Beyond Brexit: policing, law enforcement and security Contents

Chapter 3: Future UK-EU sharing of law enforcement and criminal justice data

Title II: DNA, fingerprint and vehicle registration data (Prüm)

EU evaluation of UK systems compliance under the agreement

33.Title II makes provision for the “automated transfer” between the Parties of DNA profiles, fingerprints (referred to as ‘dactyloscopic data’ in the text) and “certain domestic vehicle registration data” (hereafter referred to as Prüm55 data).56

34.The UK’s ability to apply and comply with the rules set out in Title II and the technical rules listed in Annex LAW-I of the law enforcement agreement is subject to an “evaluation visit and pilot run” (or runs) undertaken by the EU.57 On the basis of an overall evaluation report, “the Union shall determine the date or dates from which personal data may be supplied by Member States to the United Kingdom pursuant to this Title.”58 However, provision is made to allow data to continue to flow after 31 December 2020 on the basis of the TCA, but for “not longer than” nine months. The SCLE&JC can extend this period once for a further nine months.59

35.Home Office Minister, Kevin Foster MP, expressed confidence that the UK would pass the EU’s tests for Prüm data:

“We are confident that our operating processes are still fully in line with the Prüm requirements, given our experience of passing the previous evaluations. If any matters arise on a technical level during the evaluation that cannot be resolved between the evaluating team and the UK specialists, we would look to refer the matter to the specialised committee.”60

Comparison with previous UK-EU arrangements

36.Witnesses welcomed the Agreement on Prüm. Mr Steve Rodhouse, Director General (Operations), National Crime Agency, told us: “This deal continues our access to the Prüm system. It makes the UK safer, because it will allow us to make more links between people and crime scenes that we would not otherwise have seen.”61 Assistant Chief Constable Ayling observed: “Regarding the exchange of information related to DNA and fingerprints, there is little material difference in how we will use the system access and its benefit for UK policing.”62

37.Dr Ni Loideáin described Prüm as “arguably one of those glass-half-full situations. It is still a significant area where we have influence and can still contribute to law enforcement and day-to-day exchanges.”63 Sir Julian King also said the arrangements “look pretty good”.64 When compared to similar sharing arrangements between the EU and other third countries, he added: “The UK is not a member state; it has left. Therefore, the precedents that you have to measure it against are the arrangements that are available to other third countries. Against that, these look like effective arrangements.”65

Future UK alignment with EU standards on Prüm data

38.The law enforcement agreement is not clear about the extent to which the UK will be obliged to follow any subsequent EU legislative amendments concerning Prüm data. It states that, in the event the Title is “amended substantially” by the EU, “it may notify the United Kingdom accordingly with a view to agreeing on a formal amendment of this Agreement in relation to this Title. Following such notification, the Parties shall engage in consultations.”66

39.Prof Mitsilegas described the provisions relating to the sharing of Prüm data as “very detailed”, noting that they “envisage what happens if the EU develops its rules further in the future and whether the UK needs to align with these rules, and there are mechanisms for that as well”.67

40.As for future alignment in relation to Prüm data, Chris Jones, EU Director at the Home Office, insisted that the Agreement was not “dynamically aligned”.68 He explained:

“In the longer term, it is possible that those standards may evolve. The UK would then have a choice as to whether or not to move its standards to meet the requirements under the Prüm system. There is no compulsory requirement for us to align with the EU Prüm system. The technology, of course, will not stay static in the long term.”69

41.The Minister also reflected upon what would happen if future changes by the EU to the system of sharing of Prüm data, in advance of their evaluation of the UK’s systems, put that evaluation at risk:

“First, we would look to see whether we could resolve it at a technical level. That would be the first resort, if it was more about how the system operated rather than the fundamental principles. If we could not, the second part would be to go to the specialised committee. Ultimately, there would need to be a decision, for which Ministers would be accountable to Parliament, around the decision. There are so many options in this space.”70

Title III: Passenger Name Record data (PNR)

42.This Title deals with the transfer, use and process of “passenger name record data”, drawn from flights between the EU countries and the UK, and provided to the UK’s “competent authority”; it also establishes “specific safeguards” governing its use.71 All such data must be processed “strictly” for the purposes of “preventing, detecting, investigating or prosecuting terrorism or serious crime”, or in “exceptional cases” where it is necessary “to protect the vital interests of any natural person.”72

UK obligations

43.Title III sets out the detailed obligations placed on the UK, and its competent authority, regarding the handling of sensitive PNR data.73 These include requirements that:

The UK PNR derogation

44.Under the terms of the law enforcement agreement, the UK may derogate from the obligation to delete all PNR data after individuals leave the UK, providing it adheres to specific safeguards to protect PNR data, for an interim period. The process for supervising the UK’s derogation is set out in Box 2. In order to establish a need to retain data, the UK shall identify “objective evidence” from which “it may be inferred that certain passengers present the existence of a risk” in terms of the fight against terrorism and serious crime.80 Every year an “independent administrative body” in the UK must assess the UK’s approach to retaining the PNR data of individuals identified on the basis of objective evidence as presenting a risk in terms of terrorism or serious crime.81

