CHAPTER 6: data protection and data processing rules
111. It will be clear from what we have said
that the SIS holds a large quantity of information for the sole
purpose of exchanging it between the authorities of the Member
States. SIS II will hold a great deal more (and more complex)
information for exchange between still more States. Almost by
definition, that information should be subject to a single, clear
and robust regime for the protection of personal data. What we
have is the exact opposite. In the words of Mr David Smith,
the Deputy Information Commissioner, "this area goes completely
against [making the law clear and accessible], because there is
such a myriad of legal instruments … individuals whose data
may appear in the system … will have real difficulties exercising
their rights." (Q 160)
112. The rules on data protection and data processing
in the immigration data Regulation and the third pillar Decision
on cooperation in criminal law and policing have almost as many
differences as they have similarities.[83]
Thus in the Regulation there is a "right to information"
(the right of a person to know that a file with his personal data
has been established, along with who has established the file
and for what purpose) that has no parallel in the Decision.[84]
Conversely, the Decision has provisions for the sharing of passport
data with Interpol, and regarding the applicability of the Council
of Europe Data Protection Convention,[85]
that have no parallel in the Regulation.[86]
113. In respect of all types of alert, there
is a right for individuals to access the personal data held on
them in SIS II, although access must be refused "if
this is indispensable for the performance of a lawful task in
connection with the alert or for the protection of the rights
and freedoms of third parties".[87]
Everyone has the right to have inaccurate data corrected or unlawfully
stored data deleted, and the legislation imposes time limits concerning
requests for access, correction or deletion. Of course, the right
to correction or deletion cannot be effectively exercised unless
the right of access is first granted. An individual will probably
not even be aware that he has an interest in exercising a right
of access unless he knows that his personal data is held on SIS II
and knows of the consequences of this, pursuant to the "right
to information" for individuals, a right which, as we
have pointed out, does not exist under the Decision.
114. As for the role of data supervisory authorities,
national authorities with the powers referred to in general EC
data protection legislation must monitor the lawfulness of the
processing of SIS II data on their territory and its transmission
from that territory, along with the processing of supplementary
information via the SIRENE system. The EDPS will perform the same
function for the Management Authority; during the transitional
period, the Commission must ensure that the EDPS can exercise
his tasks in respect of national public-sector bodies. The EDPS
and the national authorities will cooperate in the exercise of
their supervisory tasks. However, as noted above, the EC legislation
establishing rules for data protection in the EU institutions
does not confer such powers on the EDPS.
115. Further complexity results from the application
of general data protection legislation to SIS II,
on top of the specific data protection rules in the SIS II
legislation. The immigration data Regulation, being a first pillar
instrument, is subject to the EC Data Protection Directive 95/46,
while the third pillar Decision is not. The Decision requires
instead the application of the Council of Europe data protection
Convention. But in the meantime, the Commission has proposed a
Framework Decision on the protection of personal data in the field
of policing and criminal law (the Data Protection Framework Decision,
or DPFD). A Declaration adopted along with the SIS II Decision
indicates that the general rules in the DPFD, once adopted, will
apply to SIS II instead of the Council of Europe rules. However,
the Framework Decision has not yet been agreed, much less adopted.
116. As an illustration of the complexities involved,
it is not clear which rules (whether the ones in the DPFD, once
it is adopted, or the specific rules in the SIS II Decision)
will prevail where they conflict, or when a matter is regulated
only under one instrument. We have asked a number of witnesses
how potential conflicts are to be resolved, and have received as
many answers as there are witnesses.
117. For the DCA, Mr Thompson told us that
his understanding was that "SIS II rules apply in addition
to the DPFD rules and … would prevail" in many of the
examples we cited.[88]
The reason, Ms Nowell-Smith explained, is that SIS II "provides
higher standards of data protection because it is dealing with
a very specific type of data, in a particular database."
