I am writing in response to the European Union Committee's 9th Report of Session 2006-07, entitled Schengen Information System II (SIS II).

  The Government welcomes this report and is pleased that the Committee broadly shares our view of the importance of the SIS II and of the benefits it will bring to the UK's law enforcement agencies in their fight against crossborder crime.

  The attached response details the Government's reactions to the recommendations made by the Committee on a point-by-point basis. I feel it is also appropriate to raise here an issue which has recently emerged in relation to the implementation of SIS II in the UK. In giving evidence to the Committee on 29 November last year I was asked if the government had a firm view as to whether or not legislation would be required to implement SIS II in the UK. I stated that my officials had consulted widely during negotiations and that we were satisfied that no further legislation was required.

  As part of our ongoing process of consultation with other government departments and stakeholders, further work has revealed that we may in fact require legislation in order to implement SIS II. Officials engaged in this work are exploring possible legislative requirements as a matter of priority. I will provide further information to the Committee in due course.

26 April 2007

GOVERNMENT RESPONSE

  152.  The United Kingdom is not a Schengen State and will not become one in the foreseeable future. But the Schengen Information System, and its development into a second generation system, are matters of the highest relevance to this country.

  153.  We believe this is well understood by the police, the prosecuting authorities, and all those involved in the combating of serious cross-border crime. They appreciate the benefits to be derived from this country's participation in the information system - benefits not just for this country, but for all the States with which we can share our information.

  154.  We are less sure that this is fully understood by the Government. They are content not to participate in the current SIS, and likewise content that the United Kingdom should be one of the last countries to participate in SIS II. We find this hard to reconcile with their stated commitment to fighting crossborder crime.

    The Government is fully committed to fighting cross-border crime and to delivering the UK's SIS II connection as soon as possible. The Government is equally committed to managing good projects. In light of the lessons from SIS I we are proceeding with a robust and carefully planned Programme, which will deliver a system to give maximum benefits to ail law enforcement agencies.

Background-the development of the Schengen database

  155.  Ministers should put more resources into the development of the national connection to SIS II. Whenever the central system is ready, the United Kingdom should be ready and able to participate as early and as fully as possible. (paragraph 30)

    The Government agrees that a national connection to SIS II should be developed to enable full connection as early as possible, and we welcome the Committee's acknowledgement of the importance of the SIS II programme. The Government will provide the necessary resources to deliver connection to SIS II and to ensure that our law enforcement and criminal justice agencies are properly prepared to make full use of the system when it is implemented.

  156.  A project of this importance and magnitude needs to be developed openly and publicly. It potentially affects not just EU citizens, but also hundreds of thousands of non-EU citizens who may wish to travel to or reside in the EU. Information must be readily available, not just to EU institutions and national experts, but to all those affected. (paragraph 38)

    The Government agrees that it is important that all those who will be affected by SIS II should be able to access information about the system. We therefore welcome the requirement in the SIS II legal instruments which obliges the Commission, working together with the national supervisory authorities and the European Data Protection Supervisor, to conduct an information campaign about SIS II when it is launched. Member states are also required to ensure that their citizens are properly informed about SIS II.

  157.  It is unacceptable for a project with such cost and resource implications to be developed without a prior full impact assessment, and a full legIslative explanatory memorandum. (paragraph 39)

    The Government would agree that proposals for new projects should be accompanied by a full impact assessment. As the Committee notes, impact assessments will be carried out prior to the implementation of any new SIS II functions of considerable importance, such as the setting up of a Management Authority, and we welcome this progress. The Commission report which will be produced ahead of the introduction of the use of fingerprints for identification purposes should also be seen as a step towards greater transparency.

  158.  The Government should press for greater transparency in the future development of the project, including the award of contracts. (paragraph 40)

    The Government welcomes this recommendation, and has pressed the Commission to be more open in its development of this project.

