DATA PROTECTION FRAMEWORK DECISION (13246/2/06)
Letter from the Chairman to Rt Hon Baroness
Ashton of Upholland, Parliamentary Under-Secretary of State, Department
for Constitutional Affairs
Sub-Committee F (Home Affairs) of the House
of Lords Select Committee on the European Union considered the
revised proposals for a Data Protection Framework Decision (DPFD)
at a meeting on 13 December 2006.
Over the past year there has been copious correspondence
between us on this instrument, and indeed this proposal was touched
upon in your evidence to the Sub-Committee's inquiries into both
the Heiligendamm meeting and the Schengen Information System.
However, none of this prepared us for the significance of the
changes since the original proposal was deposited for scrutiny
last year, most of which have gone in the direction of diminishing
safeguards for individuals. You will be aware of the Second Opinion
issued on 29 November 2006 by the European Data Protection Supervisor.
We believe his concerns should be taken seriously within the Council,
and should inform further negotiations over this instrument.
We are particularly concerned by those provisions
in the revised draft which appear to have fallen below the standards
of the Council of Europe Convention on the processing of personal
data, which is binding upon Member States and provides a base-line
protection for individuals with regard to the exchange and processing
of personal data. These are:
the open-ended and discretionary
conditions which permit the processing of data for purposes other
than those for which the original processing took place, contrary
to basic principles of purpose limitation (Article 5);
the provision allowing as a general
rule, though subject to conditions, the processing of special
categories of data (race, ethnic origin etc), rather than prohibiting
it with narrowly defined exceptions (Article 6);
the lack of common standards and
coordinated decisions on the adequacy of data protection provisions
in third states, which will enable third countries' authorities
to obtain information from the Member State with the lowest legal
requirements for transfers, and so harm the trust between Member
States themselves (ex Article 16); and
the right of information being dependent
on a request by the data subject, effectively emasculating this
right (Article 19).
We would be grateful for your views on these
points, and would be glad to know how the Government intends to
take these issues forward in the negotiations.
It is also not clear to us why you continue
to question the legal base for the applicability of the DPFD to
domestic processing. The Council Legal Service issued an Opinion
on the matter in March 2006. Could you confirm that the Council
Legal Service has cleared the legal base question? How does the
view of your Department differ from that of the Council Legal
Service?
We agree with the EDPS that the DPFD should
include specific safeguards with regard to biometric data and
DNA profiles. If the DPFD is to be an instrument underpinning
the third pillar data protection regime, as you have told the
Committee when giving evidence, it would be appropriate for specific
safeguards to be included for these categories of data, the use
of which is becoming increasingly important in the area of law
enforcement. This question is particularly pertinent at a time
when the German Presidency is planning to incorporate the Prum
Treaty, which focuses on biometric information and DNA profiles,
into the EU framework. Could you let us know whether any thought
has been given to including in the DPFD specific standards with
respect to the processing of biometrics and DNA profiles? We understand
that this might be difficult to achieve within the time frame
that has been set for agreeing this proposal. We believe, however,
that a timely agreement should not result in either weak data
protection standards or in an ineffectual third pillar data protection
regime.
The Committee has decided to keep this document
under scrutiny pending receipt of the information requested and
further progress reports on negotiations. The previous draft (document
13019/05 and Add 1) has been superseded and is cleared.
14 December 2006
Letter from Rt Hon Baroness Ashton of
Upholland to the Chairman
Thank you for your letter of 14 December 2006
in which you raise a number of points regarding the most recent
draft of the Data Protection Framework Decision (DPFD). While
I have addressed each of these, it might be helpful to note that
we are waiting for the Presidency to circulate a new text and
expect this document to differ considerably from the current version.
We hope to receive this new text in early March.
In your letter you raise concerns that a number
of provisions in the DPFD appear to have fallen below the standards
of the Council of Europe Convention on the processing of personal
data (also known as Convention 108). The UK's position has always
been to ensure an appropriate standard of data protection in the
third pillar and we regard Convention 108 as a useful starting
point on which to build. You have helpfully noted in your letter
the specific data protection provisions where you believe the
standard of the data protection in the DPFD has fallen below that
of Convention 108 and I have addressed each of these below.
The first concern you raise is about processing
contrary to the basic principle of purpose limitation. Article
5 of Convention 108 states that data shall be "processed
fairly and lawfully . . . [and] stored for specified
and legitimate purposes and not used in a way incompatible with
those purposes." It does not prohibit the use of data for
purposes other than those for which it was originally collected.
Article 5(3) of the latest draft of the DPFD similarly permits
the further processing of data "if it is necessary for lawful
purposes of public interest not incompatible with" the original
purposes of prevention, detection, investigation or prosecution
of criminal offences. The DPFD does not, therefore, set out "open-ended"
conditions on data processing because all processing must be lawful
and, like Convention 108, "not incompatible" with the
original purpose.
