Examination of Witnesses (Questions 420 - 439)
WEDNESDAY 9 JULY 2008
Mr David Smith and Mr Jonathan Bamford
Q420 Lord Dear:
"In this area" meaning the 27 Member States or "in
this area" meaning Europol?
Mr Smith: The "area" meaning
the UK's transmission of data to Europol.
Q421 Lord Dear:
My question was more to do with when it does go out and responsibility
moves, which you have explained, whether in general terms you
feel comfortable with the way in which it is then viewed by 27
Member States or whether you have some fears at that point.
Mr Smith: I cannot say anything other
than that we have no evidence to suggest that there are any problems
with the handling of data that has gone out from Europol when
it gets to Member States.
Q422 Lord Dear:
May I move on to the fact that the Joint Supervisory Body has
made a number of comments on improving the quality of data sent
to Europol and on analysis work files in particular. I wondered
whether you would give us a steer on how quickly that situation
is improving and, in general terms, how far there is yet to go,
assuming that there is some way yet to get to.
Mr Smith: The situation is improving.
I am pleased to say that on recent inspections we have found the
quality of data to be better than when we originally made checks.
Yes, there are a few problems, but we found nothing, particularly
in the analysis work files, that we would find unusual or out
of step. The data in the analysis work files is largely relevant
to the purpose of the file and where we have some doubts we have
gone back to Member States. What sometimes does not happen is
if information is sent forward by a Member State, say to go into
the Europol information system, there is not enough supporting
information with it to make that judgment there and then as to
whether it is appropriately Europol data or not, whether it is
about serious crime crossing borders. So that is an area which
could be improved but I would say to you that things are going
in the right direction. I would not want to come here really with
any aspect of what we are saying to be taken as complaints to
this Committee; Europol are moving in the right direction and
they do take our JSB recommendations seriously when we make them.
They have a difficult balance because they want to get data from
Member States. If they are too insistent on quality, Member States
may simply stop sending the data. It is getting that balance between
encouraging data and standards at the same time that is the challenge.
Q423 Lord Dear:
I have another question which you have almost answered about your
role, in so far as the analysis work files are concerned, in supporting
the development of those files.
Mr Smith: Yes, they feature in our checks
when we do our inspections, but there is an opening procedure
for analysis work files as well. When a new analysis work file
is opened, an opening order is created which describes the purpose
of the file and the types of information that should be kept in
the file and we, as the Joint Supervisory Body, are asked for
an opinion on that. There has been a change in recent years to
simplify that procedure. It used to be that the management board
had to agree it and consult with the Joint Supervisory Body before
the analysis work file could start and there was a lot of red
tape there. Now the analysis work file can be started by the Director
and then the opinion is sought and we have been happy with that.
We have also been happy with the development of target groups
within analysis work files. Rather than an analysis work file
being for a very specific type of crime and when a new type of
crime develops you start a new analysis work file, Europol are
moving to rather broader analysis work files, maybe on particular
aspects of Islamic terrorism or something of that sort, then,
within that file specific target groups in which a smaller number
of Member States cooperate looking at particular aspects of the
criminal activity. Europol sees that as a more efficient way of
working and, again, as the JSB, our views have been sought and
we have been content to go with that. This is not a complaint,
but Europol are not as good perhaps as they should be at keeping
us up to date on the development of these target groups within
analysis work files. Part of our view was that we should be kept
informed as part of transparency. More for administrative failings
than anything else, this does not always happen.
Q424 Lord Dear:
I am getting the picture - and it is an encouraging picture,
if I may say so - that you see your role in two parts: one
is an audit to make sure that things are done properly and the
other is almost a mentoring role, whilst the work is in progress,
to encourage it to be done properly rather than waiting for the
mistakes to be made before you go in. Would that be a correct
assumption?
Mr Smith: That is exactly right. We are
keen to cooperate with Europol, we are keen to give them advice
as they are developing, whether it is a new analysis work file
or the system, the Oasis system, which is the analysis computer
system that they are now developing for analysis, to give them
our views and they are keen to seek our views so that they solve
the problems before they ever happen. We do have this back-up
role of auditing and checking but even then, our approach is to
make recommendations and expect that Europol will comply with
those and discuss with them those recommendations. Yes, I am pleased
to tell you that by and large that process does work well.
