Select Committee on European Union Forty-Ninth Report


AGREEMENTS BETWEEN EUROPOL AND BULGARIA, CYPRUS AND THE SLOVAK REPUBLIC

Letter from the Chairman to Bob Ainsworth MP, Under-Secretary of State Home Office

  Sub-Committee F (Social Affairs, Education and Home Affairs) considered these documents on 29 January. We note that, according to the Joint Supervisory Body, there are no data protection obstacles to the conclusion of the Agreement. There are, however a number of points on the text (very similar to points we are raising on the Europol/Bulgaria Agreement) on which we would welcome clarification.

Competent authorities

  We note that the list of Slovak competent authorities in Annex 2 of the Agreement is already broad, including "police authorities" and "prosecutors" offices'. Article 6(1) further states that Slovakia "shall notify Europol of any changes to this list within three months after such changes come into effect". It appears that the only condition for the extension of the list of Slovak authorities which can receive Europol data (which would constitute an amendment to one of the Annexes of the Agreement) is a mere notification by the Slovak authorities, with no control by Europol or the Council of Ministers. I would be grateful if you could confirm whether this is the case as there would then seem to be no check on the proliferation of competent authorities.

Termination of supply of personal data

  Article 9(5) states that "no personal data shall be supplied where an adequate level of data protection is no longer guaranteed". It is not clear how this would be assessed and which body would decide the termination of data supply. Can this be done unilaterally by one of the Parties?

Amendments to the Agreement

  Article 19(1) states that the Agreement may be amended "by mutual consent between the Contracting Parties". It is unclear whether such an amendment would require fresh Council approval, and to what extent it would be subject to national Parliamentary scrutiny.

  We would welcome your comments on these points. In the meantime, the Committee will retain the documents under scrutiny.

30 January 2003

Letter from the Chairman to Bob Ainsworth MP Under-Secretary of State Home Office

  Sub-Committee F (Social Affairs, Education and Home Affairs) considered these documents on 29 January.

  We note that the Joint Supervisory Body has in principle given the green light for the conclusion of the Agreement. There remain, however, substantial concerns on its implementation, most notably regarding the fact that the Bulgarian Data Protection Commission has apparently not yet been established. The JSB notes that no transmission of data from Europol to Bulgaria may take place prior to the establishment of this body, but it seems doubtful whether there is any power to prevent data exchange taking place once the Agreement is concluded as it does not itself contain any reference to the Data Protection Commission. It is thus essential to ensure that the Bulgarian Data Protection Commission is in place prior to the conclusion of the Agreement, and we would be grateful for confirmation of that.

  There are a number of other points on the text of the Agreement on which we would be grateful for clarification.

Competent authorities

  Article 6(1) states that the Republic of Bulgaria shall notify Europol of any changes to the list of competent authorities within three months after such changes come into effect. It appears thus that the only condition for the extension of the list of Bulgarian authorities which can receive Europol data (which would constitute an amendment to one of the Annexes of the Agreement) is a mere notification by the Bulgarian authorities, with no control by Europol or the Council of Ministers. I would be grateful if you could confirm whether this is the case as there would then seem to be no check on the proliferation of competent authorities.

Termination of supply of personal data

  Article 9(5) states that "no personal data shall be supplied where an adequate level of data protection is no longer guaranteed". It is not clear how this would be assessed and which body would decide the termination of data supply. Could this be done unilaterally by one of the Parties?

Amendments to the Agreement

  Article 19(1) states that the Agreement may be amended "by mutual consent between the Contracting Parties". It is unclear whether such an amendment would require fresh Council approval, and to what extent it would be subject to national Parliamentary scrutiny.

  We would welcome your comments on these points. In the meantime, the Committee will retain the documents under scrutiny.

30 January 2003

Letter from the Chairman to Bob Ainsworth MP Under-Secretary of State Home Office

  Sub-Committee F (Social Affairs, Education and Home Affairs) considered these documents on 12 February.

  We note that the Joint Supervisory Body has in principle given the green light for the conclusion of the Agreement. There remain, however, some concerns about its implementation, as it appears that Cypriot data protection legislation has not yet entered into force. The JSB notes that no data exchange can take place before such legislation enters into force, but it is doubtful whether there is any power to ensure that data exchange will not take place once the Agreement is concluded. It is thus essential to ensure that the appropriate legislation has entered into force prior to the conclusion of the Agreement, and we would be grateful for confirmation of that.