The inclusion of the term "not incompatible"
may appear to permit a wide range of processing. However, as noted
above, the term is taken from Convention 108 (it is also used
in the Data Protection Directive). It is necessary to permit data
processing as part of the non-criminal functions of the police
and for civil and regulatory procedures. For example, the police
have a statutory duty to provide support for victims of crime,
and in particular, for victims of serious and violent crime, under
the Criminal Justice Act 2003. Victims may be informed by the
police when their attacker is about to be released, if an appeal
has been turned down, whether they will be re-housed in an area
close to the victim and so on. Processing of the offender's data
in this way is often simply to support the psychological and emotional
welfare of the victim and is not for the purpose of crime prevention,
investigation, detection or prosecution. We would not wish UK
police to be prevented from processing data for purposes of victim
support and so we welcomed the permission to process data for
other lawful purposes not incompatible with crime prevention to
ensure that the police can continue to fulfil this important statutory
function.
Permission to process data for purposes "not
incompatible" with the original crime prevention function
is also necessary for the conduct of civil and regulatory business.
It is often unclear at the start of an investigation whether certain
actions amount to a criminal offence or a regulatory breach. Regulatory
bodies therefore need to be able to further process data originally
used in a criminal context to pursue a regulatory breach if that
transpires to be the most appropriate course of action. It would
not be possible for organisations such as the Financial Services
Authority or the Serious Fraud Office, for example, to carry out
their lawful functions if all data originally processed for a
criminal purpose could then not be processed for civil or regulatory
purposes. In addition, these bodies all have duties under the
Public Records Act to preserve certain material for posterity
and to send it to the National Archives. This function is far
removed from crime prevention, but is lawful and "not incompatible"
with the original policing function.
Another concern you raise relates to the processing
of sensitive data. As you point out, Convention 108 does not permit
the processing of sensitive data unless domestic law provides
appropriate safeguards. These safeguards can be found in domestic
law in the UK's Data Protection Act 1998 (particularly in the
1st data protection principle which requires a Schedule 3 condition
be met to process sensitive personal data) and in other legislation,
like the Rehabilitation of Offenders Act. The DPFD would permit
the processing of sensitive data only when "strictly necessary"
and states that Member States must provide for suitable additional
safeguards. Further, the DPFD also prohibits the selection of
groups solely on the basis of sensitive personal data. It is the
Government's view that the provisions in the DPFD will ensure
an appropriate level of control over the processing of this data
and that those controls will provide a level of protection consistent
with the DPA and Convention 108.
You also noted concerns about a lack of common
standards and co-ordinated decision-making on the adequacy of
data protection provisions in third countries if article 16 is
removed from the text. This issue is still being discussed at
Working Group level and no final view has yet been taken in this
area. The UK, along with most Member States, opposed the establishment
of the comitology committee operating under Qualified Majority
Voting rules because such a committee and voting system is not
appropriate in the third pillar. It is important to bear in mind
that some sharing of data with countries with inadequate data
protection is necessary, for example in relation to extradition,
deportation or to aid criminal investigations (for example, the
overseas murder investigation of a UK national). In practice,
data is shared safely with countries that have inadequate data
protection by several means, including sharing with a trusted
recipient or subject to specific conditions.
You have also noted concerns about the right
to information about data processing being dependent on a request
by the data subject. The original notification right (ie to be
told that a body is processing one's data for police purposes)
was subject to exemptions that would result in the data controller
often being exempt from this duty. It did not apply if the data
subject already had this information or where notification would
prejudice crime prevention. The narrower version of this right
(to receive this information only on request) is consistent with
the comparable right in Article 8 of Convention 108. You might
like to note that the provisions in the DPFD which grant a subject
access rights are also consistent with those in Convention 108
and with those in domestic law, in Section 7 of the Data Protection
Act.
In your letter you seek further information
regarding the UK position on the legal base for the applicability
of the DPFD to domestic processing. The Government remains unconvinced
that a suitable legal base exists for this instrument to apply
to purely domestic business. However, we are prepared to make
a political undertaking that we would apply comparable principles
to domestic data processing.
You asked whether thought had been given to
including specific safeguards in the DPFD on the processing of
biometric data including DNA and I can confirm that no specific
discussions have taken place on biometric data during Working
Group negotiations. It might be helpful to note that biometric
data is of course another form of personal data. Some biometric
data, for example, certain photographs and DNA would also be considered
to be sensitive data if it were possible to derive information
regarding the racial or ethnic origin or health of the data subject.
All biometric data will therefore be subject to the provisions
of the DPFD and some biometric data will be subject to the additional
provisions on sensitive personal data. As you know, the DPFD aims
to set a minimum standard across the whole of the third pillar,
and where appropriate, we would expect certain databases to have
bespoke data protection rules, including specific rules on biometric
data, as found in the Council Decision on the Establishment, Operation
and Use of the Second Generation Schengen Information System.
As ever, I am grateful for the interest your
Committee has shown in this important dossier. I hope I have supplied
the information you were seeking, but please do not hesitate to
contact me should any further details be helpful.
16 February 2007