Chairman: I think, Mr Bamford, you were
nodding your head in agreement with Mr Smith throughout his replies
to Lord Dear.
Q425 Lord Mawson:
Europol is the provider of technical infrastructure, applications
and data processing systems for use by Member States. Does the
JSB consider that Europol can dissociate itself from data protection
responsibilities when data is owned and processed by Member States?
Mr Smith: A slightly difficult question
but I suppose the legal answer is yes, Europol can dissociate
itself. If it is only supplying essentially the equipment, the
technology on which the message is passed from one Member State
to another, then Europol does not have legal responsibility for those
data. Having said that, we have been keen that those systems should
properly support data protection safeguards and where the exchange
goes through the Europol system, the InfoEx system as it is at
the moment, there are data protection safeguards within that.
I am not sure there is a great deal more that I can add to that.
Q426 Lord Mawson:
The text of the Europol Convention reflected a heavy emphasis
on technology use, information exchange and data protection accountability.
Do you detect a change of emphasis in the new Council Decision?
Mr Smith: The change in emphasis in the
Council's Decision is more on flexibility; it is a less rigid
instrument than the existing Convention, particularly in enabling
Europol to introduce other information systems in addition to
the Europol information system and the analysis work files without
requiring a change in the legal instrument. We have been very
keen that Europol should have that flexibility but also that the
Joint Supervisory Body should have an input into the decision
making on any new information systems. I am pleased that, as it
has gone through the processes, the Europol Decision has now got
that requirement to work with the Joint Supervisory Body built
in. I would also point out, if I may, that we were particularly
pleased in discussion on the Council's Decision about changes
that have been made to the articles dealing with the individual's
right of access to data at Europol. It has always been a very
difficult area because you have a combination of the Convention
and the national law of the Member State from which the individual
applies. These provisions, coupled with the Europol Convention
and how those relate has never been entirely clear. The problem
really is that whenever anybody applies to Europol for access
to their data, they get the answer "We cannot tell you whether
Europol holds data on you because if we tell you it might prejudice
the prevention or detection of crime". For a long time we
felt that that may be the appropriate answer in some cases but
there are many requests from people when there are no data held
at Europol about them and does it really prejudice policing to
tell them that is the case? We had some very helpful discussions
with Europol in which we agreed the text to put forward to the
Council working party dealing with the Europol Decision and that
was largely adopted by the Council working party. We expect that
when the Europol Decision comes into effect, we will have a simpler
system of giving access that gives people a genuine right of access
but does still enable Europol to withhold information where it
genuinely needs to withhold it in order to protect its policing
function. If I may just comment, in the whole process of developing
the Council Decision, we believe the views of JSB have been taken
seriously and have led to major changes. It is encouraging to
us in this process that data protection has not been seen as a
threat by the Council working party and a threat to policing.
It has been seen as going hand in hand and part of the necessary
safeguards that go with developing greater information exchange.
That is not always the case, but it has been here and we welcome
that.
Q427 Chairman:
Mr Bamford, you seem to agree.
Mr Bamford: I do agree and if I could
just add one point to the original question that was asked. You
had three elements to the original question there in terms of
technology, information exchange and data protection safeguards
and the increases there. Clearly there is much greater flexibility
now, greater interoperability is available. Our concern is to
make sure that those three elements of technology, information
exchange and data protection safeguards are kept in balance in
some way, that we do not end up with greater interoperability
meaning that any old data gets exchanged, we need to make sure
that there is still a sensible approach and sensible safeguards,
not just the mere capacity to do it meaning you can do, and you
need the things in balance still.
Q428 Lord Marlesford:
I would like to follow up this point about people asking whether
Europol have got information about them. It would never occur
to most of us, even if we knew of the existence of Europol, to
ask whether they had data on us and therefore, in a sense, if
I were a policeman, I would find it sufficiently interesting that
somebody should ask, and if there were no information, I would
at least record the fact that they had asked so that if that person
came up in another frame later on, it just might be of significance.
