Select Committee on European Union Minutes of Evidence

Examination of Witnesses (Questions 160-179)

Mr David Smith and Mr Jonathan Bamford

25 OCTOBER 2006

  Q160  Chairman: I should have said earlier that we are very grateful to you for the written evidence which we received from you. It is very helpful. Perhaps I could widen the question of legislation slightly, to ask you whether your Office is concerned about overlaps between SIS II texts and different EU and EC data protection legislation. In other words, we are moving wider than British legislation to EU. Are you able to give us an answer to that?

  Mr Smith: The very simple answer, My Lord Chairman, is yes, we are concerned. We are particularly keen in the Information Commissioner's Office at the moment to comply with better regulatory standards, making the law clear and accessible. I have to say that what we see here in this area goes completely against that, because there is such a myriad of legal instruments. In the First Pillar area we have the regulation and, at Member State level, the Data Protection Directive 95/46/EC will apply, and national law will flow from that. In the Third Pillar area we have the decision and Convention 108 of the Council of Europe, coupled with the recommendation on police data, which may be replaced by the Framework Decision and then that translated into national law. So far as the central processing is concerned we have the Council Regulation 45/2001, setting up the European Data Protection Supervisor. So it is an extremely mixed picture. We have difficulty following it. The public, who are the ones who are important—individuals whose data may appear in the system—we feel will have real difficulties exercising their rights. In the earlier evidence you referred to judicial remedies and going to court. What will the court make of this? We talk in our Office about judicial remedies, and we think of the person who is going off perhaps to Bolton County Court to get their remedies.

  Q161  Chairman: Perhaps we should ask the next question of the courts rather than of you! If there is a conflict between SIS II legislation, the Framework Decision and national data protection legislation, which should prevail? Or are we simply looking for the higher standard of data protection?

  Mr Smith: I think that you are looking for the higher standard, although I am not sure that it is really a question of one prevailing over the other. It is the sort of situation I was discussing with my colleague earlier, which we have all the time in the UK anyway. We have national data protection law here; we now have legislation on identity cards. There are some specific measures in the identity cards legislation which set out data that will be held in the system, and they set out ways in which security will apply. So this specialises, if you like, some of the data protection measures. I think that, in his opinion, the European Data Protection Supervisor talks about lex generalis and lex specialis. I hesitate to go too far down that route, but I think that he gives a good description. One is the general law which applies when nothing more specific exists in the Schengen legislation but, if there is something more specific in the Schengen legislation, that takes over. An example would be fingerprint data. You might be able to argue, whether under the general Framework Decision or the UK's general data protection law, that fingerprint data is excessive; that it breaches the requirement that data should be not excessive. However, I think it is very hard to pursue that argument if the Schengen legislation says that fingerprint data will be an item in the system; if the legislature has decided that. On the other hand, the Schengen Decision is more specific in areas like audit trail requirements. The Framework Decision and our data protection law require adequate security and it goes into a little more detail about what that means; but the Schengen Decision talks very specifically about the audit trail of information which will be kept, who will have access to it and how long it should be kept. That is how we see it, but it is a difficult picture that we are left with.

  Q162  Lord Avebury: You heard the argument that was being put to us by the DCA that there was a difference between the specific needs of SIS II and the much wider area of data to which the DPFD would apply, and that this justified the existence of two different instruments. Were you satisfied that there was that logical reason for the distinction? Also, that the assurances they gave, that wherever SIS II provided a superior degree of data protection it would trump the DPFD but, on the one example where the DPFD provided superior protection, it would trump SIS II, was that a reassurance that was valuable and satisfactory?

  Mr Smith: In simple terms, yes, it does provide some reassurance and it is how we see the picture—this lex specialis and lex generalis. However, the underlying level of data protection, both in the Schengen system—where there is nothing more specific—and more generally across the Third Pillar, will be the Framework Decision. I would say that we would be more reassured were we confident that the outcome of discussions on the Framework Decision would lead to a data protection instrument which was at least as good in terms of rights of individuals and protection as that which currently exists in the First Pillar, through the Data Protection Directive.

