Select Committee on European Union Minutes of Evidence

Examination of Witnesses (Questions 120-139)

Mr Peter Thompson and Ms Harriet Nowell-Smith

25 OCTOBER 2006

  Q120  Chairman: Incidentally, if there are any legal postscripts you want to make to Peter Thompson's evidence, you are of course very welcome to give them.

  Ms Nowell-Smith: Thank you.

  Q121  Baroness Bonham-Carter of Yarnbury: I want to clarify one thing. You said the central database and the national database have all the same material. Is that right?

  Mr Thompson: Yes.

  Q122  Baroness Bonham-Carter of Yarnbury: As non-members of Schengen we cannot access the immigration data, though we can the police data. How does that work practically, if all the information is on our national database that is on the central one?

  Mr Thompson: The straightforward answer is that that is a level of operational knowledge I just do not have. If it would help, I am sure that I could ask Home Office colleagues to write in and give you a sense of that. I do not want to stray into areas about which I cannot say anything particularly knowledgeable.

  Q123  Viscount Ullswater: Perhaps we should get down a little more to the specifics. SIS II proposals introduce the possibility of processing a new category of data, which is the biometric data. Do the provisions on biometric data provide sufficient protection for inaccuracy and misidentification following this one-to-many search, as highlighted by the EDPS opinion on the proposal? What is your view on that particular aspect?

  Mr Thompson: Our view is that, in one sense, what we are waiting for here is the Commission report. Set out in the decision is an agreement that the Commission will come forward with a report which is an assessment on the reliability of the biometric technology, and indeed the state of readiness of the various Member States. That report itself will be subject to discussion in the Council and agreement by Council members, and also consultation with the European Parliament. I am not trying to duck your question at all. There is a sense in which we will get a chance to have a cold and rigorous look at those issues via that Commission report. It is envisaged, as I understand it, that biometric data will be very much used in conjunction with other data to verify. Used properly, one can see biometrics as a means of reducing misidentification. So, for example, in a large, EU-wide database, it must be quite possible that there will be people on that database with the same name. However, the idea that they will be on the database with the same name and, say, the same fingerprint, I imagine—and I am no expert in these matters—must be nil. I think that biometrics, properly used, can help with the quality of identification.

  Q124  Viscount Ullswater: Surely that is the one-to-one search? To try and identify the person with the same name is a one-to-one search, whereas a one-to-many is when you flick the data into the huge database and see how many matches you might get. That is the one-to-many, is it not?

  Mr Thompson: My understanding is that, certainly in the first instance, the one-to-one, as you call it—or the hit/no-hit—is very much what is envisaged for the SIS database. The Commission will be reporting on issues such as: is the technology there, and are the Member States in an efficient place where they can all sensibly and accurately add the data? However, this report will also discuss in detail the various problems associated with the kind of search you have been talking about. That is when Member States can take a decision, and come to a rigorous decision, about whether or not the sort of issue you are raising is adequately covered. I appreciate that I am slightly pushing my answer to a kind of "We'll know at a later date", but I think that is the best guarantor we have here.

  Q125  Lord Avebury: What you say is really alarming, because it will be possible for a law enforcement officer in a Member State to have a fingerprint, to enter that fingerprint into the system and to compare it with millions of other fingerprints. This is the kind of search which Viscount Ullswater has referred to, where error rates of up to two per cent have been found in other studies. Whatever the Commission may say, therefore, we are anxious—or, at least, I think that some of us are—about inaccurate false positives being thrown up by the system, and the degree of protection which is built in to safeguard against somebody being wrongfully accused or even arrested on the basis of the biometric comparison at that time.

  Mr Thompson: I hope that I did not give that impression. What I was trying to suggest is that my understanding of this data based on the use of biometrics—and, again, Home Office colleagues may be able to be more knowledgeable on this than me—is that a decision has simply not yet been taken about whether to use biometric data in that way. A decision will not be taken until Member States have had the Commission's report, can air exactly the sorts of concerns you are raising, and feel satisfied on the accuracy of the data, that the safeguards are appropriate, and so on. We are not anywhere near that position yet. By simply agreeing the SIS II Decision, it does not automatically take us down that road.

  Q126  Baroness Bonham-Carter of Yarnbury: Picking up on that, as regards the decisions on collection and storage of biometric data, are the Government concerned by the absence of harmonised provisions? What are the main points of conflict between data protection and the collection and use of the data?

