Schengen and SIS

12.  The 1990 Schengen Convention provides in Articles 92-119 for the establishment, operation and use of the SIS, and for protection of the data contained in it. Articles 94 to 100 divide the data entered in the SIS into a number of different categories of "alerts". The word "alert" is used in a technical sense, and is defined in relation to SIS II as "a set of data entered in SIS II allowing the competent authorities to identify a person with a view to taking specific action".[8] The categories of alert are:

(a)  persons wanted for extradition to a Schengen State (Article 95);

(b)  a list of non-EU citizens ("third-country nationals") who should in principle be denied entry to any of the Schengen States (Article 96);

(c)  missing persons or persons to be placed under police protection (Article 97);

(d)  persons wanted as witnesses, or for the purposes of prosecution or the enforcement of sentences (Article 98);

(e)  persons or vehicles to be placed under surveillance or subjected to specific checks (Article 99); and

(f)  objects sought for the purpose of seizure or use in criminal proceedings (Article 100).

13.  Each Schengen State decides which of its law enforcement and immigration control authorities are to have access to some or all categories of SIS alerts, and for which purposes. If a national authority finds that a particular individual or object is listed in the SIS, this is known as a "hit". The following are examples of the way the system works.

14.  The current SIS began operations in March 1995, when the Schengen Convention was first fully put into force for an initial group of seven Member States.[10] The Convention was later extended, and by March 2001 it applied fully to all of the first fifteen EU Member States, except the United Kingdom and Ireland.[11] The Convention also applied by that date to the associated States of Norway and Iceland.

15.  In the meantime, the legal framework for the Schengen Convention and the measures building on it (known collectively as the "Schengen acquis") altered fundamentally on 1 May 1999, when the Treaty of Amsterdam came into force. This Treaty aimed to integrate the Schengen acquis into the EU's legal order. This meant that the existing Schengen acquis would henceforth be treated as if it were EU law, and that all future measures building on that acquis would be adopted according to EU decision-making procedures. These procedures differ according to the different legal bases in the Treaties which confer power upon the EU institutions.

16.  Accordingly the Council was obliged to adopt a decision allocating all of the Schengen acquis in force as of 1 May 1999 to a legal basis in either the EC Treaty (which among other things deals with economic integration, including immigration law) or the EU Treaty (which deals with the EU's Common Foreign and Security Policy—the "second pillar"—and cooperation in criminal law and policing—the "third pillar"). The Council was able to agree on allocating the entire Schengen acquis to a legal base in the "first pillar" (the EC Treaty) or the "third pillar" (the policing and criminal law provisions of the EU Treaty), except for the provisions concerning the Schengen Information System.[12] The reason the Council was unable to agree on the allocation of the SIS provisions was that they applied simultaneously to data concerning immigration (which in principle should be subject to legal bases in the "first pillar" EC Treaty) and to data concerning policing and criminal law (which in principle should be subject to legal bases in the "third pillar" part of the EU Treaty).

17.  As a result, by way of default, all SIS provisions are regarded as falling within the third pillar (policing and criminal law). However, the Treaty of Amsterdam requires that any new measures "building upon" the Schengen acquis which was in force back in May 1999 have to be adopted using the correct legal bases. So, despite the failure to agree on the "legal base" for the SIS provisions in the Schengen acquis, it is necessary to use the relevant EC Treaty "legal bases" for any new measure concerning SIS immigration data to be adopted after May 1999.[13]

The United Kingdom position

18.  When the Schengen acquis was integrated into the legal framework of the EU by a Protocol to the Amsterdam Treaty,[14] the United Kingdom gained the possibility to request participation in all or part of that acquis, subject to approval by the unanimous consent of the Schengen states. To that end, the United Kingdom requested and gained approval in 2000 to participate in all of the Schengen acquis provisions concerning criminal law and policing (except for cross-border hot pursuit by police officers).[15] This also entailed participation in the SIS, as regards criminal law and policing information, but not the SIS immigration data, concerning the list of persons to be denied entry into the Schengen States. The Schengen provisions in which the United Kingdom had been given permission to participate were put into effect for this country from 1 January 2005.[16] The United Kingdom should have been ready to be linked to the SIS database by late 2004, but to date it has failed to connect to the system. Home Office officials told us that this proved impossible due to technical difficulties and "acts of God", such as a fire which destroyed some equipment. (Q 8)