Box 2: Supervision of the UK PNR derogation

Under the terms of Part Three of the TCA, the UK has been permitted to derogate from the obligation to delete all PNR data after individuals leave the UK if it applies additional safeguards designed to protect PNR data for an interim period. These additional safeguards reflect the Court of Justice of the EU’s Opinion 1/15 of 26 July of 201782 on the legality of the EU/Canada PNR Agreement, and are listed in Part Three (Article Law.PNR.28 Paragraph 4(11)).83

The law enforcement agreement states that the UK has been allowed to derogate from this principle on the basis of “special circumstances” that prevent the Government from “making the technical adjustments necessary to transform the PNR processing systems” (which the UK operated while EU law applied) “into the systems which would enable PNR data to be deleted” in accordance with paragraph 4. These “special circumstances” are not explained further.

The length of the interim period during which this derogation will apply will be set by the Specialised Committee on Law Enforcement and Judicial Cooperation, after considering a report by the “independent administrative body” on the application of the additional safeguards and on whether the “special circumstances” mentioned above persist. If they do, then the Partnership Council, which oversees the Operation of the entire TCA, may extend the interim period for a year. The Partnership Council can also extend the interim period for a further year, if the UK has made “substantial progress” towards transforming its PNR processing system.

Finally, if the UK considers that a refusal by the Partnership Council to grant either extension is not justified, the UK Government can suspend this Title with one month’s notice.

45.We asked the Government to explain the “special circumstances” that permit the UK derogation under Part Three. Mr Jones told us:

“The phrase ‘special circumstances’ reflects the position the UK is in. Formerly, as a member state, we were cooperating under the PNR directive. As a third country, the EU is now required to treat us as a third country and therefore the CJEU opinion in respect of the EU-Canada Agreement applies to the UK in this respect. At the moment, our technical systems are not set up in a way that can fully comply with the requirements in the Agreement.”84

46.We also asked the Minister to clarify the exact nature of the “independent administrative body” that will annually police the UK’s adherence to standards in relation to PNR data retention. He told us:

“The National Border Targeting Centre’s independent compliance governance team, a functionally independent part of the UK’s passenger information unit, not involved in the operational use of PNR data, has been designated by the Home Secretary as the independent body to undertake this work.”85

47.On 22 February the European Data Protection Supervisor issued a non-binding Opinion questioning the legality of aspects of these arrangements, including the use of the TCA as the sole legal basis for exchanging PNR data with the UK, and the potential three-year length of the derogation.86

Comparison with previous UK-EU arrangements

48.All our witnesses agreed that the continued sharing of PNR data between the UK and EU Member States was of critical importance to law enforcement agencies. Vice Admiral Sir Charles Montgomery, former Head of UK Border Force, described how PNR data had been “of almost equal importance” to the UK, when a Member State, as the data shared via the Schengen Information System (SIS II), discussed at paragraphs 57–74 below.87

49.Mr Steve Rodhouse told us that the new provisions “build upon previous capabilities inasmuch as there will be more frequent pushes of data by the airlines. We certainly do not anticipate a reduction in that very, very important capability.”88 These comments were echoed by Assistant Chief Constable Ayling: “There is little practical change in how we can access and use that information. In fact, there may be future opportunities with a slight readjustment of the thresholds to extend the use, particularly in matters of safeguarding.”89

50.Sir Julian King emphasised that, to be effective, the new system had to ensure that PNR data continued to be exchanged between the UK and EU “before the plane lands.”90

Future alignment with EU standards on PNR data

51.On the question of UK alignment with future EU legislative changes to the handling of PNR data, the Minister told us:

“It would be for us to consider what we wish to do if the Union wished to make different standards or to use information in different ways, if they were signing up to agreements with third parties that may see our information shared further on. Again, we would have to consider carefully which partners internationally we would be happy for that to happen with. If the Union were to decide to make an agreement to share information with some countries in the world, I suspect we would not be as happy that it was deciding to do that.”91

Title IV: Operational data

52.The provisions of Title IV relate to cooperation on sharing operational information. Mr Steve Rodhouse told us, though, that “from the NCA’s perspective, we do not anticipate relying on Title IV in any case, because there are alternative powers under the Crime and Courts Act for bilateral sharing of information”.92

53.We also asked whether the provision in Article 5 of Title IV, requiring national police and customs authorities, where “urgent cases” were concerned, to respond to a request for information “as soon as possible”, could undermine the Title by implying a lack of urgency in other cases. In response, Assistant Chief Constable Ayling said: “There is nothing in there that offers us opportunity or gives me cause for concern.”93 Mr Rodhouse commented:

