials are in discussion with the Information
Commissioner on these proposals, and I myself hope to discuss
them with the Commissioner in the near future. As yet we do not
have a detailed consideration of the proposals from the Commissioner.
When I have that I will of course send it to you.
In conclusion, I apologise for the slight delay
in responding to you.
3 March 2006
Letter from the Chairman to Rt Hon Baroness
Ashton of Upholland
Thank you for your letter of 3 March 2006 in
which you further address our concerns with the proposal. You
also wrote that you were awaiting a detailed consideration of
the proposal from the Information Commissioner which you would
then kindly send to us. We have not yet received this information.
We have, however, been in correspondence with
the Information Commissioner on a number of EU instruments that
raise data protection issues, and a few important remarks were
made on this proposal in his letter of 21 February which we attach.
We would be grateful if you could address his question on scope,
i.e. that the data protection rules should apply to all processing
of personal data in the law enforcement field, particularly in
the light of the principle of availability. We assume this point
to be still relevant to the discussion. We are aware that negotiations
on the Third Pillar data protection proposal are progressing slowly
and that a revised draft of the proposal may yet have to emerge.
In the absence of a new text, we would be grateful if you could
provide us with an update on the state of play of discussions
in the Council and a tentative timetable for adoption. In the
meantime, we will continue to keep the document under scrutiny.
10 May 2006
Letter from Rt Hon Baroness Ashton of
Upholland to the Chairman
Thank you for your letter of 10 May 2006 regarding
comments made by Richard Thomas, the Information Commissioner,
in his letter to you of 21 February about the Data Protection
Framework Decision (DPFD). You raise a number of important points
and I have addressed each in order below.
With regard to your request for the Information
Commissioner's consideration of the proposed framework decision,
I think there has been some misunderstanding. In my letter to
you of 3 March, I noted that I would share with you any consideration
of the proposal that I received from the Information Commissioner.
However, I had not specifically sought a detailed consideration
from the Commissioner when I wrote to you on 3 March, and have
not as yet received one. My officials meet regularly with their
counterparts in the Information Commissioner's Office (ICO) and
I am satisfied that this is an effective way of keeping the ICO
informed and provides an opportunity to discuss various issues
as negotiations on the DPFD proceed. Of course, the Commissioner
is welcome to contribute a written consideration at any time and
may choose to do so as we progress towards a more final draft
of the DPFD.
You invited my comments on the point raised
by the Information Commissioner in his letter of 21 February regarding
the extent to which the DPFD might apply to all processing of
personal data in the field of law enforcement, rather than simply
to the exchange of personal data across borders. We are still
considering the many important issues concerning the scope of
the DPFD, including the extent to which it might apply to domestic
data processing and the potential impact that the principle of
availability might have. I think it is important to note that
while it would appear that there are no objections in principle
to the inclusion of domestic processing in the scope of the DPFD
at this present time, we naturally need to consider very carefully
the practical implications that this proposal would have for competent
authorities in the UK.
We have a number of concerns over the implications
of current text for the work of our stakeholders because the Framework
Decision defines the purposes for which personal data may be processed,
or further processed, so narrowly it would in fact prevent a number
of our organisations from fulfilling their proper duties efficiently
and effectively. Many of these duties are statutory and include
the protection of children, providing support to victims of violent
and/or sexual offences and preventing regulatory breaches in the
financial services industry. Of course, we could not commit UK
competent authorities to provisions that would prevent them from
carrying out their proper duties in a responsible and cost-effective
manner, particularly when a number of our difficulties appear
to stem simply from the different structure of our competent authorities
in comparison to those in other Member States, where the police
often have a wider remit than in the UK. Negotiations are therefore
currently at too early a stage to be able to provide any sort
of commitment on domestic processing, although we hope that progress
on the proposal will be made as quickly as possible, which will
enable us to clarify our position on this matter.