  159.  The lack of transparency in Council proceedings, and in co-decision negotiations between the Council and the European Parliament, is an issue relevant to all areas of EU policy-making, and has been particularly noticeable in the negotiations on the SIS II legislation. The Government should press the EU institutions to ensure greater openness and transparency of their proceedings, and in particular to codify the procedures for co-decision negotiations. All drafts of legislation should as a general rule be published immediately. (paragraph 49)

    The UK supports greater transparency in the EU as our Presidency demonstrated—agreeing to open up the Council much more than ever before. Member States also agreed in December 2005 to "assess the functioning of these measures" during the Austrian and Finnish Presidencies.

    The June 2006 European Council agreed an "overall policy on transparency", the main effect of which was to open up to the public all deliberations on co-decided legislation. After we raised our concerns about moving too far, too fast we secured agreement to a review of these measures after six months, to assess the "impact on the effectiveness of the Council's work".

    The Finnish Presidency conducted the review (in December 2006) in a serious way and made real efforts to meet our concerns. Their report pointed out that the new arrangements had only been in place five months (including in August) and that therefore it was difficult to lay down definitive conclusions about how the rules are working. For this reason, the Finns have agreed with the Portuguese that there will be a further review in December 2007.

  160.  To facilitate public debate on SIS II and to ensure effective Parliamentary scrutiny of United Kingdom participation in the project, the Government should undertake to publish regular reports on our preparation for SIS II, and on the planned and actual impact on the United Kingdom. (paragraph 52)

    The Government does not believe it is appropriate to provide regular updates on our preparation for SIS II, as sufficient channels already exist for interested parties to seek updates on progress. The effort of producing a regular update would mean that resources would have to be diverted from work on delivering the programme successfully. However, the Government will produce a report prior to the UK connection to SIS II, explaining the preparations that have been made to support a successful implementation.

How the system works in practice

  161.  The SIS II legislation permits the use of one-to-many searches only once the Commission reports that the relevant technology is available and ready.The Government must press for:

  —  The Commission report to be drawn up on the basis of the opinion of independent experts;

  —  The certification by the Commission that the technology is ready, sufficiently accurate and reliable;

  —  The report to be adopted by unanimous vote of the Council after consultation with the European Parliament.

  The Government must deposit the Commission report for scrutiny, and the views of Parliament must be taken into account. (paragraph 61)

    The Committee is correct to note that identification using fingerprints will only be possible once the Commission has produced its report. The use of one-to-many searching for other categories of data (except photographs) will be possible as soon as the system is introduced.

    We will take a keen interest in the production of the Commission's report and will offer UK expertise and assistance where this is possible. The legislation clearly states that the European Parliament shall be consulted on the report. We will inform the UK Parliament when the report is published and will seek to ensure that their views are taken into account.

  162.  Full and clear statistics must be published at regular intervals, and should include:

  —  The number and type of alerts per Member State;

  —  The number and type of hits per Member State;

  —  The use of the SIRENE system for each type of supplementary information exchanged by each Member State; and

  —  Actions taken following a hit for each type of hit and for each Member State. (paragraph 68)

    Article 66(3) of the SIS II Decision and Article 50(3) of the Regulation require that the Management Authority shall publish the following statistics on a yearly basis, in total and for each Member State:

—  Number of records per category of alert;

—  The number of hits per category of alert; and

—  How many times SIS II was accessed.

    The SIS II legislation does not require the collection of data on actions taken following a hit. The Government considers that the reporting burden created by a requirement to gather statistics on action taken following every hit would be considerable, and as such we do not agree that there is a need to change the requirement.

    With regard to the monitoring of the exchange of supplementary information, the Management Authority will be required to produce, two years after SIS II is brought into operation and every two years thereafter, a report on the technical functioning of C SIS and the Communication Infrastructure. This report is required to cover the bilateral and multilateral exchange of supplementary information between Member States. The report shall be transmitted to the European Parliament and the Council.

    In addition, the Commission will be required to produce a regular overall evaluation covering the exchange of supplementary information. This overall evaluation will be produced three years after SIS II enters into operation and every four years thereafter.

    The Government is content that this requirement will provide sufficient supervision of the exchange of supplementary information.