19.  The later application of Ireland to participate in the same provisions of the Schengen acquis as the United Kingdom (except for the provisions on cross-border police surveillance) was approved in 2002,[17] but has not yet been put into effect in any respect.

The need for SIS II

20.  As we have said, initially the main purpose of a new version of the SIS was to accommodate the inclusion of the EU's new Member States. The creation of a new system was also seen as an opportunity to provide for additional technical features, in particular for the inclusion of biometric data (data directly concerning the physical characteristics of individuals, such as photographs, fingerprints, DNA profiles or retina scans).

21.  In the event, neither the United Kingdom nor Ireland has sought to opt in to the measures concerning SIS II immigration data, but they will both be covered by the measures concerning policing and criminal law data, as well as concerning access by vehicle registration authorities to data on stolen vehicles (see further discussion of the new SIS II legislation in paragraphs below). We consider in chapter 7 whether the Government should attempt to obtain access to some of the SIS II immigration data, and to share United Kingdom immigration data with other Member States.

The timetable of SIS II

22.  The initial intention was to implement SIS II in 2007, in parallel with the extension of the Schengen area to the EU's new Member States (the ten Member States joining in May 2004).[18] When, as far back as 2001, the Council entrusted the Commission with the development of SIS II, its mandate ran to 31 December 2006; five years was thought to be generous. But following the Commission's award of the tender for the SIS II project, a disappointed tenderer brought legal proceedings against the Commission. The Court of First Instance[19] suspended the award of the tender until its interim ruling, in which it strongly criticised the Commission's conduct in issuing the tender, but nevertheless allowed it to proceed. The case was subsequently settled.[20]

23.  This was the main cause of delay, but there was no lack of other delaying factors. There was uncertainty regarding the sites for the development until agreement was reached that the main site should be in Strasbourg, with the back-up site in Sankt Johann im Pongau, in Austria. Problems arose with the air-conditioning which is an important feature of such a project. (Q 5) The implementation of the SIS II contract by the successful tenderer ran into difficulties; the Commission admitted that it did not sufficiently supervise the tenderer, due to a lack of qualified staff. (Q 392) And finally, in the Commission's own inimitable words, "the complexity of the project itself also had a negative impact on the planning"[21]—a fact which should come as no surprise to those familiar with the fate of similar projects in this country.

24.  In July 2006 the Commission accordingly proposed that its mandate should be extended to 31 December 2007, and this was agreed. But barely two months later the Commission proposed an extension of its mandate by a further year, to 31 December 2008.[22] No further reasons were given for this either by the Commission or by the Home Office in their Explanatory Memorandum on the proposal. Nevertheless, this further extension was also agreed.[23]

25.  The A8—the ten Member States which acceded in May 2004, less Cyprus and Malta—believe they are being treated as second class States from the point of view of free movement of persons. They had been led to believe that they would join the Schengen area by October 2007, and this date had been re-affirmed by the European Council in June 2006. They had been anxiously awaiting SIS II coming into operation, and were dismayed by these delays. Some of them had invested considerable resources to ensure that their internal record systems would be of a standard which would enable them to join. We heard an eloquent speech to this effect from the Chairman of the Constitutional Rights Committee of the Estonian Parliament. At a joint meeting in November 2006, the foreign ministers of the Visegrád countries[24] and the three Baltic States were still pressing for adherence to the original timetable.