  Mr Thompson: The first part of my answer I will keep fairly brief, because there is a sense in which the answer to part of your question is again the Commission report—and that is something we will be looking at—and whether or not the Commission recommend harmonised provisions or, as may be more likely, minimum standards. One clearly needs to feel secure that, given that data is being inputted into the system from all Member States via these national databases, the quality of the data being put in is good. Also, one of the things that gives us comfort here is that there is an agreement in the decision that there will be special quality checks—I think that is the phrase used—which addresses that point too. On the conflict point, I do not think that the Government see it in terms of conflict, in the sense that data protection applies just as much to biometric data as it does to other kinds of data. So it is not that they are in conflict. What we want is an arrangement where we feel that the data protection rules which apply to biometric data give us the kind of comfort and security we want. It is not about conflict; it is about compliance here, I think.

  Q127  Lord Avebury: Can you tell us about the question of transfer of data to non-EU states? The draft Data Protection Framework Decision allows that, whilst the SIS II Decision bars the transfer except to Interpol. Which rule will prevail if the Framework Decision is adopted? When you are answering that, can I also refer you to document 12924/06, which is a communication from the Council of the European Union to the Multidisciplinary Group on Organised Crime, in which they are saying that the adequacy proposals should be dropped from Articles 15.4 and 16, and it will be for each Member State to decide, where there is no bilateral treaty with a third state, whether the data protection of that state is adequate. We are therefore shooting at a moving target here, are we not? When we ask whether you think that the Data Protection Framework Decision should be the one that prevails, you have to make an assessment of which particular variant of the Data Protection Framework Decision will ultimately be adopted.

  Mr Thompson: If it were that the Data Protection Framework Decision prevailed, that would be so; but my understanding is very much that SIS II rules apply in addition to DPFD rules and that SIS II rules, in the example you have cited, would prevail.

  Ms Nowell-Smith: I could say a bit more about that, if you like. The way SIS II is drafted it provides higher standards of data protection because it is dealing with a very specific type of data, in a particular database. The DPFD covers all manner of data and is therefore a more flexible instrument. The relationship between the DPFD and SIS II is treated in two places in the draft texts. SIS II says that all data must be processed in accordance with Convention 108. The DPFD then says that in SIS II, wherever you have a reference to Convention 108—the 1981 Convention—all references to Convention 108 will be replaced by the DPFD. However, many of the rules in SIS II are not just based on Convention 108; the rule about sharing with Interpol, for example, is in addition to Convention 108. The time limits for keeping data—this three-year rule—are in addition to Convention 108. So while the DPFD will slot in, if you like, at the level of the Convention 108 protection, that would leave in place all the additional protections that are in SIS II.

  Q128  Lord Avebury: Are you satisfied that the reference of all these questions about the Data Protection Framework Decision to the Multidisciplinary Group on Organised Crime is a good way of dealing with the amendment of that document, and that it will not have any effect on the data protection system that applies to SIS II?

  Ms Nowell-Smith: We are satisfied with that, partly because it is already expressed on the SIS II instrument the places in which the DPFD will come in to replace Convention 108. So the discussion about the level of protection that should be in SIS II, this higher level of protection, has already been had and is on the face of the SIS II document. No matter what the DPFD comes out with as a minimum standard, it will not be below Convention 108; it will be slotted in at that level and the specific protections will remain in place in SIS II.

  Mr Thompson: From memory, the Council reached a common position on SIS II at the Justice and Home Affairs Council in October. The discussions within the Council have therefore finished. I think that the European Parliament vote on it this week. If they agree and there is a so-called "first reading deal", in effect the SIS II instrument is agreed.

  Q129  Lord Corbett of Castle Vale: Can we just stay with Interpol for a moment, please? Will the Framework Decision be applied to evaluate whether Interpol and its members offer adequate protection to personal data?

  Mr Thompson: The basic point I would want to make here, before going into some of the detail, is that no data will be shared by Interpol with a third country that does not have adequate data protection standards. They are not just going to spray it around to anyone. In addition, there is an agreement to be reached with Interpol, which from memory is Article 48AA and Annex 4, which sets out the basic principles of what an agreement with Interpol should be. I can quote it to you. These are quite tight requirements. "Ensure the security of the storage of transfer data"; "Mechanism for real-time update"; "Regulate the use of SIS II alerts by Interpol", et cetera. While that agreement has yet to be finalised, we are quite confident that SIS data that is shared by Interpol will be used properly. They are actually stricter rules and would take precedence over the rules that currently exist in the draft DPFD.

  Q130  Earl Listowel: May I ask you about the access by security services? The Council's latest draft allows security agencies to have access to SIS II data and to input alerts concerning surveillance into SIS II. Is it acceptable that they will, as the latest draft provides, be exempt from the Data Protection Framework Decision?

  Mr Thompson: The first thing I would say here is that anyone entering data or accessing data contained in SIS II will be bound by the requirements in the instrument. As to the DPFD, I am sorry, here I can be less forthcoming. That is because discussions are pretty live and this issue is a pretty live discussion. It is not at all clear yet in the Council working group, let alone when it goes to ministers, as to how the security service will be treated. I realise that is not a terribly useful answer, but I am not sure I can really go beyond that at this stage.

