rose to move, That this House takes note of the report of the European Union Committee, Prüm: An Effective Weapon against Terrorism and Crime? (18th Report, Session 2006-07, HL Paper 90).
The noble Lord said: My Lords, in speaking to this Motion, I shall also, with your Lordships’ leave, speak to the second Motion standing in my name on the Order Paper. The two reports that are the subject of the debate were prepared by Sub-Committee F of the European Union Select Committee in May and June this year while I was still chairman. I am grateful to my successor, the noble Lord, Lord Jopling, for agreeing that I should open this debate. I also thank the noble Lord and other noble Lords on the committee, our clerk Michael Collon and our specialist adviser Annelise Baldaccini. I am delighted to see that my predecessor as chairman of Sub-Committee F, the noble Baroness, Lady Harris of Richmond, will also be speaking in the debate.
Both reports relate to systems for the exchange of information that is or may be of use to the security services and the police in the prevention of terrorism and serious crime. Both are critical of those systems and more particularly of the manner in which they were set up. Owing to that, and because in this speech I, too, shall be critical, I should like to make one thing clear from the outset: I accept, as did the whole committee, that the exchange of information between the security services and police of different countries can be vital in the fight against terrorism and other serious crime. However, the exchange of information about individuals also carries with it risks. The problem is to strike the balance between public security and individual privacy. In the case of both inquiries, the view of the committee was that the rights of the individual have come off worse.
Before I turn to that question, let me give a summary of the background to each report, starting with Prüm. Prüm is a small town less than 50 miles from Schengen and it shares with Schengen the distinction of having been virtually unknown until a treaty was signed there. Both treaties were the initiatives of member states that felt that matters at EU level were proceeding too slowly for their liking. However, while at the date of the Schengen agreement in 1985 there was no alternative procedure, by the time Germany began negotiations with some of its neighbours in 2004 to improve cross-border co-operation, the procedure of enhanced co-operation was available under the treaties. It had never been used; it still never has. Instead, negotiations took place with very little publicity and led to the signature of the Prüm treaty in May 2005. That treaty provided a mechanism for seven states to exchange among themselves information on DNA profiles, vehicle registrations and what are called dactyloscopic data— though I prefer the Anglo-Saxon term, “fingerprints”. The treaty ignored work already being done at EU level. In evidence to the committee, Mr Peter Hustinx, the European data protection supervisor, said that the states party to the Prüm treaty had,
“evaded the substantive and procedural requirements of enhanced cooperation”.
He thought it arguable that the treaty breached the law of the European Union.
The German presidency began in January this year. Within a fortnight, the German Interior Minister started his attempt to have the main provisions of the treaty incorporated into EU law and, within six months, he had succeeded. Yet that was achieved only because the proposal was put forward with no consultation, no explanatory memorandum, no impact assessment, no overall evaluation of the operation of the treaty, no estimate of the cost to member states and minimal involvement of the European Parliament and national parliaments. The only involvement of this Parliament was the Select Committee’s report. In such negotiations as there were, the only achievement of this Government of any significance was the removal of the provisions on hot pursuit across national borders.
The decision incorporating the treaty into EU law was adopted at the end of June, but much of the detail was left to an implementing decision. This, too, was brought out in June, again without consultation, explanatory memorandum, impact assessment or cost assessment. The committee considered it in July and raised questions with the Government. Last week, the committee considered it again, but now it is too late for our comments to have any effect, as last month the Justice and Home Affairs Council agreed the decision. This, the Home Office tells us, does not amount to a scrutiny override because only a general approach was agreed, not the final text of the decision. That, I submit, is an unreal distinction to draw. Any agreement, whatever name is given to it, that is reached on a document not cleared from scrutiny amounts to a scrutiny override if the result is that negotiations cannot in practice be reopened. That has for some time been the view of your Lordships’ committee, and that view is now shared by the European Scrutiny Committee in another place. The result is that this country has, in effect, been made party to a multilateral treaty with almost no involvement in its terms, let alone the involvement of Parliament. That is no way to legislate in a democracy.
The second report concerns the agreement between the European Union and the United States on passenger name records, or PNR. PNR consists of detailed personal information about airline passengers that has to be transferred to the country of destination if a passenger is to be allowed to land, or even to overfly, that country. The country that is understandably most anxious to be certain of the precise identity of passengers, and hence requires most detail, is the United States, which regards the exchange of personal information as a vital element of the fight against terrorism and serious crime. The purpose of PNR agreements is to ensure that only essential information is disclosed, that it is used only for the purposes intended and that it is kept for no longer than absolutely necessary.
The first agreement with the United States was concluded in 2004. It left much to be desired, but was far better than nothing. However, it very shortly became nothing, for it was annulled by the European Court of Justice in May 2006 for technical reasons with which I shall not weary your Lordships. Suffice it to say that the EU had three months to negotiate a new agreement. The Commission negotiators thus started from a position of weakness. The US was not under any pressure of time, but the EU was. The interim agreement that they concluded repeated all the undertakings in the 2004 agreement but was accompanied—and this is a significant point—by a letter from the United States Department of Homeland Security, the DHS, which,
“is intended to set forth our understandings with regard to the interpretation of a number of provisions of the ... Undertakings”.
This letter reduced the value of the undertakings until they were scarcely worth the paper that they were written on.
However, the 2006 agreement was, as I have said, only an interim agreement. It expired in July this year. The EU thus had until then to negotiate an agreement with provisions that meant what they said. We suggested in our report what those provisions might be: limits on the data elements transferred to the US; limits on the uses to which they could be put; and limits on the time for which the data could be kept. All these matters, we argued, should be limited to what was essential to the fight against terrorism and should all be subject to effective safeguards. We called on the Government to use their considerable influence with the United States to help to achieve this aim.
We hoped for an agreement that, even if it was not ideal, would at least mean what it said. We said that, in our view, the worst possible conclusion would be an agreement that again was accompanied by a letter allowing the United States to disregard its provisions almost at will. Yet this is precisely what emerged in July from the negotiations: an agreement that, taken alone, should and would have been a triumph for the Commission negotiators, accompanied by a letter from the DHS, agreed by the Commission negotiators, allowing the United States to interpret its provisions as broadly as it liked. The vital provisions are in the letter, not the agreement. It is the letter and not the agreement that lists the PNR data to be transferred, a list that appears to be shorter than the one in the previous agreement but in fact contains only two data elements fewer. It is the letter that states that the data will be retained for seven years instead of three and a half years as previously. It is the letter that explains that the United States will use the data strictly for the listed purposes,
“or otherwise as required by law”—
United States law, that is, which the United States is, of course, free to change.