26.  In October 2006 Portugal put forward a proposal, which it called "SIS one4all", to allow the SIS to be adapted to include the A8, so enabling them to join Schengen by October 2007.[25] Some of those States were initially unenthusiastic, believing that they should not accept a halfway house; other States, and not just the A8, feared that this would further delay SIS II. The Commission believed that it would add nine months to the planning of SIS II. Nevertheless on 5 December 2006 the Justice and Home Affairs Council, after re-affirming that "the development of the SIS II remains the absolute priority", decided to implement SIS one4all for the A8, and invited the Commission to present yet another revised timetable for SIS II by February 2007.

27.  Since the requirement to develop a new generation of the SIS was apparent many years ago, in the light of the planned enlargement of the EU, there was an opportunity for long-term strategic planning of the project, which could have avoided the delays and reduced the costs which have affected the SIS II project. This opportunity was missed. There are lessons to be learned by the EU as regards the planning and development of other large-scale multinational information systems.

The United Kingdom's timetable

28.  As we have said,[26] the United Kingdom does not participate in the current SIS, nor has it any plans to do so. Home Office witnesses told us that their assessment in October 2005 was that SIS I connection for the United Kingdom would not have been achieved by the time SIS II would have been delivered for the rest of the Member States.[27] Ministers decided that efforts should be concentrated on delivering SIS II to a properly robust programme and timetable. The United Kingdom's "aspiration is to join SIS II in 2009. We think we will be ready … all Member States will be connected when the UK will join in 2009." (QQ 8, 11) But Superintendent Mike Flynn, the Director of the Joint Operational Authority of SIRENE UK,[28] was of the view that, once the central system of SIS II was in operation, "the new Member States, of which the United Kingdom will be one, will have a staggered integration into the system, and we would reasonably expect this to be about 2010". (Q 202)

29.  The inevitable further delay entailed by SIS one4all might have been bad news for the law enforcement authorities of this country. As it is, unless there is further disastrous slippage in the timetable for SIS II, it will be operative by the time the United Kingdom can be connected. This does not explain why Ministers are content for the United Kingdom to be the last Member State to be connected to it, or for our law enforcement authorities to be the last to benefit from the scheme.

30.  Ministers should put more resources into the development of the national connection to SIS II. Whenever the central system is ready, the United Kingdom should be ready and able to participate as early and as fully as possible.

31.  It does not appear that the Government have considered that the United Kingdom might join SIS one4all. Since this was designed for those States which had plans to join SIS II in 2007, and since the United Kingdom had in any event no plans to join before 2009 at the earliest, no doubt the Government felt that SIS one4all was not relevant and need not affect its plans. At least, agreement has been reached that the United Kingdom need not contribute to its cost.[29]

The cost

32.  The cost of developing SIS II is a charge on the budget of the EU. Since the Commission was charged with the task of developing SIS II at the end of 2001, a total of over €26 million has been committed to this project from the EU budget.[30] According to the Commission's proposed SIS II legislation, the EU budget will be charged a further €114 million between 2007 and 2012 to get SIS II up and running.[31] Of this the United Kingdom pays 18%: a full contribution, despite not having access to all the information on SIS II. (QQ 28-32)

33.  The current Home Office estimate for the cost to the United Kingdom of implementing SIS II is £39 million. Additionally there is an annual cost of £500,000 to the Commission for its costs in running the system, and operational costs for running the system in the United Kingdom, the supporting technology and the people to manage it of the order of £3 to £4 million. (QQ 22-27)

Lack of transparency

34.  The Commission did not conduct an impact assessment of the SIS II proposals, even though these have become standard for any significant EU legislative proposal. Furthermore, the Commission's legislative proposals for SIS II were accompanied by an explanatory memorandum that only briefly set out the background to the proposals, whereas the explanatory memoranda for proposed EC or EU legislation usually explain the proposed legislative text in detail.