  There are a number of other points on the text of the Agreement on which we would be grateful for clarification. These are similar to points we have raised on the draft Agreements with Bulgaria and Slovakia, but I repeat them here for convenience.

Competent authorities

  Article 6(1) states that the Republic of Cyprus shall notify Europol of any changes to the list of competent authorities within three months after such changes come into effect. It appears that the only condition for the extension of the list of Cypriot authorities which may receive Europol data (which would constitute an amendment to one of the Annexes of the Agreement) is a mere notification by the Cypriot authorities, with no control by Europol or the Council of Ministers. I would be grateful if you could confirm whether this is the case as there would then seem to be no check on the proliferation of competent authorities.

Termination of supply of personal data

  Article 9(5) states that "no personal data shall be supplied where an adequate level of data protection is no longer guaranteed". It is not clear how this would be assessed and which body would decide the termination of data supply. Could this be done unilaterally by one of the Parties?

Amendments to the Agreement

  Article 19(1) states that the Agreement may be amended "by mutual consent between the Contracting Parties". It is unclear whether such an amendment would require fresh Council approval, and to what extent it would be subject to national Parliamentary scrutiny.

  We would welcome your comments on these points. In the meantime, the Committee will retain the documents under scrutiny.

14 February 2003

Letter from Lord Filkin Parliamentary Under Secretary of State to the Chairman

  I am replying on Bob Ainsworth's behalf to your letter of 14 February 2003 in which you raised on behalf of Sub-Committee F (Social Affairs, Education and Home Affairs) a number of questions concerning the draft agreement between Europol and the Republic of Cyprus.

1.  CYPRIOT DATA PROTECTION LEGISLATION

  You explain that the Committee is concerned to ensure that the agreement will not be concluded before the Cypriot data protection legislation, that is mentioned in the Joint Supervisory Body's opinion, has entered into force. My officials have raised this matter with Europol, emphasising that it is important to us that the legislation should be in force before the agreement is concluded. Europol have now advised that there has apparently been a misunderstanding between the Cypriot authorities and the JSB: the extra data protection legislation that Cyprus is currently introducing relates to marketing data, and does not concern the handling of data for law-enforcement. Cyprus does in fact already have in place the necessary legislation to meet all the data protection provisions in the text of the agreement. The General Secretariat of the Council have now received confirmation of this from the Office of the Commissioner for Personal Data Protection in Cyprus, see the attached communication under cover of a note of 19 February 2003 from Europol. In the light of this assurance, we would not wish to stand in the way of concluding this agreement.

  As you note in your letter, the other points raised by the Committee in relation to this agreement are similar to those raised on the draft agreements with Bulgaria and the Slovak Republic. Bob Ainsworth wrote to you on 17 February providing explanations on these points, and they apply equally to the Cyprus agreement. I repeat them here for ease of reference.

2.  COMPETENT AUTHORITIES

  The Committee seeks clarification of the procedure for amending the list of competent authorities under Article 6(1). We agree that a change to the list would constitute an amendment to the agreement. It would therefore require approval of the Council as I explain under point 4 below.

2.  TERMINATION OF SUPPLY OF PERSONAL DATA

  The Committee asks about Article 9(5) which provides that personal data shall not be supplied where an adequate level of data protection is no longer guaranteed. The Committee asks how the adequacy would be assessed, which body would decide on termination, and whether termination could be done unilaterally by one of the Parties. We understand that there is not a formal procedure for assessing the continued adequacy of the data protection arrangements, but that if, in operating the agreement, it came to Europol's attention that the arrangements were not, or possibly not, working as intended, then the circumstances and relevant indications giving cause for concern would be reported up the management line for further consideration. In the event that a situation arose where Europol concluded that the arrangements could no longer be regarded as satisfactory, then termination of the supply of data would be a certain consequence, determined administratively by the Director of Europol, in the absence of immediate remedial action by the Cypriot competent authorities. We understand that there is no impediment under the agreement to termination of the supply being by way of unilateral action.

