Examination of Witnesses (Questions 445-459)
Mr Daniel Drewer
28 NOVEMBER 2006
Q445 Chairman: Mr Drewer, thank you very much
for coming. Particular thanks to you for coming all the way from
The Hague. I am sorry you had minor travel problems, but we have
had our travel problems too.
Mr Drewer: I believe that you came to Europol
in the past, so it is only right that I come to you on this occasion.
Q446 Chairman: It is very kind of you.
We do not want to impose too long on your time. If I may I will
go straight into the questions. This meeting is on the record,
a transcript will be taken and you will be sent a copy in due
course. If there are any points in it that you either want to
correct or follow up in writing you are very welcome to do so.
Again for the record, this is an inquiry by this Committee into
Schengen II. If I could go straight into some Europol questions.
What use has Europol made so far of its competence to access and
use the data held in the current SIS, and to request supplementary
information from Member States? Are statistics available on this?
Will statistics on this issue be available regularly?
Mr Drewer: The use by Europol of the Schengen
system has not yet taken place because we are waiting for the
technical implementation of access. As soon as the practical technical
side has been solved there will be statistics on the access that
Europol officials will use. The statistics are drawn up by our
information management unit, but at the end it is a legal obligation
on Europol to keep reports on any retrieval of personal data.
There will also be reports on the retrieval of personal data out
of the Schengen system. Statistics will be available, yes.
Q447 Chairman: Thank you very much. Are
there plans to increase Europol's use of the current SIS data
Mr Drewer: Since access to the Schengen data
has not yet started it is difficult for me to answer this question.
We will have to wait until the technical implementation has been
carried out and then Europol officials will have to get accustomed
to Schengen data. To my knowledge there are no plans or wishes
to extend the use as it is foreseen in the legal provisions.
Q448 Chairman: I think you have answered
my next question which is whether there are current plans to amend
or replace the legislation governing Europol's access, and the
answer is no.
Mr Drewer: No.
Q449 Lord Avebury: What effect do you
think the SIS II legislation may have upon Europol? Do you think
there are any provisions in this legislation that should be more
conveniently amended in Europol's view?
Mr Drewer: Since we assume that SIS II will
come to Europol in the long-term and access to SIS II will take
place at a later stage, a full legal analysis of all the possibilities
of SIS II has not yet been made by Europol. We will wait until
we get access to the Schengen system as it is now and then we
will analyse the situation later on when SIS II is in place. To
my knowledge there is no wish from Europol to have more than that
foreseen in the SIS II legislation.
Chairman: You may have answered some
of Lady Bonham-Carter's next question. Would you like to put it
Q450 Baroness Bonham-Carter of Yarnbury:
I will. What is the process of using SIS data in Europol's operations
at present, that is SIS I? In particular, what is the added value
of accessing and using SIS data in Europol's analysis work and
in its other operations?
Mr Drewer: Europol has to follow specific procedures
when it comes to accessing data and other databases. Before we
get access to the Schengen system, and the technical implementation
is there, we draw up our information flow charts for how the information
out of the Schengen system will be handled according to the legal
framework at Europol. There are two information flow charts. One
refers to the handling of the data that would concern data from
third states and international organisations, and one from Member
States. The difference is simply that Member States would put
their data directly into the Europol systems whereas third states
cannot put data directly into the Europol systems, and in this
case the information management unit would do it for them in line
with the legal provisions. If you ask for a more practical explanation:
Europol will check data in the Schengen Information System. If
there is an alert Europol will contact the Member State concerned
and ask for permission to use the alert information and, if necessary,
ask for supplementary information from that Member State, but
always in line with the legal provision that says Europol has
to obey the restrictions of the Member States given on their information
to Europol. The information that Europol will get from the Member
State that has been activated by our Schengen alert will be considered
by Europol as a Member State contribution to Europol's systems,
so it is no longer Schengen information, it is a Member State's
contribution in line with Europol's data protection framework,
and from then on we handle it according to Europol's Convention
and the applicable secondary legislative framework that we have.
Q451 Earl of Caithness: I think what
you have just said is helpful on this question. Are you satisfied
with the rules concerning data protection regarding Europol's
access to and the use of SIS data and SIS II in the future?
Mr Drewer: I am Data Protection Officer at Europol
and support the Director in ensuring the application of Europol's
data protection provisions. From my point of view the data protection
provisions foreseen in the Schengen text are pretty much similar
to the data protection provisions foreseen in Europol's legislation.