  Q131  Earl of Caithness: I want to come back and spend a little more time looking at the difference between SIS II and the Data Protection Framework Decision, because that Decision allows sensitive data to be processed in certain cases whereas the SIS II Decision does not. Which rule will apply if the Framework Decision is adopted?

  Mr Thompson: Pretty much the rule I mentioned before. As a general rule, SIS II rules prevail. In this case again, SIS II is adding additional data protection rules over and above what is in the DPFD. So in the particular case you cite, SIS II rules prevail.

  Q132  Earl of Caithness: Are you happy that they should in this instance?

  Mr Thompson: Yes, we think that is quite appropriate. SIS II is not a closed database, if you like, because data comes in and out; it is entered. However, it is a very specific database, used for defined purposes, and we think that the rules set out in the instrument as a whole are appropriate.

  Q133  Earl of Caithness: If that is going to be the case, why is there such a difference between the Framework Decision and SIS II, if SIS II is going to end up ruling everything?

  Mr Thompson: SIS II only works in relation to SIS II data. What the Framework Decision is trying to do is give a set of broad rules, if you like, right across the Third Pillar—which have been lacking. It is trying to bring general coherence and to stop Third Pillar instruments always reinventing the wheel in terms of data protection rules. It provides this minimum standard, this "floor" if you like, and the SIS II instrument—which, as I say, is quite a specific, contained database for a specific purposes—happens to have additional rules. I think that the difference is because they are trying to do different things. I do not know if there is anything you would want to add, Harriet, to illustrate that point?

  Ms Nowell-Smith: The list of types of data that you can put into SIS II is defined in the instrument and it is very narrow. There is no need to put sensitive personal data in there. It is not relevant to any of the listed categories, and it should not be in the SIS II database. The Data Protection Framework Decision covers all data processed in the context of police and judicial co-operation. For example, information about a witness or a victim, if a victim has suffered physical injury due to an assault, that would be relevant data to be shared across borders in the context of co-operation in the police or the judicial sphere. If a British person is harmed in France and the authorities want to share that data—it could be information about their religion, if it was a hate crime, or it could be information about their physical health—all that sensitive personal data is highly relevant to police and judicial co-operation and needs to be treated in the Data Protection Framework Decision, because obviously you need that kind of data for the purpose of police and judicial work.

  Q134  Lord Avebury: Does not that raise a question in your minds that, if the rules in SIS II always trump the Data Protection Framework Decision with regard to SIS II, we are aiming at inadequate standards for the Third Pillar as a whole?

  Mr Thompson: No, I do not think so. I think it is more a recognition of the fact, as Harriet has said, that because this is trying to provide an overview of the Third Pillar, and the range of data and the uses to which it would be put are so varied, it is inevitable that the Data Protection Framework Decision is a more—for want of a better word—subtle instrument: one that has to cope with more variation. It is just the nature of these two things. One is trying to provide a very general application; the other is a very specific instance.

  Q135  Lord Dubs: Is that therefore your answer to my question as well? My question is about the time limits for storage of personal data. SIS II is quite precise; the Framework Decision is rather vague on this.

  Mr Thompson: I am afraid this is where I get into broken-record territory. Yes, SIS II rules in this particular example do prevail.

  Q136  Lord Dubs: I do not want to put words into your mouth, but you justify it by saying that the Framework Decision covers a wider range of things which are not so precise and do not need to be so precise?

  Mr Thompson: It is not that they do not need to be so precise. I think that that level of precision in the wide range of cases that the DPFD covers is not practical. I think that is the distinction.

  Q137  Lord Dubs: What you are saying applies to all personal data then, other than the bits covered by SIS II? I can see why in general terms there may be instances where the Framework Decision is appropriately wider or vaguer than SIS II, but I do not see why that should apply to something as clear-cut as time limits for storage of personal data. It seems to me that is a fundamental safeguard.

  Mr Thompson: One of the reasons why time limits in the DPFD are longer than the three years in SIS II is for audit purposes. There are cases of people who have taken action where their data has been five years old, so there is a real point about audit in terms of data storage. Of course there must be a point at which time limits are very relevant, but the point is surely that the data is stored, treated properly, regardless of whether that data is kept for period-of-time "x" or period-of-time "y"?

  Q138  Lord Dubs: May I move on? It seems to me that also there is a difference between the SIS II and the Data Protection Framework Decision as regards the further data processing that is permitted by the SIS II Decision. Will that prevail if the Framework Decision is adopted?

  Mr Thompson: Again, in terms of further processing, in this case the SIS II rules apply to SIS II data.

  Q139  Chairman: I am sorry, could you repeat that?

  Mr Thompson: The SIS II rules prevail here again. They are the rules that apply to the SIS II data.

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007