“From the perspective of the National Crime Agency, we will always endeavour to share important information as quickly as possible. I do not see that this undermines Title IV. The operational reality is such that you will always try to share important information, subject to safeguards on information sharing, as swiftly as possible so that it can be used to best effect.”94

Title IX: Criminal records data

54.Mr Rodhouse welcomed the continued sharing of criminal records data between the UK and EU:

“I cannot overstate the importance of understanding the criminal history of somebody when courts are making decisions or investigators are understanding their background. It is phenomenally important.”95

55.Comparing the new arrangements under Title IX to those that applied when the UK was a Member State, under the European Criminal Records Information System (ECRIS),96 Prof Mitsilegas explained that, as a third country, the UK no longer had access to ECRIS but, at the same time “if you read the annexes, the system is built on the ECRIS infrastructure for EU Member States. It says that the UK must build its own infrastructure and it will interact with a member state’s infrastructure, which in turn will be built up on the ECRIS infrastructure.”97

56.Dr Ni Loideáin believed that the sharing of criminal records data between the UK and EU Member States would be slower under the new arrangements, because “we have to set up new systems now to ensure that we make that access a real possibility every day for our law enforcement authorities. That will take some time, and I think investigations will face some delays because of that.”98

57.However, Assistant Chief Constable Ayling explained that under the Agreement, the UK was now building its own infrastructure for the sharing of criminal records data, which “was now being termed UKRIS”. He expressed confidence in the new system: “It is difficult to look too far ahead, but all the indications are that the system is resilient. It will continue to mirror what was previously in place.”99

58.Mr Rodhouse did not expect the sharing of criminal records data under Title IX to be slower than it was under ECRIS, but cautioned that time would tell: “My understanding is that we do not expect any reduction in the timescales by which we share and obtain data from the EU. The average time is six days. Of course, we are 25 days in so we will see.”100 Assistant Chief Constable Ayling added:

“The arrangement was always that the exchange would take place expeditiously, and in any case within 10 days. I understand that it has now been changed to 20 days but all the indications we currently have are that there is no drop in that cooperation, and the timescales are pretty much the same as they were before 1 January.”101

59.Part Three of the TCA does not provide for the exchange of criminal records data in respect of third country nationals.102 Instead, the Government explained that it would seek to access such information by making “bilateral requests” to EU Member States for data about third country nationals.103

Loss of access to the Schengen Information System (SIS II)

60.The Schengen Information System (SIS II) is described by the European Commission as the “most widely used and largest information sharing system for security and border management in Europe”. It “provides a mechanism for EU Member States to share and act on real-time data on persons and objects of interest including wanted and missing persons”.104 Witnesses to past inquiries have repeatedly highlighted the vital role this system has played in supporting the operations of UK law enforcement agencies. At a joint evidence session held by the EU Justice and Home Affairs Sub-Committees in February 2020, Deputy Assistant Commissioner Richard Martin, of the National Police Chiefs’ Council, told us that in 2019 UK police checked SIS II “603 million times”.105

61.The UK’s stated negotiating position, published in February 2020, made clear that it was seeking a future agreement on law enforcement cooperation between the UK and EU that provided “capabilities similar to those delivered by SIS II”.106 The Government restated this aspiration in its Draft Agreement on Law Enforcement and Judicial Cooperation in Criminal Matters, published during the future relationship negotiations in May 2020. At the same time the Government acknowledged that:

“The draft EU legal text does not provide for the real-time exchange of alerts on persons or objects. The European Commission has set out its view that it is not legally possible for a non-Schengen third country to cooperate with the EU through the SIS II database, and that the Agreement need not provide similar capabilities.”107

62.Sir Julian described the loss of access to the System as one of “two headline challenges” of Part Three of the TCA (the other being the European Commission’s forthcoming data adequacy decision in respect of the UK).108 He emphasised the historic importance of SIS II to UK policing and law enforcement agencies:

“The Schengen Information System was the go-to system for those on the front line. In many cases, they were able to plug in directly in real time to get access to information that was fed in from all the Member States; tens of thousands of alerts on wanted people and, indeed, objects of interest. That, as you know, was being used extensively, hundreds of millions of times a year, by UK police and law enforcement—billions of times a year if you look across the whole of the EU. It had become a real everyday working tool. That stops.”109

63.Dr Ni Loideáin agreed, emphasising the loss of access to a system providing policing data in real-time would be “a blow” to police officers across the UK, adding: “That is what will hit officers in the short to medium term immediately.”110

64.Assistant Chief Constable Ayling echoed these comments, while emphasising that action was being taken to mitigate the loss of access to SIS II: “The reality is that it is a significant loss of capability in terms of access to data, which is automated and integrated within our systems. Nevertheless, there are contingencies in place.”111

