Select Committee on European Union Written Evidence


Memorandum by the Information Commissioner

  1.  The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 and the Freedom of Information Act 2000. He is independent from government and promotes access to official information and the protection of personal information. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken. The comments in this evidence are primarily from the data protection perspective.

  2.  The Information Commissioner's understanding is that the German Presidency of the European Union is giving priority to achieving the incorporation of the Prüm Convention into EU law. He also understands that whilst the principle of availability is still a guiding force, work on the adoption of a Framework Decision on the exchange of information under the principle of availability is not proceeding, at least for the time being. Work on the Data Protection Framework Decision (DPFD) is still underway, albeit that it is not now the Presidency's highest priority. Proposals from the Presidency on how the DPFD might be taken forward are awaited.

  3.  The Commissioner does not have any fundamental concerns about the Pruüm Convention itself or its incorporation into EU law. His principle area of concern is over the direction that developments in the EU's third pillar are now taking. In previous evidence to the Committee he has stressed the importance he attaches to the DPFD. He sees clear advantages in a single comprehensive data protection instrument for the third pillar. If framed appropriately it has the potential to provide a simple, easily understood data protection regime that provides real benefits to the individuals it is seeking to protect and is easily put into effect by the law enforcement agencies to which it is directed. He has been encouraged by the extent to which the Committee have shared this view.

  4.  The problem with the Pruüm Convention is that it is another example of the piecemeal approach to the exchange of information and associated data protection controls in the third pillar. So far as data protection is concerned it will further complicate an already complex picture. Complexity is neither in the interests of the individuals whose rights and freedoms are being protected nor of the law enforcement agencies who have to implement the necessary controls. The Commissioner's view is that to be consistent with good regulatory practice the correct strategic approach would be to give priority to the adoption of the DPFD as a precursor to any further developments involving the exchange or availability of personal data. To the extent that incorporation of the Pruüm Convention diverts attention from progressing the DPFD, it is unwelcome.

  5.  If the DPFD is eventually adopted the relationship between its provisions and the data protection provisions of the Pruüm Convention is unclear. As currently drafted the DPFD excludes a number of other data protection regimes established under third pillar instruments such as the Europol Convention. It is possible that the Pruüm Convention could be added to the list of exclusions. However it is the Commissioner's understanding that as part of its proposals for progressing the DPFD the Presidency intends to propose removal of these exceptions. This would be welcome from the point of view of clarity and consistency provided it does not involve any reduction in the level of protection afforded to individuals.

  6.  Perhaps the most likely and desirable outcome, if both the Pruüm Convention and the DPFD are incorporated into EU law, is that, as discussed in the Commissioner's evidence on SISII, the DPFD will provide the "lex generalis" and the Pruüm Convention will provide the "lex specialis". Thus the general provisions of the DPFD will apply except where there are more specific provisions (eg in relation to logging and recording) in the Pruüm Convention. We would not expect the provisions of the DPFD to be undermined by the Pruüm Convention. Rather it would "particularise and complement" the provisions of the DPFD in the specific context of Pruüm Convention activities.

  7.  So far as data protection controls are concerned there is much to be welcomed in the Pruüm Convention itself. There is no new central database with the attendant risk and need for supervision that this would bring. The exchange of DNA profiles and fingerprints is based on a hit/no hit system. This means that full details are only exchanged once it is clear that the records in question relate to the same person. Such an approach is consistent with the aim of "data minimisation". The data protection provisions apply equally to automated and to non-automated processing of personal data and includes detailed rules on logging and recording the exchange of data.

  8.  The Committee has indicated that it has a particular interest in the automated searching of DNA and fingerprint data. The Commissioner is encouraged that the exchange of data in both cases is initially limited to "reference data" from which the data subject can not be directly identified. Whilst it is clear to the Commissioner that this is still an exchange of personal data the limited extent of this initial exchange is welcome. However the Commissioner has some concerns over the basis on which matching will take place. There is no definition of what is meant by a "match". It is the Commissioner's understanding that in the UK matching of DNA profiles used to take place on the basis of six regions of the DNA. Following a case in which a sample from a crime scene was matched with an individual who could not in fact have been at the scene of the crime ten regions are now used for matching.[1] It is also the Commissioner's understanding that some other EU member states still use six point matching and this may be the basis for matching under the Pruüm Convention. This gives rise to obvious concerns about the reliability of matching. If matching on less than six points is allowed, for example because a scene of crime sample is not good enough to yield as many as six points, the Commissioner's concerns are heightened.