(Q 127) However, DCA officials also reassured us that on
the one example where the DPFD is stronger (i.e. the right to
information, which is not provided for in the SIS II Decision),
it would trump SIS II. (Q 141) The Minister, Baroness
Ashton, confirmed this. (Q 255) But Dr von Pommer Esche
seemed to think differently (Q 286): "There is the intention
of the legislator that there should not be a right to information
in the field of Schengen. That means that the general rule cannot
replace the missing regulation in the SIS Decision." (Q 286).
It would be unfortunate if the only way to resolve conflicts concerning
the interpretation of these data protection rules was by seeking
a ruling from the Court of Justice, since limitations in the Court's
jurisdiction may cause difficulties.
118. Another instrument with equally complex,
but different, data protection provisions is the 2005 Prüm
Convention on cross-border cooperation against crime, terrorism
and illegal immigration. This is not yet part of EU law, but the
seven States party to it[89]
are determined that it should become EU law as soon as possible.[90]
The Rt Hon Geoff Hoon MP told this Committee on 12 December
2006 that the Government is now "seriously considering signing
up to the Prüm Convention". This would make yet another
EU instrument with potentially conflicting provisions.[91]
119. We agree with our witnesses that the
data protection regime applicable to the SIS II rules is
unduly complex. There are several third pillar instruments in
force or in the course of preparation which have data protection
provisions which are similar to but not identical with those in
chapter XII of the Decision.
120. The third pillar Data Protection Framework
Decision should prescribe exactly which data protection rules
are applicable, and which are to prevail where there is a conflict.
The Government should press the Council to achieve effective harmonisation
of data protection rules in the Framework Decision, and ensure
that it sets a sufficiently ambitious data protection standard.
121. We examined the proposed Data Protection
Framework Decision on several occasions throughout our inquiry.
A number of our witnesses expressed disappointment at the most
recent texts of the proposal under discussion during the Finnish
Presidency, as regards the adequacy (or even the existence) of
basic data protection rights. (QQ 108, 159, 162, 288) The
content of this proposal, and the timing of its adoption, are
still unsettled.
122. Our witnesses also expressed concern about
the degree of transparency of the negotiations. A particular concern
was that the proposal was being negotiated by the Council Multi-Disciplinary
Group on Organised Crime (MDG), rather than by a data protection
working party. Mr David Smith referred to "lack of data
protection expertise [in the MDG], questioning data protection
principles which are well established", (Q 172) although
DCA witnesses assured us that data protection experts were sufficiently
involved. (QQ 128, 149)
123. There are variations in the degree of involvement
of the data protection authorities of different States which are
not to the advantage of this country. Dr von Pommer Esche
from the Office of the German Information Commissioner was able
to say: "In Germany it is the case that … when the Federal
Government deals with matters, bills and so on, which have any
kind of data protection implications then we have to be involved.
We are well-informed about these kinds of bills or projects."
(Q 279) Contrast Mr Smith: "We are to some extent
excluded … I think there is an argument that we should be
a trusted expert party … in the way that, as we understand
it, some of our European colleagues are. Sometimes we find out
more through other data protection authorities than we find out
through government departments." (Q 163)
124. Given that the Data Protection Framework
Decision would apply to SIS II, it is not appropriate to
implement SIS II until the Framework Decision has been adopted
and is being implemented. The Government should seek to have this
Framework Decision adopted by the summer of 2007.
125. Because of its importance for civil liberties,
the Framework Decision should be negotiated with the maximum degree
of transparency and involvement of data protection authorities
at national and European level.
126. A further anomaly is that, in the latest
drafts, the Framework Decision will not apply to Europol and Eurojust,
or to security agencies, even though they will have access to
SIS II data (indeed, security authorities will be able to
input data on surveillance). The data protection standards set
out in the Europol Convention, the decision establishing Eurojust
and the national laws governing security agencies would not necessarily
meet the standard to be set by the Framework Decision, at least
as regards SIS II. Whatever the solution to this question,
it must be one which does not compromise the operations of security
agencies.