Interpol I-24/7 system

65.In November 2020 we held two evidence sessions with law enforcement practitioners to discuss future UK-EU police cooperation.112 Witnesses told us that the fallback for UK police forces, to replace SIS II after the end of the transition period on 31 December 2020, was the Interpol I-24/7 database.113 Assistant Chief Constable Ayling described this as an arrangement that “falls a long way short of the benefits provided by SIS II. However, it is sufficient, in that it enables us to discharge our responsibilities effectively, and it delivers a mechanism whereby we can cooperate.”114

Double-keying data

66.Mr Rodhouse identified two challenges to ensuring the effectiveness of the Interpol I-24/7 system as a replacement for SIS II. First, EU Member States needed to enter information onto the Interpol I-24/7 system in the same way as they did with SIS II:

“We are reliant on the UK and, probably more significantly, EU Member States making use of that system, both to circulate data that would be useful to us in the UK in protecting the public, and to make our data alerts available on the front line to their law enforcement officers, in the same way Schengen Information System data was.”115

67.Assistant Chief Constable Mark McEwan, Lead for EU Exit at the Police Service of Northern Ireland, told us on 17 November 2020 that EU Member States would have to enter the same data twice, onto both the I-24/7 System and SIS II, to ensure that the UK did not lose access to that information: “We are reliant on European partners double-keying, entering those records and data on to two systems.”116

68.Mr Rodhouse explained that EU Member States would also be making a decision, in each case, about whether to use this process: “Rather than just circulate via SIS II, we want them to take out Interpol notices as well. Clearly, they will make a judgment as to whether that is the right thing to do in the particular case.”117 He explained that work was ongoing to “encourage” EU Member States to undertake this ‘double-keying process’:

“In terms of encouraging EU Member States to take out Interpol notices … we have seen a spike in Interpol notices in recent weeks. A couple of countries have done this, Belgium and Italy in particular. In our messaging, we have been very clear with all our international liaison officers for some time about the importance of this. There seems to be a very strong overlap and no big loss in our access to alerts data.”118

Assistant Chief Constable Ayling echoed those comments, telling us that “at this stage we are confident in the use of that system”.119

69.We asked the Minister to explain what steps the Government was taking to encourage EU Member States to use the I-24/7 system, in addition to SIS II. He replied: “We have been engaging with Member States to encourage them to put appropriate information on to this system and to use it as a system we can share with.”120

Getting Interpol data to the frontline

70.The second challenge in respect of the I-24/7 system is ensuring that information from the database is made promptly available to frontline UK law enforcement officers, via the Police National Computer (PNC). Mr Rodhouse explained the process:

“The route for making that jump between I-24/7 and front-line officers is typically through the UK’s International Crime Bureau, which we operate here at the NCA. When I-24/7 or Interpol notice alerts arrive in the UK, we now have a process to put them on the Police National Computer in a very short time. We are talking a number of hours, not a number of days.”121

71.He then outlined the ongoing technical work to help improve this process:

“We are investing in robotic process automation to make sure that that is done very quickly and efficiently. We are really pleased with the way that is going. It allows us to effectively and efficiently make sure that data is available in the UK within a small number of hours. It is not real time, but it is swift. There are reasons to be positive here.”122

72.In written evidence to the inquiry, Mr Rodhouse gave additional information about the work to reduce the time required to upload Interpol Notices onto the PNC:

“Currently, manual upload of an Interpol notice onto the PNC via the UK International Crime Bureau (UKICB) will generally take a few hours. However, we are in the testing phase of utilising Robotic Processing Automation (RPA) to support our processes, with an aim to ‘go live’ in February. The whole process for one record using an RPA approach takes approximately 15 minutes.”123

73.Mr Jones acknowledged these issues: “The timescales are not real-time in the way that they were under SIS II, but once we receive an Interpol notice or diffusion, it is a matter of hours for the NCA to be able to get that to our front-line policing systems.”124 He then confirmed that plans were in place to speed up the delivery of data: “We are looking, with Interpol, to see whether we can make that a more real-time system. That is something we are looking to do by the end of this calendar year.”125

International Law Enforcement Alert Platform126

74.Both Assistant Chief Constable Ayling and the Government referred to the UK’s “longer-term” plans to improve the exchange of alert data, between the UK, EU and third countries through the International Law Enforcement Alert Platform (ILEAP). Assistant Chief Constable Ayling explained the work to develop the platform was in its “very early stages”. Its purpose was “about increasing the functionality of the Interpol system of notices to make it more readily accessible for UK policing”.127

75.The Government said it was “keen to explore” the development of ILEAP with Member States, and anticipated that this work would be completed “over the next two or three years”. In the meantime, “the immediate priority” was to “get the platform up and running with Interpol … this year”.128

76.The Government also confirmed that it wanted “to connect the alerts to Border Force as well as front-line policing systems”.129