  163.  There must be harmonisation of statistics to ensure consistency and comparability between EU and national statistics on SIS II relating to extradition requests, visa refusals, refusals of entry at the border and refusals to grant or renew residence permits. (paragraph 69)

    The Government agrees that, where there is already a requirement for statistics on SIS II to be produced, it would be desirable for there to be harmonisation of EU and national statistics. As the Committee is aware, however, we would have to agree any such step with both the Commission and the other Member States. The value of any statistics will depend upon their consistency and comparability. The UK will press for and support any necessary work to achieve. We will raise this issue at the appropriate working group, and put forward the Committee's suggestion that Eurostat should carry out this function.

  164.  We welcome the procedural harmonisation concerning immigration alerts contained in the legislation, but there should also be harmonisation of the substantive rules for listing a person. There should be a requirement to publish in the Official Journal a summary of the different national laws and practices concerning the creation of an immigration alert. (paragraph 71)

  165.  The forthcoming review of the grounds for listing an immigration alert should also examine how well the right to appeal is secured in practice, and whether there is a need to address the timing of the right to appeal, and its link with the right to information. (paragraph 72)

    We welcome the Committee's recommendations in this area. As the UK is not participating in the SIS II Regulation, which sets out the conditions for entering immigration alerts, we have a limited scope to influence the Commission and other Member States in their actions in this area. However, we will seek to ensure that the Committee's recommendations are heeded when the forthcoming review takes place.

  166.  The United Kingdom is particularly affected by the application of the current SIS, and SIS II, to the family members of EU citizens. A British family which includes a third-country national subject to a SIS or SIS II alert will not be able in practice to travel to the Schengen area. This is justified if the third country national has committed crimes sufficiently serious to justify exclusion under EC free movement law, but not otherwise. The application of SIS and SIS II rules needs to be monitored closely to ensure that they are being correctly applied. (paragraph 76)

    As set out in the Committee's Report, the application of SIS alerts in relation to third country national family members of EU citizens was considered by the European Court of Justice in Commission v Spain C-503/03. The Court ruled that the right of such a family member to move around the Union with an EU citizen could only be derogated from on the ground that the family member constituted a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society, as set out in the free movement legislation—now Directive 2004/38. Such a family member could not be prevented from entering a Member State on the sole ground that he or she was covered by an alert entered into SIS.

    In the light of this ruling, and of Article 25 of the SIS II Regulation which was inserted to cover this situation, the Government considers that the rights of third country national family members of a UK citizen wishing to accompany the UK citizen to a Schengen Member State should be protected. We agree with the Committee, however, that it is important that these rules are correctly applied.

  167.  The Home Office should start planning for the inevitable increase in the resources needed by the Crown Prosecution Service. The resources should be agreed in sufficient time so that the effectiveness of the Crown Prosecution Service in issuing and executing extradition requests and European Arrest Warrants is not reduced. (paragraph 78)

    We welcome the Committee's interest in the important task of planning for the business changes which will come about when SIS II goes live. The Government expects that the introduction of SIS II will lead to efficiencies in some areas, as well as requiring increased resources in others. In order to understand the impact this will have on their work the Home Office will be engaging with the Crown Prosecution Service this year, along with a number of other stakeholders who will be affected by the growth in arrests and extraditions expected to follow the implementation of SIS II.

Management of the system

  168.  The Government should press for the establishment as soon as possible of a dedicated Management Authority for the Central SIS II. The legislation setting it up must provide for:

  —  the Authority to have the required technical expertise in overseeing and operating large-scale information systems;

  —  the Authority to be required to publish full and clear statistics at regular intervals;

  —  the Authority to be subject to effective scrutiny, including by the Court of Auditors;

  —  clear differentiation between the tasks which remain the responsibility of the Commission, and those delegated to the Authority; and

  —  clear lines of accountability. (paragraph 88)

    The Government welcomes the Committee's recommendations in this area; they will be useful when we come to detailed discussions on setting up a dedicated Management Authority for SIS II. We are awaiting the outcome of the European Commission's formal Impact Assessment, containing a substantive analysis of the options for setting up the authority. We would not wish to pre-empt the outcome of that analysis, but we will consider the Committee's recommendations carefully at the appropriate time.