  Q163  Earl of Caithness: I was concerned by an answer you gave to Lord Wright earlier, when you said that you were concerned that only limited information was available to you. Who is not giving you the information?

  Mr Smith: My colleague can perhaps say a little more. I think that when Harriet Nowell-Smith gave evidence she touched on the issue. I would want to be very clear with you that the Minister, Baroness Ashton, has given assurances to the Commissioner in that she wants us to be fully involved in negotiations and discussions on the Framework Decision. The difficulty is, when that is translated down to official level, it does not always come through, and part of it is this confidentiality which surrounds the negotiations. We are to some extent excluded because of that confidentiality. I think there is an argument that we should be a trusted expert party and within the bounds of that discussion—in the way that, as we understand it, some of our European colleagues are. Sometimes we find out more through other data protection authorities than we find out through government departments.

  Q164  Chairman: Are your European colleagues also suffering from this a bit?

  Mr Smith: Yes, I think that is fair. It is not unique to here, but we feel that there is—not just in the UK, no, but also at the European level—a lack of expert data protection input into these negotiations which have been referred to.

  Mr Bamford: When we talk to our European colleagues it is a variable picture. Some seem much better informed, always seem to have the latest version of every text available and are happy to share that, than others. We probably feel ourselves to be slightly in the other category on that one. That is not because we have not had contact with the DCA. We were involved in the stakeholder consultation which they did on the Data Protection Framework Decision. To put it into context, however, as part of that we were there with civil society organisations and were placed under restrictions to hand texts back and not to keep them. As David has said, perhaps we enjoy a different sort of relationship and have a different sort of expertise there, enabling us to be more actively involved in the process than in the twists and turns of the way the negotiations go on the Framework Decision, and being able to have some input there. That has not always been possible in the past.

  Q165  Chairman: This is rather beyond the scope of this meeting but are the rules of procedure for your European colleagues, if I can again use that expression, very similar? Are they identical and is their status vis-à-vis their governments identical to yours?

  Mr Bamford: I think in other jurisdictions there is much more of a concept that the opinion of the supervisory authority, the National Data Protection Authority, has to be sought as part of the process of new legislation and new initiatives. It is not the case in the UK that there is an onus to do that. Often we are fortunate and the virtuous activities of government departments mean that we are involved in the process in some way but it is not the case as it is in other jurisdictions. We see there is a difference between where departments of state feel they have to consult with their National Data Protection Authority and ourselves where it is something which is nice to do, if I can put it that way, rather than actual requirements. To put it simply, we feel that we are one step behind some of your international colleagues in where we are up to and I do not believe that is as a result of any wish to exclude us from the process, perhaps some of it is the practicalities. One of the rules, as I understand it, is that only arms of Government can have the latest versions of the Framework Decision that is being negotiated. Clearly, we are not an arm of Government any more than the police are an arm of Government but do we get treated in the same way as other people like SOCA and others? If they had to give the text back as we do, that is fair enough but we want to be treated on all fours with those sorts of bodies that have a real direct interest in this.

  Q166  Baroness Bonham-Carter of Yarnbury: You said in your written evidence to us that it is not clear who will be responsible for SIS II as some responsibilities fall to the Commission and others to the Member States. Are you still concerned about the lack of clarity as to who will be responsible for the management of SIS II?

  Mr Smith: We still have some concerns and I would not want to overplay them. Our concern is to identify who is the data controller in our terms which is the organisation that controls the purposes and the means of processing in the system. We still have some doubts as to what operational management means, whether it is for the Commission or this management authority which is proposed. The way we see it, although it is not defined in the text and it would be helpful if it was, is that the management authority or the Commission will be a data controller and an organisation in each Member State, like SOCA in the UK, will be a data controller. You have a system of joint data controllers and joint responsibility which is fairly common place, particularly with shared information systems. What we always recommend domestically is that where you have those shared responsibilities, you have some sort of laying down of where the boundaries lie and who is responsible for what. It is not that everybody is responsible for everything. Naturally here the responsibility for the accuracy of the data rests with the data controller in the Member State. The management authority is unlikely to have any control over the actual information but some of the security arrangements are clearly with the management authority. You can work out a lot of it but we would like to see it clearly defined so that essentially everybody knows what their job is.

