79.  The current SIS is at present managed by France.[64] The Commission initially proposed that it should itself be responsible for management of the SIS II system.[65] However the idea of management by the Commission was unpopular with some Member States. Mr Sweet told us that the lack of trust in the Commission arose in part from the technical difficulties the Commission had had in delivering the programme, but also from "the extent to which those delays undermined Member States' confidence more generally in the Commission's ability to manage the system as a whole." (Q 36) It was therefore decided that a Management Authority should ultimately be responsible for the operational management of the Central SIS II. A Joint Declaration of the Commission, the Council and the European Parliament appended to the Regulation and Decision commits those institutions to having the Management Authority fully active within five years.

80.  During this five-year transitional period, responsibility for the management lies with the Commission, but it may delegate that task to national
public-sector bodies in two different countries.[66] Under the terms of the legislation, this delegation must "not adversely affect any control mechanism under Community law, whether of the Court of Justice, the Court of Auditors or the European Data Protection Supervisor".[67] In fact it appears that, as part of the overall agreement on the SIS II legislation, the Commission has already agreed to delegate management of SIS II during the transitional period to France and Austria, which are responsible respectively for the main site in Strasbourg and the back-up site in Sankt Johann im Pongau.

81.  One particular problem about the transitional period is that, despite the assertions in the legislation concerning the accountability mechanisms of EC law, the legislation establishing the EDPS limits his jurisdiction to data processing carried out by the EC institutions.[68] There is no provision permitting the EDPS to supervise data protection in Member States to which the Commission has delegated its powers. This means that the EDPS cannot take decisions concerning the processing of SIS II data in the Member States to which management has been delegated, or refer disputes to the Court of Justice.[69] Mr Thompson from DCA told us: "… we are content with the arrangements that the EDPS cannot bring proceedings under the Third Pillar and, indeed, the EDPS itself has never had powers where it could actually initiate proceedings against Member Sates." The reason for his lack of concern was that, in his view, proceedings were much more likely to be initiated at Member State level where national supervisory authorities (in this country, the Information Commissioner) could take action. (Q 117) We are not persuaded that this is a satisfactory alternative; this in our view is one more reason why the Management Authority should take over as soon as possible.

82.  We were told about five possible options concerning the future Management Authority. The Authority could be operated by the Commission, by Frontex (the EU's border control agency), by Europol, by one Member State on behalf of all of them, or by a new body to be established. Mr Faull told as that there would be "a major impact assessment on the long-term management of SIS II" which would also encompass "the other large-scale IT systems that have been created in the justice, freedom and security area." (Q 415)

83.  The Commission, despite its initial proposal that it should manage SIS II, and despite its current role managing Eurodac (the EU system for comparing the fingerprints of asylum-seekers), does not regard the management of large-scale information systems as one of its core functions. (Q 415) We agree that an essentially operational task like the management of information systems is not easily reconciled with the Commission's duties under Article 211 of the EC Treaty,[70] and is likely to be better performed by a separate agency. The question remains whether the task should be taken on by one of the EU's existing agencies, or by a dedicated agency. Professor Kees Groenendijk, giving evidence on behalf of the Meijers Committee, was suspicious that the underlying rationale for creating a new agency might be to put it out of reach of the Community "rules of remedies, liabilities, and the general rules on transparency …" (Q 82) Mrs Laura Yli Vakkuri who, when she gave evidence to us during the Finnish Presidency, was Chair of the Schengen Acquis Working Party, said that the preference of the Presidency would be for an independent agency. (Q 494)

84.  Management by an existing agency might avoid the likely delays and costs of creating an entirely new agency. However, it is unlikely that such delays and costs would be significantly reduced by assigning the management of SIS II to either of the two obvious candidates, Frontex or Europol. Frontex does not even have access to SIS data, nor will it have access to SIS II data under the governing legislation. Europol has only recently established its own information system, after extensive delays. Neither agency has sufficient relevant expertise in managing large-scale information systems. In the case of Europol there might be a conflict of interest, or at least a perception of one, between its role as a user of the service and as a service provider, particularly since it is supposed to have access only to limited categories of data.

85.  Furthermore, both agencies have specialised functions of their own: Frontex has the first pillar function of assisting Member States to enforce external border controls, while Europol has the third pillar role of assisting police investigations. Europol has no direct involvement in the judicial aspects of the SIS (transmitting extradition or EAW requests, and requesting witnesses and evidence for trial purposes). Mrs Yli-Vakkuri questioned whether it was even legally possible for a first pillar agency to process third pillar information, or conversely for a third pillar agency to process first pillar information. (Q 494)

86.  The planned Visa Information System (VIS), which will store information on all applications for short-term visas to visit the Schengen States, is likely to develop into a system even larger than SIS II. (Q 96) The intention is that a dedicated agency should be set up for the management of VIS. It appears that discussions have already taken place to link the VIS and the SIS II, which complicates decisions over the future management of such large-scale European databases. (QQ 403, 420, 511)

87.  Whatever is eventually decided, the legislation to establish the Authority must set out clear rules as regards the responsibility of the Commission, which is empowered to adopt many implementing rules governing the operation of SIS II, and the role of the Authority managing the system. It is also important to ensure that Member States' governments, parliaments and the public are able to scrutinize the management of SIS II effectively, and that the Authority is fully accountable for its activities. This would be even more important if, as suggested, the Authority also has responsibility for the Visa Information System, along with responsibility for other information systems or related functions, and if the EU develops the principle of "interoperable" information systems.

88.  The Government should press for the establishment as soon as possible of a dedicated Management Authority for the Central SIS II. The legislation setting it up must provide for:

• the Authority to have the required technical expertise in overseeing and operating large-scale information systems;
• the Authority to be required to publish full and clear statistics at regular intervals;[71]
• the Authority to be subject to effective scrutiny, including by the Court of Auditors;
• clear differentiation between the tasks which remain the responsibility of the Commission, and those delegated to the Authority;
• clear lines of accountability.

89.  Questions also arise in relation to the accountability of the Authority before the courts. There may be differences depending on whether the Authority is carrying out duties under the first or the third pillar. It should be made clear to what extent Community and national courts will have jurisdiction in proceedings brought against the Authority in the first or third pillar, for example where a data subject alleges a breach of confidentiality.

90.  The Government should ensure that individuals affected by the actions of the Management Authority are not left without an effective recourse to justice.

65   Article 12 of the proposed Regulation and proposed Decision, respectively COM(2005)236 and 238. Back

66   Article 15 of the Regulation and Decision. Back

67   Article 15(7) of the Regulation and Decision. Back

68   Regulation 45/2001 (OJ 2001 L 8/1). Back

69   See Articles 46 and 47 of Regulation 45/2001, ibid. Back

70   Article 211 requires the Commission to ensure that the provisions of the Treaty and the measures taken pursuant to it are applied; to formulate recommendations and deliver opinions; to have its own power of decision under the Treaty; and to exercise powers conferred on it by the Council. Back

71   We do not believe that the requirements of Article 50(3) of the Regulation and Article 66(3) of the Decision go far enough. We explain in paragraph 68 above what these statistics should include. Back