You are here: Parliament home page > Parliamentary business > Publications and Records > Committee Publications > All Select Committee Publications > Lords Select Committees > European Union > European Union
Select Committee on European Union Minutes of Evidence

Examination of Witnesses (Questions 410 - 419)

WEDNESDAY 9 JULY 2008

Mr David Smith and Mr Jonathan Bamford

  Q410  Chairman: Good morning gentlemen. My name is Harrison and, in the absence of Lord Jopling, I am chairing the meeting today. We are extremely grateful to both of you for coming in and acting as witnesses for our Europol inquiry this morning. If I could say this to you: these rooms are not adapted for modern speech and conversation, so please do speak up and we would be most grateful. When you speak up all will be recorded and we will have some minutes of these meetings which will be sent on to you. Because we are anxious to get as accurate a view as you are able to give us, please do correct any misunderstandings or anything which appears ambiguous and was not intended to be ambiguous. Additionally, if there are further items, as a result of the questions we put, where you want to give us further information, we would be most grateful if you could write and give us any additional information. May I ask you both to introduce yourselves, David Smith and Jonathan Bamford, and perhaps just say a few words about where you come from?

  Mr Smith: Thank you My Lord Chairman. It is a pleasure to be here and we are very happy to come to give evidence to the Committee. We have said this before but it is worth repeating that we are pleased with the interest that is taken in the work of Europol and in our work and are happy to come here and give evidence and tell you about what we do. I am David Smith, I am Deputy Information Commissioner in the UK Information Commissioner's Office. I am also, at the moment, the Chairman of the Europol Joint Supervisory Body. I am sure there will not be any difference between me and my UK colleague, but I will give evidence on behalf of the Joint Supervisory Body and I will let Jonathan introduce himself.

  Mr Bamford: I am Jonathan Bamford. I am Assistant Information Commissioner and Director of Data Protection Development. I am one of the members of the UK Joint Supervisory Body delegation and I sit on the Joint Supervisory Body and that is primarily the reason why I am here today.

  Q411  Chairman: I am very grateful for those introductions. Let us move to question number one and indeed in your role as the current Chairman of the Europol Joint Supervisory Board perhaps Mr Smith you could tell us a little bit about the work. Incidentally, how long do you retain the chairmanship?

  Mr Smith: I retain the chairmanship until October; it is a two-year term of office. I understand I can be re-elected for a further one year. The role of the Joint Supervisory Body is essentially independent supervision. It is to take an independent view of whether Europol is complying with the data protection requirements in the Europol Convention and in the legal instruments which sit above that. The reference points here are the Council of Europe Convention on Data Protection and there is a recommendation on the use of personal data in policing. It is to ensure that the rights of individuals whose data are held at Europol are not violated It is just worth emphasising that of course there are suspects and perpetrators of crimes and associates of those but Europol also holds data about people like victims and witnesses. The legal document talks about reviewing the activities of Europol, monitoring the permissibility of the transmission of data between Europol and other organisations, interpreting and examining implementation of the Europol Convention and considering requests from individuals for checks on the data that is held about them at Europol and whether that is held essentially in accordance with the rules. In practice we have regular contact with Europol. We have a permanent secretary, who I am afraid is on leave today otherwise he would be here with me, who meets Europol every couple of weeks or so to discuss the development of new systems, problems that have arisen, give them data protection advice. We, as the Joint Supervisory Body, consist of representatives of the data protection authorities from each of the EU Member States. We meet four or five times a year and issue opinions on new developments like new analysis systems at Europol, but a key part of our work is the inspection. We do an annual inspection of data processing at Europol and produce a report with recommendations which is a fundamental part of our work. Just one other thing to mention before I finish is that we do have an appeals committee as well which is a quasi-judicial body which rules essentially on complaints from individuals that when they have applied for access to the data held by Europol or asked for the data to be deleted and they are not satisfied with Europol's response to their request, then they have a right of appeal to this appeals committee which rules on their appeal and the rulings of that committee are final.

  Q412  Baroness Garden of Frognal: We have had evidence that the Member States tend to prefer bilateral channels and wondered how much of an issue that is for JSB, or is it sufficient that the bilateral exchanges are supervised by competent national bodies?

  Mr Smith: I will let my colleague answer because it is not really an issue for the Joint Supervisory Body. The Joint Supervisory Body is primarily concerned with processing by Europol and, when bilateral channels are used, that essentially is not a Joint Supervisory Body matter. Although it can be done on equipment provided by Europol, Europol are not the controlling body behind that, it is between the two Member States.