To answer your question, you can be satisfied when you have a
look at the Schengen Information System data protection rules
because effectively they are in line with the rules contained
in Europol's Convention. In the Schengen Information System II
legislation it is mentioned that Europol should possess the data
under its Europol Convention. On the other side, with the Danish
protocol to the Europol Convention that will be in place in March
2007, there will be a provision that says when Europol gets data
from other systems the legal framework of that international organisation's
system should apply to the use of data within Europol. But this
does not lead to a conflict in this case because to inform, for
example, or to ask for permission to transfer the data to a third
party is the same in the Schengen legislative framework as in
the Europol data protection framework.
Q452 Earl of Caithness: Thank you for
that. Do you have a record of the number of complaints by individuals
or the number of criticisms by the supervisory authorities with
regard to how you handle data protection?
Mr Drewer: To answer the first question, there
is a record because the complaints that we get are from European
citizens, for example, appeals against decisions of Europol to
answer Article 19 requests. If a European citizen comes to Europol
and asks, "You have data stored about me on your database
and I would like to be informed about that" and we give an
answer to the European citizen, he or she has the possibility
of appealing against this. In a sense, it would be a complaint
about how Europol's data protection rules affect their daily work.
This appeal goes to the Joint Supervisory Body with its currently
25 national data protection authorities that have an eye on how
Europol implements its data protection framework. This appeal
is then answered by the Joint Supervisory Body. Since we have
been operational there have been five appeals against a decision
of Europol on how to answer an Article 19 request. Your second
question related to criticisms.
Q453 Earl of Caithness: Criticisms by
the protection supervisory authorities of the way you have handled
Mr Drewer: Europol has a formalised system on
criticism as to how Europol follows data protection rules. This
system is formalised in a way that once a year the Joint Supervisory
Body visits Europol with a number of national data protection
officers. We have an inspection at Europol in all areas of data
protection, including the area of information security. Amongst
those inspectors who come to Europol there are also IT security
experts. Out of the inspection visit there is an inspection report
and this inspection report is for the attention of the Director
and for the attention of our Management Board. The inspection
report includes recommendations to Europol, and you can take recommendations
as criticisms in that sense, where the inspectors believe that
Europol should have more enhanced data protection measures in
place. This criticism in the inspection report, if there is any,
is taken up by the Director in the implementation plan of the
recommendations which will be checked by the Joint Supervisory
Body at the following inspection the next year.
Q454 Chairman: And would be public?
Mr Drewer: The implementation plan of the Director,
who ultimately is responsible for implementing the data protection
measures is not public. The inspection report of the JSB is not
a public report, it is a classified report, but every two years
the JSB publishes an activity report and this activity report
is sent to the European Parliament, and this is a public report.
Q455 Lord Dubs: I understand that under
the current rules Europol has a certain amount of immunity. Do
these rules prevent Europol from being held sufficiently accountable
in respect of its access to and use of SIS data? Will that situation
change once the legislation governing the immunity is amended?
Finally, how would the situation change again if, as has been
suggested, Europol becomes subject to the normal rules on the
privileges and immunities of the Community institutions?
Mr Drewer: I think we have to distinguish between
the different developments in Europol's legal framework in the
future. One is pretty much foreseeable because there will be three
protocols that will be implemented next year: the Danish protocol,
the protocol on money laundering and the Joint Investigation Team
protocol. In the Joint Investigation Team protocol there is an
Article which refers to the immunity of Europol staff. This Article
says that as soon as Europol officials are involved in the investigative
work of this Joint Investigation Team they are subject to national
law, so no immunity is granted to them. I mention this to make
clear that it is foreseen that as soon as there are powers given
to Europol officials and they become part of this investigation
team immunity is automatically withdrawn. If you talk about a
Europol official sitting in The Hague at his work station who
is data processing in line with Europol's restrictive data protection
framework, I do not think a change of this immunity is foreseen,
even by the draft Council decision currently under discussion
to replace the Europol Convention. I believe there is an Article*
mentioned that immunity should not change. I am not sure if there
are really remarkable differences between the immunity protocol
and the protocol for the immunities of the European Communities.
*Article 50 of the Draft Council Decision.