  Q167  Baroness Bonham-Carter of Yarnbury: We did hear some concern expressed last week about this management authority and the idea that it would be better if it was the Commission running SIS II was expressed. Do you share that view or are you less categorical?

  Mr Smith: We would be less categorical. As a natural reaction, without hearing arguments why people think it should be the Commission, I hesitate a little. I think our view is that, in general, in applying data protection provisions we are not stuck on who it is who exercises functions so long as they are subject to the right controls. Our concern would be if in going to the management authority somehow the rules were slackened, the level of supervision was somehow less, that would bother us, but we do not see that necessarily follows.

  Q168  Lord Corbett of Castle Vale: Do you feel that the agreed text which we were talking about in the last question provides for sufficient clarity and appropriate limits as regards the purposes of the processing of information?

  Mr Smith: I suppose, in summary, it is better than it was if you will forgive me and I am happy to elaborate on that. I suppose what we have never had clearly explained to us, and I do not know whether anybody has explained it to your Committee, is just how the new system will be used and how the way in which it will be used will be different from the way in which the current system is used which is essentially as a hit/no hit system. Our simple take on the existing system is that you have to have someone there who you have arrested, you have stopped at the border or whatever and you do a check against the system on that person, "is there a hit?" We can see that having a fingerprint—someone will not give you their right name or whatever—is helpful to that process. Some of the things in the decision and some of the things that have been added help confirm that is still how it will be used. I think the words "compensatory measure" have been added in in Recital 5 which suggests it is still compensation for the removal of border controls which is a limiting factor. Article 40 talks about the data in each category of alert only being processed for the purposes for which it was put into the system which is encouraging in itself. Then Article 40(4) talks about some exceptions to that including, where necessary, for serious offences and views on what is a serious offence differ widely around Europe, maybe even within Member States. Some further definition there would help limit what is going on here. Having said that, it does talk about "it can only be used for those further purposes with the agreement of the Member State that put the data in" so that is a compensating measure. I think one area we would like to highlight is the one you referred to in the earlier evidence with the DCA, fingerprint data. 
I think it is Article 14 which says that fingerprint data can only be used to verify the identity of somebody, so you have got someone there and you use the fingerprint to check. This is not a problem. It is the possible extension in the future to essentially enable fingerprints to be run against the Schengen System. It does seem to us there is a possibility of a fingerprint being found at a scene of crime in the UK and not only do you run that against the UK fingerprint record, you run it against the Schengen System to see if there is anything that matches. This is becoming an investigative tool, not a replacement for removal of border controls and some of the things like access by Europol also feed into that. Europol is very much an analytical intelligence investigative type of organisation, so how will they use their access? We have this underlying concern of function creep, I think we have used that term here before. There is scope for function creep here and we are concerned that there may be inadequate control over that.

  Q169  Viscount Ullswater: How possibly then can you control function creep because if the information is shared from a national database to the Schengen information service database, that database is going to be shared with Interpol, it is exactly the description that you have made which is likely to happen. If data held on a national database arrives at Interpol, then if there is somebody who has committed a crime, is it not likely that could be the route where this fishing expedition could occur? You have got these massive databases which are perhaps inter-operable, I am not sure. It would be very useful for Interpol to be able to access all of that fingerprint evidence which is provided by all the Member States through Schengen.

  Mr Smith: I think there is no basic problem with Interpol having access on the same terms as the intention of the system, this checking an individual who has given a fingerprint. The danger is if you transfer the data to Interpol, are there any rules within Interpol or are there any obligations imposed on Interpol through an agreement which limits them in how they use it and, if there are, are you confident that Interpol will follow those? I think the answer may well be yes for Interpol, but Interpol is just an example of many possible transfers outside the European Union.

  Q170  Chairman: Your new position to which you have just been elected, does this give you a closer relationship with Interpol as well?