35.  In its written evidence, the Commission told us that "the underlying rationale and nature of the system [SIS II] will remain the same as the current SIS. An impact assessment and public consultation were, therefore, not necessary." For the Home Office, Jonathan Sweet repeated this, and did not suggest that there was anything inadequate about this procedure. (Q 33) However in oral evidence Jonathan Faull, the Director-General for Justice, Freedom and Security at the Commission, reassured us that an impact assessment would be carried out before new functions of considerable importance were implemented, such as the full use of biometric data and its use for searches. (Q 387)

36.  The Commission had formally consulted several persons and bodies, among them Mr Peter Hustinx, the European Data Protection Supervisor (EDPS). However it seems to us that the Commission did not take his views seriously. In his formal Opinion on the proposals for the legislation, delivered in reply to the Commission's request, Mr Hustinx stated: "It is in many respects difficult to know what the intention behind the texts is; the absence of an explanatory memorandum is highly regrettable … Moreover, one can only regret there has been no impact assessment study. The fact that the first version of the system is already in place does not justify this, since there are considerable differences between both."[32]

37.  Other witnesses have also regretted the lack of explanatory material. We share this view. In the light of the considerable cost and resource implications for all Member States (including the United Kingdom) resulting from the development of SIS II, an impact assessment was obviously desirable. The existence of the prior agreement of the Council on SIS II is no answer. As for the explanatory memorandum, the extensive changes which the Commission proposed to the current SIS merited a detailed explanation, as is usual with the great majority of EU legislative proposals.

38.  A project of this importance and magnitude needs to be developed openly and publicly. It potentially affects not just EU citizens, but also hundreds of thousands of non-EU citizens who may wish to travel to or reside in the EU. Information must be readily available, not just to EU institutions and national experts, but to all those affected.

39.  It is unacceptable for a project with such cost and resource implications to be developed without a prior full impact assessment, and a full legislative explanatory memorandum.

40.  The Government should press for greater transparency in the future development of the project, including the award of contracts.

Legislation for SIS II

41.  The legislation for the establishment of SIS II was contained in three measures proposed by the Commission in May 2005: a Regulation concerning SIS II immigration data; a Regulation concerning access by vehicle registration authorities to SIS II data on stolen vehicles; and a third pillar Decision concerning policing and criminal law data.[33] Three different measures were necessary because any measures 'building upon" the Schengen acquis following its integration into the EU's legal framework had to be based upon the correct legal bases in the EU and EC Treaties: EC immigration law powers (as regards the immigration data); EC transport law powers (as regards access to data on stolen vehicles); and EU policing and criminal law powers (as regard police and criminal law data).

42.  The SIS II Regulation concerning immigration data will take effect as EC law, whereas at present the current SIS remains almost entirely a third pillar measure. This will entail the direct applicability of the Regulation in national legal systems, the Court of Justice's jurisdiction in the truncated form applicable to EC immigration and asylum law,[34] and the application of EC rules and principles in other areas (such as the use of the EC budget, the rules on accountability of EC bodies, and the application of EC data protection rules).

43.  The two EC Regulations were both subject to the co-decision procedure with the European Parliament, as well as to qualified majority voting in the Council. After an agreement at first reading between the Council and the European Parliament, both Regulations were adopted on 20 December 2006, and entered into force on 17 January 2007.[35] The third pillar Decision, which was subject to consultation with the European Parliament and unanimous voting in the Council, has been agreed in principle but was not adopted at the JHA Council meeting on 15 February 2007 because Denmark and Sweden maintained their parliamentary scrutiny reserves.[36]

44.  As compared to the current SIS, the new legislation provides for the inclusion of biometric data into SIS II, as mentioned above. The new legislation also provides for revised rules on data protection. Although all six of the current categories of alert have been retained, without any additional categories being added, there have been amendments to the detailed rules applicable to four categories (immigration alerts, extradition alerts, surveillance alerts and alerts on objects).