The security of the public is the security of the individual members of the public. The competing interests are their public interests and their private interests. In opening, I said that in the case of the Prüm decision and the PNR agreement the view of the committee is that the private rights of the individual have lost out. That is not just our view. In the case of Prüm, the chief defect was to have yet another EU instrument with its own tailor-made data protection provisions that, in the absence of an overarching data protection framework decision covering all Third Pillar matters, were plainly inadequate. But at least an attempt was made to protect the privacy of individuals. No such thing can be said of the PNR agreement.
Our views were and are shared by the equivalent committee of the European Parliament, by the European data protection supervisor and his deputy, who gave us written and oral evidence, and by the working party of national data protection supervisors, which, of course, includes among its members this country’s Information Commissioner, Mr Richard Thomas. He is now conducting one of the inquiries into the case of the missing disks, an episode that serves to remind us of the consequences that can follow if sensitive data are handled with insufficient safeguards.
The consequences are not only financial. Mistakes over PNR can and do lead to individuals being wrongly banned from flying. Our report describes the fate of Maher Arar, a Canadian citizen born in Syria, who, on the basis of wrong information, was sent by the United States authorities in chains to Syria where he was kept for over a year in appalling conditions, beaten and tortured. The Canadian Government have awarded him compensation of 10.5 million Canadian dollars. The United States authorities still keep him on their no-fly list.
Both reports contain strong criticism of the way in which these issues have been handled, but I hope that the Minister can assure the House that the lessons of both reports have been learnt. I have, however, a number of questions to put to the Government. In the case of Prüm, why did they allow themselves to be browbeaten into accepting a proposal with no sort of cost-benefit analysis? Why did they accept the proposal before an adequate data protection framework had been agreed? Why have they quite unnecessarily agreed an implementing decision that is still subject to scrutiny? In the case of PNR, the questions are still more serious. To what extent, if at all, did they make use of our special relationship with the United States to attempt to influence the negotiations? Why are they content to be party to an agreement that, like the bilateral extradition treaty, is so biased in favour of the United States? What steps are they taking to protect the interests of those British subjects who inevitably will suffer from the misuse of their personal information? I commend both reports to the House and I beg to move.
Moved, That this House takes note of the report of the European Union Committee, Prüm: An Effective Weapon against Terrorism and Crime? (18th Report, Session 2006-07, HL Paper 90).—(Lord Wright of Richmond.)
My Lords, I am delighted to be able to take part in this important debate this afternoon. It is more important than is apparent from the time slot it has been allocated. That is to pay no disrespect to the authors of the report. I have the highest regard for Sub-Committee F, and, if I may say on a personal basis, for its former chairman, the noble Lord, Lord Wright of Richmond, who often visits us in Brussels in the civil liberties committee. Like him, I have no hesitation in stressing the need for data exchange, both within the European Union and across the Atlantic. We need to overcome bureaucratic obstacles, eliminate turf wars and jealousies and make our legal systems and the safeguards interactive. We need to have effective arrangements to ensure that suspected terrorists and major criminals are apprehended. Therefore, I do not wish anything I say from now on to give grounds to a charge of being soft on terrorism.
The problem is that both the Prüm decision and the PNR agreement have run far ahead of data protection safeguards and outwith proper democratic controls. That matters particularly because we are on what I will refer to as a merry-go-round, which is spinning faster and faster in terms of data sharing and the creation of databases. I believe that there is a sort of Ministers’ and officials’ playground in which they are using and abusing the inadequate framework for EU law enforcement efforts.
There is a democracy deficit of both Prüm and PNR. MEPs’ views could simply be ignored as we had no co-decision on either, and if you have mere consultation, believe me, it gives you no leverage whatever. On PNR, national Parliaments will be given a take-it or leave-it choice, simply being asked to ratify a concluded agreement. Prüm is a particular scandal. It was negotiated as a simple international treaty, ratified by the Bundestag after a mere half an hour’s debate and then pushed through the Council machinery in Brussels as a German member state initiative to emerge as an EU decision. That is not the way to run a whelk stall.
The Government tell us in response to the committee’s proper call to require the Commission to produce an evaluation report for the Council, the European Parliament and national Parliaments, that the Commission will submit a report after four years, but that it will be to the Council only and more detailed provisions will be set out in an implementing decision, which will not be subject to the views of anyone but the member states. That is not democratic.
There will be periodic reviews of the PNR agreement by the parties. For the European Union that will be the EU justice commissioner Franco Frattini. The Government say that “modalities”—that is a Franglais word—“will be mutually agreed”. They claim that the information “should be disclosed”. I do not think it is good enough to rely on future modalities or some sort of promise that information should be disclosed. My actual experience for the evaluation of the 2004 agreement was that the review report was six months late and MEPs were only allowed restricted access. We were only allowed to go in a room and read the report, not have copies, and it had been redacted—that is, censored—so we never saw the full report.
There is also a data protection deficit to both these instruments. When and if we get a data protection framework decision, it will be weak and hardly worth the paper it is written on. The promise was that we would have a high-quality data protection framework, on top of which specific measures appropriate to each instrument could be added.
The Government’s response to the committee’s call that Peter Hustinx, the European Data Protection Supervisor, should be regularly consulted in the case of member state initiatives such as Prüm, was that they saw no tangible benefits in such a requirement. Is the real reason that they do not like what he says? Two weeks ago he came to the civil liberties committee of the European Parliament and described the compromise on which there is now political agreement—so it is too late to change anything—as far from satisfactory, a minimum common denominator and unfortunate. He said that the text is neither consistent, effective nor adequate. His main objection is that the scope is limited to the exchange of data—in other words, the data protection safeguards will not cover the collection of data or the processing of data.
Prüm is about setting up databases and collecting data. PNR is largely about collection and processing. So to restrict EU data protection rules only to the exchanges of data leaves a big loophole. Peter Hustinx draws attention to other weaknesses, such as purpose limitation and acceptable use; indeed he says it is weaker than the 1981 Council of Europe Convention. So, in over a quarter of a century, the EU has been unable to move further than the Council of Europe. He said that because it had to be agreed unanimously a minority of member states had watered it down because of the veto and the proposal would have looked a lot better under qualified majority voting. He drew attention to the fact that it does not regulate data protection as regards third party agreements already in place, which of course includes the PNR agreement with the US as well as other things, such as the SWIFT agreement on financial data. A cynic would wonder whether the three-year delay in getting the data protection framework decision—we have not quite got it—had some ulterior motive to it. In the mean time you get all these agreements through—Prüm, SWIFT, PNR—and then say, “Oh heavens, we cannot apply it retrospectively”.
I referred to what I call a merry-go-round which is, frankly, becoming out of control. Governments, Ministers and national officials are giving themselves arrogant licence to do what they like and then try to pull the wool over our eyes. If I sound rather harsh and strong, believe me, I am feeling rather fed up about all of this. We are told that measures are justified for anti-terrorism purposes. Then they get extended, as in the example of the PNR and, as the noble Lord, Lord Wright of Richmond, said, to any judicial proceedings or as otherwise required by law. That is potentially huge.