Would that be something which would be appropriate in data protection
terms?
Mr Smith: It would be appropriate for
Europol to record clearly that they had had an access request
as part of the administrative process, because if they had another
request from the same person, they would need to know. It would
perhaps be a step too far, in terms of the purpose of the information,
to record the fact that someone has made an access request as
part of the policing information that is held. I have to say,
and I understand the point that you are making, that some of the
requests at least are from people who are perhaps somewhat obsessive
about organisations holding information about them. There is no
real prospect that Europol would be holding information and just
giving them a non-committal answer plays to the obsession that
information is being held on them. A straight answer is the way
to deal with those people. Where there is some reason to believe
they might have a criminal intent - part of the process is
that Europol, before answering, can go back to check with the
Member State as to the Member State's view - it may still be right
for Europol to give a non-committal answer. So the end result
is not that everybody will get a straight answer: it depends on
the facts of the particular case, which is what we look to.
Q429 Lord Marlesford:
I really want to ask you your view on the dividing of the original
objectives of Europol into separate articles, whether you find
this a satisfactory division or whether you have concerns or whether
it is evolving or should evolve?
Mr Smith: We did have some concerns and
they probably come most strongly from members of the JSB who come
from those countries which are very concerned with legal compliance
and a legal basis for all the processing that goes on in Europol
and the concern was that the objective of Europol as it was set
out was drawn more widely than the competences of Europol. If
you are checking on whether there is a legal basis for the processing
of data at Europol, where do you go to? To the competences or
to the objectives? The objectives talked simply about organised
crime, whereas we have always been keen that Europol is confined
to cross-border crime where cooperation actually assists. Not
everything is cross border. If I can give you an example, the
terrible murder of two French students in London. It clearly has
cross-border implications because they were French students in
London but there is nothing, as far as I know at the moment, to
suggest that that would be a Europol matter and require international
cooperation. They happen to be French students; there is no suggestion
as far as I know of any French connection with criminal activity;
whereas some crime clearly does cross borders, for example where
money laundering of the proceeds of crime in the UK takes place
in Spain or wherever. The objective and the competences have been
clarified much more clearly as discussions have gone on and the
latest version gives a much stronger reference in the objectives
to organised crime being Europol's competence and talks about
it affecting two or more Member States. The competency goes on
to talk about "in such a way as to require a common approach".
Our concerns have been largely - I would not say completely - addressed
as the Decision developed.
Q430 Lord Marlesford:
When you are using this word "competence" which has
a strange Euro meaning, presumably you are referring to vires
rather than capabilities?
Mr Smith: Yes; that is exactly right.
Chairman: Thank you very much for clarifying
the difference between the original objective of Europol, Article
2 of the Europol Convention, and the separate articles relating
to objective and competence, Articles 3 and 4 of the Council Decision.
Q431 Baroness Henig:
May I ask how the JSB advisory body intends to oversee the responsibilities
of Europol when Member States use the network to exchange information
outside the competence of Europol in accordance with Article 9(3)(d)
of the Council Decision?
Mr Smith: Again, I am afraid I have to
answer that they will not be doing so because if it is outside
the competence of Europol, it is also outside the competence of
the Joint Supervisory Body. I do not know whether my colleague
wants to add anything. This is then in the territory of the national
supervisory body.
Q432 Baroness Henig:
I thought that might be the case from what was said earlier.
Mr Bamford: It is, and then it is down
to the cooperation of the national supervisory authorities and
the framework with which we generally work is a cooperative one
and we have structures there such as this working party on police
and justice, which may aid that form of cooperation in the future.
There is a structure in place but it will have to happen on a
bilateral basis between ourselves and our counterparts in the
other states.
Q433 Baroness Henig:
Those who want to cooperate always do and difficult cases tend
to remain difficult, if I might put it in those terms. How does
the Joint Supervisory Body see the development of a data protection
officer whose independence is protected under the Council Decision?
