Data and supplementary information

53.  The SIS currently stores only "alphanumeric" data (letters and numbers), comprising (as regards individuals) data on:

• names, including aliases;
• sex and "objective physical characteristics";
• date and place of birth;
• nationality;
• whether the persons are armed or violent;
• the reason for the alert; and
• the action to be taken.[40]

54.  Very often these details are not enough to give the authorities the information they need, and from the start it was realised that a system was needed for the supply of supplementary information. Each Member State holds this information on persons who are the subject of its alerts on SIS in a national database known as SIRENE (an acronym for Supplementary Information Request at the National Entry) under the control of a national SIRENE bureau, and the information on all these databases is accessible upon request to law enforcement agencies in all Member States.

55.  SIRENE, though an essential feature of the SIS system, without which it could scarcely function, had no mention in the 1990 Convention, and originally had no legal base. There are now provisions requiring each Schengen State to designate a national authority—its SIRENE bureau—to be responsible for the exchange of all supplementary information, and operating in accordance with a manual—the SIRENE Manual—published by a Management Authority. The SIRENE bureau is responsible for holding supplementary information in relation to all its own national entries and making it available to the bureau of other Schengen States.

56.  The SIRENE system has in the past been criticised for secretiveness; for a long time the SIRENE Manual was not published. However the Manual has now been revised and published.[42]

Categories of data

57.  As between the SIS and SIS II, the main development as regards the categories of data to be stored in the system is the addition of biometric data, in particular fingerprint and photographic data, but probably also in due course DNA profiles and retina scans.[43] Such data can be used in two different ways, and the SIS II legislation distinguishes between them:

• a "one-to-one" search, using the data to confirm identity, for example by comparing the fingerprints of the person purporting to be Joe Bloggs only against the fingerprints in SIS II registered as being those of person also called Joe Bloggs);[44] and
• a "one-to-many" search, where the data is used to identify a person by comparing his fingerprints with all other fingerprints in SIS II.

58.  A number of our witnesses were particularly concerned about the risks of inaccuracy which could result from one-to-many searches. Dr von Pommer Esche from the Police Intelligence Service of the German Federal Data Protection Office expressed concern about the reliability of biometrics when used for investigative purposes: "… if the Schengen Information System was not used for control purposes only it would change its character to a kind of investigative tool or method. That would be a new quality and in the long run if Member States insist on that possibility … then we must reconsider additional safeguards." (Q 299) For the Home Office Mr Rejman-Greene, a senior biometrics adviser, thought that with the rapid expansion of the database to many tens of millions of records, a necessary safeguard would be to ensure that the process was harmonised across Member States to an adequate standard: "We also have to bear in mind that each individual country will have their own standards and ways of enrolling people into a system and what needs to be checked is that that is being done across equivalent quality levels so that we do not get undue numbers of errors …" (Q 48) However, evidence from the Department for Constitutional Affairs (DCA) suggests that the Commission will be recommending only minimum standards, rather than fully harmonised enrolment rules. (Q 126)

59.  The accuracy and reliability of biometric technology is of particular importance given its growing and widespread use in information systems. Biometric systems can only be designed to search for an acceptable degree of similarity. We were told that the technology can be set to obtain a high, medium or low success rating. As Superintendent Flynn explained, "so to actually talk about percentages [of false matches] can be quite difficult and misleading because you can actually vary the accuracy of the sensors." (Q 228) Data protection authorities such as the European Data Protection Supervisor also warn against a tendency to overestimate the reliability of biometrics and their use as a unique means of identification.[45]

60.  The SIS II legislation permits the use of one-to-many searches only once the Commission reports that the relevant technology is available and ready.[46] Our witnesses differed as to the effect and timing of this.[47] Mr Peter Thompson, the Head of the European and International Division at DCA, pointed out that the report would itself "be subject to discussion in the Council and agreement by Council members, and also consultation with European Parliament" (Q 123); and we were told by Baroness Ashton of Upholland, the Parliamentary Under-Secretary of State at the DCA, that the Council decision would need to be unanimous. (Q 258)

61.  The SIS II legislation permits the use of one-to-many searches only once the Commission reports that the relevant technology is available and ready. The Government must press for:

• the Commission report to be drawn up on the basis of the opinion of independent experts;
• the certification by the Commission that the technology is ready, sufficiently accurate and reliable;
• the report to be adopted by unanimous vote of the Council after consultation with the European Parliament.

The Government must deposit the Commission report for scrutiny, and the views of Parliament must be taken into account.