  169.  The Government should ensure that individuals affected by the actions of the Management Authority are not left without an effective recourse to justice. (paragraph 90)

    Again the Government welcomes this recommendation; we will seek to ensure that this is not the case, whichever form the Management Authority takes.

Access to data

  170.  In order to ensure accountability, we believe that all Member States should report on the circumstances in which they will allow further processing of SIS II data, and when they will permit other Member States to process further SIS II data which they have entered. (paragraph 95).

    Further processing of any SIS II data must be lawful and within the rules set out in the SIS II Decision. Article 46(5) of the SIS II Decision states that prior consent must be obtained from the Member State issuing the alert before any further processing may take place. In addition, further processing must be linked to a specific case and justified "by the need to prevent an imminent serious threat to public policy and public security, on grounds of national security or for the purposes of preventing a serious criminal offence". These are the only circumstances under which further processing of SIS II data may take place.

  171.  We welcome the provision requiring the publication of information on which authorities have access to SIS II data, and for what purposes. There is no reason why such information could not be published already in respect of access to data held in the current SIS. (paragraph 99)

    As the Committee is aware the UK is not currently connected to SIS I, and we therefore have a limited ability to persuade our European partners to publish this information. We will however raise this point in the appropriate forum.

  172.  The Government should now publish:

  —  the list of those authorities which will have access SIS II data;

  —  the purposes for which they will have access;

  —  the list of those authorities which will be able to input data into SIS II; and

  —  the circumstances in which they will be able to do so. (paragraph 100)

    The Government will be required to publish a list of those authorities which will have access to search SIS II, as the Committee notes. We have no objection in principle to publishing these details.

    However SIS II is still in development stage and the exact list of authorities who will access SIS II and the means by which they will access the system has yet to be finalised. In order to avoid confusion, we do not intend to publish an exhaustive list of those authorities which will access SIS II until this has been finalised. Authorities which will have access will include police forces, the Serious Organised Crime Agency and the Border and Immigration Agency. All SIS II access will of course be in line with the strict limitations set out in the legal instruments.

  173.  Access to SIS II data (or data in the current SIS) by asylum authorities, to determine responsibility for an asylum application or to decide on the merits of an application, must be subject to detailed safeguards ensuring a full exchange of relevant information following a hit. It is not enough simply to note that there is an alert against a person. (paragraph 106)

    In the UK asylum claims are determined on a case by case basis considering all available information. Consequently, no asylum claim would be determined solely on the basis of whether or not the individual was subject to an alert on SIS or SIS II. All asylum decision in the UK are subject to a right of appeal before an Immigration Judge. If information of an alert formed part of the information available to the UK asylum authorities then we agree that it would have to clarified by detail of the reasons for the alert in order to be used.

  174.  Europol should indicate in its annual reports how often it has accessed SIS data, and what use has been made of that data. (paragraph 110)

    This information should be held as part of Europol's Management Information Systems data. We will ensure that this issue is raised with them.

Data protection and data processing rules

    The Government considers the data protection measures in SIS II to be robust, specific to and appropriate for the highly specialised nature of the database.

    It is the Government's expectation that the data protection measures in SIS II will not contradict the Data Protection Framework Decision (DPFD), although the DPFD is still in draft. The DPFD will set overarching minimum standards of data protection across the whole of the third pillar, which will be supplemented by the more specific data protection provisions in SIS II. Where the rules in SIS II are stricter we would expect them to prevail over those in the DPFD.

  175.  We agree with our witnesses that the data protection regime applicable to the SIS II rules is unduly complex. There are several third pillar instruments in force or in the course of preparation which have data protection provisions which are similar to but not identical with those in chapter XII of the Decision. (paragraph 119)

    The Government does not agree that the data protection rules in the SIS II Decision are unduly complex. The bespoke data protection rules for SIS II are necessary to ensure an appropriate level of data protection, bearing in mind the highly specific functionality of the SIS II database.