Protecting the UK border

77.Vice Admiral Sir Charles Montgomery said SIS II had been “the most important” database for the UK Border Force.130 He emphasised that any replacement systems and processes employed to mitigate the loss of access to SIS II needed to retain its key components:

“Whatever replaces the Schengen Information System will weaken border security unless it retains the agility, responsiveness and comprehensiveness of data that comes across the border. While I take the NCA and the NPCC’s assurances very seriously, I personally want to hear more about the ability to sustain that agility and responsiveness through the systems.”131

78.Sir Charles also emphasised the need to ensure that data from Interpol was as accessible to UK border security agencies, via the Warnings Index, as it had previously been from SIS II:132

“From a border perspective … it is about the connectivity between the Schengen Information System and the Warnings Index. The Warnings Index is key to controls at the border. SIS II to the Warnings Index was pretty well seamless. Interpol to the Warnings Index was a manual process. We were working to make a more automated process, but it was slower and clunkier. It is important to keep an eye not simply on the linkage between Interpol and the police national computer, but on how that information is translated to the Warnings Index.”133

Conclusions and recommendations

79.We welcome the fact that Part Three of the Trade and Cooperation Agreement provides for the continued sharing of law enforcement and policing data, which is vital for the protection of UK citizens.

80.The ability of UK agencies to exchange data with the EU under Part Three of the Agreement has been made subject to many important caveats. First, the UK’s handling of DNA, fingerprint, and vehicle registration data on the basis of the Prüm system will be subject to an evaluation by the EU later this year.

81.Second, the obligation to delete PNR data the moment the subject leaves the UK’s jurisdiction is subject to a complex derogation, which itself is subject to additional safeguards set down by the Court of Justice of the European Union in its Opinion on the Canadian PNR Agreement. We also note that on 22 February 2021 the European Data Protection Supervisor questioned the use of the TCA as a legal basis for sharing PNR data with the UK and the length of three-year period to which the derogation may apply.

82.Third, by their nature, the data sharing arrangements are reciprocal. The Prüm system, for example, is supported by an Annex to the TCA containing 91 pages of EU legislation. The Government told us that it will be a matter of ‘choice’ whether or not it remains aligned to EU legislation as it evolves. If it does not, the UK could lose access to vital policing and law enforcement data, or find itself facing a formal dispute with the EU. Therefore, it will be necessary for Parliament to constantly monitor the development of EU legislation in this field.

83.The Government is confident that the UK’s former EU membership will enable it to satisfy all these requirements. Given their complexity and seriousness, we do not share that confidence.

84.The Government should be congratulated for securing an agreement whereby criminal records data will be shared with the EU on a very similar basis to that which applied when the UK had access to the European Criminal Records information Service (ECRIS), including within comparable time frames. It will be important for parliamentary committees to continue to monitor the future effectiveness of the replacement system now being built, to assess whether it provides capability comparable to ECRIS, in terms of the data that can be accessed and the speed with which it is made available to UK law enforcement agencies.

85.The UK’s loss of access to the Schengen Information System leaves the most significant gap in terms of lost capability. It means that, for the time being, law enforcement officers can no longer immediately have access to real-time data about persons and objects of interest, including wanted and missing persons. The fallback system, the Interpol I-24/7 database, currently provides data in a matter of hours, not seconds. However, we note that work is underway to increase the speed at which Interpol Notices are available to UK frontline law enforcement officers.

86.At the same time, we note that the effectiveness of the Interpol I-24/7 database as a substitute for the Schengen Information System depends heavily on EU Member States accepting the additional workload of ‘double-keying’ data into both systems, on a continuing basis. We did not receive any clear evidence from the Government on how it planned to secure such commitments from EU Member States to do so.

87.We therefore remain concerned about the effect of the loss of access to SIS II on the operational effectiveness of UK police and law enforcement agencies. We recommend that the Government report on a regular basis to relevant committees of both Houses on progress in improving current processes for uploading Interpol alerts onto the Police National Computer, and on its progress in encouraging EU Member States to ‘double-key’ data into Interpol databases.

Data protection and conditionality

88.Cooperation in Part 3 of the TCA is based not only on the Parties’ “longstanding respect” for democracy, the rule of law and the protection of fundamental rights and freedom of individuals, but also on the Parties’ “long-standing commitment” to ensuring a “high-level of protection” of personal data.134 To “reflect” this commitment, the Parties undertake that the personal data processed under Part Three of the Agreement shall be subject to “effective safeguards”, such as:

Part Three of the TCA can, as we have noted (see paragraph 19) be suspended in whole or in part if either Party demonstrates a “serious and systemic” deficiency in respect of “the protection of personal data”, including where this has led to a “relevant adequacy decision ceasing to apply”.136

