91.  The provisions on access to SIS II data specify broadly that the authorities responsible for border control or police checks, along with judicial authorities, can access the data. It will be possible for authorities responsible for issuing visas and for considering applications for visas or residence permits[72] to search SIS II immigration data.[73] These provisions simply copy the rules governing the current SIS, and can be compared with the Commission's more ambitious proposals to set out in more detail the precise circumstances in which different national authorities could have access to different types of SIS II data.

92.  The common rules of the Regulation and Decision on data processing provide for restrictions on the copying of SIS II data and on access to and use of SIS II data other than for the purposes of checking for the specified alerts and taking action following a hit. However, unlike the first pillar Regulation governing immigration data, the third pillar Decision, dealing as it does with police and judicial cooperation in criminal matters, allows the further use of data for other purposes, where this is "linked with a specific case and justified by the need to prevent an imminent serious threat to public policy and public security, on serious grounds of national security or for the purposes of preventing a serious criminal offence". Prior authorisation from the Member State issuing the alert must be obtained for this purpose.[74] This is not permitted under the current SIS rules.[75]

93.  However Superintendent Flynn told us that in practice, because of the limited descriptive detail in a Schengen alert, the SIS database did not lend itself readily to investigative purposes; there were much fuller and more reliable databases and partnerships in place for the exchange of information for those purposes. (Q 240) The provision on the further use of data may therefore be little used, at least for the present.

94.  It would have been desirable for Member States to be required to indicate in what circumstances they would consent to other Member States' further processing of SIS II data. Otherwise, the use of SIS II data as an investigatory tool, which a number of our witnesses objected to in principle, would be taking place without effective public knowledge or accountability.

95.  In order to ensure accountability, we believe that all Member States should report on the circumstances in which they will allow further processing of SIS II data, and when they will permit other Member States to process further SIS II data which they have entered.

96.  The common rules also require, for the first time, the publication in the Official Journal of a list of the national authorities authorised to search SIS II data, and for what purposes.[76] We were sent by the Home Office a list of the United Kingdom authorities which would have access to SIS II, but were asked to treat it as confidential. Accordingly we do not include it with the published evidence. Mr Mike Fitzpatrick, the Home Office SIS Programme Director, did however explain that most of the 80 United Kingdom authorities were constabularies. (Q 13)

97.  We are concerned that this information is treated as classified. From the perspective of the person whose data is stored it is crucial to be able to determine exactly who decides which personal data is stored, and for what reason it is stored. Equally, it is important to be able to determine exactly who has access to that data, and for what purpose. This was strongly suggested by Mr David Smith, the Deputy Information Commissioner. (QQ 175, 178) The jurisprudence of the European Court of Human Rights makes clear that an interference with private life, which any storage of personal data on an information system amounts to, can only be justified on grounds of the public interest if the rules governing such interference are sufficiently detailed and accessible to the public.[77]

98.  We believe that this information should currently be available as regards all Member States. In particular, it is inexcusable that the Government do not feel able to make public which United Kingdom authorities will be able to access SIS II data in the future. This is all the more perplexing given that this information will have to be published once SIS II is up and running. We cannot imagine how publication of this data could restrict the operational effectiveness of law enforcement authorities in particular cases, or in general.

99.  We welcome the provision requiring the publication of information on which authorities have access to SIS II data, and for what purposes. There is no reason why such information could not be published already in respect of access to data held in the current SIS.

100.  The Government should now publish:

• the list of those authorities which will have access to SIS II data;
• the purposes for which they will have access;
• the list of those authorities which will be able to input data into SIS II; and
• the circumstances in which they will be able to do so.

Access to immigration data for asylum purposes

101.  One particular issue that arose during discussion of the SIS II immigration data Regulation is the question of United Kingdom access to (and input of) alerts for asylum-related purposes. We discuss this in chapter 7, but there is an underlying issue as to whether in any Schengen State asylum authorities should have access to SIS data at all. It appears from the evidence that so far only Austria gives asylum authorities access to the SIS. (Q 359)

102.  The Commission had proposed that authorities should have access to data on persons in the context of an asylum procedure in order (i) to implement arrangements for the exchange of information under the Dublin Regulation[78] and (ii) to decide upon the merits of the application in the case of persons listed for denial of entry for crime-related reasons.[79]

103.  Both of these suggestions are problematic in the absence of full information which would allow an asylum authority to make an informed and lawful decision. Additional information is needed to determine, in the first case, whether the detailed criteria for allocation of responsibility under the Dublin Regulation are met. In the second case, asylum authorities must be satisfied that the detailed rules concerning the question of exclusion from refugee status on the grounds of criminal activity, or suspicion thereof are complied with. It would not be right for an asylum application to be rejected without full information being exchanged between Member States.