  Mr Bamford: It is a worry to the wider European data protection commissioner community that sits outside the framework of the Europol Joint Supervisory Body. We are all part of a working party on police and justice which all the EU and European data protection authorities' commissioners sit on. We have been concerned over the increasing number of bilateral arrangements with third countries that might be there. We much favour the idea of some common standards and equivalently high safeguards and there is a risk with the bilateral arrangements that those are watered down in particular arrangements. It is a particular concern to us, with the concept of the principle of availability, with the wider sharing of information between law enforcement bodies, which is a legitimate objective, what might happen if information is provided by one Member State to another and then that Member State has a bilateral arrangement with a third country. How do those arrangements work in practice and would you find that actually something is occurring there in terms of a transmission of information which the originating state would have concerns about or where they might want particular safeguards? Our chairman has just written to Mr Barrot at the Commission to ask the Commission and the Council to look into the existence of the bilateral arrangements between member states and third countries that are there and consider whether there are implications. The letter has been sent quite recently. We actually do want to judge whether the risks that we feel might be there are actually there in practice and to gauge the extent of these. We have also decided as well, at national level, to contact our own government authorities to ask them to explain to us the extent of the existing bilateral arrangements. If I am honest with you, I cannot say that I have a list available to me of all the arrangements that the UK has entered into with other countries. We would do a better job if we understood about those arrangements that are there and we will be contacting our authorities as a result of a recent meeting we have had of the working party to find out what the situation is and gauge the extent of the bilateral arrangements that are in place. The short answer is that there is a concern that there is a risk of a dilution of common standards.

  Q413  Baroness Garden of Frognal: In your view, is there a greater need for coordination between the national data protection supervisory bodies and the JSB?

  Mr Bamford: The majority of the European data protection authorities also wear the hat as member of the Joint Supervisory Body, so there is an in-built cooperation arrangement there because we do not come up with substantially different views depending which forum we sit in. The whole point behind the working party on police and justice is to be able to deal with matters in the policing and justice area which are not covered within the framework of existing joint supervisory arrangements, such as Europol, such as Schengen, such as the customs information system. We do cooperate at that level to try to coordinate our activities, to come up with a coherent response. There is a risk, if we keep reinventing the wheel on Member States with third party bilateral arrangements, that we end up with something different and it just seems much more efficient and sensible and with less risk if we have common standards rather than keep reinventing the wheel 20-odd times.

  Mr Smith: If I may, the Joint Supervisory Body recognises the need for very close cooperation and coordination with national data protection authorities. I hesitated when the questioner asked whether there was a need for greater cooperation or coordination, because I think probably not. There is a need for close cooperation and we are already doing that. As my colleague has explained to you, it is partly to do with the way the Joint Supervisory Body is made up because it contains representatives of all the national supervisory authorities. In the 2006 inspection at Europol—I will not go into too much detail about specific cases—we did do checks on data held in the Europol information system and traced that back into Member States, essentially to see whether the data was in accordance with the competences of Europol, whether it was about serious organised crime with an international basis to it, and as a result of that some data have been deleted from the system. This year we repeated the same sort of process and at the moment 18 of the 27 national data protection authorities are in the process of doing checks on data that we found at Europol to see whether it is within Europol's competence. That process has led to changes at national level; changes in the procedure for handling data within the national units have developed as a result of tracing Europol data back to the national unit. It is perhaps just worth mentioning that when we move, as I assume we will, to the Europol Decision to replace the current Convention, there is a new specific duty on the Joint Supervisory Body to cooperate with other supervisory authorities as part of its work.

  Q414  Chairman: Just to go back one step, in your reply to Baroness Garden of Frognal you said you had written to the Government about the nature of the bilaterals. Was that very recently?

  Mr Bamford: We have not written a letter yet. May I put some chronology on it? We had a meeting of the working party in Brussels a couple of weeks ago, one of the action points following from that is for us to write to our Government. We have not written a letter yet but it will be going out asking what the situation is. I suspect one of our slight difficulties is deciding whom to write to because clearly there can be a number of interested parties. At the moment we are just deciding to make sure we have all bases covered.

  Q415  Lord Young of Norwood Green: I just wanted to return to the answer you gave in relation to the bilateral exchanges. You almost bemoaned them in a way and said that what we need are fewer of those and more common standards. Are they not really a practical reality, because of the fact that people are having to operate with 27 Member States, with a variety of different standards applying, and that bilateral exchanges are an inevitable by-product of that until people feel confident that there are indeed common standards operating in Member States?

  Mr Bamford: In answer to your question, it is possible to have some core standard features that provide a level of protection that can be included in all sorts of bilateral arrangements, if you need to do that. The working party on police and justice has come up with its own paper of what the sort of considerations would actually be when trying to make information more widely available. The key for us is to make sure that we have the core things in place there and that there are some common elements to achieve that. Clearly we desire something which does not allow for too much variation from that, but we are not against some flexibility; we just need to make sure that we have the core things in place.

