Correspondence with Ministers October 2006 to April 2007 - European Union Committee Contents


DATA PROTECTION FRAMEWORK DECISION (13246/2/06)

Letter from the Chairman to Rt Hon Baroness Ashton of Upholland, Parliamentary Under-Secretary of State, Department for Constitutional Affairs

  Sub-Committee F (Home Affairs) of the House of Lords Select Committee on the European Union considered the revised proposals for a Data Protection Framework Decision (DPFD) at a meeting on 13 December 2006.

  Over the past year there has been copious correspondence between us on this instrument, and indeed this proposal was touched upon in your evidence to the Sub-Committee's inquiries into both the Heiligendamm meeting and the Schengen Information System. However, none of this prepared us for the significance of the changes since the original proposal was deposited for scrutiny last year, most of which have gone in the direction of diminishing safeguards for individuals. You will be aware of the Second Opinion issued on 29 November 2006 by the European Data Protection Supervisor. We believe his concerns should be taken seriously within the Council, and should inform further negotiations over this instrument.

  We are particularly concerned by those provisions in the revised draft which appear to have fallen below the standards of the Council of Europe Convention on the processing of personal data, which is binding upon Member States and provides a base-line protection for individuals with regard to the exchange and processing of personal data. These are:

    —  the open-ended and discretionary conditions which permit the processing of data for purposes other than those for which the original processing took place, contrary to basic principles of purpose limitation (Article 5);

    —  the provision allowing as a general rule, though subject to conditions, the processing of special categories of data (race, ethnic origin etc), rather than prohibiting it with narrowly defined exceptions (Article 6);

    —  the lack of common standards and coordinated decisions on the adequacy of data protection provisions in third states, which will enable third countries' authorities to obtain information from the Member State with the lowest legal requirements for transfers, and so harm the trust between Member States themselves (ex Article 16); and

    —  the right of information being dependent on a request by the data subject, effectively emasculating this right (Article 19).

  We would be grateful for your views on these points, and would be glad to know how the Government intends to take these issues forward in the negotiations.

  It is also not clear to us why you continue to question the legal base for the applicability of the DPFD to domestic processing. The Council Legal Service issued an Opinion on the matter in March 2006. Could you confirm that the Council Legal Service has cleared the legal base question? How does the view of your Department differ from that of the Council Legal Service?

  We agree with the EDPS that the DPFD should include specific safeguards with regard to biometric data and DNA profiles. If the DPFD is to be an instrument underpinning the third pillar data protection regime, as you have told the Committee when giving evidence, it would be appropriate for specific safeguards to be included for these categories of data, the use of which is becoming increasingly important in the area of law enforcement. This question is particularly pertinent at a time when the German Presidency is planning to incorporate the Prüm Treaty, which focuses on biometric information and DNA profiles, into the EU framework. Could you let us know whether any thought has been given to including in the DPFD specific standards with respect to the processing of biometrics and DNA profiles? We understand that this might be difficult to achieve within the time frame that has been set for agreeing this proposal. We believe, however, that a timely agreement should not result in either weak data protection standards or in an ineffectual third pillar data protection regime.

  The Committee has decided to keep this document under scrutiny pending receipt of the information requested and further progress reports on negotiations. The previous draft (document 13019/05 and Add 1) has been superseded and is cleared.

14 December 2006

Letter from Rt Hon Baroness Ashton of Upholland to the Chairman

  Thank you for your letter of 14 December 2006 in which you raise a number of points regarding the most recent draft of the Data Protection Framework Decision (DPFD). While I have addressed each of these, it might be helpful to note that we are waiting for the Presidency to circulate a new text and expect this document to differ considerably from the current version. We hope to receive this new text in early March.

  In your letter you raise concerns that a number of provisions in the DPFD appear to have fallen below the standards of the Council of Europe Convention on the processing of personal data (also known as Convention 108). The UK's position has always been to ensure an appropriate standard of data protection in the third pillar and we regard Convention 108 as a useful starting point on which to build. You have helpfully noted in your letter the specific data protection provisions where you believe the standard of the data protection in the DPFD has fallen below that of Convention 108 and I have addressed each of these below.

  The first concern you raise is about processing contrary to the basic principle of purpose limitation. Article 5 of Convention 108 states that data shall be "processed fairly and lawfully . . . [and] stored for specified and legitimate purposes and not used in a way incompatible with those purposes." It does not prohibit the use of data for purposes other than those for which it was originally collected. Article 5(3) of the latest draft of the DPFD similarly permits the further processing of data "if it is necessary for lawful purposes of public interest not incompatible with" the original purposes of prevention, detection, investigation or prosecution of criminal offences. The DPFD does not, therefore, set out "open-ended" conditions on data processing because all processing must be lawful and, like Convention 108, "not incompatible" with the original purpose.