45.  As for access to alerts and the power to input alerts, the existing rules are unchanged, except for an extension of access to alerts for the national members of Eurojust, the EU prosecutors' agency, which will have power to access alerts concerning extradition, missing persons, wanted persons and alerts on objects.[37] There are also revised provisions on the system of "flagging" alerts, which allows a requested State to prevent a requested action (such as the arrest of a person) from being carried out on its territory following a hit. (QQ 231-233) Furthermore, SIS II will provide for a link between different alerts; the current SIS does not provide for this.

46.  The Commission's proposals would have gone further in several respects, in particular: requiring a greater level of harmonisation regarding the grounds for issuing an immigration alert; conferring power upon the Commission to manage SIS II; providing for more detailed rules on the authorities with power to access alerts and the circumstances in which they could access them; allowing wider possibilities for the transfer of SIS II data to third parties; and setting out longer periods for retaining data in SIS II as compared to the current SIS.[38]

47.  During the negotiation of this proposal, in the first half of 2006 the Austrian Presidency sought to drop most of the changes to the existing Schengen Convention rules that had been proposed by the Commission. However, the Council had to modify this approach in order to take account of the joint decision-making power of the European Parliament, which wanted to retain many of the changes proposed by the Commission and insert further changes of its own. The Council agreed on the legislation in June 2006, but negotiations with the European Parliament continued under the Finnish Presidency before the texts could be agreed and adopted.

48.  It proved difficult for parliaments and civil society to obtain any access to texts under discussion, or to follow the progress of negotiations between the Council and the European Parliament. JUSTICE pointed out the "notorious difficulty for non-governmental organisations … to obtain up-to-date information about the current state of Commission proposals for legal instruments, such as SIS II, under negotiation in the EU Council". (p 132) The situation is complicated because when the European Parliament and the Council seek to agree on legislation at the "first reading" of the co-decision process,[39] there is no formal or even informal arrangement governing the conduct of their negotiations. (QQ 76, 128, 383, 482)

49.  The lack of transparency in Council proceedings, and in co-decision negotiations between the Council and the European Parliament, is an issue relevant to all areas of EU policy-making, and has been particularly noticeable in the negotiations on the SIS II legislation. The Government should press the EU institutions to ensure greater openness and transparency of their proceedings, and in particular to codify the procedures for co-decision negotiations. All drafts of legislation should as a general rule be published immediately.

50.  The legislation does however require regular reports and evaluations of
SIS II, unlike the current SIS, where there is in practice no system of reporting to the public or evaluating its functioning. This is an improvement we welcome.

Issues concerning United Kingdom implementation

51.  To date, there has been minimal public consultation or Parliamentary scrutiny concerning United Kingdom participation in the Schengen Information System. Given the direct and indirect costs of participation, (Q 22) and its potential significance for both civil liberties and the operational effectiveness of our law enforcement authorities, this is most regrettable. There will be no opportunity for such a debate when SIS II is implemented in the United Kingdom if, as the Government assert, participation in SIS II does not require any amendment of our domestic law. (Q 592)

52.  To facilitate public debate on SIS II and to ensure effective Parliamentary scrutiny of United Kingdom participation in the project, the Government should undertake to publish regular reports on our preparation for SIS II, and on the planned and actual impact on the United Kingdom.

9   See Article 15 of the Convention, read in conjunction with Article 5. Back

10   Belgium, France, Germany, Luxembourg, Netherlands, Portugal and Spain. Back

11   See paragraphs 18-19. Back

12   The decision allocating the acquis can be found in OJ 1999 L 176/1. Back

13   Modest amendments to the current SIS were given effect by an EC Regulation and an EU third pillar Decision adopted in 2004 and 2005, which among other things gave access to Europol and Eurojust. (OJ 2004 L 162/29, and 2005 L 68/44). Back