  Mr Smith: No, not directly, it is with Europol. There is a Europol/Interpol agreement on the exchange.

  Q171  Chairman: There is a Europol person in Lyon, is there not?

  Mr Smith: That is right, yes. My colleague has been to Interpol, I have not yet been there. One thing which does concern us slightly is to do with transfer to Interpol. The decision talks about an agreement with Interpol on the adequacy of the level of protection of personal data provided to Interpol of which we are fully supportive. It talks about the Council seeking the opinion of the Commission on the adequacy of the level of data protection at Interpol. It makes no reference to seeking an opinion of a data protection authority. In the first pillar the Commission makes decisions on the adequacy of third countries but it does so after seeking the advice of the Article 29 working party of the Data Protection Commissioners. With Europol, I think it is the management board that makes decisions on the adequacy of third countries for transfer but after seeking the opinion of the joint supervisory body. There does not appear to be any mechanism in this arrangement for those sorts of views to be sought.

  Q172  Lord Avebury: I was going to ask you on the adequacy, and we have already put this to the DCA witnesses, whether amongst the requests for an opinion made by the Council to the MDG, one would ask them to consider the deletion of the adequacy provisions had you got the transfer of data to third countries in Articles 15(4) and 16. Do you know whether that extends to transfers to Europol and Interpol and have you any input with the MDG so that you can influence the way that this discussion goes?

  Mr Smith: The issue you raise is one which, if you like, we have heard. What we received—the latest news we had—was at a meeting of the Police Working Party of the European Data Protection Commissioners where we were given a report last week about how the negotiations are going in the multi-disciplinary group which use words like "disappointing, lack of data protection expertise, questioning basic data protection principles which are well established including those on the adequacy of transfer to third countries". We are concerned that with some of the things which we see as fundamental to international instruments on data protection, like adequacy of transfers, like Articles 19 and 20 that the DCA witnesses referred to on the provision of information, there is talk of taking these out and simply removing them altogether which we find deeply worrying.

  Q173  Lord Avebury: You do not have sight of the memoranda that were produced by the MDGs?

  Mr Smith: No.

  Q174  Lord Avebury: Can I go on to ask you with regard to the provisions and the agreed text for supervision of data protection at national level, and you have already described what the arrangements are within the United Kingdom, do you think the texts are sufficiently prescriptive as regards the whole of the European Union to ensure that the arrangements in other EU countries are as sufficiently robust as ours are?

  Mr Smith: I think that is hard to say. Most European Member States have done the same as the UK and applied data protection law based on the first pillar instrument, the Data Protection Directive 95/46/EC. When they have applied it domestically, they have applied it across the board even to third pillar activities and that does provide a good basic level of data protection, so I think in practice there is a limited problem but there is scope for difficulty even in the UK. I have heard no suggestion that it will happen but the Data Protection Act that we have could be repealed in respect of the third pillar and our worry is that we do not have anything at European level to underpin it. There is nothing at the moment other than the Council of Europe Convention 108. I think it is hard to see how the Framework Decision could have any provisions less than Convention 108 because this is part of the terms of the European Union so at least it will come up to that level, but it may not be much better than that. In practice this may not be a problem in most Member States but it does leave a gap in what underpins the arrangements which would be worrying.

  Q175  Viscount Ullswater: Is the Information Commissioner's office still concerned that the SIS II decision will not require Member States to confer sufficient control powers on the national data protection authorities and would the proposed Framework Decision on data protection solve this issue sufficiently?

