PART 3: OPINION OF
47. The European Union databases which we have considered
are, for the most part, still at an early stage of development.
Two of them - Eurodac and CIS 3 - are not yet operational. Nevertheless,
we were left in no doubt as to their importance. They will develop
rapidly over the years to come, and will contain sensitive personal
data. It is, therefore, not too early to consider how these databases
will be managed, and what controls and safeguards will be put
in place. The purpose of the databases is to assist in the fight
against cross-border crime and illicit trafficking, and in the
implementation of EU asylum and immigration policy. The Tampere
Summit demonstrated that there is high level political support
to tackle these issues at the EU level.
Heads of State and Government urge the Council of Ministers to
finalise work on Eurodac and provide Europol with the necessary
support and resources to enable it, shortly, to receive operational
data from Member States.
But the European Council recognised that the development of Union-wide
measures must be consistent with the protection of individual
rights and freedoms. Europe has led the field in developing instruments
and mechanisms for the protection of personal data, within the
Council of Europe
and the European Union.
An important question is whether these instruments and mechanisms
have kept pace with the development of pan-European information
48. Informal information networks existed well before
the creation of the European databases. It is important to note
that a great deal of information is already exchanged between
police forces of the Member States of the Union. The new databases
should, however, be designed in such a way as to ensure greater
transparency and be subject to stricter data protection laws than
have hitherto applied.
49. All our witnesses raised the question of potential
overlap of information held on the various databases, and the
extent and desirability of such overlap. We do not believe that
there is sufficient evidence, at this stage, to come to a firm
view on this matter, other than to sound a general note of caution.
We were told that there could be technical problems in establishing
links before the individual databases are up and running. Other
witnesses commented on the risks to individual rights of sharing
data freely. In particular, individuals might experience difficulty
in exercising their right of access to personal data.
50. On the other hand, it seems likely that, whether
or not there are direct links between databases, some form of
data sharing will happen in practice. The Action Plan to Combat
Organised Crime adopted by the JHA Council in April 1997 specifically
recommended that the terminals of several key EU and international
databases should be brought together at a central point in each
Member State. Under these circumstances, it is difficult to imagine
that there would not be some informal sharing of information.
This may enhance operational efficiency, particularly in the investigation
of cross-border crimes, but raises delicate questions about the
preservation of individual rights.
51. Concern as to the adequacy of data protection
rules is all the greater in the case of international links with
databases in non-EU countries. Plans for Europol to enter into
agreements for the exchange of data with third States and non-EU
related bodies are already well advanced. As we have previously
commented, "Information which is incorrect or misused can
seriously undermine individuals' rights and freedoms. The exchange
of data between Europol and Third States or bodies may aggravate
the risk of error or misuse as, in such cases, it may not always
be clear which data protection rules apply and which, if any,
body is responsible for supervising the data flows".
We can foresee considerable pressure from third countries for
access to information held on EU databases once they are fully
operational. The EU will likewise wish to make use of information
held on non-EU databases. Each of the EU databases establishes
a joint supervisory authority. These authorities will have a
crucial role to play in ensuring that agreements between the EU
and third countries or bodies for the exchange of information
provide an adequate level of data protection and sufficient safeguards
for the exercise of individual rights of access.
52. A detailed study of the possible links between
databases within the EU and between EU and international databases
is beyond the scope of this Report, but we agree with JUSTICE
that there is at present a lack of any consistent and transparent
strategy on links. We also support their proposal for an enquiry
at EU level, to examine proposed links between the databases as
well as existing practices on the exchange of information via
informal networks. We urge the Government to press the case for
such an enquiry, and a comprehensive strategy on links, while
discussion is still in its formative stages.
53. Whilst we recommend a cautious approach to establishing
links between databases, we nevertheless think that it is important,
wherever possible, to develop EU systems in ways which would be
compatible with wider international systems. For example, common
formats for the entry of data would facilitate possible future
links, and also simplify the task of operators who might be required
to work on a variety of systems.
54. A further cause for concern is the diversity
of data protection requirements applicable to the various EU databases.
We welcome the proposal for an EC Regulation applying consistent
rules and procedures to Community institutions and bodies. These
should protect the fundamental rights and freedoms of individuals,
in particular their right to privacy, with respect to the processing
of personal data.