    Other third pillar instruments do contain different data protection rules. This is sometimes simply because the data protection provisions have been negotiated at different points in time but, more importantly, because the provisions are tailored to fit the bespoke nature of the various instruments and the often highly specialised data they contain. The Government believes the DPFD, once agreed, will help to ensure consistency of approach across the third pillar in establishing a clear, legally binding minimum standard of data protection, above which bespoke provisions will apply to specific instruments.

  176.  The third pillar Data Protection Framework Decision should prescribe exactly which data protection rules are applicable, and which are to prevail where there is a conflict. The Government should press the Council to achieve effective harmonisation of data protection rules in the Framework Decision, and ensure that it sets a sufficiently ambitious data protection standard. (paragraph 120)

    The aim of the DPFD is to set minimum standards of data protection in the third pillar. The intention is that other third pillar legislation observe these minimum standards but may also impose higher data protection standards dependent on the specific nature of the instrument.

    The ongoing negotiations on the DPFD include discussions about the relationship between the DPFD and other third pillar instruments. It is difficult to give a definitive view of the Council position on this at present, as we are not yet sure what the final DPFD text will look like. However, our understanding is that in the case of a conflict the higher standard of data protection would apply. In most cases the higher standard would come from the more specific provisions in third pillar instruments, such as SIS II, rather than the more general provisions in the DPFD.

    The Government has always supported the DPFD in principle. We want to ensure that the provisions strike the right balance between providing an appropriate level of data protection and ensuring that law enforcement agencies can share data effectively in the fight against crime.

  177.  Given that the Data Protection Framework Decision would apply to SIS II, it is not appropriate to implement SIS II until the Framework Decision has been adopted and is being implemented. The Government should seek to have this Framework Decision adopted by the summer of 2007. (paragraph124)

    The Presidency circulated a revised DPFD text on 14 March which was discussed at Working Group level on 29 and 30 March and 3 April. However, due to the diverging positions of Member States on the DPFD it would appear unlikely that an agreement will be reached by the summer of 2007. The Government would welcome agreement on a DPFD text as soon as possible but we need to ensure that its provisions do not prevent UK stakeholders from fulfilling their duties, including statutory functions, in an effective and efficient manner.

    The Government is keen to have access to SIS II as soon as possible as it will be a useful tool in the fight against serious crime. However, if SIS II is implemented before the DPFD is in place, the Council of Europe Convention on the automatic processing of personal data (Convention 108) will apply to SIS II as will article 8 of the European Convention on Human Rights, which requires public authorities to protect people's privacy rights. Convention 108 currently provides general data protection provisions for third pillar business. The DPFD will provide more detailed provisions and, once implemented, will replace Convention 108 in relation to the SIS II Decision.

  178.  Because of its importance for civil liberties, the Framework Decision should be negotiated with the maximum degree of transparency and involvement of data protection authorities at national and European level. (paragraph 125)

    Data Protection authorities at national and European level are indeed involved in the negotiations on the Framework Decision. The European Data Protection Supervisor (EDPS) has issued two opinions on the Framework Decision and we would expect a further opinion on the new draft of the Framework Decision. National supervisory authorities feed in to the work of the EDPS.

    The UK Government has a good working relationship with the Information Commissioner's Office (ICO) with regard to the Framework Decision and officials from the DCA and the ICO contact each other regularly. We understand that other Member States are also in regular contact with their supervisory authorities.

  179.  As regards SIS II, the exclusion of Europol, Eurojust and security agencies from the proposed Data Protection Framework Decision is unjustified unless equivalent data protection standards apply to these bodies. (paragraph 127)

    The new draft of the DPFD brings Europol and Eurojust within its scope. However, negotiations on this draft have only just begun it is difficult to say whether these bodies will remain within scope.

    We are content with the data protection standards applied to Europol and Eurojust, although it is worth noting that the data protection measures in the draft Council Decision on Europol are currently being redrafted. The DPA applies to the security agencies.