The longer retention period under the 2007 PNR agreement will be retrospective to the 2004 and 2006 agreements. That was three and a half; the new one would be seven; after seven, in the so-called dormant period it will only need a senior official from the Department of Homeland Security to authorise the data to be processed again.
We were promised a push system three years ago instead of the law enforcement authorities being able to pull the data. Now we are told that January—next month—is the target. We are told that the US unilateral undertakings are binding. Do they take us for fools? How can “unilateral undertakings” be binding? As the noble Lord, Lord Wright, says, they tell us that the data elements have been reduced from 34 to 19. This is just a merge of categories—there has been no material reduction in the scope of the information. All we have to do is look at it and read it—we are not illiterate.
We were told that the US federal Privacy Act would apply, not by right, but by grace and favour, to the processing of data of EU citizens. Then, the automated targeting system which would process the PNR data was taken outside the scope of the Privacy Act, thereby totally pulling the rug from under that particular promise.
My favourite one is the whole basis for the use of PNR for profiling. We could have a good argument—which I do not intend to have now—about whether profiling is useful, what are the civil liberties implications and what safeguards we need. The Government accept that, because they state that the system is,
“an important source of data for risk assessment and intelligence ... through a combination of operational experience, specific intelligence and historical analysis, we can build up pictures of suspect passengers or patterns of travel behaviour. PNR data may then be used to indicate suspect behaviour by enabling the identification of individuals whose travel details share common characteristics with those pre-defined profiles”.
So it is a profiling system. Two weeks ago, Commissioner Frattini came to the civil liberties committee and gave a very similar description of the system to be used under the EU PNR system—I do not have time to explain. Until he was blue in the face, he would not accept that it is a profiling system. So we cannot even have a discussion about whether profiling is useful or dangerous because there is no agreement. Member states and the Commission do not have their ducks in a row as to whether we are using a profiling system.
I am running out of time, so I really must wind up. I wanted to draw the attention of the House to the dangers of where we are going. Mixing my metaphors, I think that we also have a problem of policy laundering, where one measure is used as a pretext for another. An EU measure is used as the justification for having to do things at national level, such as setting up DNA databases, which Prüm will require. EU-US PNR is the pretext and model for an EU PNR system. We must end the democracy and data protection deficits, and end this out-of-control system. I hope that it will not take a catastrophe such as disk gate or the rendition of Maher Arar, who also testified to the European Parliament Temporary Committee on Extraordinary Rendition, of which I was vice-chair, giving his harrowing tale, to make us realise that we are going in the wrong direction.
My Lords, the noble Lord, Lord Wright, referred to the fact that a few weeks ago I succeeded him as chairman of Sub-Committee F. I was delighted to be able to do that. I am also delighted to be able to take this opportunity to thank him most warmly on behalf of all previous and present members of the committee for everything that he did to make the committee run smoothly and efficiently during the years when he was the chairman. Concerning Prüm and PNR, I echo his thanks to Michael Collon and his team of Clerks and our advisers for all the hard work that they have done to help us with these two reports.
I have considerable doubt and misgivings, as well as the ones, which I support, which have already been drawn to the attention of your Lordships’ House by both the noble Lord, Lord Wright, and the noble Baroness, Lady Ludford. I am especially concerned about how DNA profiles are to be handled. The Prüm treaty made arrangements for reciprocal access to national databases containing DNA profiles.
The German presidency was extremely enthusiastic about that arrangement, but the truth is that there is no harmonisation on either the collection or the retention of DNA profiles. Most countries use those profiles and databases for serious crime only. That is not the case in the United Kingdom, where our DNA database is half as big again as the combined databases of all the other countries in the Union. In the UK new entries end up on the DNA database with all offences, whether serious or minor. If people are arrested, but subsequently not charged, their DNA details go on the database. I see a problem. If other states use the UK evidence, they are in danger of assuming that the people on the database could have been involved in serious crime; they have different national standards.
I must ask the Minister some important questions. Is he happy that the UK will be divulging more DNA data than it receives? What does he believe the United Kingdom’s share of the traffic between states of DNA details from national databases will be? What grounds does he have for believing that other member states will accept not being given full details, if we choose not to provide them? Will the implementing decision set that out fully, or will there be guidelines about how the information should be transferred? Has the Minister explained to other member states the basis on which we collect DNA information?
The noble Lord, Lord Wright, explained that there was no consultation, no Explanatory Memorandum, no impact assessment, and no cost-benefit analysis on the Prüm treaty. The Germans have claimed a great deal of success with the passage of this information. They have told us that information exchanged under the Prüm treaty has, in only two months, resulted in 1,510 hits by Germany against the Austrian DNA database. That included 41 hits on homicide or murder cases, 885 hits on theft cases and 85 on robbery or extortion cases. The German Government have suggested that figures will increase. Surely, that will not happen. Those rather dramatic figures are the result of clearing up a backlog of crimes committed before the means of transferring information was created. Once those backlogs are cleared, a decline in the figures is likely.
Does the Minister not believe that the figures that the Germans have been peddling are highly misleading? Why were Ministers prepared to agree with the decision without any realistic assessment of its benefits for combating serious crime, let alone the cost, which must be enormous? Has he made any estimate of the likely number of serious crimes that may be solved as the result of the Prüm treaty that would not otherwise have been solved?
The noble Lord, Lord Wright, told us in his opening remarks that the PNR data quite correctly were allegedly to be used only to combat terrorism and organised crime. However, the notorious letter from the United States Department of Homeland Security that we have been hearing about tells us that the US will use PNR to protect the data subject or others from dangerous communicable diseases. It may be very worth while to use this sort of information to deal with dangerous communicable diseases, but does the Minister not think that, if we are to have an agreement of that sort, it should be done through an agreement negotiated for that purpose and not through an agreement to combat serious crime?
On the negotiating mandate, the present Leader of the House told the committee in her evidence that she was not prepared to disclose the Commission’s negotiating mandate while negotiations were going on. However, they are now over, and I wonder whether the Minister can disclose to us now what that mandate was and say to what extent he believes the negotiators achieved their objective. I discussed the Prüm treaty and the PNR arrangements at the European Parliament last week, and I said that I remembered my role many years ago as president of the Agriculture and Fisheries Council, when I quite often became exasperated at the lack of negotiating skills of some people in the Commission. I caused some amusement when I said that I would not send some of them to market to sell a cow on my behalf. I stick by that, because many of them do not have the first idea of how to negotiate.