The Regulation, if adopted, would establish an independent European
Data Protection Supervisor to oversee the processing of personal
data. While the operation of the Eurodac database, as a Community
instrument, would fall within the scope of the Regulation, Europol
would remain outside.
55. We regret that little apparent progress seems
to have been made on an Italian proposal, suggested in March 1998,
to look at the question of harmonising data protection rules
and supervision in Third Pillar instruments.
We consider that a single supervisory body to oversee the development
of all of these databases would have greater visibility and authority.
Lines of accountability would be clearer. Such a body could
help to ensure consistency in the interpretation and application
of data protection rules, and have a role in resolving problems
arising from overlaps between the information held on different
56. We were impressed by the criticisms of current
data protection principles made by Ms Colvin, for JUSTICE. She
considered that they had not kept pace with modern methods of
data storage and exchange. She argued that the citizen faced an
almost impossible task in exercising rights of access to information
held on databases, and that more attention needed to be paid to
controlling the entry of information on to computer systems. In
particular, she suggested that the distinction between "hard
data " (factual information) and "soft data" (police
intelligence information) needed to be re-examined. We agree.
57. In addition to a single supervisory authority,
we believe that there is a need for effective judicial control
to ensure compliance with common minimum standards, consistency
of interpretation, and the enforcement of individual data protection
rights in respect of these databases. This is crucial to securing
public confidence. If personal information is to be stored in
European databases, citizens are entitled to expect to have access
to effective legal redress, whether such databases are established
under the First or the Third Pillar.
58. JUSTICE has described judicial supervision of
the databases at EU level as "a lottery". We agree.
The supervisory role of the Court of Justice must, in our view,
be a fully comprehensive one. The Government has, so far, taken
the view that the UK should not opt in to the European Court of
Justice's preliminary ruling jurisdiction in relation to Third
Pillar instruments. In its response to our Report on Preparations
for the Tampere Special European Council, the Government said
that it would "consider whether such a mechanism [i.e. a
judicial mechanism at EU level] is required and how it might be
provided". We find it difficult to reconcile the Government's
reluctance to accept the Court's jurisdiction over Third Pillar
instruments with the need to ensure meaningful safeguards for
individual rights at an EU as well as at a national level.
The Government has not proposed an effective alternative to the
Court of Justice capable of commanding the confidence of the citizens
of the EU. In the absence of such a proposal, we again urge the
Government to reconsider its stance on the Court of Justice.
We consider the Court's involvement to be necessary to provide
consistency and uniformity in the application of the rules in
this most sensitive area of data protection.
59. Finally, we draw attention to the complex potential
problems of computer security in relation to large databases.
These are clearly most acute with regard to the Schengen Information
System, which is at present estimated to have about 49,000 terminals.
It would seem, from the evidence we heard, that it would be practically
impossible to guarantee total security in such a large network.
But risks can be managed in ways which reduce them to "acceptable"
levels, through careful system design, the use of encryption technology
and the monitoring of users. These are highly technical issues
on which this Committee cannot offer an expert opinion. We believe,
however, that it is right to draw them to the attention of the
House and to seek an assurance from the Government that security
of these networks, as they are developed, is being given the high
priority it deserves.
60. The Committee believes that the issues raised
in this report are highly important, and should be debated by
the House in due course. However, the development of these databases
is still in its early stages and we make this Report to the House
for information only.
6 See the Committee's Report on Prospects for the
Tampere Special European Council, (HL Paper 101, Session 1998-99).
Presidency Conclusions of the Tampere Special European Council,
paras 17 and 45. Back
Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data of 28 January 1981 and Recommendation
No. R(87) 15 concerning the use of personal data in the police
EC Directive 95/46 on the protection of individuals with regard
to the processing of personal data and on the free movement of
such data, OJ L 281, 23 November 1995. Under Article 286 of the
EC Treaty, the same data protection principles apply to institutions
and bodies set up by, or on the basis of, the Treaty. Back
Europol: Third Country Rules, HL Paper 135, Session 1997-98. Back
Commission document COM(1999) 337 final. Back
We understand that the question of harmonisation was referred
to the Council's Horizontal Working Group on Data Processing in
February this year. Back