  180.  The Government should press for amendments to the data protection rules when they are reviewed, in particular:

  —  to provide for clearer rules on the right to information, and

  —  to limit the ability of Member States to derogate from data protection rights to those cases where national security and the operations of law enforcement authorities would be directly prejudiced. (paragraph 130)

    The Government believes that the rules on the right to information in the SIS II Decision are already clear. The Decision states that any person has the right of access to data about them entered into SIS II in accordance with the national law of the Member State in which they invoke that right. In the UK, therefore, individuals may make a subject access request under the Data Protection Act. If the request for access occurs in the UK but the alert was entered by another Member State, the UK would need to advise that Member State of the UK's intention to disclose or withhold the relevant data.

  181.  The Government should seek to ensure that the Data Protection Framework Decision requires that all national data protection authorities enjoy all of the powers referred to in the EC Data Protection Directive. The Framework Decision should also make clear that this provision applies to the SIS II Decision. (paragraph 133)

    The current draft of the DPFD gives the national data protection authorities the powers consistent with those set out in the EC Data Protection Directive. The UK supports this. Article 60 of the SIS II Decision relates to the powers of the national supervisory authority and, once implemented, the DPFD would also apply to the data shared under SIS II. In most cases, we would expect the provisions setting the highest standard of data protection to apply if the two instruments differ on particular points. As the draft DPFD currently stands, it would provide for greater subject access than SIS II (in some Member States but not in the UK) and so here we would expect the DPFD to prevail over SIS II. However, this is a matter we will be able to comment on further as the DPFD text comes closer to being finalised.

  182.  The question of adequate resources for data protection authorities to enforce EU data protection rules, and the SIS II rules in particular, should be reviewed on a regular basis. (paragraph 134)

    Article 60(3) states that Member States "shall ensure that the (National Supervisory Authority has) sufficient resources to fulfil the tasks entrusted to it under this Decision". This obliges Member States to ensure the National Supervisory Authority has sufficient resources to carry out these tasks.

    The ICO's resource requirements are the subject of regular discussion between the lCO and DCA.

United Kingdom access to immigration data

  183.  We accept, as do the Government, that the position under the Amsterdam Treaty is that the United Kingdom cannot have access to all SIS II immigration data as long as it retains its border controls. However the contribution this information can make to the overall security of the European Union needs to be taken into account. We hope that when amendments to the EC and EU Treaties are next negotiated the Government will seek to persuade our partners of the benefits, to them as well as to us, of securing amendments to the relevant provisions. (paragraph 148)

    The Government agrees with the Committee that access to these alerts by the UK would benefit the overall security of the EU. Although this matter could be considered in the context of any future change to the treaties the Government's view is that the UK should be able to access immigration data for law enforcement purposes under the current treaty arrangements. The UK is being prevented from accessing this information as a result of the legal interpretation currently afforded to the application of the Treaty Protocol integrating the Schengen acquis into the framework of the EU and the Protocol on the position of the UK and Ireland (1997). But the UK is currently challenging the interpretation of those Protocols in the European Court of Justice and will review the position in light of the judgment, which is expected next year.

  184.  In the meantime, Ministers should persuade their colleagues from the Schengen States that police and other law enforcement bodies in the United Kingdom must have access to other Member States' immigration data relating to the criminality of the individuals concerned. In return, the United Kingdom would make available to other Member States its own data on individuals who are undesirable due to their criminal activity. (paragraph 149)

  185.  Time is of the essence. These recommendations rely on it being technically feasible to distinguish between alerts on unwanted aliens for public policy, public security and national security purposes, and alerts based on immigration control purposes. The sooner attempts are made to resolve these technical problems, the more likely they are to succeed. (paragraph 150)

  186.  To help the United Kingdom and its EU partners in their joint fight against terrorism and serious crime, the Government must therefore press ahead with representations at the highest levels. (paragraph 1.51)

    The Government agrees on the importance for the UK of being able to access other Member States immigration data relating to the criminality of the individuals concerned and will continue to lobby other Member States on this important issue. If and when the UK is able to access these alerts we will explore with our EU colleagues the technical and operational issues which arise.

  187.  We recommend this report to the House for debate. (paragraph 11)