Finally, on the European Union’s PNR initiative, Jonathan Faull, the director-general at the Commission’s Directorate-General for Justice, Freedom and Security, has said that the EU should have its own common approach to the PNR system. The Commission has now published a proposal. Sub-Committee F is still awaiting an Explanatory Memorandum before it can scrutinise that document. In order to help the committee, I ask the Minister to say whether the Government support this initiative and will seek to have a system as wide ranging as the United States system, or whether they will look for a system with guarantees for a purpose limitation, with full data protection provisions. I ask this because, when Sub-Committee F comes to examine this document, we may well consider making it the subject of a further short PNR inquiry.
I have asked the Minister a good many questions. I hope that he will be able to answer all of them, but if he cannot answer some of them, I hope that he will write to me.
My Lords, I thank Michael Collon and Anneliese Baldaccini, the ever helpful amanuenses of Sub-Committee F, for their help in preparing these reports. I have not had the opportunity to enjoy the chairmanship of that committee by the noble Baroness, Lady Harris of Richmond, but I have enjoyed the chairmanship of the noble Lord, Lord Wright of Richmond, and now the noble Lord, Lord Jopling, not quite of Richmond. I can say that they are both wonderful rapporteurs and raconteurs. They have both, on behalf of the committee, explained the issues before us in the case of PNR and Prüm, and illustrated them well from their own experiences. We are grateful for that.
I will not repeat the exegeses that have been presented, most notably by the noble Lord, Lord Wright, as the former chairman, of Prüm and PNR. In turning to the Prüm treaty, I ask my noble friend why we so hastily agreed to these matters. Indeed, it seemed that we were bounced into agreeing to Prüm when there was no proper consultation, impact assessment or costing of what it might mean for us and other member states. We resisted the German presidency ganging up, as it were, with others to present a fait accompli to us all at the end of the story. In many ways I accept Prüm and would like to know why the British Government have been so reluctant to accept the treaty, lock, stock and barrel. I understand that this was under very serious consideration for 12 months and I invite my noble friend to say a few more words about why, in the end, we did not take the plunge.
With respect to passenger name records, there is concern that we have so readily capitulated to the Americans in the area of disclosure of personal data. My particular concern is not only that the agreement is so one-sided, but that another element of this was the American demand that any data received under these institutions should be capable of being farmed out to any institution within the United States that the Americans so choose. Indeed, they told us that this is what they were going to do. That really is reprehensible, and I wonder whether we could have exercised our influence under the special relationship to advise them that this was quite unacceptable.
Before coming into this debate today, I had the pleasure of hosting Charlie McCreevy, European Commissioner for the Internal Market and Services, who talked about financial services issues and the regulatory framework that we are building up in the European Union and with the USA. It did not surprise me that the first question posed to the commissioner was why the USA and the European Union cannot trust each other more on these issues. Again, I invite the Minister to think about the relationship that we have had with the USA over so many years, which has been so fruitful and is often called the “special relationship”.
The noble Baroness, Lady Ludford, made some very interesting comments about both of these issues. I am a little more uncertain about the question of profiling. We require a definition of what profiling is done, which is advantageous, right and proper for the defence of the people of the United Kingdom and the European Union, and what profiling oversteps the limits? I am very interested to hear my noble friend’s views on what is legitimate or illegitimate profiling.
Last week, I, too, was with the noble Lord, Lord Jopling, in Brussels. The gathering together of the appropriate committees of national parliaments with our friends and colleagues in the European Parliament is very worth while. On this occasion, we discussed justice, freedom and security matters. As the noble Lord said, the third session, which he addressed in his inimitable way, concentrated on and gave opportunities for us to discuss the Prüm treaty and the PNR reports, which I understand are so valued in Brussels by our colleagues. It would be true to say that the tenor of the debate as it developed was one of trying to find a balance between personal data and the personal safety of the citizen. I do not think that the issue was resolved, but it was well aired, to the benefit of all.
I shall conclude with further information from that session in Brussels. Jonathan Faull, the director-general of the directorate concerned with justice, freedom and security, reported on the success of the European arrest warrant. Noble Lords may recall that it was the subject of high controversy in this country. He told us that the 7,000 arrests made in the 12 months since it came into practice is double the number of arrests of persons who were examined for nefarious activities of one kind or another relating to terror. That is an example of the member states of the European Union acting together and swapping information, thus easing our ability to bring to justice those who need to be brought to justice.
I say that because I return in particular to the Prüm treaty. Sometimes there is a dislocation between the ambitions of our Government to alert us and the rest of the European Union to the very real threats of terror that beset us in the modern world and our reluctance from time to time to engage more closely with our European Union colleagues to put into practice those measures which would aid and abet us in that task. I have long thought that I should add my enthusiastic support for Labour Governments to my record in the hobbies section of Dod’s. It is a hobby that I have practised over many years. I invite my noble friend to say a little more on the very real opportunities that from time to time we neglect, particularly these two very difficult subjects.
My Lords, I too congratulate the noble Lord, Lord Wright, on his skilful chairmanship of Sub-Committee F. He was very good at dealing with people, however difficult they were and whether they were members of the committee or witnesses. I was lucky enough to be a member while it was inquiring into the Prüm convention and the EU-US Passenger Name Record agreement. I should also like to congratulate the noble Lord on his excellent introduction to this debate, which set out so clearly the nature and importance of the somewhat esoteric subjects of our two reports. I hope that his speech will be widely read in Brussels and, of course, in both the Home Office and the Foreign and Commonwealth Office. Our reports, which owe much to the perceptive intellect of our Clerk Michael Collon, brought out several important and general points that the noble Lord, Lord Wright, highlighted. In my short contribution, I want to focus on those aspects.
First, the way in which Prüm was handled demonstrates some serious shortcomings in how the EU operates, and the extent to which Parliament is able to scrutinise effectively what the Commission gets up to. I should say straight away that when we are dealing with urgent and serious challenges such as terrorism and crime, I have no objection to some countries in the EU getting together to make faster progress than might be possible if the Commission is left to initiate action on the basis of discussions with all 27 member states. However, that cannot and must not be a reason, let alone an excuse, for any agreement reached by that self-selecting group of EU member states being converted into EU law without the fullest consultation and discussion by all 27 members. That consultation takes time and may throw up problems. But rushing into legislation that has not been properly discussed will not only risk bad legislation but can irritate and even alienate individual member states and thus reduce the reputation of the EU among the populations.
As the noble Lord, Lord Wright, has illustrated, the way in which Prüm was handled failed to ensure that UK concerns were fully taken into account, especially on costs to the taxpayer. More serious still is that the Home Office appeared to us to have scant regard for the importance of parliamentary scrutiny, for which your Lordships’ House not only has a special responsibility but a high reputation in Brussels. For the Government to have agreed on the incorporation by other states of aspects of Prüm at the Justice and Home Affairs Council before our concerns were met and for the Home Office then to suggest that that did not amount to scrutiny override is, frankly, as deplorable as it is unacceptable.