  9.  Furthermore the Commissioner is aware of the importance of quality control in DNA profiling. He has no evidence about the quality of DNA sampling in other EU members states but is aware that if the Pruüm Convention is adopted across the EU DNA profiles from the UK will be available to law enforcement agencies that have very much less experience of DNA profiling than those in the UK. In this connection it is worth noting that extending the Pruüm Convention to all 27 EU member states will mean that its benefits and data become available to a range of countries with traditions, legal systems and law enforcement expertise that are very different from those in the seven original signatory countries. The Commissioner's concern is not to prevent DNA and fingerprint matching across borders but to ensure that no-one places any more reliance on an apparent match of DNA or fingerprints that is scientifically justified. He has in mind in particular, a case from 2003 when a UK citizen who had never been to Italy was wrongly arrested for a murder in Italy on the basis of apparent DNA evidence.[2]

  10.  Another area of concern arises from the size of the UK's DNA database. As the Committee will know the UK has the world's most extensive collection of DNA profiles. This is an issue on which the Commissioner has frequently passed critical comment. The database extends not just to those who have been convicted of offences but also in many cases to those who have been arrested and to those who have volunteered samples for elimination purposes. Once held profiles are retained for the lifetime of the subject. Other EU members states have very much smaller collections of DNA profiles. For example the Commissioner's understanding is that in Germany profiles are only held for those who have been convicted of serious offences. The effect of this is that, so far as the UK is concerned, the traffic of DNA profiles is likely to be largely one way.

  11.  Furthermore the uses to which profiles may be put may differ from member state to member state. For example in the UK the technique of familial searching is used whereby a suspect can be identified though the DNA of family members in the same genetic line. It is not known how widely the same technique is used in other member states. Whilst it appears that the provisions of the Pruüm Convention may not permit familial searching across borders this is not beyond doubt, particularly as there is no definition of what constitutes a DNA profile match. This is though illustrative of how DNA profiles, fingerprints and supplementary information could be used after transfer in a way that would not be permissible in the member state of origin. In practice this may be more of a problem for some other EU member states that it is for the UK, although the extension of the Pruüm provisions to all 27 EU member states rather than the original seven signatories must be borne in mind. In any case there will be a need to check that making the UK's collection of DNA profiles available under the provisions of the Pruüm Convention is consistent with the basis of which the profiles were originally obtained. This is particularly true of voluntary samples where samples will have been given on the basis of assurances about their future use.

  12.  The Information Commissioner would also like to draw attention to the provisions in Article 39 for data protection supervision. To the extent that they underline the importance of such supervision and give powers to supervisory authorities to make checks on the exchange of data under the Pruüm Convention that would not otherwise be available to the UK Information Commissioner's office, they are welcome. The Commissioner's expectation is that these additional powers would have to be specifically translated into UK law by amendment to the Data Protection Act. This is the approach that has been taken in other cases where deficiencies in the Commissioner's inspection powers have had to be corrected in order to honour the UK's commitments under international instruments. An example is the Europol Convention.

  13.  Another concern is that the Convention makes it mandatory for supervisory authorities to carry out random checks on the lawfulness of the supply of data. This clearly has resource implications for the Commissioner's office. How significant these are will depend on the extent to which personal data are exchanged under the Pruüm Convention once all 27 EU member states are party to it. The main concern though is the principle involved in placing an obligation on the Commissioner to carry out specific checks on the processing of personal data. He is very clear that he should concentrate his limited resources on addressing processing of personal data that carries a significant risk of serious harm. This is consistent with good regulatory practice. Although in reality processing under the Pruüm Convention might well satisfy this test there is a wider principle at stake in that placing legal obligations on the Commissioner to carry out checks in specific areas could deflect him from carrying out checks in areas that in fact pose greater data protection risk, unless he has additional resources made available to him.

  14.  There is also a question about arrangements for cooperation between data protection supervisory authorities beyond the requirement of one authority to carry out checks when requested to do so by another. Although the Commissioner is not in favour of any disproportionately burdensome cooperation arrangements there will be a need, particularly once all 27 member states are involved, to ensure consistency in the application of the data protection provisions of the Convention, to carry out coordinated checks and to identify and make recommendations to address any defects in the legal framework. This is the nature of the role envisaged for the Working Party that is proposed in Article 31 of DPFD. Implementing the Pruüm Convention in the absence of the DPFD and without any compensating provisions will leave an unfortunate gap.

  15.  Finally the Commissioner draws attention to Article 44 of the Pruüm Convention. This provides for the Contracting Parties' competent authorities to conclude agreements for the administrative implementation of the Convention. The Commissioner's understanding is that such agreements have been concluded between the existing Pruüm members. He is therefore unclear as to whether the UK will simply have to accept these or whether application of the Convention to the UK will lead to a new set of agreements. It is through these agreements that a number of areas of uncertainty and potential data protection concern can be addressed. The Information Commissioner would expect to be consulted by the Government to the extent that they are in a position to influence these agreements.

1 March 2007






1   The case of Raymond Easton 1995. Back

2   The case of Peter Hamkin 2003. Back


 
previous page contents

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007