In his letter of 21 February, the Information
Commissioner also noted that the scope of the DPFD extends to
automated and structured manual data and expressed concerns that
this could lead to a reduction in protection in relation to unstructured
manual data. This is because the data protection rules that apply
to the current Schengen Information System (SIS), which also cover
unstructured manual data, would be superseded by those in the
DPFD when the SIS II is implemented. While I can understand the
Commissioner's concerns, it would be very difficult to include
unstructured manual files in the DPFD. The SIS applies to a limited
set of exchanged data, whereas the scope of DPFD is considerably
wider and, as discussed above, could also include purely domestic
data processing. In these circumstances it would not be possible
to apply the DPFD to unstructured manual data without imposing
a huge extra burden on data controllers in the UK and throughout
the EU. Of course, protection for unstructured manual data will
continue to be provided through other measures such as Article
8 of the European Convention on Human Rights and national law.
My officials discussed this matter on 21 June with representatives
from the ICO, and noted the enormous regulatory burden this would
impose on competent authorities. The ICO officials accepted that
this could be a significant issue and they would need to reconsider
You also asked about progress with the DPFD.
Some of the information above addresses this point; additionally,
as you will know, I recently discussed the matter of progress
with the House of Lords Select Committee on the European Union
Sub-committee F (Justice and Home Affairs) on 7 June as part of
its inquiry into the G6 meeting of Interior Ministers at Heiligendamm
in March where the principle of availability and data protection
were considered. I was very pleased to accept the invitation to
speak to the Committee and appreciate its ongoing interest and
support during negotiations on the DPFD. A number of significant
amendments have already been agreed on the proposal and productive
discussion on the first part of Chapter 3 took place at the most
recent Working Group meeting on 20 June. Revision 5 of the DPFD
was circulated yesterday and I have enclosed a copy for your information.
Negotiations are necessarily taking some time
in view of the vastly different police and judicial organisational
structures within Member States. However, at a UK level, we are
working hard to ensure that progress is made as rapidly as possible.
I have spoken personally to stakeholders about their views and
concerns regarding the DPFD. Officials are continuing to engage
proactively with our stakeholders to ensure we fully understand
the potential operational impact on the ability of our institutions
and organisations to carry out their work, and to determine how
we can help to move the negotiations forward. You may be interested
to know that my officials provided a room document at the Working
Group meeting on 20 June in order to help facilitate discussions
on further data processing, the focus of a number of the Articles
soon to be discussed. This contribution has been well received
and the UK has been invited to present the paper for more detailed
consideration at the next meeting on 7 July; I have enclosed a
copy for your information. Finland will chair the meeting on 7
July, and will hold monthly meetings from September. It is Finland's
hope that negotiations on the DPFD will be concluded under its
Presidency and the UK has made clear its full support for this
desire to quicken the pace of progress on the proposal.
27 June 2006
Letter from Rt Hon Baroness Ashton of
Upholland to the Chairman
I am writing with regard to comments received
on 11 January 2006 from Jimmy Hood MP, Chairman of the Commons
European Scrutiny Committee, about the Data Protection Framework
Decision (DPFD). Those comments were in response to my letter
to the Commons Committee of 30 November 2005 and I thought you
would be interested to know the substance of our exchanges. Mr
Hood MP highlighted three areas on which he welcomed further information
and in my response I also provided an update on the progress of
negotiations on the DPFD which may be of particular interest to
you. The three areas noted by Mr Hood MP were:
1. The effect of the exemption in Article
15(6) of the proposal on arrangements with third countries;
2. The proposed arrangement for a committee
chaired by the Commission to make determinations on the adequacy
of data protection in third countries (the proposed "comitology"
arrangements in Article 16); and
3. The need or otherwise for criminal sanctions
as provided for in Article 29.
The issues above reflect those raised by the
Commons Committee in Mr Hood MP's letter of 18 November. In my
response to him of 30 November, I provided answers to the questions
raised as fully as I was able to, bearing in mind that we were
in the early stages of negotiation. I also gave an undertaking
to send a further account once those issues had been considered
in detail by the Working Group. The Working Group has not yet
begun the first reading of the Articles noted above and so unfortunately
I was unable to expand on my comments of 30 November.