89.Dr Ni Loideáin described the suspension provision in relation to data protection as “a very significant provision that makes all the other arrangements under Part 3 extremely vulnerable”.137 As a country outside the EU, she noted, the UK will be expected to apply higher standards of data protection:

“As a third country we are no longer being given that margin of appreciation which the European Court of Human Rights accorded us, for instance in the Big Brother Watch judgment in 2018138 with regard to the bulk and generalised access that intelligence authorities and security agencies have to that kind of data.”139

She also referred to the successive legal challenges to EU-United States agreements on data transfers: “The Schrems judgment of 2015 and the recent Schrems II judgment of 2020 also confirm that these particular safeguards and requirements now apply to us as a third country.”140

90.Prof Mitsilegas also referred to the UK’s bulk retention of data, authorised under the Investigatory Powers Act 2016:141

“It is not enough for the Government to say that the GDPR is transposed into the UK law and this is enough. We need to look at the bigger picture, including the elephant in the room—the bulk retention of data and access to this data by national security and intelligence authorities for the UK. This is a big issue, and it is currently contrary to the Court of Justice case law.”142

91.Prof Mitsilegas also emphasised the EU’s continued monitoring of the UK’s data protection regimes: “Although the UK is a third country, it is subject to ongoing monitoring by the EU and its institutions with regard to the adequacy of its data protection arrangements. It cannot really be a clean break if you want to have close cooperation in this way.”143

92.Sir Julian King noted that the EU’s interest in UK data protection standards could extend to “the so-called ‘onward transfer of data’—the data-sharing arrangements, particularly on the law enforcement side, between, for example, UK authorities and authorities in other countries, specifically the United States.” Such areas “will get very closely scrutinised.”144

93.Mr Jones emphasised that, in return, the UK could find the EU in breach of the data protection principles enshrined in Part Three: “The UK may have concerns about serious and systemic data protection breaches by the EU, or vice versa. That is the legal test under this Agreement that needs to be applied.”145

Data adequacy

94.At the time of writing, the UK was seeking a data adequacy decision from the European Commission, under both the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED).146 To date, the Commission has published draft decisions in favour of granting the UK adequacy in respect of both the Law Enforcement Directive and GDPR. However, subsequently, the European Data Protection Supervisor has published an Opinion on the TCA which expresses concerns about some of its data protection safeguards, including in relation to Part Three.147

95.Until the decision is confirmed, the TCA provides for a temporary “bridging mechanism”, for up to a maximum of six months, to allow the continued lawful transfer of personal data from the EU to the UK.148 If adequacy is granted, the UK will join other third countries including Israel, Switzerland, and Japan which the European Commission has declared to be a safe place to send personal data from the EEA, in accordance with the GDPR’s strict rules about international data transfers.

96.Quite apart from the data adequacy regime, Part Three of the TCA enshrines a commitment by the Parties to uphold specific data protection standards, which are themselves supported by safeguards set out in the Agreement. While these provisions might appear to insulate the law enforcement agreement from any adequacy decision, either now or in the future, it is important to note that the suspension clause relating to a “serious and systemic” deficiency within one Party in “the protection of personal data” specifically includes the possibility that this has led to a “relevant adequacy decision ceasing to apply”.149

97.Dr Ni Loideáin noted that the then pending adequacy decision would not be the end of the story:

“Data adequacy decisions are reviewed periodically, so it is not like after six months we no longer have to worry about the UK legal provisions in law enforcement and security. Given recent judgments of the Court of Justice, national security matters will also come under the scope of that review, since the Schrems judgment and more recent judgments.”150

98.On the other hand, Home Office Minister Kevin Foster MP told us:

“Part Three of the TCA … is not innately bound up with whether we get an adequacy decision. There is still an ability to operate those provisions without that determination having been made. Although we do not expect it to be a refusal, we could still operate the provisions without it, given that there are a number of mechanisms for doing so; for example, with appropriate safeguards.”151

Mr Jones added:

“The Agreement provides some high-level data protection principles up front … drawn from conventions such as the Council of Europe Convention. Those principles are key underpinnings for data protection for law enforcement and criminal justice cooperation. They are supplemented in the individual capabilities covered by the agreements, with specific data protection rules. Whether that is on Prüm, for DNA and fingerprint exchange, PNR or some of the other areas, there are specific data protection provisions.”152

99.We also asked the Minister about the possible consequences to Part Three of the TCA if an adequacy decision were to be successfully challenged in the CJEU.153 He declined to speculate, but observed that a “high bar” would need to be cleared for the law enforcement agreement to be suspended.154 More broadly, he commented: “If we got to the stage where our data-handling was found to have serious deficiencies, first, I suspect that would raise some quite immense questions about our own criminal justice system. Secondly, it would probably be an issue that had been raised a time before.” He added that such concerns could be “raised via an adequacy process without the whole system being suspended or removed, unless, as touched on, there are serious and systemic problems”.155

100.We note that, in recent times, there have been repeated instances of Home Office errors in the handling of police and criminal justice data, leading to concerns raised in the EU about the reliability of UK data sharing processes.156

Conclusions and recommendations

101.As we anticipated in 2017 in our Report on Brexit and Data Protection, now that the UK is a third country it will be held to higher standards by the EU in respect of data protection. For example, it will no longer be able to benefit from the national security exemption in the EU Treaties that is available to EU Member States when their individual data retention and surveillance regimes are tested before the CJEU. In the Privacy International case the CJEU has already questioned the former UK law on the acquisition and use of bulk communications data.