We are all well aware that much of what is decided in Brussels is based on deals between Governments. It is usually called horse trading, or, as my noble friend Lord Jopling would say, cow trading. I recognise that it would be difficult to give training in those excellent arts to the majority of civil servants, whether in Brussels or home departments, but I was reflecting that I might suggest an alternative way of assessing their abilities—by assessing their prowess at playing the wonderful game of chess.
Obviously, the FCO plays a major part in such deal-making: that is one function of diplomacy. But that is precisely why parliamentary scrutiny of the merits of actual issues is so crucial. The deal-making aspects of the EU are among the things making it so unpopular at street level. Although we will never achieve it, we should at least strive for purity, objectivity and integrity in EU decision-making.
This Government, with their emasculation of the scrutiny of domestic legislation by the House of Commons through the hugely retrograde step of imposing a timetable, or guillotine, on every Bill immediately after Second Reading, have in that respect shown scant regard for Parliament. Frankly, the Home Office has been one of the worst culprits by rushing one law and order or justice Bill after another through Parliament, with the result that the inadequacies of ill-digested legislation instantly seem to make necessary further legislation, which is once again drafted at lightning speed. I am afraid that it is part of the cultural arrogance of the Home Office. It is an arrogance which has become more destructive as the quality, ethos and morale of civil servants in many departments have deteriorated over the 40 years that I have been a Whitehall watcher.
As an aside, I would like to tell the House how delighted I was to learn in a Written Answer last week from the noble Lord, Lord West of Spithead, that the National Firearms Licensing Management System has at last gone live. I say “at last” because it has taken 10 years from the time that the Government were required by Parliament to do so by Clause 39 of the Firearms (Amendment) Act 1997. It was originally my amendment, passed against Home Office wishes, with all-party support in this House. For years, the Home Office ignored it and then tried to sabotage it.
I owe a debt to several successive Home Office Ministers, including our late and much-lamented colleague Gareth Williams, the noble Lord, Lord Rooker, and the noble and learned Baroness, Lady Scotland, all of whom pressed the Home Office to introduce the gun register. Of course, I also owe a deep debt to my noble friend Lady Anelay, and the noble Lords, Lord McNally and Lord Corbett, for their constant support. But it was a shameful saga.
I now turn to the passenger name record. Here again, I support the concept of allowing the United States to have access to personal information about passengers to prevent terrorists or serious criminals flying. However, there were, as the noble Lord, Lord Wright, and others have described, all sorts of specific problems with the scheme proposed and then adopted. The greater the threat we face, the more discriminating we must be in the methods of defence that we use. PNR was eventually forced through, virtually unamended, by the American Government and I agree with the noble Lord, Lord Wright, that it is lamentable that HMG did not stand up a great deal more firmly for our national interests. I feel that the FCO should have brought this issue to the notice of the American Administration at a high level, together with the other problems that we are having with the United States, to make it clear that it is wholly unacceptable for the Americans to treat the EU as some sort of third world country to be patronised and ordered about.
It was only this week that the Times, on 2 December, reported the amazing claim by Mr Alun Jones QC, representing the American Government in a case being heard by the Court of Appeal, that it was acceptable under American law to kidnap people overseas if they were wanted for offences in the United States. Sadly, in all too many ways, the United States has in recent years been using its great power, which should be for the good of the world—as it has been historically—in ways that have reduced American international influence. From that we are all losers.
There are, as I have tried to show, important lessons to learn from these two reports and I hope very much that the noble Lord, Lord West, will indicate that the Government will take them to heart.
My Lords, I, too, have found this a most interesting and important debate. As ever, I am disappointed by the number of noble Lords present, but anyone who has been involved in European Union Sub-Committee reports presented to the House will recognise that this is a similar turnout to most other reports that are read. It is a shame that more Members are not here to listen to what has been a fascinating and important debate.
Before I begin, I must declare an interest as a former chair of Sub-Committee F. I well recall the time when that excellent committee looked in horror at the proposals being put in place between the EU and the United States on the exchange of data, which I will address in a moment.
Before I get there, I was leafing through some of my back papers on the exchange of data within the EU, which is relevant to this debate. I find that it always pays to keep past papers, no matter how old they are, because they can always be referred to and people can be reminded of what was said at the time. The then Secretary of State, David Blunkett, so many Home Secretaries ago, in a letter to the noble Lord, Lord Grenfell, the chairman of the Lords European Union Committee, said:
“A large quantity of the data held by UK law enforcement authorities is tightly controlled even within the organisation concerned. This may be necessary for a variety of reasons, including privacy/data protection laws, national or personal security concerns, legal or ethical restrictions on the use to which information may be put, or the need to closely protect information during an investigation or pending a trial”.
That is what Mr Blunkett said on 9 September 2004, and how hollow that statement now looks. During that inquiry into EU counterterrorism activities, the evidence we received from the Joint Supervisory Authority incorporating Europol, Eurojust, Schengen and Customs, also dated in September 2004, stated:
“In addition to the right to respect for private and family life guaranteed by Article 8 of the ECHR and reaffirmed by Article 7 of the Charter of Fundamental Rights of the European Union, the new fundamental right to data protection is enshrined in Article 8 of the Charter. The draft Treaty Establishing a Constitution for Europe that includes the Charter, also guarantees in Article 1-51 the right to data protection and states that compliance with data protection rules shall be subject to the control of an independent authority”.
I wonder whether the independent authority was consulted in either of the reports that we are discussing today.
I turn to the specifics. Especially on Prüm, of course we recognise the real value of the exchange of information between states in fighting terrorism and serious international crime. Most noble Lords have referred to that. The noble Lord, Lord Wright of Richmond, in his opening, said that while accepting the exchange of information was critical in the fight against serious crime and terrorism—a point addressed also by my noble friend Lady Ludford and the noble Lord, Lord Marlesford—there was no consultation, no estimate of costs, no impact assessment and so on.
We must work closely with our international partners to ensure that those dangerous and serious criminals and terrorists who seek to threaten the UK and its citizens are prevented from doing so. However, our concerns are not about the intention of the Prüm treaty but about the way in which it is being implemented. In that we agree with the concerns raised by the EU committee. The treaty of Prüm, as we have heard, was negotiated and signed without any parliamentary oversight. The intergovernmental nature of co-operation in the field of security in the EU inhibits democratic checks where a treaty is presented, already negotiated, for ratification or rejection. Changes are not permitted.