104.  It would be possible to address this issue either by providing expressly for the exchange of supplementary information through the national SIRENE bureaux following an asylum-related hit in the SIS II legislation, or by providing for a mechanism for the exchange of such information in the EC's asylum legislation. But neither the SIS II legislation nor the EC's asylum legislation addresses the issue sufficiently.[80]

105.  If the United Kingdom asylum authorities were ultimately given access to this information, there would be a particular difficulty for the United Kingdom in providing information which might be used in determining asylum applications in other EU States by persons whose deportation from the United Kingdom was deemed to be conducive to the public good, or by members of their families.[81] The discretion of the Secretary of State in those cases is absolute, and reasons for the deportation are never given. If such persons were listed in alerts placed on SIS II by the United Kingdom, or their data otherwise exchanged, the Government might be forced to disclose the reasons for their deportation.

106.  Access to SIS II data (or data in the current SIS) by asylum authorities, to determine responsibility for an asylum application or to decide on the merits of an application, must be subject to detailed safeguards ensuring a full exchange of relevant information following a hit. It is not enough simply to note that there is an alert against a person.

Europol

107.  We received evidence on the SIS II project from Mr Daniel Drewer, Europol's Data Protection Officer. Although Europol in principle has had access to certain SIS alerts since October 2006, Mr Drewer told us that in practice access was still waiting for technical implementation. (Q 446) The question which arises is the purpose of Europol's access to this data, since the SIS was established (and SIS II is being established) for the purpose of providing information in order for law enforcement or immigration authorities to take action following a hit on an alert. But Europol has no power to take any action based on the alerts which it accesses.

108.  Mr Drewer told us that if there is an alert, Europol will contact the Member State concerned and ask for permission to use the alert and, if necessary, ask for supplementary information. "The information that Europol will get from the Member State that has been activated by our Schengen alert will be considered by Europol as a Member State contribution to Europol's system, so it is no longer Schengen information … and from then on we handle it according to Europol's Convention." (QQ 450, 458). Thus Schengen information becomes Europol information. This information could, under the terms of the Europol Convention, be transferred to third states or third parties with which Europol has agreements in place for the exchange of personal data. Europol has operational agreements in place with Canada, Croatia, Eurojust, Iceland, Interpol, Norway, Switzerland and the United States (Q 462). In limited circumstances information can be exchanged in the absence of such an agreement. (QQ 466, 467).

109.  The witnesses from the Meijers Committee expressed concern about the possibility that information stored in SIS II would find its way to third countries. Such transfers of SIS data are not allowed in the SIS II legislation.[82] They were particularly concerned about the possibility of such information falling into the hands of the security services, because this meant losing control of how the information was used. (Q 98)

110.  Europol has a legal obligation to keep reports on any retrieval of personal data. (Q 446) We believe that Europol should indicate in its annual reports how often it has accessed SIS data, and what use has been made of that data, and we so recommend.

73   Article 27 of the Regulation and Article 40 of the Decision. Back

74   Article 46(5) of the Decision. Back

75   See Articles 101 and 102 of the Schengen Convention.. Back

76   Article 31(8) of the Regulation and Article 46(8) of the Decision. Back

77   See generally, for instance, PG and JH v United Kingdom (Reports 2001-IX), Peck v United Kingdom (Reports 2003-I) and Perry v United Kingdom (Reports 2003-IX). As regards databases in particular, see Amann v Switzerland (Reports 2000-II), Rotaru v Romania (Reports 2000-V) and Segerstedt-Wiberg and others v Sweden, judgment of 6 June 2006. Back

78   Council Regulation (EC) 343/2003 of 18 February 2003 establishing the criteria and mechanisms for determining the Member State responsible for examining an asylum application lodged in one of the Member States by a third-country national (Dublin II), OJ 2003 L 50/1 Back

79   See COM(2005)236, Article 18, and Explanatory Memorandum. Back

80   The rules on exchange of information on asylum applications between Member States (Article 21 of Regulation 343/2003) do not clearly address the issue of the transfer of such information. Back

81   Section 3(5)(b) and (c) of the Immigration Act 1971. Back

82   See Recital 18 and Article 54 of the Decision. Back