  Mr Smith: We still have some concerns in this area. It is one of the things where we come back to, if you like, the complicated nature of the legislation surrounding this area. The existing Schengen Convention, I think it is section 114, talks about the powers of supervisory authorities and it says very clearly, " ... shall have a power to inspect or access the data in the national section of SIS". As far as we can see, that is not as clearly replicated in the new decision. There are some measures there which give us some reassurance. There is something, I think it is Article 11, which says that we have to be given access to the audit trail but not necessarily to the data. There is a provision in Article 53 about conducting audits at least once every four years and there is a very genuine question of how could we conduct an audit if we were not given the power to go in and look at the data. In the UK we have been given a power to inspect the national section of the Schengen System and we find it hard to believe that would suddenly be taken away from us. Again, is there really this underpinning? I think what has always been an issue for us with our powers, is that the existing power we have is to inspect the data in the national copy of the Schengen System so you just look at what is there. What is important to us very often is how the data got there. If there was an alert on me in the system, it does not help the supervision very much just to be able to go and look and see that there is an alert under Article 96 or whatever under the current arrangements without going back to trace in police systems here how it got there, when was I arrested or whatever, what was recorded in the police system, where was the decision that it was appropriate for this to be put in the Schengen System? We do not have—and there is nothing in this arrangement which gives us—an assurance or a power to go and make those sorts of checks. 
It also limits our ability to co-operate with other data protection authorities because there has been a very welcome move, and the JSA has initiated this, in doing co-ordinated checks, first on Article 96 data and more recently on Article 99 data where each Member State looks at what is in the system and traces it back and comparisons are done. There is a danger we will be cut off short and not be able to make the same contribution to that because of our limited powers. It is of concern to us. I have to say it is not confined to Schengen issues but it is here that it is heightened.

  Q176  Chairman: Are the existing powers for information authorities like ourselves in the European Union fairly consistent or are you conscious of some of your colleagues having much more power—or less—than you do?

  Mr Smith: Some of our colleagues have powers that we could only dream about! The Spanish data protection authority has powers to impose administrative penalties, I think they are, of many hundreds of thousands of euros, the result of which they keep for their own authority to help their function.

  Q177  Chairman: We should send a copy of this transcript to the Treasury!

  Mr Smith: That is right. We are not in any way suggesting those powers are necessarily right or appropriate for us. The powers do vary hugely because the legal framework and the whole approach vary hugely; in some areas we have better powers. There are criminal offences under UK data protection law, particularly for unlawfully obtaining or disclosing data. You may know we recently published a report, What Price Privacy?, calling for the penalties to be increased to prison sentences. I am happy to place on record that we are very encouraged by the government response to that and they have gone out to consultation on increasing penalties to prison sentences. That is something that many of our colleagues in other Member States would be in some way jealous of, but I think the area where we appear to have much less power is in the power to go in and make checks without the consent of the organisation.

  Q178  Earl of Listowel: In evidence we have received it has been pointed out the records of information kept by the authorities might be improved to enable better auditing and observing how much added value that provides. For instance, the authorities which obtained access to SIS II, the nationalities of persons stored in SIS II, the decisions or measures which had been taken on the best basis of SIS II information, would you like to see that improved detail of information kept? Would it be, do you think, maybe too heavy a burden to move that far forward?

  Mr Smith: I think it would be helpful for there to be some record-keeping. Were we able to make the sort of checks that we are talking about, it would be very important to be able to see why the data was put in the system, who took the decision and when. Having said that, we are very conscious of the added administrative burden argument and I think that may be one of the fears that Member States have about the Framework Decision, that this will add a big level of bureaucracy without necessary compensatory protection for individuals. All I can say is we are more than happy to look at those points, because we are concerned about that ourselves. Yes, there needs to be proper record-keeping but we have to draw the line. It is proportionality; the requirements have to be proportionate for what they are going to achieve.

  Q179  Earl of Caithness: I would like to move you on to the ECHR and in particular Article 8(2) which requires that "the interference with the right to privacy be in accordance with the law". How can that be satisfied given the substantial differences between the Framework Decision and SIS II?

  Mr Smith: I hope we covered that to some extent by the description of lex specialis and lex generalis, and it is not one or the other. One sets the basic level, the Framework Decision, so that is what you get, what is in the Framework Decision, unless there is something better or more specific in the SIS decision. That packaged together should come up to the level specified in the ECHR and perhaps more specifically the Council of Europe Convention 108 on data protection. As I say, our concern is the way the Framework Decision appears to be going. That underlying level may be fairly low and then, if it is low, there is a question as to whether or not it satisfies the requirements.

© Parliamentary copyright 2007