Q456 Baroness Henig: Do the restrictions on the
jurisdiction of the European Court of Justice as regards Europol
prevent Europol from being held sufficiently accountable in respect
of its access to and use of Schengen data?
Mr Drewer: I believe that the system we have
in place now and the restrictions of the European Court stay the
same for the handling of Schengen data. The handling of Schengen
data within the new legal framework follows the same rules and
the same system as applies to any other Europol information. When
it comes to judging the activities of a Europol official and the
activities of Europol in processing the handling of personal data,
then of course our Joint Supervisory Body plays an important role
in this with its inspection, its recommendations, its possibility
to directly address the Management Board when they deem that Europol
has not behaved appropriately regarding the processing of personal
data. This is a system that until now has worked efficiently because,
apart from the complaints I mentioned before, we have had no case
where somebody has asked for jurisdiction over Europol's activities,
so we take this as a sign that the system works effectively.
Q457 Earl of Listowel: The proposed Framework
Decision on data protection will not amend the data protection
rules in the Europol Convention, but the Framework Decision will
apply to SIS II. Will the Framework Decision govern Europol's
access to and use of SIS II data or not? What are the practical
implications of the answer to that question?
Mr Drewer: Without going too far into a legal
analysis of the SIS II text, we would say that the Framework Decision
on data protection, even if it applies, will have no practical
impact on Europol because what we saw when we did a comparison
between the Framework Decision on data protection and Europol's
legal framework was that there were not that many differences.
Sometimes the Europol data protection framework exceeds the draft
Framework Decision on data protection. The answer from Europol's
point of view is that Europol's data protection framework will
apply to the data that we get first of all through the alert in
the Schengen system and, secondly, through the data provided by
the Member States as supplementary information. If there should
be a check of the handling of information with a view on the Framework
Decision on data protection, then the result will be pretty much
the same, because the conditions that we have in our legal framework
are equal to the ones that are in the Framework Decision on data
protection. Of course there are some differences but the differences
in our estimation would not affect the Schengen data that will
be processed by Europol.
Lord Teverson: In terms of Schengen data
being transferred by Europol to other states outside the EU, and
presumably you deal with Norway and Iceland anyway and also other
non-EU agencies, what is the scope for that under the present
and future arrangements? Obviously we have a concern about the
onward transmission of data that you would hold.
Q458 Chairman: Can I just add a supplementary
to that and that is, is Interpol at all relevant to that question?
Mr Drewer: When it comes to the exchange of
information, and I say Europol information because Schengen information
will become Europol information with third states and international
organisations, at Europol we need the legal basis for this and
we have to follow the provision that is already in the Convention
in Article 18 IV, where it says that when Europol would like to
exchange Member State's information with a third party it can
only be done with the consent of that Member State, that is the
owner of the information.
Q459 Lord Teverson: Can I just ask in
a practical sense how that permission is sought? Do you phone
someone or email them? Obviously you need a record of some sort
of the permission.
Mr Drewer: Any processing of information is
recorded according to the data protection rules at Europol. The
information can only be exchanged in cases where we have a co-operation
agreement with that particular third state or international organisation.
We distinguish here between different kinds of agreements. There
are operational agreements for the exchange of personal data.
There are strategic agreements where it is not allowed to exchange
personal data, only so-called strategic information. These are
the two types of agreement that we have in place. When it comes
to a case where a Member State's information should be exchanged
with a third state, we first ask whether an operational agreement
is in place. To answer your question, there is an operational
agreement in place with Interpol. In this operational agreement
there are not just the details in the provisions manifested for
the data protection side of the information exchange, you will
also find provisions on the confidentiality side and provisions
on the IT security side, that is the INFOSEC side, on the exchange
of information. The permission to exchange that information with
a third state is given by the Member State through a system that
we call the handling codes. That means on the particular information
there is a handling code and the handling code informs the Europol
official what can be done with that information regarding the
data protection provisions that are applicable. A Member State
could foresee information with a handling code that says "no
further dissemination to third states without our consent",
so that means the Europol official has to go back to the Member
State and ask for written consent that will also be recorded in
our system. The handling code says nothing about the confidentiality
side of the information because security packages go together
with the classification levels that you find additionally on each
Europol transmission slip. This tells you, and this is also important
for you to know, if there is classified information then it might
not be possible to exchange that with a third state, not for data
protection reasons, but for confidentiality reasons.