  The inclusion of the term "not incompatible" may appear to permit a wide range of processing. However, as noted above, the term is taken from Convention 108 (it is also used in the Data Protection Directive). It is necessary to permit data processing as part of the non-criminal functions of the police and for civil and regulatory procedures. For example, the police have a statutory duty to provide support for victims of crime, and in particular, for victims of serious and violent crime, under the Criminal Justice Act 2003. Victims may be informed by the police when their attacker is about to be released, if an appeal has been turned down, whether they will be re-housed in an area close to the victim and so on. Processing of the offender's data in this way is often simply to support the psychological and emotional welfare of the victim and is not for the purpose of crime prevention, investigation, detection or prosecution. We would not wish UK police to be prevented from processing data for purposes of victim support and so we welcomed the permission to process data for other lawful purposes not incompatible with crime prevention to ensure that the police can continue to fulfil this important statutory function.

  Permission to process data for purposes "not incompatible" with the original crime prevention function is also necessary for the conduct of civil and regulatory business. It is often unclear at the start of an investigation whether certain actions amount to a criminal offence or a regulatory breach. Regulatory bodies therefore need to be able to further process data originally used in a criminal context to pursue a regulatory breach if that transpires to be the most appropriate course of action. It would not be possible for organisations such as the Financial Services Authority or the Serious Fraud Office, for example, to carry out their lawful functions if all data originally processed for a criminal purpose could then not be processed for civil or regulatory purposes. In addition, these bodies all have duties under the Public Records Act to preserve certain material for posterity and to send it to the National Archives. This function is far removed from crime prevention, but is lawful and "not incompatible" with the original policing function.

  Another concern you raise relates to the processing of sensitive data. As you point out, Convention 108 does not permit the processing of sensitive data unless domestic law provides appropriate safeguards. These safeguards can be found in domestic law in the UK's Data Protection Act 1998 (particularly in the 1st data protection principle which requires a Schedule 3 condition be met to process sensitive personal data) and in other legislation, like the Rehabilitation of Offenders Act. The DPFD would permit the processing of sensitive data only when "strictly necessary" and states that Member States must provide for suitable additional safeguards. Further, the DPFD also prohibits the selection of groups solely on the basis of sensitive personal data. It is the Government's view that the provisions in the DPFD will ensure an appropriate level of control over the processing of this data and that those controls will provide a level of protection consistent with the DPA and Convention 108.

  You also noted concerns about a lack of common standards and co-ordinated decision-making on the adequacy of data protection provisions in third countries if article 16 is removed from the text. This issue is still being discussed at Working Group level and no final view has yet been taken in this area. The UK, along with most Member States, opposed the establishment of the comitology committee operating under Qualified Majority Voting rules because such a committee and voting system is not appropriate in the third pillar. It is important to bear in mind that some sharing of data with countries with inadequate data protection is necessary, for example in relation to extradition, deportation or to aid criminal investigations (for example, the overseas murder investigation of a UK national). In practice, data is shared safely with countries that have inadequate data protection by several means, including sharing with a trusted recipient or subject to specific conditions.

  You have also noted concerns about the right to information about data processing being dependent on a request by the data subject. The original notification right (ie to be told that a body is processing one's data for police purposes) was subject to exemptions that would result in the data controller often being exempt from this duty. It did not apply if the data subject already had this information or where notification would prejudice crime prevention. The narrower version of this right (to receive this information only on request) is consistent with the comparable right in Article 8 of Convention 108. You might like to note that the provisions in the DPFD which grant a subject access rights are also consistent with those in Convention 108 and with those in domestic law, in Section 7 of the Data Protection Act.

  In your letter you seek further information regarding the UK position on the legal base for the applicability of the DPFD to domestic processing. The Government remains unconvinced that a suitable legal base exists for this instrument to apply to purely domestic business. However, we are prepared to make a political undertaking that we would apply comparable principles to domestic data processing.

  You asked whether thought had been given to including specific safeguards in the DPFD on the processing of biometric data including DNA and I can confirm that no specific discussions have taken place on biometric data during Working Group negotiations. It might be helpful to note that biometric data is of course another form of personal data. Some biometric data, for example, certain photographs and DNA would also be considered to be sensitive data if it were possible to derive information regarding the racial or ethnic origin or health of the data subject. All biometric data will therefore be subject to the provisions of the DPFD and some biometric data will be subject to the additional provisions on sensitive personal data. As you know, the DPFD aims to set a minimum standard across the whole of the third pillar, and where appropriate, we would expect certain databases to have bespoke data protection rules, including specific rules on biometric data, as found in the Council Decision on the Establishment, Operation and Use of the Second Generation Schengen Information System.

  As ever, I am grateful for the interest your Committee has shown in this important dossier. I hope I have supplied the information you were seeking, but please do not hesitate to contact me should any further details be helpful.

16 February 2007



 

© Parliamentary copyright 2009