14   Protocol integrating the Schengen acquis into the framework of the European Union. Back

15   OJ 2000 L 131/43. Back

16   OJ 2004 L 395/70. Back

17   OJ 2002 L 64/20. Back

18   See the Hague Programme, adopted on 5 November 2004, paragraph 1.7.1: "The European Council urges the Council, the Commission and Member States to take all necessary measures to allow the abolition of controls at internal borders as soon as possible, provided all requirements to apply the Schengen acquis have been fulfilled and after the Schengen Information System (SIS II) has become operational in 2007." Back

19   The Court of First Instance is attached to the Court of Justice to hear designated categories of cases. There is a limited right of appeal to the Court of Justice on points of law. Back

20   Capgemini Nederland BV v Commission, Case No T 447/04, [2005] ECR II-257 Back

21   Explanatory memorandum to the proposal for the extension of the mandate in Document 11746/06. Back

22   Document 12737/06. Back

23   OJ 2006 L 411/1 and L 411/78. Back

24   Czech Republic, Hungary, Poland and Slovakia. Back

25   Document 13540/06. Back

26   Paragraph 18. Back

27   Yet as recently as 28 June 2006 the Commission stated, in its Report on the implementation of the Hague Programme for 2005: "The Council Decision on the implementation of part of the SIS by the United Kingdom will be adopted after finalisation of the necessary technical amendments in that Member State" (COM(2006)333 final, paragraph 33)  Back

28   For an explanation of SIRENE UK, see paragraphs 54-55. Back

29   The initial proposal was uncosted, and we have not seen any estimate of what the costs may be either of SIS one4all itself, or of the consequent delays in SIS II. Back

30   The exact figure is €26,400,775. This is derived from the EU's annual budgets, which indicated a charge of €950,000 in 2002 (OJ 2002 L 29, p 1054), €500,000 in 2003 (OJ 2003 L 54, p 871), €8,100,775 in 2004 (OJ 2004 L 53, p 1000), €15,800,000 in 2005 (OJ 2005 L 60, p 1078), and €1,050,000 in 2006
(OJ 2006 L 78, p 994). Back

31   See COM(2005)236, 31 May 2005, page 46. Back

32   OJ C 91/38 of 19 April 2006. Back

33   See respectively COM(2005)236, 237 and 230, all 31 May 2005. Back

34   This will mean an increase in the Court's jurisdiction in most new Member States, but a reduction in its jurisdiction in most old Member States, compared to the current SIS, which is essentially subject wholly to the Court's third pillar jurisdiction as set out in Article 35 TEU, which gives Member States options as to whether to confer jurisdiction upon the Court at all regarding references from their national courts. On the decisions taken by Member States, see OJ 2005 C 327/19. Back

35   Regulation (EC) No 1986/2006 of the European Parliament and of the Council of 20 December 2006 regarding access to the Second Generation Schengen Information System (SIS II) by the services in the Member States responsible for issuing vehicle registration certificates (OJ 2006 L381/1 of 28 December 2006); and Regulation (EC) No 1987/2006 of the European Parliament and of the Council of
20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ 2006 L381/4 of 28 December 2006). It is to the latter Regulation that we refer hereafter as "the Regulation". Back

36   Council Decision on the establishment, operation and use of the Second Generation Schengen Information System (SIS II). The latest text is document 14914/06 of 12 December 2006. We have maintained our scrutiny reserve but have indicated, in accordance with paragraph 3(b) of the reserve, that ministerial agreement need not be withheld pending scrutiny. This is the Decision to which we refer hereafter as "the Decision". Back

37   At present Eurojust can only access alerts concerning extradition and wanted persons. Back

38   The final legislation simply applies to SIS II the current SIS rules regarding the period of retaining data (compare Articles 112 and 113 of the Schengen Convention, as amended in 2005, with Article 38 of the Regulation and Articles 44 and 45 of the Decision). Back

39   In the co-decision process, there are up to three readings of legislation in the Council and the European Parliament, but legislation can be agreed at any of the three readings. By 2005, legislation was agreed at first reading in over two-thirds of cases. The readings under the co-decision process are not comparable to readings under the Westminster Parliamentary process. Back