Select Committee on European Union Minutes of Evidence

Examination of Witnesses (Questions 445-459)

Mr Daniel Drewer

28 NOVEMBER 2006

  Q445Chairman: Mr Drewer, thank you very much for coming. Particular thanks to you for coming all the way from The Hague. I am sorry you had minor travel problems, but we have had our travel problems too.

  Mr Drewer: I believe that you came to Europol in the past, so it is only right that I come to you on this occasion.

  Q446  Chairman: It is very kind of you. We do not want to impose too long on your time. If I may I will go straight into the questions. This meeting is on the record, a transcript will be taken and you will be sent a copy in due course. If there are any points in it that you either want to correct or follow up in writing you are very welcome to do so. Again for the record, this is an inquiry by this Committee into Schengen II. If I could go straight into some Europol questions. What use has Europol made so far of its competence to access and use the data held in the current SIS, and to request supplementary information from Member States? Are statistics available on this? Will statistics on this issue be available regularly?

  Mr Drewer: The use by Europol of the Schengen system has not yet taken place because we are waiting for the technical implementation of access. As soon as the practical technical side has been solved there will be statistics on the access that Europol officials will use. The statistics are drawn up by our information management unit, but at the end it is a legal obligation on Europol to keep reports on any retrieval of personal data. There will also be reports on the retrieval of personal data out of the Schengen system. Statistics will be available, yes.

  Q447  Chairman: Thank you very much. Are there plans to increase Europol's use of the current SIS data in practice?

  Mr Drewer: Since access to the Schengen data has not yet started it is difficult for me to answer this question. We will have to wait until the technical implementation has been carried out and then Europol officials will have to get accustomed to Schengen data. To my knowledge there are no plans or wishes to extend the use as it is foreseen in the legal provisions.

  Q448  Chairman: I think you have answered my next question which is whether there are current plans to amend or replace the legislation governing Europol's access, and the answer is no.

  Mr Drewer: No.

  Q449  Lord Avebury: What effect do you think the SIS II legislation may have upon Europol? Do you think there are any provisions in this legislation that should be more conveniently amended in Europol's view?

  Mr Drewer: Since we assume that SIS II will come to Europol in the long-term and access to SIS II will take place at a later stage, a full legal analysis of all the possibilities of SIS II has not yet been made by Europol. We will wait until we get access to the Schengen system as it is now and then we will analyse the situation later on when SIS II is in place. To my knowledge there is no wish from Europol to have more than that foreseen in the SIS II legislation.

  Chairman: You may have answered some of Lady Bonham-Carter's next question. Would you like to put it nevertheless?

  Q450  Baroness Bonham-Carter of Yarnbury: I will. What is the process of using SIS data in Europol's operations at present, that is SIS I? In particular, what is the added value of accessing and using SIS data in Europol's analysis work and in its other operations?

  Mr Drewer: Europol has to follow specific procedures when it comes to accessing data and other databases. Before we get access to the Schengen system, and the technical implementation is there, we draw up our information flow charts for how the information out of the Schengen system will be handled according to the legal framework at Europol. There are two information flow charts. One refers to the handling of the data that would concern data from third states and international organisations, and one from Member States. The difference is simply that Member States would put their data directly into the Europol systems whereas third states cannot put data directly into the Europol systems, and in this case the information management unit would do it for them in line with the legal provisions. If you ask for a more practical explanation: Europol will check data in the Schengen Information System. If there is an alert Europol will contact the Member State concerned and ask for permission to use the alert information and, if necessary, ask for supplementary information from that Member State, but always in line with the legal provision that says Europol has to obey the restrictions of the Member States given on their information to Europol. The information that Europol will get from the Member State that has been activated by our Schengen alert will be considered by Europol as a Member State contribution to Europol's systems, so it is no longer Schengen information, it is a Member State's contribution in line with Europol's data protection framework, and from then on we handle it according to Europol's Convention and the applicable secondary legislative framework that we have.

  Q451  Earl of Caithness: I think what you have just said is helpful on this question. Are you satisfied with the rules concerning data protection regarding Europol's access to and the use of SIS data and SIS II in the future?