4.  AMENDMENTS TO THE AGREEMENT

  The Committee asks whether amendment of the agreement under Article 19(1) would require approval of the Council. Europol's agreements with third countries are governed by the Council Act of 3 November 1998 laying down rules governing Europol's external relations with third States and non-European Union related bodies. Article 2(3) provides that such agreements can only be concluded after unanimous approval by the Council. We understand that amendments to the agreements would similarly require the unanimous approval of the Council. Accordingly, amendments would be subject to Parliamentary scrutiny.

20 February 2003

Europol: Additional Information-Data Protection Situation Cyprus

  It has come to the attention of Europol that certain questions have been raised with respect to the entry into force of amendments to the Cyprus Data Protection Law. In response to this, Europol has asked the Data Protection Commissioner of Cyprus for further clarification. Attached to this document you will find the statement received today by Europol on this issue from the Cyprus Data Protection Commissioner.

Republic of Cyprus

Office of the Commissioner for Personal Data Protection

  "The Processing of Personal Data Law of the Republic of Cyprus (138(1) of 2001) regulates all areas of data processing within the Republic of Cyprus. I can confirm that the Processing of Personal Data Law is fully in line with the relevant European legislation in the area of data protection. An amendment of the Law which relates to direct marketing is currently pending before Parliament.

  I would like to stress that the proposed amendments to the Processing of Personal Data Law solely cover aspects of direct marketing, and do not change the provisions of data protection that are relevant for data processing for the purpose of law enforcement, or data processing by law enforcement authorities. In this respect the draft amendments will bring about no change to the Processing of Personal Data Law of 2001. As a consequence, the references to the provisions of the Processing of Personal Data Law mentioned in the Europol Data Protection Report on the Republic of Cyprus (Europol file number 2641-33) will remain valid also after the entering into force of the amended Law."

Goulla Frangou

Commissioner for the Personal Data Protection

DRAFT AGREEMENT BETWEEN EUROPOL AND THE REPUBLIC OF CYPRUS (doc. 3710-90)

DRAFT AGREEMENT BETWEEN EUROPOL AND THE REPUBLIC OF CYPRUS JOINT SUPERVISORY BODY'S OPINION (doc. 15750/02 Add 1)

Letter from the Chairman to Bob Ainsworth MP, Under-Secretary of State Home Office

  Sub-Committee F (Social Affairs, Education and Home Affairs) considered these documents on 12 February.

  We note that the Joint Supervisory Body has in principle given the green light for the conclusion of the Agreement. There remain, however, some concerns about its implementation, as it appears that Cypriot data protection legislation has not yet entered into force. The JSB notes that no data exchange can take place before such legislation enters into force, but it is doubtful whether there is any power to ensure that data exchange will not take place once the Agreement is concluded. It is thus essential to ensure that the appropriate legislation has entered into force prior to the conclusion of the Agreement, and we would be grateful for confirmation of that.

  There are a number of other points on the text of the Agreement on which we would be grateful for clarification. These are similar to points we have raised on the draft Agreements with Bulgaria and Slovakia, but I repeat them here for convenience.

Competent authorities

  Article 6(1) states that the Republic of Cyprus shall notify Europol of any changes to the list of competent authorities within three months after such changes come into effect. It appears that the only condition for the extension of the list of Cypriot authorities which may receive Europol data (which would constitute an amendment to one of the Annexes of the Agreement) is a mere notification by the Cypriot authorities, with no control by Europol or the Council of Ministers. I would be grateful if you could confirm whether this is the case as there would then seem to be no check on the proliferation of competent authorities.

Termination of supply of personal data

  Article 9(5) states that "no personal data shall be supplied where an adequate level of data protection is no longer guaranteed". It is not clear how this would be assessed and which body would decide the termination of data supply. Could this be done unilaterally by one of the Parties?

Amendments to the Agreement

  Article 19(1) states that the Agreement may be amended "by mutual consent between the Contracting Parties". It is unclear whether such an amendment would require fresh Council approval, and to what extent it would be subject to national Parliamentary scrutiny.

  We would welcome your comments on these points. In the meantime, the Committee will retain the documents under scrutiny.


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2003