  Q416  Lord Marlesford: In one of your earlier answers you referred to the fact that in the course of one of your inspections you found some information which, in your view, it was not appropriate to keep and it was therefore deleted. This is an interesting aspect of your work. Can you give us an example of the sort of information, not cases or anything, which you found inappropriate? I think you said you were judging it against the criteria of serious and organised crime and terrorism.

  Mr Smith: There is a particular example which featured in both the last inspection and this year's inspection. I just hesitate because I do not want to give out too much information so I will not mention the Member State which was involved. It was to do with a group of 33 women, young women, and their information was in the Europol information system. Essentially they were a ring of prostitutes and their information was held with the indication that they were suspects or perpetrators of criminal activity. When we traced it back to the Member State, it appeared actually they were probably victims of people trafficking. There was some doubt there because it was possible that amongst the 33 one or two or maybe even more were part of the criminal ring behind the people trafficking, but essentially there was not sufficient evidence to hold them in the Europol system as suspects. Our report last year asked for those data to be deleted. In fact, when we came to do the inspection this year, those data were still in the system which caused us a great deal of concern. At that point we wrote both to the data protection authority for the Member State concerned, because the inputting of data, the quality of data coming in, is essentially a matter for the Member State rather than Europol. We also wrote to the Director of Europol reminding him that Europol have some responsibility as well, in accordance with the Convention. We set a time limit and those data were then very quickly removed from the system. It illustrates another slight tension, this tension between where Member States' responsibility ends and Europol's responsibility starts for the accuracy of data. The Director acted entirely properly and took steps to ensure that the data were removed, but he did point out to us very clearly that he did not consider it was Europol's responsibility and that the data in question was the Member State's responsibility.

  Q417  Lord Marlesford: That really brings up a very interesting point, that you have a certain influence or authority or power to require Europol to take away things which it is not appropriate to keep. Presumably you have none of that as far as any Member State is concerned. In other words, information which goes from Europol to a Member State, once it is in the Member State, is totally out of the control of the European Union and the Commission.

  Mr Smith: Yes. Once it has gone to a Member State, it is up to the data protection authority of that Member State to supervise the data. In fact with the Europol JSB, even at Europol, when I say our powers "require" the data to be deleted, I mean our powers are essentially to make a recommendation to the Director of Europol and if we are not satisfied with the response, then to raise the matter with the management board. I have to say that at the moment, under the Convention, it is unclear what happens then if the management board do not agree with our approach, whereas actually, if it were in the UK, we would have a power to order—it would probably be SOCA, the Serious Organised Crime Agency—the Member State to delete the data but they of course have a right of appeal against that, if they wish.

  Q418  Lord Dear: You are being very frank and very helpful to us on this issue of the data and whether it is to be supervised or dealt with by the Member State or by Europol. May I just follow that more closely and ask you this and indeed, if it is too sensitive, you might not want to answer it. Do you have complete confidence that in all the 27 Member States, their data protection agencies are pretty well in line and following the same standard as yourself? Or, conversely, at the other end of what might be a scale, do you have some worries that in some countries data protection really counts for very little? I have deliberately gone out onto the perimeter with that question and I wonder whether you could give a view. It would be helpful to know, if you can give a view, where it would sit on that scale of opportunity.

  Mr Smith: It is hard to answer the question and I expect you are not surprised that I am a bit reticent to go too far.

  Q419  Lord Dear: Do not name names; I would not expect you to.

  Mr Smith: I do not know enough about how the systems work in practice in other countries to comment on them. What I would say is that even in the UK we can only make limited checks on what goes on. We did our own inspection of the Europol national unit about three years ago now and we are due to do another one, but we cannot be there all the time. We do rely on SOCA to get it right. Where data come to Europol, then we check what is coming in from Member States and raise that with Europol and I know, as a result of our previous work, the quality of data that is coming into Europol is improving, there are more reliability codes—these are the codes which say the data is from a reliable source and so on—than there were previously. There is a very different approach to data protection compliance between some Member States and others depending on the legal system. Some are very, very keen on the letter of the law in the Convention and they check that the Convention is complied with and if it is, they are satisfied. I have to say that our approach is less about the letter of the law and more about the effects of the data on individuals. There is sometimes a tension there but we cannot be there all the time supervising everything we do. We rely very much on good practice in Member States and certainly from the UK's point of view, what we look at is where we see the greatest risk and our experience and our checks show that although these are very important and sensitive data, by and large things are done reasonably well in this area and there are other areas of our remit that require our attention.

 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index
© Parliamentary copyright 2008