Mr Smith: We are very supportive of the
principle of setting up this quasi-independent data protection
officer. It is a system which Eurojust has adopted and works well
under the Eurojust decision. We are particularly pleased that
it emphasises the importance of data protection within Europol,
emphasises that the responsibilities there go straight to the
Director and that data protection has to be taken seriously. There
is also a very clear duty to cooperate with the Joint Supervisory
Body, there is a whistle-blowing capability to the data protection
officer, so if matters are not resolved within Europol, he or
she has a very clear right to come to the Joint Supervisory Body
with concerns. It is a step forward from where Europol already
are in practice and it is very welcome. One other development
that the data protection officer at Europol has recently introduced
is their own auditing; so they do internal data protection auditing
which is also seen as part of the function of the new statutory
data protection officer. Again this is a very welcome step and
helps underline these concerns about data quality and ensuring
that quality is maintained at Europol.
Mr Bamford: My understanding as well
is that the data protection officer for Europol will do an annual
report which will go to the management board and also to the Joint
Supervisory Body and that is a helpful link between the two. We
see the activity of the data protection officer and it gives us
an opportunity on the Joint Supervisory Body to have that report
to inform our future action in some way and that is a helpful
development.
Q434 Lord Young of Norwood Green:
What is your view on the EU's requirements for equivalence in
data protection regimes when EU law enforcement information is
exchanged with third countries? Are these requirements currently
hampering this exchange of information?
Mr Smith: May I start by talking about
the words? The word you used was "equivalence" and the
requirements actually are not equivalence; where they exist they
are about adequacy. The provisions in third countries do not have
to be equivalent to the same level; they have to be adequate to
deliver protection. It is a common misunderstanding and I raise
it because the restrictions are not as restrictive as some people
might think. There are many agreements in place between Europol
and third countries on which the JSB has given an opinion. It
is hard to say whether the requirements are currently hampering
the exchange. I suppose that to some extent they may be because
we have on the agenda of the Joint Supervisory Body agreements
with Russia and Israel, presumably on the basis that Europol wants
to exchange personal information with Russia and Israel and presumably
feels that it cannot do so because it does not yet have an agreement
in place. I do think that the extent to which this requirement
for adequacy stands in the way of transfer is entirely justified.
The point was made about transfer to other European Member States,
but what happens to the data that goes to Europol when it goes
to a third country? There has to be some proper protection for
it. There are already - and these will continue - measures
that allow the Director to transfer data in emergencies to safeguard
essential interests in a Member State. Even then he still has
to undertake some data protection considerations. It is a difficult
area. In the first pillar, where we talk about the data protection
directive, we do have a system whereby third countries can be
deemed adequate by the Commission and they make a finding that
third countries are adequate for the exchange of personal data.
We have no such system in the third pillar area at the moment
and there does not seem to be one greatly in prospect. It is slightly
odd that Europol has to make its finding and Eurojust does so
separately and other organisations do so. A slightly more joined-up
system would be of benefit to everybody.
Q435 Chairman:
What are the current lines of reporting of the JSB and how will
the Council Decision change that?
Mr Smith: I hesitate with this one. I
am tempted to say that we are an independent body and we report
to no-one, but that is not a very satisfactory answer. We are
independent, so we are not answerable to anybody but we do present
an activity report; the requirement is to do so regularly and
we do so every two years, and that goes to the Parliament and
the Council, and the management board have a prior opportunity
to consider it and to attach their comments to it. That has been
the practice and it has actually been enshrined in some changes
to the Convention that will be followed through into the final
Decision. We have also, as a Joint Supervisory Body, taken steps
to improve the transparency of our work. We have a website, we
do publish a highly edited extract of our minutes on that website,
we do publish the opinions that we reach, we do have information
about people's rights and how they can exercise their rights.
We just have this difficulty that there is a limit to how far
we can go on transparency without prejudicing essentially the
security of Europol information. That is probably about as far
as I can go.
Q436 Lord Marlesford:
What is the linkage with the Commission? Do you have a linkage
to the Information Commissioner?
Mr Smith: No, the Joint Supervisory Body
is comprised of up to two representatives from the data protection
authorities of each Member State. The UK data protection authority
is represented on the Joint Supervisory Body and when the Joint
Supervisory Body produces its report, the UK data protection authority
will generally make that available and circulate it and they will
send it to this Committee. They are part of the process rather
than having a formal link.