In addition, transposing the provisions of the treaty of Prüm into EU law through Council decision will leave the European Parliament, whose rapporteur is still to be appointed, with the simple consultation procedure. Is that the appropriate way to proceed with such a treaty when we are dealing with sensitive personal data? I do not think so, and my noble friend Lady Ludford suggested that we are going too fast properly to scrutinise EU law enforcement efforts. She referred to Prüm as a particular scandal and not the way to run a whelk stall. She said that it was a merry-go-round out of control and that periodic reviews are simply not good enough.
We are very uneasy about how the security of such data can be protected when an exchange is taking place. We very much share the committee’s concerns in paragraphs 81 to 98, where it recommends that negotiations on the data protection framework decision, instead of being sidelined, should proceed in parallel with those on the Prüm decision. What are the Government doing to ensure that the very high standards of data protection that the UK has applied to information processed in the law enforcement field are replicated across the EU?
I thank the Government for their response to the recommendation in paragraph 102, in which the committee states:
“The threshold for holding DNA profiles on the United Kingdom DNA database is far lower than in any other Member State, and the proportion of the population on the database correspondingly far higher. The Government should as a matter of urgency examine the implications of DNA exchanges for those on the United Kingdom database”.
I understand that there are roughly 4 million hits on the database at present. This worried me and I thank the Government for stating in their response:
“The UK (as with other Member States) will decide which profiles on the national database should be exposed to search requests from other member states. There need be no assumption that all profiles would be searched routinely under Prüm”.
Can the Minister inform the House how the decision will be made about which profiles will be available for a search request? Will this be done, for instance, by type of crime or by sentence imposed? Will the DNA of those who have been arrested but not charged be available for searching? Will there be any parliamentary oversight of such decisions?
The EU-US passenger name record agreement is equally of great concern to us, as every noble Lord reminded us. Since the EU committee’s report was published, a new agreement has been put in place, which seems to put EU citizens in a substantively worse position than under the 2004 agreement. As we have heard, the retention period has been extended from 3.5 to 15 years. The data will first be held in active analytical databases for seven years. The Department of Homeland Security will then move the data to “dormant” status and has stated that it “expects” to erase it after 15 years, although that expiration will be subject to further discussions.
There will be greater data sharing across US agencies and with third countries. There is a weak legal mechanism for EU citizens to challenge misuse of their personal information. The data can be used,
“where the life of a data subject or of others could be imperilled or seriously impaired”.
So this use is not restricted just to terrorism or serious crime.
The agreements have ignored a number of questions. What data mining will occur? Rarely has there been much consideration of how these data are being put to use by the US Government. Why are all these data important and how are they being processed? The disclosures regarding the profiling system ATS raised more concerns in the US than they appear to have done within the EU, despite the fact that it leaves us to question whether the US is abiding by the agreements at all, while it implements secret risk assessment systems. How legally binding are these agreements? They do not hold the status of treaties within US law, and because they are not ratified by the US Senate, do not become binding US law.
Any promises made in the agreements regarding granting legal rights to EU citizens are not truly actionable. What about data from other sources? While major carriers have their own reservation systems, reservation systems are also outsourced or run by third parties. There are global reservation systems such as Galileo, Sabre and others, which are not within the remit of the agreement, because the agreement applies only to carriers’ databases. The computerised reservation systems—CRS—will permit broad access by US authorities to data regarding citizens from around the world without any restrictions, because many of the companies are based in the US or have databases within US jurisdiction. Similarly, EU citizens flying on any US-based airline, even from EU airports, have less control over their personal information, as those transfers are not governed by the agreements.
When I was travelling here in a taxi this afternoon, I was telling the driver about the debate in which I was about to speak, and I told her how difficult these arrangements are. I asked her whether she was aware that information on her would be picked up very quickly and known about if she decided to fly to the United States; and she was absolutely horrified. She asked, “Why haven’t we heard about it?”. I ask the same question, because the majority of British citizens have no idea what is being held on them.
Both reports raise a number of general concerns in relation to the mechanisms whereby the Prüm treaty and the EU-US PNR agreement came into effect. There is a distinct lack of democratic oversight and parliamentary scrutiny, as many noble Lords have said, in regard to both. There have been insufficient opportunities for national parliaments to exercise any influence over the negotiations or to propose any modifications. Most worrying is the seeming lack of protection of the personal data that are to be transferred and the lack of any remedies for citizens.
Finally, how are we expected to believe that the Government, who cannot even protect the data of their citizens when they are being transferred between HMRC and the National Audit Office, as other noble Lords have said, have adequate procedures in place to protect personal data when they are being transferred to another country?
My Lords, a number of important points have been made in this debate on the two excellent reports from the committee chaired by the noble Lord, Lord Wright, who taught me much of the craft of diplomacy and negotiation that I learnt in the Foreign Office. He is a master practitioner.
I am sure that the House would agree with the aim of both agreements, which is to improve cross-border co-operation in combating terrorism, serious border crime and illegal immigration, in the case of the Prüm agreement and, in the case of the passenger name record agreement between the United States and the EU, to combat terrorism. The question is whether the agreements fulfil their stated aims on acceptable conditions. Like the noble Lord, Lord Wright, and other speakers, I find in that respect that I have to be rather critical.
I shall take the PNR agreement first. Before I get to the substantive point, I echo the comments that have been made by a number of speakers to the effect that it is a pity, to put it mildly, that the Government’s response to a report published in May came out only in October, almost five months after the report and two months after the agreement reported on had been struck. That obviously means that we are debating a report and a response after the point at which they can have any effect on the outcome. Moreover, a substantial number of the committee’s recommendations have been ignored in the final outcome, and that is a poor outcome for parliamentary scrutiny. All of this is against the background of an unsatisfactory negotiation with the United States involving a unilateral interpretative letter from the Americans. I entirely concur with what my noble friend Lord Marlesford said about the public interest being the loser in this respect.
On the substance of the issue, it is clear that there are many advantages to allowing the intelligence services of the United States to have access to certain information about people travelling to their country. My party supports such mutual help, provided that there are safeguards. Indeed, on this side of the House we would argue strongly that the United Kingdom would be better protected and more able to manage immigration if the Government took the importance of border protection as seriously as the United States. It is imperative to have real-time information about movement across our borders, so that at any time it will be possible to know how many people are in our territory and jurisdiction and who they are. There is obviously no quarrel there about the aims, but we need safeguards.
In his reply, could the Minister say how relevant and successful the agreement with the United States has been in its proclaimed aim of combating terrorism? The committee expressed some anxiety that there was very little evidence on this point. Obviously, there may be a need for confidentiality, but it would be of interest to know whether such systems, which increase public and private-sector costs, are really effective in meeting their proclaimed objectives. We should not be frightened of reducing bureaucratic burdens if they turn out not to be fit for purpose or proportionate.
