63. Article 8 of the Protocol stipulates that,
"Unless otherwise stated in this Protocol or unless a different
intention appears from the context, all the provisions of the
Eurodac Convention shall apply mutatis mutandis to the
Protocol". The Convention sets out substantive data protection
requirements. These include, in Article 13(2), an individual right
to be informed of personal data recorded in the Eurodac central
database and of the Member State responsible for transmitting
such data to the Central Unit. Statewatch contended that this
right of access to data was unqualified. National laws might determine
the modalities for exercising the right but could not allow the
right itself to be extinguished. The purpose of the right of access
was to ensure that inaccurate data could be corrected or that
illegally recorded data could be deleted. Access rights also facilitated
claims for damages against Member States for illegal use of fingerprint
comparisons (under Article 12(1) of the Convention) or against
the Community for negligent acts of its staff in breach of their
duties under the Convention (Article 12(2)) (p 30).
64. Under the Protocol, the only fingerprints
that may be stored in the Eurodac database are those taken from
individuals apprehended in connection with an irregular border
crossing under Article 3. The right of access to such data is
explicitly limited by Article 6 of the Protocol. The effect of
the limitation is to deny illegal immigrants whose fingerprints
are stored in the Eurodac database a direct right of access to
that data if no such right exists under the law of the Member
State responsible for sending the prints to the Central Unit.
Indirect access might still be obtained via the national supervisory
authority. One of its tasks, under Article 14(3) of the Convention,
is to ensure that the recording and transmission of an individual's
data to the Central Unit and the retrieval and use of that data
by a Member State are lawful.
65. JUSTICE questioned why illegal immigrants
should not have the same right of access to data as that enjoyed
by asylum seekers. This differentiation "raises serious questions
with regard to Article 13 of the European Convention on Human
Rights, which requires provision of an effective remedy to individuals
who suspect an infringement of their rights" (p 26). Statewatch
described the limitation in Article 6 of the Protocol as "inexplicable
and wholly unacceptable". Like JUSTICE, it believed that
there was an arguable case "that the proposed extinction
of a fingerprinted person's individual data protection rights
would constitute a violation of the effective remedies obligations
of Article 13 ECHR". Moreover, the sole purpose of the fingerprint
comparisons under the Protocol was to determine the Member State
responsible for an asylum application: "This in no way involves
criminal investigations or prosecutions or the protection of national
security, so there is no apparent justification for a Member State
to abolish a fingerprinted person's right to access to data".
A further flaw was the absence of controls on the use of fingerprint
data after these had been sent from the Eurodac database
to the requesting national authority. Statewatch considered this
to be "a glaring omission" (p 30).
66. The Government explained that Article 6 of
the Protocol did not take away from the data subject any rights
available under national law. In the case of fingerprints sent
to the Central Unit by UK authorities, the data subject would
have full access rights to personal information stored in the
central database. Article 6 reflected the fact that domestic data
protection legislation in some other Member States did not confer
a direct right of access to certain types of data. It was reasonable
that national law on access should continue to apply, "as
data in the central database remains the data of individual Member
States rather than becoming 'Eurodac' data" (p 6).
67. The Data Protection Registrar emphasised
the importance of viewing data protection "in a human rights
context". She did not believe that the differentiation between
the rights of access of asylum seekers and illegal immigrants
to data stored in the Eurodac database created a significant discrepancy,
"where a request for access is made in the United Kingdom".
Domestic law allowed a direct right of access in both cases. If
a request for access was refused in reliance on Article 6 of the
Protocol, a means of redress could be sought through the office
of the Data Protection Commissioner (once the Data Protection
Act 1998 enters into force in autumn) or the data subject could
apply directly to the court for an order compelling access. The
Registrar believed that these procedures would satisfy the need
for a public judicial remedy under the European Convention on
Human Rights. As regards other Member States, if requests for
access had to be channelled through the national supervisory authority,
this would be the case "regardless of whether or not the
individual is an illegal immigrant or an asylum seeker" (p
68. Mrs Hadland, for the Home Office, confirmed
that there would be direct rights of access to fingerprint data
taken by the UK authorities and stored in the Eurodac database.
In at least one other Member State (Belgium) the fingerprints
of illegal immigrants were regarded as police rather than immigration
data and domestic law only allowed indirect access to police data.
The Protocol did not create any disadvantage in relation to existing
data protection rights. It gave expression to national policy
and practice (Q 52).
69. Statewatch suggested that the effects of
Article 6 of the Protocol could be mitigated by a provision ensuring
that only those Member States whose national laws currently deny
direct access to personal data may invoke the right to derogate
from Article 13(2) of the Eurodac Convention. The derogation should
be subject to review at regular intervals (p 31).
70. The Data Protection Registrar referred to
two further principles relevant to the operation of the Protocol.
The first was that personal data should not be kept for longer
than is necessary for the stated purpose. The second was that
personal data held for any purpose should be "adequate, relevant
and not excessive in relation to that purpose". She was content
that both principles had been satisfactorily addressed in the
Protocol (p 24).
71. The Government noted that the data protection
provisions in the Convention and Protocol did not give "a
clear indication of the shape of the future proposals" as
these would "need to be reworked in the light of the rather
different requirements of the First Pillar when the Commission
bring forward an instrument under Title IV of the EC Treaty"
(p 7). ILPA, JUSTICE and Statewatch anticipated the application
of the Community Data Protection Directive
as a positive development (pp 24, 27, 30).