Q437 Chairman:
Earlier on you talked about the data protection officer and that
his independence is protected by the Council Decision. You used
the expression "quasi independent". Why did you qualify
it with "quasi"?
Mr Smith: I suppose because it is the
Joint Supervisory Body that ultimately is the independent body.
The data protection officer - and I hesitate a little without
going to the Decision - is an employee of Europol; pay and
rations still come from the Director, his annual appraisal will
be done by the Director. So he has some channels which guarantee
he can exercise his proper function but he is part of Europol
at the end of the day and that is why he is not completely independent,
whereas we are not answerable to Europol. If we upset the Director,
and we try not to do, there is no comeback on the Joint Supervisory
Body.
Q438 Chairman:
I am just trying to recall the evidence with SOCA and certainly
in the oral evidence that they gave to us, they made it clear
that data protection in no way imperilled the work that they did.
However, as I recall the written evidence that they gave to us,
which you may have had sight of, they did suggest that sometimes
it is easier to go down the path of bilateral conversations rather
than working through Europol, which perhaps suggests that observing
data protection might sometimes make life difficult. I think I
am right in reporting - and I hope and believe I am - but
do you have any comment on that?
Mr Smith: That is fair comment. There
is no doubt that the activities of Europol are more closely supervised
in data protection terms than bilateral exchanges of information
that do not involve Europol. In the UK we have a power in law
to inspect the national unit involved in Europol exchanges. We
have no power to make comparable inspections of bilateral exchanges
because the only power to make inspections derives in fact from
the Europol Convention and we would have a similar power if the
UK joined Schengen and we have one for the customs system. Yes,
Europol exchanges are subject to close supervision and also some
of the data protection requirements may well be more stringent
because of the desire of Europol not to be seen to be data protection
deficient, which would then be a reason for countries not to supply
them with data because it will not be protected properly, so they
do maintain higher standards. Sometimes it is possible that Member
States, I hesitate to say it, could get away with lower standards
in bilateral arrangements than they could do through Europol.
It is something we are conscious of and we are making some inquiries
about bilateral arrangements. It is an area we do need to look
at more closely as a national authority rather than as a Joint
Supervisory Authority.
Mr Bamford: Obviously we would be concerned
if the simple red tape got in the way and that caused the process
to be lengthier through Europol. In some of the aspects of the
way things operate there, there is at least some element of scrutiny
that comes to bear. It is not quite so certain with bilateral
arrangements where the scrutiny is being applied to the arrangement
that has been put in place. There is a difference there and potentially
a weakness there as a result of that but none of us wants red
tape getting in the way; we want the right decisions to be made
and the right levels of standards to be in place.
Mr Smith: The answer SOCA gave you when
they gave evidence to you is encouraging. This question of whether
data protection hampers information exchange or stands in the
way is quite difficult because, at the end of the day, yes, it
does to some extent and it ought to do so. It ought not to stop
sensible information exchange but it is about applying safeguards
and rights for individuals and they do make it more difficult
than just handing over the data without further thought. It is
getting the balance right and by and large, certainly through
Europol, we do get that balance right.
Q439 Chairman:
In the absence of any further questions from my colleagues, may
I remind you what I said at the beginning that if you have any
further thoughts or indeed any corrections you wish to make, please
do so. However, there is opportunity now: if you think there is
anything the Committee should learn about the work that the two
of you jointly do, please do impart it to us now, if there is
anything else that you came primed to tell us this morning.
Mr Smith: No, we have covered all the
points, unless my colleague has anything to add. I hope we have
left you with the impression that the data protection supervision
at Europol is important to us but we do feel the system is operating
reasonably effectively at the moment and that Europol does take
account of our concerns and tries to address them. Whilst we might
have differences from time to time, there are no major failings
which I would want to bring to your attention.
Chairman: I say on the behalf of the
Committee, we have heard a most eminently sensible and sensitive
set of replies to our questions this morning. We are extremely
grateful to both of you for coming this morning and for giving
us much meat to think about and consider in finally coming to
our conclusion and report. Many thanks indeed.