Types of alert

62.  Unfortunately, we were unable to obtain many statistics on the operation of SIS. Mr Gerrit Huybreghts, a Council expert on statistics, explained to us that "it was only in 2005, because of remarks that were made in the European Parliament about secrecy in relation to the number of SIS data and because of questions from the academic world, that the Presidency took the initiative to publish yearly statistics but without giving details about the different Member States." (Q 327) He told us that delegations were sensitive about giving national data. Quite apart from that, "not a lot of statistics are made about the SIS and available at Council level … There is no large scale exercise in statistics for SIS I." (QQ 332, 333)

63.  The few statistics we have seen on the numbers and types of alerts are poorly presented and insufficiently informative. However the following figures show the numbers of entries on the central database at the beginning of 2005, 2006 and 2007:[48]

"There is no central record of all name changes. Individuals are responsible for notifying relevant agencies that they have changed their names."[50]

66.  It might be argued that the collection of statistics relating to SIS II would create too great an administrative burden upon Member States. However Member States are already obliged to collect statistics on the numbers of persons refused entry at EU external borders, the grounds for refusal, the nationality of the persons refused entry and the type of border at which they were refused entry.[51] They are also obliged to collect statistics relating to visas,[52] and concerning illegal migration at external borders.[53] A Regulation requiring Member States to collect comprehensive statistics on all aspects of migration and asylum has largely been agreed between the Council and the European Parliament.[54] Member States also collect information relating to European Arrest Warrants, including information relating to the use of SIS.[55] What is obviously needed for the purpose of assessing and monitoring the working of the SIS, and SIS II, is that national statistics are collected and presented in a format that makes them comparable and relevant.

67.  As is evident from Table 2, the vast majority of entries concern Article 96 alerts, i.e. unwanted aliens. A recent report by the Schengen Joint Supervisory Authority[56] on an inspection of the use of Article 96 alerts highlighted that there was an unacceptable divergence of national practices on the issuing of these alerts. As JUSTICE put it: "In some Member States expulsion decisions lead automatically to [a] SIS alert; in others a separate decision (and thus a separate verification of the necessity of [a] SIS alert) is needed. Two Member States are notorious for issuing alerts for all failed asylum seekers, other Member States do not operate such an automatic alert policy." (p.136)[57] Professor Guild also expressed concern about "the extraordinary flexibility of the criteria on the basis of which somebody may be registered in the SIS, and the very wide degree of discretion which is left to a particular Member State official to insert someone's information into the SIS." (Q 98) Problems with these alerts are compounded by what Mr Huybreghts referred to as the "very poor quality as regards [statistics on] Article 96 data". (Q 337)

68.  Full and clear statistics must be published at regular intervals, and should include:

• the number and type of alerts per Member State;
• the number and type of hits per Member State;
• the use of the SIRENE system for each type of supplementary information exchanged by each Member State; and
• actions taken following a hit for each type of hit and for each Member State.

69.  There must be harmonisation of statistics to ensure consistency and comparability between EU and national statistics on SIS II relating to extradition requests, visa refusals, refusals of entry at the border and refusals to grant or renew residence permits.[58]

70.  As for the use of SIS II data to refuse entry to persons, as we pointed out in a previous report, the wide divergence between differing national approaches to listing a person on the current SIS to ban them from entry cannot be justified.[59] It is therefore unfortunate that, contrary to the Commission's proposals, there has been no attempt to harmonise the substantive rules for listing persons to be denied entry; although at least the issue is due to be reviewed in the future. There has been some procedural harmonisation, as all Member States can ban a person from entry only following an individual assessment, and must give that person the right to appeal. The latter right is linked to the "right to information", a data protection right considered further in chapter 6.

71.  We welcome the procedural harmonisation concerning immigration alerts contained in the legislation, but there should also be harmonisation of the substantive rules for listing a person. There should be a requirement to publish in the Official Journal a summary of the different national laws and practices concerning the creation of an immigration alert.

72.  The forthcoming review of the grounds for listing an immigration alert should also examine how well the right to appeal is secured in practice, and whether there is a need to address the timing of the right to appeal, and its link with the right to information.

Family members

73.  A particular issue in this context is the application of SIS II to family members of EU citizens. Such persons, even when travelling with the EU citizen who is their relative, can be denied entry to and residence in other Member States pursuant to EU free movement law, but only if they represent a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society.[60] Furthermore, EU free movement law sets out detailed procedural rights.[61] The standard set by the current SIS rules, and the future SIS II rules, is much less strict.

74.  The conflict between these two sets of rules was addressed in a judgment of the Court of Justice in January 2006.[62]

75.  The Commission had proposed removing family members of EU citizens from SIS II, a position also supported by the Meijers Committee and ILPA, (Q 93)[63] but the Council and European Parliament decided to retain them, subject to an express reference to the priority of EC free movement law and the use of the SIRENE system. JUSTICE told us: "We cannot see the need to treat differently EU citizens (for whom an SIS alert cannot be issued) and third-country nationals with free movement rights (who will typically be spouses or close family members of an EU citizen) … it smacks of an unjustifiable discrimination …" (p 138)

76.  The United Kingdom is particularly affected by the application of the current SIS, and SIS II, to the family members of EU citizens.
A British family which includes a third-country national subject to a SIS or SIS II alert will not be able in practice to travel to the Schengen area. This is justified if the third-country national has committed crimes sufficiently serious to justify exclusion under EC free movement law, but not otherwise. The application of SIS and SIS II rules needs to be monitored closely to ensure that they are being correctly applied.