102.Similarly, it is clear to us that to maintain the necessary confidence among the UK’s EU partners about its policing and criminal justice data sharing processes, the Home Office should always ensure the highest standards of data handling.

103.Despite the Government’s claims that the UK has left the CJEU’s jurisdiction, there is abundant scope for legal challenge on data protection grounds that could have implications for the UK. The Schrems and Schrems II cases demonstrate the real possibility of a successful challenge to the award of a data adequacy decision to the UK by the Commission. Moreover, Part Three can be suspended in the event of “serious and systemic” deficiencies in respect of the protection of personal data, including where these have led to a relevant adequacy decision ceasing to apply.

104.In summary, a positive adequacy decision will support the operation of the TCA, but CJEU judgments in respect of UK data protection standards may yet have an indirect but far-reaching impact. The provisions designed to insulate the TCA from any negative decision on data adequacy are yet to be tested.

55 The UK participated in the initial ‘Prüm Decisions’: Council Decision 2008/615 JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime 6 August 2008 OJ L 210/1 and Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime 6 August 2008 OJ L 210/12, establish a framework for cross-border police cooperation to support the prevention and investigation of crime but failed to implement them fully. At their core is a decentralised system for the automated exchange of DNA profiles, fingerprint and vehicle registration data held in the national databases of the EU Member States (there is no central EU database). One of the main benefits of Prüm for law enforcement is the ability to compare DNA and fingerprints found at a crime scene in one Member State with data held in other Member States to see if there is a match (“hit”). Information revealing the identity of a possible suspect can only be exchanged once a match has been confirmed. The UK left the Prüm system as part of the Protocol 36 block opt-out decision in 2014 and opted back in in 2015. See: European Union Committee, The United Kingdom’s participation in Prüm (5th Report, Session 2015–16, HL Paper 66)

65 Ibid.

69 Ibid.

72 Ibid.,(Article LAW.PNR.20: Purposes of the use of PNR data sub paragraphs (1) and (2)). Terrorism offences are listed in ANNEX LAW-7 of the TCA and serious crime is defined as any offence punishable by a custodia sentence or a detention order for a maximum period of at least three years under the domestic law of the UK (see Trade and Cooperation Agreement, 24 December 2020 (Article LAW.PNR.19: Definitions (f)).

73 The Commission describes Passenger Name Record data system established by Directive 2016/681 of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime 4 May 2016 OJ L 119/132 as: “unverified information provided by passengers and collected by air carriers to enable the reservation and check-in processes”. It contains, for example, the dates of travel and its itinerary, ticket information, contact detail, travel and payment information, seat number, and baggage information. The Commission says that this is useful because it can provide the authorities with “important elements from a criminal intelligence point of view, allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement”. Adding that the processing of PNR data has “become a widely used essential law enforcement tool, in the EU and beyond, to prevent and fight terrorism and other forms of serious crime, such as drugs-related offences, human trafficking, and child sexual exploitation”. European Commission, ‘Migration and Home Affairs’ (no date) [accessed 3 March 2021]

82 Court of Justice of the European Union, Opinion 1/15 (26 July 2017)

83 These additional safeguards include for example: access to PNR data by a limited number of people and only where necessary; deletion of PNR data as soon as possible “using best efforts, taking into account” special circumstances; increased use of documentation and logging of the processing of PNR data.

85 Ibid.

86 The European Data Protection Supervisor is the European Union’s independent data protection authority. It exercises a number of roles including: advising, on request, the EU institutions on matters relating to the processing of personal data, for example, on proposals for legislation and international agreements such as the TCA; monitoring the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals; monitoring new technology that may affect the protection of personal information; intervening before the CJEU to provide expert advice on interpreting data protection law; and, cooperating with national supervisory authorities and other supervisory bodies to improve consistency in protecting personal information. See: EDPS Opinion on the conclusion of the EU and UK trade agreement and the UK and EU exchange of classified information agreement (22 February 2021)–02/2021_02_22_opinion_eu_uk_tca_en.pdf [accessed 3 March 2021]