However, I also undertook to keep Mr Hood MP
in touch with developments on the DPFD more generally. My letter
to you of 27 June, copied to Mr Hood MP on 29 June, provided a
general update and I was also able to provide information about
the first DPFD Working Group to be chaired by Finland, which,
as you may know, took place on Friday 7 July. Discussions continued
on Chapter 3, focussing on articles 10 to 14. I noted in my earlier
letter to you that the UK had circulated a room document about
further processing at the meeting on 20 June, and the UK delegation
introduced this document to the Working Group on 7 July. The UK
received support from many Member States with regard to the content
of the room document and for the proposal that articles dealing
with further processing should be considered as a whole, rather
than delegations registering the same concerns on a series of
similar articles; in addition to forming a more coherent approach
to negotiations on further processing, it was also hoped that
this would help to speed up negotiations. Unfortunately the agenda
on 7 July was such that the time available to discuss the DPFD
was cut to around half of that normally available. However, the
Finnish Chair of the DPFD Working Group once again noted his keeness
to make more rapid progress on the dossier and the UK naturally
made its support for this sentiment known.
This keeness to make progress has translated
into an unexpected but very welcome second meeting this month
on 25 July. The Presidency circulated a revised text on 13 July
and has proposed that discussion at the next meeting is focussed
on specific aspects of Articles 10-18. I have enclosed a copy
of the Presidency's revised text for your information and hope
to make sufficient progress in the next meeting to be able to
soon provide you with the more detailed comments requested by
Mr Hood MP on Articles 15 and 16.
I hope this letter provides a helpful update
and, as always, I would be very happy to discuss any aspect further
17 July 2006
Letter from the Chairman to Rt Hon Baroness
Ashton of Upholland
Thank you for your letters of 27 June 2006 and
17 July which Sub-Committee F (Home Affairs) of the European Union
Select Committee considered at a meeting on 19 July 2006. We are
grateful to you for addressing the points raised by the Information
Commissioner in his letter of 21 February and for providing us
with an update on the state of play of negotiations.
We would also like to reiterate that we are
most grateful to you for giving evidence to Sub-Committee F as
part of our inquiry on the Heiligendamm meeting. The report Behind
Closed Doors: the meeting of the G6 Interior Ministers at Heiligendamm
has just been published (40th Report of Session 2005-06, HL 221)
and you will see that in one of the recommendations we call on
ministers to treat the proposed Data Protection Framework Decision
(DPFD) as a matter of priority. We are pleased to hear, therefore,
that UK officials are actively engaged in moving negotiations
forward and that there is hope to reach agreement on this proposal
within the Finnish Presidency. It is reassuring to learn from
the Finnish Minister of Justice hearing at the JURI Committee
in Brussels that the DPFD is a key goal of their Presidency.
You told us in evidence to the inquiry that
the UK has a robust protection regime for law enforcement data.
Other witnesses have highlighted, however, that it is the differing
levels of protection across EU Member States that are an obstacle
to the exchange of confidential information. What are needed are
harmonised rules which ensure the integrity and protection of
such information. The DPFD would ensure that robust standards
are replicated across Member States. It is also important to ensure
that these standards apply both to domestic data processing and
their transmission cross-border. As European supervisory authorities
have highlighted, in the light of the availability principle it
is not practicable to exclude domestic data from the scope of
the DPFD, as data which have been gathered in a purely domestic
context can hardly be distinguished from data that have been subject
to cross-border transmission. We reiterate our position that the
adoption of common rules on protection of data, where the latter
is intended for security purposes, is also a sine qua non for
establishing the availability principle.
We will continue to keep the document under
scrutiny pending further progress reports on negotiations.
19 July 2006
183 Correspondence with Ministers, 45th Report of
Session 2005-06, HL Paper 243, p 518. Back