77.  SIS II will provide for the direct exchange of the full text of European Arrest Warrants, not just a summary of the data in each EAW as at present. The Crown Prosecution Service (CPS) told us that between January 2004 and August 2006, since the EAW had been functioning, they had issued a total of 307 EAWs in the United Kingdom on behalf of EU partners which had led to the arrest of 172 suspects; they estimated that their EAW caseload had doubled between 2005 and 2006. Due to the increased effectiveness of the SIS (and in future, SIS II) in determining whether an extradition request or EAW had been issued in respect of a particular individual, the United Kingdom's participation in SIS II would be likely to result in a doubling or tripling of the workload of the CPS and the Serious Organised Crime Agency (SOCA). (QQ 208, 213, 217) However, it appears from the evidence of Joan Ryan MP, the Parliamentary Under-Secretary of State at the Home Office, that no funding has yet been agreed to cover this; indeed the issue seems barely to have been considered. (QQ 589-591)

78.  The Home Office should start planning for the inevitable increase in the resources needed by the Crown Prosecution Service. The resources should be agreed in sufficient time so that the effectiveness of the Crown Prosecution Service in issuing and executing extradition requests and European Arrest Warrants is not reduced.

41   Source: Serious Organised Crime Agency. Back

42   The revised SIRENE Manual is annexed to Commission Decision of 22 September 2006 (OJ 2006 L 317/1). Back

43   These would however require amendments to the legislation. Back

44   It is possible, of course, that several persons share the name "Joe Bloggs". In that case, a comparison could take place also using the second biometric identifier (photographs), and/or other data stored on the SIS such as date and place of birth.  Back

45   Opinion of the EDPS on the draft SIS II legislation, OJ C 91/44 of 19 April 2006. Back

46   See Article 22 of the Regulation and Decision. Back

47   Home Office witnesses would be "disappointed" if the report was not produced by 2009 (QQ 579, 581). Back

48   Documents 8621/05 and 5239/06. Back

49   In 2006 the United Kingdom Identity and Passport Service processed 290,996 reports of lost and stolen passports: 237,879 reports of lost passports, 41,830 stolen, and 11,287 in other categories, including those reported as damaged or destroyed. In 2006 298,172 replacement passports were issued. This includes those issued to replace lost or stolen documents, and also replacements following a change of name, and replacements where the original passport has been damaged but is returned with the application for a replacement. (Official Report, 31 January 2007, col. WA 55) Back

50   Official Report, 29 January 2007, col. WA 15. Back

51   Article 13(5) of the Schengen Borders Code (Regulation 562/2006, OJ 2006 L 105/1). Back

52   Schengen Executive Committee Decisions, OJ 2000 L 239/173 and 196. Back

53   Schengen Executive Committee Decision, OJ 2000 L 239/176. Back

54   See Council document 17005/06, 22 Dececember 2006. Back

55   See most recently Council document 9005/5/06, 18 January 2007. Back

56   The report was published on 20 June 2005. The Joint Supervisory Authority (JSA), set up under Article 115 of the Schengen Convention, supervises the technical support of the SIS. The Information Commissioner has observer status which has allowed him to participate in meetings of the JSA discussing data protection issues arising from the move to SIS II. (p 39)  Back

57   The German automatic alert policy on failed asylum seekers is the basis of the litigation referred to in paragraph 74 below. Back

58   This might well be a task for Eurostat, the European Statistical Office in Luxembourg, but we have received no evidence on this. Back

59   Illegal Migrants: proposals for a common EU returns policy, 32nd Report, Session 2005-06, HL Paper 16, paragraph 134. Back

60   See in particular Cases: 41/74 Van Duyn [1974] ECR 1337; 67/74 Bonsignore [1975] ECR 297; 36/75 Rutili [1975] ECR 1219; 30/77 Bouchereau [1977] ECR 1999; 115/81 and 116/81 Adoui and Cornuaille [1982] ECR 1665; C-348/96 Calfa [1999] ECR I-11; C-100/01 Olazabal [2002] ECR I-10981;
C-482/01 and C-493/01 Orfanopolous and Olivieri [2004] ECR I-5257; and judgment of 27 Apr. 2006 in Case C-441/02 Commisson v Germany, not yet reported. Back

61   See in particular: Rutili (ibid); Adoui and Cornuaille (ibid); Orfanopolous and Olivieri (ibid); Commisson v Germany (ibid); and Cases: 48/75 Royer [1976] ECR 497; 98/79 Pecastaing [1980] ECR 691; 131/79 Santillo [1980] ECR 1585; C-297/88 and C-197/89 Dzodzi [1990] ECR I-3763; C-175/94 Gallagher [1995] ECR I-4253; C-65/65 and 111/95 Shingara and Radiom [1997] ECR I-3343; C-357/98 Yiadom [2000] ECR I-9265; C-459/99 MRAX [2002] ECR I-6591; and C-136/03 Dorr and Unal [2005] ECR I-4759. The substantive and procedural rules on the refusal of entry or expulsion of EU citizens and their family members have recently been revised in the Directive on EU citizens' free movement rights (Articles 27-33 of Directive 2004/38, OJ 2004 L 229/35, applicable from 30 April 2006).  Back

62   Case C-503/03 Commission v Spain, 31 January 2006  Back

63   See also the written evidence of the Meijers Committee, paragraph 5b, p 14. Back