  Mr Drewer: I am Data Protection Officer at Europol and support the Director in ensuring the application of Europol's data protection provisions. From my point of view the data protection provisions foreseen in the Schengen text are pretty much similar to the data protection provisions foreseen in Europol's legislation. To answer your question, you can be satisfied when you have a look at the Schengen Information System data protection rules because effectively they are in line with the rules contained in Europol's Convention. In the Schengen Information System II legislation it is mentioned that Europol should possess the data under its Europol Convention. On the other side, with the Danish protocol to the Europol Convention that will be in place in March 2007, there will be a provision that says when Europol gets data from other systems the legal framework of that international organisation's system should apply to the use of data within Europol. But this does not lead to a conflict in this case because to inform, for example, or to ask for permission to transfer the data to a third party is the same in the Schengen legislative framework as in the Europol data protection framework.

  Q452  Earl of Caithness: Thank you for that. Do you have a record of the number of complaints by individuals or the number of criticisms by the supervisory authorities with regard to how you handle data protection?

  Mr Drewer: To answer the first question, there is a record because the complaints that we get are from European citizens, for example, appeals against decisions of Europol to answer Article19 requests. If a European citizen comes to Europol and asks, "You have data stored about me on your database and I would like to be informed about that" and we give an answer to the European citizen, he or she has the possibility of appealing against this. In a sense, it would be a complaint about how Europol's data protection rules affect their daily work. This appeal goes to the Joint Supervisory Body with its currently 25 national data protection authorities that have an eye on how Europol implements its data protection framework. This appeal is then answered by the Joint Supervisory Body. Since we have been operational there have been five appeals against a decision of Europol on how to answer an Article 19 request. Your second question related to criticisms.

  Q453  Earl of Caithness: Criticisms by the protection supervisory authorities of the way you have handled it.

  Mr Drewer: Europol has a formalised system on criticism as to how Europol follows data protection rules. This system is formalised in a way that once a year the Joint Supervisory Body visits Europol with a number of national data protection officers. We have an inspection at Europol in all areas of data protection, including the area of information security. Amongst those inspectors who come to Europol there are also IT security experts. Out of the inspection visit there is an inspection report and this inspection report is for the attention of the Director and for the attention of our Management Board. The inspection report includes recommendations to Europol, and you can take recommendations as criticisms in that sense, where the inspectors believe that Europol should have more enhanced data protection measures in place. This criticism in the inspection report, if there is any, is taken up by the Director in the implementation plan of the recommendations which will be checked by the Joint Supervisory Body at the following inspection the next year.

  Q454  Chairman: And would be public?

  Mr Drewer: The implementation plan of the Director, who ultimately is responsible for implementing the data protection measures is not public. The inspection report of the JSB is not a public report, it is a classified report, but every two years the JSB publishes an activity report and this activity report is sent to the European Parliament, and this is a public report.

  Q455  Lord Dubs: I understand that under the current rules Europol has a certain amount of immunity. Do these rules prevent Europol from being held sufficiently accountable in respect of its access to and use of SIS data? Will that situation change once the legislation governing the immunity is amended? Finally, how would the situation change again if, as has been suggested, Europol becomes subject to the normal rules on the privileges and immunities of the Community institutions?

  Mr Drewer: I think we have to distinguish between the different developments in Europol's legal framework in the future. One is pretty much foreseeable because there will be three protocols that will be implemented next year: the Danish protocol, the protocol on money laundering and the Joint Investigation Team protocol. In the Joint Investigation Team protocol there is an Article which refers to the immunity of Europol staff. This Article says that as soon as Europol officials are involved in the investigative work of this Joint Investigation Team they are subject to national law, so no immunity is granted to them. I mention this to make clear that it is foreseen that as soon as there are powers given to Europol officials and they become part of this investigation team immunity is automatically withdrawn. If you talk about a Europol official sitting in The Hague at his work station who is data processing in line with Europol's restrictive data protection framework, I do not think a change of this immunity is foreseen, even by the draft Council decision currently under discussion to replace the Europol Convention. I believe there is an Article* mentioned that immunity should not change. I am not sure if there are really remarkable differences between the immunity protocol and the protocol for the immunities of the European Communities.

*Article 50 of the Draft Council Decision.