Protection of personal data is another area where public authorities need to be conscious of their duties to the owners of the data—in this case, airline passengers. It is very easy for the state in its various guises to treat information about people’s identities as if it belonged to the state and not to the real owner, the individual. Now that personal data pass from airlines to US Customs and Border Protection within the Department of Homeland Security and the Transportation Security Administration, there must be an increased danger that the information may in practice be used for purposes for which it was not initially given. Can the Minister say if any regular monitoring procedures will be in place to ensure proper use of data and effective protection thereof?
This is not an idle consideration. Many UK citizens are going to be caught in this net. This is a real cause for concern on the part of ordinary citizens as more than 2 million Britons travel to the United States annually. In their response to the committee’s report the Government said that,
“the retention periods negotiated under the new Agreement will also apply to data collected under the 2004 and 2006 Agreements”.
As the noble Baroness, Lady Ludford, noted, given that the new agreement doubles the previous retention period, from 3.5 to seven years and adds on a further eight years of dormant, non-operational retention, can the Minister explain what has changed fundamentally since 2004 to require this long period of retention? Why is this necessary? To what purposes might this vast quantity of data possibly be put? I will posit one uncomfortable possibility.
According to the Government’s response to the committee, the PNR may be used,
“for the protection of vital interests of the data subject of other persons, or in any criminal judicial proceedings”.
Could the Minister explain the purport of this apparently vast let-out provision on potential use? Who is to judge the need for such use? Would British authorities be consulted in such cases? Indeed, would the UK authorities be informed? What would the data subject be allowed to know about the decision to protect their vital interests or those of other persons? Indeed, the PNR having been put in place in the name of combating terrorism, here is a provision which would permit, in an apparently wholly uncircumscribed way, the use of information given for this purpose to be used in any—I repeat, any— criminal proceedings. The committee requested that there should be safeguards to ensure that the data were not used for general law enforcement purposes. Would the Minister respond on that important point?
On this side of the House, our anxieties on that point are increased by the quantity of data demanded of travellers under the PNR. Anybody who has filled in the forms knows that they are quite intrusive and reach into personal and financial matters. Can the Minister please clarify the meaning of the quantity of data elements that are to be exchanged? The original agreement allowed for 34 types to be collected. The new agreement ostensibly reduces that to 19, but the Government’s response to the committee’s report states that the number has been reduced as a result of the,
“merging of a number of data elements that cover the same type of information”.
As the noble Baroness, Lady Ludford, remarked, that sounds less like a reduction in the amount of data that has to be given, than a recategorisation thereof; that is to say, bigger data groups. No doubt the Minister will inform us if another interpretation is possible.
The second of the reports under discussion today deals with the Council of Ministers’ decision based on the Prüm treaty concerning cross-border data exchange in three areas—DNA profiles, fingerprints and certain vehicle registration data—with the aim of combating terrorism, serious border crime and illegal immigration. The Conservative Benches are evidently not against such mutual assistance as a matter of principle, but the safeguards that apply at home to data protection—which, in our view, are in any case weak in implementation if not in concept—need to be present to safeguard much wider exchange across borders, where the risks increase. We do not believe that these safeguards are in place.
As with the PNR agreement, the Government had at their disposal the committee’s report before they gave their agreement last summer to the Council decision. Despite that, as many noble Lords who have spoken in this debate have noticed, a considerable number of the points it made—some of them significant—have not been taken up or reflected in the outcome.
On the plus side, we on these Benches congratulate the Government on their success in removing provisions concerning the unauthorised entry of officials of one state into another. Against this, it is generally disappointing that more notice was not taken by the Government of the report. I share the view expressed by many speakers and I believe that the Government could have applied more leverage, given the need for unanimity to adopt the decision.
Procedure is important. Noble Lords have noted the strong desirability of proper information provided alongside proposals, including impact assessments in particular. The Conservative Benches consider that, whatever the formal position in relation to initiatives taken by member states as distinct from the Commission, Her Majesty’s Government will be serving the public interest in pressing for that rather than excusing failure to follow good practice. Rushing legislation through in the name of protection of the safety of society—and I fear that is what happened— shows a disregard for the rights of the citizen in respect of other protections to which individuals are entitled, including their privacy and the protection of their data. It would have been a sign of seriousness of intent in this regard if the Government had accepted the committee's proposed condition that member states be obliged to consult the European Data Protection Supervisor on initiatives with data protection implications.
As others have noticed, the Government commented in their reply that they saw no tangible benefits in that. I hope the day does not come when they have cause to rue this view. Given the increased powers which the UK Information Commissioner now—at last—has had to be given by the Government as a result of the latest data losses in government, one might have thought that the obligation to consult the data supervisor would be seen as a useful protection for the Government and a potent means of forcing up other countries’ standards of data protection nearer to those already obtained in the UK.
In his opinion, the European data protection Supervisor made a number of critical comments on that decision. If the Government are not disposed to listen to the committee of this House, perhaps they will take the views of the European Data Protection Supervisor seriously. He complains of ambiguity in the purposes of collection and exchange. He queries the scheme’s proportionality, the failure properly to assess the value of data exchange so far and its relevance to wider exchange among all member states. He noted that some of the procedures governing handover by national authorities of data, on which HMG apparently intend to rely for protection, constitute derogations from the principle of availability. He does not say that this is wrong, but one is bound to wonder how long it will be before such reliance is challenged and the safeguards dependent on it weakened. What would then happen to the UK citizen’s right to receive protection from UK courts?
The European Data Protection Supervisor states categorically that the lack of a harmonised legal framework for data protection, which he considers a sine qua non of cross-border data exchange on this potential scale, is a serious shortcoming. The Government, on the other hand, state in their reply that they do not consider it necessary to complete work on a data framework before proceeding. One wonders about the prudence of this. The committee makes the same recommendation. The Government ought to be listening to such experts and to Parliament, and take their advice seriously instead of waiting until they have another data accident. How many more do the Government want?
Finally, like the noble Lord, Lord Jopling, I am concerned about the UK situation. We have over 3 million entries on the police database—more than all other member states put together. On this database there are details of convicted criminals, people arrested but never convicted and volunteered samples of otherwise totally uninvolved people. It is, of course, open to question whether this should be the case but, for now, it is. The comparable German register contains the names of convicted criminals only. Here is a big information mismatch.
Secondly, the protections are different. Not surprisingly, and perfectly reasonably, the German protections are lower. Relying entirely on national practice, and in a situation where there is an obligation on the state receiving a request for data to follow it up, can the House be confident that there will never be a case of information about a UK national improperly and unnecessarily crossing borders and/or being improperly released, thus rendering such data exchange open to challenge—quite apart from the damage that it might do to the individual concerned? I, for one, would not be so confident. It is surely unwise of the Government not to accept the need for national systems and practices in data protection and security to be made more compatible, if not fully aligned, before extending obligations in this field.