89 Ibid.

93 Ibid.

94 Ibid.

96 The Commission’s website says that the European Criminal Records Information System (ECRIS) was established in April 2012 in order to improve the exchange of information on criminal records throughout the EU. All EU countries are currently connected to ECRIS. It ensures that information on convictions is exchanged between EU countries in a uniform, fast and compatible way, provides judges and prosecutors with easy access to comprehensive information on the criminal history of persons concerned, including in which EU countries that person has previously been convicted and removes the possibility for offenders to escape the consequences of their previous convictions in another EU Member State. European Commission, ‘European Criminal Records Information System’: [accessed 3 March 2021]

98 Ibid.

101 Ibid.

102 The UK opted into Regulation 2019/816 of 17 April 2019, establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System. and amending Regulation (EU) 2018/1726, OJL 135/1 22 May 2019. This enables the Member State to develop the ECRIS system to include records of third country nationals, but the UK’s participation ended when the transition period ceased on 31 December 2020

104 European Commission, ‘Schengen information System’: [accessed 16 February 2021]

105 Oral evidence taken before the EU Justice and EU Home Affairs Sub-Committees session on criminal justice cooperation after Brexit on 3 March 2020 (Session 2019–20) Q 5

106 HM Government, The Future Relationship with the EU: The UK’s Approach to Negotiations, CP 211, (February 2020): [accessed 16 February 2021]

107 HM Government, Draft Agreement on Law Enforcement and Judicial Cooperation in Criminal Matters (May 2020), part 10: [accessed 16 February 2021]

112 Oral evidence taken before the EU Security and Justice Sub-Committee session on post-Brexit police cooperation on 3 November 2020 and 17 November 2020 (Session 2019–21)

113 The International Criminal Police Organisation, known as ‘Interpol’, facilitates crime prevention and crime control worldwide across its 194 Member States, providing expertise, support and training. It operates 18 different databases, containing information and data relating to criminals and crimes. The databases contain millions of records on a range of intelligence from fingerprints, stolen property, passports to vehicles and weapons. All databases are accessed via I-24/7, Interpol’s global police communication system. Member countries of Interpol, including the UK, upload data onto Interpol’s databases, according to “a strict legal framework and data protection rules.” See: Interpol: ‘Who We Are’: [accessed 16 February 2021]

116 Ibid.

123 Written evidence from National Crime Agency (PBS0001)

125 Ibid.

126 HM Government, 2025 UK Border Strategy, CP 352 (December 2020): [accessed 20 February 2021] “ILEAP will enable real-time alert data sharing between UK law enforcement agencies and international partners (including INTERPOL databases) and will ensure the UK can continue to respond in real time to intelligence identifying potential security threats. The platform represents the practical enabler for future security data sharing agreements. This new capability will be critical to mitigate the UK’s withdrawal from EU-wide real-time alert data sharing agreements.” (p 45)

129 Ibid.

132 Intelligence on persons of interest is collated in the Warnings Index system, which can be used by border officials or the National Border Targeting Centre.

136 “Relevant adequacy decision” is defined within the Agreement in relation to the relevant EU law (the General Data Protection Regulation 2016/679 and Directive 2016/680) and UK law (the Data Protection Act 2018) see Trade and Cooperation Agreement, 24 December 2020 (Article LAW.OTHER.137(3) and (4)).

138 European Court of Human Rights, Big Brother Watch and others v the UK Case 58170/13 (13 September 2018)

140 Court of Justice of the European Union, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems C-311/18 (16 July 2020)

141 Court of Justice of the European Union, Privacy International v The Secretary of State of State for Foreign and Commonwealth and others C-623/17 (6 October 2020)

143 Ibid.

146 Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) who provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required. The Commission’s draft decisions in favour of awarding the UK adequacy under both GDPR and the LED are not the end of the process. Before adequacy can finally be conferred upon the UK, the Commission’s draft decisions must also be endorsed by the European Data Protection Board, and the European Parliament. At the time of writing, these had not yet been given.

147 On 19 February 2021 the Commission published draft decisions in favour of awarding UK adequacy in respect of both GDPR and the Law Enforcement Directive. See: European Commission, ‘Press Statement: Data protection: European Commission launches process on personal data flows to UK’, 19 February 2021: [accessed 24 February 2021]. The European Data Protection Supervisor’s report on the TCA, which is a process independent of the data adequacy decision, was published on 22 February 2021, see: [accessed 24 February 2021]

153 Court of Justice of the European Union, Maximillian Schrems v Data Protection Commissioner (Safe Harbor) C-362/14 (6 October 2015)

155 Ibid.

156 In March 2021, the media reported that the Home Office had failed to pass on to EU Member States the details of over 112,00 criminal convictions; in January 2021, the Home Office admitted accidentally deleting 15,000 records from the Police National Computer, including fingerprint and DNA records; in February 2020 our predecessor Committee asked the Home Office to respond to reports that, between 2012 and 2019, it had failed to pass on the details of 75,000 convictions of foreign criminals to their home EU countries.

© Parliamentary copyright 2021