  Q456Baroness Henig: Do the restrictions on the jurisdiction of the European Court of Justice as regards Europol prevent Europol from being held sufficiently accountable in respect of its access to and use of Schengen data?

  Mr Drewer: I believe that the system we have in place now and the restrictions of the European Court stay the same for the handling of Schengen data. The handling of Schengen data within the new legal framework follows the same rules and the same system as applies to any other Europol information. When it comes to judging the activities of a Europol official and the activities of Europol in processing the handling of personal data, then of course our Joint Supervisory Body plays an important role in this with its inspection, its recommendations, its possibility to directly address the Management Board when they deem that Europol has not behaved appropriately regarding the processing of personal data. This is a system that until now has worked efficiently because, apart from the complaints I mentioned before, we have had no case where somebody has asked for jurisdiction over Europol's activities, so we take this as a sign that the system works effectively.

  Q457  Earl of Listowel: The proposed Framework Decision on data protection will not amend the data protection rules in the Europol Convention, but the Framework Decision will apply to SIS II. Will the Framework Decision govern Europol's access to and use of SIS II data or not? What are the practical implications of the answer to that question?

  Mr Drewer: Without going too far into a legal analysis of the SIS II text, we would say that the Framework Decision on data protection, even if it applies, will have no practical impact on Europol because what we saw when we did a comparison between the Framework Decision on data protection and Europol's legal framework was that there were not that many differences. Sometimes the Europol data protection framework exceeds the draft Framework Decision on data protection. The answer from Europol's point of view is that Europol's data protection framework will apply to the data that we get first of all through the alert in the Schengen system and, secondly, through the data provided by the Member States as supplementary information. If there should be a check of the handling of information with a view on the Framework Decision on data protection, then the result will be pretty much the same, because the conditions that we have in our legal framework are equal to the ones that are in the Framework Decision on data protection. Of course there are some differences but the differences in our estimation would not affect the Schengen data that will be processed by Europol.

  Lord Teverson: In terms of Schengen data being transferred by Europol to other states outside the EU, and presumably you deal with Norway and Iceland anyway and also other non-EU agencies, what is the scope for that under the present and future arrangements? Obviously we have a concern about the onward transmission of data that you would hold.

  Q458  Chairman: Can I just add a supplementary to that and that is, is Interpol at all relevant to that question?

  Mr Drewer: When it comes to the exchange of information, and I say Europol information because Schengen information will become Europol information with third states and international organisations, at Europol we need the legal basis for this and we have to follow the provision that is already in the Convention in Article 18 IV, where it says that when Europol would like to exchange Member State's information with a third party it can only be done with the consent of that Member State, that is the owner of the information.

  Q459  Lord Teverson: Can I just ask in a practical sense how that permission is sought? Do you phone someone or email them? Obviously you need a record of some sort of the permission.

  Mr Drewer: Any processing of information is recorded according to the data protection rules at Europol. The information can only be exchanged in cases where we have a co-operation agreement with that particular third state or international organisation. We distinguish here between different kinds of agreements. There are operational agreements for the exchange of personal data. There are strategic agreements where it is not allowed to exchange personal data, only so-called strategic information. These are the two types of agreement that we have in place. When it comes to a case where a Member State's information should be exchanged with a third state, we first ask whether an operational agreement is in place. To answer your question, there is an operational agreement in place with Interpol. In this operational agreement there are not just the details in the provisions manifested for the data protection side of the information exchange, you will also find provisions on the confidentiality side and provisions on the IT security side, that is the INFOSEC side, on the exchange of information. The permission to exchange that information with a third state is given by the Member State through a system that we call the handling codes. That means on the particular information there is a handling code and the handling code informs the Europol official what can be done with that information regarding the data protection provisions that are applicable. A Member State could foresee information with a handling code that says "no further dissemination to third states without our consent", so that means the Europol official has to go back to the Member State and ask for written consent that will also be recorded in our system. The handling code says nothing about the confidentiality side of the information because security packages go together with the classification levels that you find additionally on each Europol transmission slip. This tells you, and this is also important for you to know, if there is classified information then it might not be possible to exchange that with a third state, not for data protection reasons, but for confidentiality reasons.

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007