Select Committee on European Union Minutes of Evidence

Memorandum by the Information Commissioner, Richard Thomas

  1.  The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 and the Freedom of Information Act 2000. He is independent from government and promotes access to official information and the protection of personal information. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken. The comments in this evidence are primarily from the data protection perspective.

  2.  The Commissioner has been provided with powers to enable him to perform the role of the United Kingdom's data protection supervisory authority as envisaged by Article 114 of the existing Schengen Convention. These powers will enable the Commissioner to assess whether personal data recorded in the Schengen Information System is processed in compliance with the Data Protection Act 1998. These powers are set out in section 54A of the Data Protection Act 1998 (amended by virtue of the section 81 of the Crime (International Co-operation) Act 2003).

  3.  Although the United Kingdom has yet to participate in the Schengen Information System, the Commissioner has been invited to participate as an observer in meetings of the data protection Joint Supervisory Authority established under Article 115 the Schengen Convention. This has allowed him to participate in discussions on the data protection issues arising from the move to SIS II.

  4.  The Joint Supervisory Authority has produced a detailed opinion on SIS II, including a commentary on the various articles of both components of the proposed legislative basis for SIS II, the proposed Regulation (COM (2005) 236 final) and the proposed Decision ( COM (2005) 230 final). The Schengen Joint Supervisory Authority has many years of practical expertise of the current arrangements including conducting compliance inspections. It is particularly well placed to provide an authoritative view on the likely data protection concerns arising from the proposals to introduce SIS II. The Commissioner was able to contribute to discussion whilst the Joint Supervisory Authority was drawing up its opinion and he endorses the comments made in it. A copy of the opinion is attached.

  5.  The Joint Supervisory Authority opinion is a detailed document and given the Commissioner's support for its observations it is unnecessary duplication to reiterate each of these separately. In view of the detailed nature of many of the observations it is worth highlighting the main areas of concern:

    —    The application of current EU data protection laws allied with the present proposals will result in four separate EU legal instruments applying to SIS II. This produces a confusing picture and it is in the interests of all if the legal basis is clear and comprehensive.

    —    It is not clear who will be responsible for SIS II as some responsibilities fall to the Commission, others to the Member States. There is no clear designation of who is the data controller and the legal basis should make this clear.

    —    The purpose for SIS II incorporates the specific purpose of conducting entry controls with more general purposes of assisting police and judicial cooperation. The specific inclusion of Europol, Eurojust and vehicle registration authorities highlights the increased move to the use of SIS II as an investigation tool. Clarity of purpose for the processing of information is essential.

    —    The proposed data protection supervision arrangements could lead to a weakening of protection. The current arrangements for central supervision by a joint Supervisory Authority comprising the national supervisory authorities is replaced by divided responsibilities between the European Data Protection Supervisor ( for the activities of the Commission) and national supervisory authorities for the processing of personal data on or from their territories. The new arrangements place too much emphasis on monitoring of central processing which will be minimal and there is a need for an institutionalised role for cooperation between national supervisory authorities akin to the current Joint Supervisory Body arrangements.

  6.  The Commissioner would also draw the Sub Committee's attention to the Opinion of the European Data Protection Supervisor on the proposals for SIS II. His opinion is of particular relevance given his role in monitoring the activities of the Commission. This opinion is attached for information.

  7.  The Commissioner is concerned about the proposed data protection supervision arrangements. Experience gained in his participation in the work of the joint supervisory bodies for Europol and Customs Information System together with that of the Schengen Information System all points towards the need for very close cooperation when international information sharing systems are established. It is vitally important that all the national supervisory authorities act together with a common commitment and understanding when undertaking work such as compliance auditing. Being able to decide common approaches with colleagues and put these into practice has proved an essential feature of a relatively seamless and consistent form of data protection supervision across national boundaries. The opportunity to discuss problems together and arrive at common agreed solutions has proved most useful. Whilst some reduction in the bureaucracy accompanying the current arrangements would be welcome preserving an effective forum for discussion and coordinated action is essential. Whilst the proposed arrangements do envisage an element of cooperation and liaison between the EDPS and national supervisory authorities this does not provide for the same level of cooperation as currently enjoyed. Undoubtedly there would be great will between the parties to make the arrangements work in practice but the lack of a forum for national supervisory authorities to decide on matters and take action collectively both centrally and at national level is a practical concern.

  8.  The use of different legal instruments in the proposed Regulation and the proposed Decision as the basis for providing effective data protection safeguards undermines the need to adopt a consistent approach founded on equivalent standards. In the proposed Regulation it is primarily the Data Protection Directive (95/46/EC) whilst in the proposed Decision it is primarily the Council of Europe Convention 108. This difference once again highlights the need for an EU data protection framework for Third Pillar matters. The Commissioner has previously given evidence to the Sub Committee on the desirability of establishing a Third Pillar data protection instrument as part of its inquiry into EU Counter Terrorist Activities. The varying legal standards that are being deployed for the commencement of SIS II provide a good example of the pressing need for prompt adoption of such an instrument.

  9.  To be able to undertake effective supervision it is necessary for a data protection supervisory body to have full access to the personal data held. Article 114.1 of the current Convention provides for a national supervisory authority to have access the data file in the national section of the SIS. The proposals at Article 52 (proposed Decision) and Article 31(proposed Regulation) merely require that the national supervisory authority monitors the lawfulness of the processing. There is no specific reference to the extent of information available to it to achieve this objective and this ambiguity should be resolved to ensure that full access to data is available.

  10.  As stated above the Commissioner's powers to undertake functions in relation to the Schengen Information System (including any replacement system) are governed by section 54A of the Data Protection Act 1998. This section provides for the Commissioner to inspect any personal data recorded in the Schengen Information System at national level. Given the concerns expressed in paragraph 9, it is important that this level of supervision is not subsequently weakened by adoption of ambiguous wording in the two instruments. A further example of the ambiguity caused by the approach is apparent when comparing the provisions relating to the powers and duties of national supervisory authorities. In the proposed Decision, Article 53 provides specific powers for independent monitoring. The proposed Regulation adopts a slightly different approach by referring to these by reference to the powers conferred upon such authorities by virtue of Article 28 of the Data Protection Directive 95/46/EC. It would be undesirable if such a reference was seen as limiting supervision powers in any way.

  11.  An important feature of both the proposed Decision and Regulation is the communication of information to the public by way of an information campaign. Article 14AA (proposed Decision) requires the Commission in cooperation with national supervisory authorities and EDPS to launch an information campaign to accompany the start of SIS II and repeat campaigns regularly. Whilst such a campaign would be desirable, the extent of the involvement of national supervisory authorities and the financial resources this would involve is not clear. It is important that at national level the requirements on Member States to ensure that their national supervisory authorities are provided with the necessary resources for their tasks take account of such a potentially significant financial commitment.

  12.  The Commissioner hopes that the evidence provided to the Sub Committee assists in the consideration of this important matter and he is happy to assist it further if required.

12 July 2006

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007