127. As regards SIS II, the exclusion
of Europol, Eurojust and security agencies from the proposed Data
Protection Framework Decision is unjustified unless equivalent
data protection standards apply to these bodies.
128. We were unable to obtain much information
about the application in practice of individual data protection
rights under the current SIS. The SIS II legislation provides
for extensive exemptions from the right of access to data and
the right of information (which, as noted above, does not even
exist in the third pillar SIS II Decision), so much so that
Dr von Pommer Esche even questioned whether "this
right to information in practice will be of any value for the
data subjects". (Q 301) The content of the right to
information can only be understood by a careful reading of both
the EC Data Protection Directive and the relevant provision of
the SIS II immigration data Regulation,[92]
and even then crucial issues, like the precise timing of the information
and the extent of possible limits on the right, are unclear.
129. There are, it is true, some improvements
to the data protection regime in SIS II as compared to the
current SIS, such as the removal of the requirement to be on the
territory of a Schengen State in order to bring proceedings, the
addition of a right to information (as regards immigration data),
and the addition of deadlines for administrations to act upon
applications to exercise rights of access and other data protection
rights. But these go little way to addressing our concerns.
130. The Government should press for amendments
to the data protection rules when they are reviewed, in particular:
- to provide for clearer rules
on the right to information, and
- to limit the ability of Member States to derogate
from data protection rights to those cases where national security
and the operations of law enforcement authorities would be directly
prejudiced.
131. As for national data protection authorities,
which will have a role in ensuring that the data protection rules
in the legislation are upheld, the SIS II immigration data
Regulation refers to the EC Data Protection Directive, which gives
substantial powers to data protection authorities.[93]
However, it is not clear whether all authorities have all of the
powers referred to in the Directive, or whether in any event national
authorities have the resources to supervise the application of
the SIS II rules effectively.
132. The SIS II third pillar Decision does
not make reference at all to powers of the national data protection
authorities, a fact that causes concern to this country's Information
Commissioner, as Mr Smith explained: "The existing Schengen
Convention … says very clearly "[supervisory authorities]
shall have the power to inspect or access data in the national
section of SIS". As far as we can see, that is not as clearly
replicated in the new decision … In the UK we have been given
a power to inspect the national section of the Schengen system
and we find it hard to believe that would suddenly be taken away
from us." (Q 195) While the proposed DPFD does cover
this issue, this measure is of course still under negotiation.
133. The Government should seek to ensure
that the Data Protection Framework Decision requires that all
national data protection authorities enjoy all of the powers referred
to in the EC Data Protection Directive. The Framework Decision
should also make clear that this provision applies to the SIS II
Decision.
134. The question of adequate resources for
data protection authorities to enforce EU data protection rules,
and the SIS II rules in particular, should be reviewed on
a regular basis.
83 Articles 40-47 of the Regulation and Articles 56-63
of the Decision.
84 Article 42 of the Regulation.
85 Council of Europe Convention of 28 January 1981 for the Protection
of Individuals with regard to Automatic Processing of Personal
Data.
86 Articles 55 and 57 of the Decision.
87 Article 41(4) of the Regulation, Article 58(4) of the Decision.
88 Q 127 with regard to transfer of data to third states; Q 135 with
regard to time limits for storage of data; Q 138 with regard
to further processing.
89 Austria, Belgium, France, Germany, Luxembourg, Netherlands and
Spain.
90 Six States (Italy, Portugal, Slovenia, Finland, Sweden and Romania)
have already applied to join these seven States, and all of them
have joined the German Presidency in proposing for discussion
at the Council on 15 February 2007 a draft Council Decision which
would incorporate into EU law all the third pillar provisions
of the Convention.
91 We have now begun an inquiry into the Prüm Convention.
92 Articles 10 and 11 of the Directive (OJ 1995 L 281/31) and Article
42 of Regulation 1986/2006.
93 Art. 28 of the Directive.