At the very least, data on a database should be carefully categorised. The noble Baroness, Lady Harris, made some pertinent points on this. It would also be reassuring to know that, when a data file is handed over, there was a definite time limit on the retention of that data file by the third-party country; this point is obscure. What can the Minister tell us about these various issues which will help quieten well founded anxieties on these various scores? Moreover, rushing this decision has meant that the committee's recommendation that there should be a reliable estimate of start-up costs before incorporation into EU law has been neglected, despite the European data supervisor taking the same view.
Along with being willing to take risks with our personal information, the Government seem willing potentially to get into a financial muddle. They say they have an estimate: £31 million, including running costs for the first year. They stress, however, that this is just an estimate and that a feasibility study will follow. I suggest that it is normal do a feasibility study beforehand; £31 million is not a trivial sum and, given the history of undercostings and expenditure overruns in the public sector, I fear that the House is entitled to view this figure with considerable scepticism. Can the Minister give more detail which might increase our confidence in the accuracy of this figure and the value for money that it may represent? The Government say that the public benefit deriving from the high cost will be justified. What is the evidence? Illustrations from Prüm have been cited as examples but as the noble Lord, Lord Jopling, has noted, it is open to question whether, when the backlog of crimes has been cleared, the “hit” system will make a yield which is nearly so fruitful. Can the Minister give us more detail on the Government’s realistic expectations on the cost-benefit of this measure and the increases in crime detection that are actually likely to occur?
Many of the concerns of the committee, which are shared on these Benches, involve aspects of data protection—the circumstances in which data may be handed over, the uses to which they may be put and the protection their storage and retention will be given. In this area there are now an alarming number of loose ends. On these Benches we hope that the Government will in subsequent negotiation pursue these important points and be willing to report further to the House on progress in establishing effective EU-wide rules of a sufficiently high standard. As I have said, the Conservatives welcome much of this agreement but the important questions raised on all sides of the House need to be answered to ensure greater clarity and public confidence, especially at a time when data security is so prominent in the public’s mind. Confidence in this Government’s record in this area is at present low, so I hope the Minister will be able to give some information which will go some way to restoring it.
My Lords, I welcome the opportunity provided by this debate to discuss the two reports. I shall address the points that have been raised in a moment, but first I should like to acknowledge and commend the European Union Committee’s valuable and thorough work in its scrutiny of the European legislation and add my praise for the noble Lord, Lord Wright of Richmond, and his work in leading that committee.
The committee recognises in its report the value of data sharing in the fight against terrorism and serious crime and the benefits delivered both for the United Kingdom and for all the participating member states. The Government are in agreement with the committee on this issue. Criminals do not respect borders, so it is vital that we develop a cross-border capacity to respond to crime. This includes co-operation with our European counterparts as well as those in the United States in sharing data specific to countering terrorism and combating serious crime.
The review that I carried out, which was reported in the Prime Minister’s Statement on security to Parliament on 25 July, also highlighted the importance of enhancing existing co-operation to share more information between police and immigration services and internationally across countries. The first line of defence against terrorism is overseas at other countries’ ports and airports, where people embark on journeys and where terrorist suspects can be identified and stopped before they board planes, ships and so on. The Government have already announced how the Home Secretary will enhance the existing e-borders programme to incorporate all passenger information to help to track and intercept terrorists and criminals. We also set out that, in the identification of potential terrorist suspects, there should be maximum co-operation internationally. Both the EU-US agreement on exchanging passenger name records data and the Prüm Council decision are important tools in the fight against terrorism and serious and organised crime. Wherever we take steps to enforce security, there must be proper safeguards in place to protect the individual.
I will address the EU-US agreement and Prüm separately. I had hoped to speak for about 20 minutes; there are rather a lot of questions but I will try to keep to that. On the EU-US PNR, the Government welcome the fact that a long-term agreement has been reached on the transfer of passenger data to the United States. This agreement recognises the need to balance preventing and combating serious crime and terrorism with providing data protection safeguards for air passengers. The letter from the United States provides the EU with assurances on the way in which the US intends to protect personal data under the agreement. In return, the EU has confirmed that, on the basis of the assurances that it has received, it considers the level of protection of PNR data in the United States to be adequate. There is a mechanism—the periodic review—for the EU to reassure itself that the assurances are being adhered to.
The noble Lord, Lord Wright, went into more detail about this letter. All I would add is that the letter provides the EU with assurances on how the US intends to protect personal data. The agreement is a legal instrument. Paragraph 1 refers to the assurances. The assurances from the US are contained in a statement about how it intends to apply its policies. You cannot really unpick the agreement and the letter; they are a package. The agreed package contains important commitments on how the US will handle PNR in respect of data protection.
The EU-led negotiations on PNR set out in the report were valuable. A copy of the report was given to the Commission and to the United Kingdom’s permanent representation to the European Union, and it was discussed with them. The EU Commission was aware of all the points at the time of the negotiations, which I think was very helpful.
My Lords, I apologise for interrupting the Minister, but could he clarify what he just said? He said that the agreement is legally binding. Does he maintain that the whole package—the agreement plus the letter and the undertakings—is legally binding?
My Lords, perhaps I may get back in writing to the noble Baroness on that specific point. I am not clear on it myself.
The noble Lord, Lord Wright, also mentioned the view of the Commission and the presidency. The Commission and the presidency, which led the negotiations, were well aware of the views of the European Parliament and the European data protection supervisor. A copy of the Select Committee’s report was given to the Commission. As the Article 29 working party on data protection acknowledged, these were extremely tough negotiations, in which the United States had a strongly held position.
The noble Baroness, Lady Ludford, mentioned the incentive for the US to move to a push system. A push system is obviously much better than a pull system for the reason that she gave. A deadline of 1 January 2008 obliges the DHS to move to a push system for all carriers operating out of the European Union that have implemented a system that complies with the DHS technical requirements.
Noble Lords mentioned the use of PNR data. The purpose set out in the previous interim agreement was retained in this new agreement. The US receives only that PNR that is necessary to prevent and combat,
“Terrorism and related crimes … Other serious crimes, including organized crime, that are transnational in nature; and … Flights from warrants or custody”,
for these crimes. The agreement also states that PNR data may be used, where necessary, for the protection of the vital interests of the data subject or other persons, for any criminal judicial proceedings or as otherwise required by law. This use of PNR data is not a new concept; it was mentioned in former undertakings.
I do not have the statistics for the agreement between the EU and the US on what has been achieved by PNR data. I would just cite Project Semaphore, which we have talked about in this House before. For example, on the very small quantity of PNR data that we have gathered on specific routes, we found that, as opposed to the one in 2,200 people whom in the past we were able to do anything about, we are able to get something like one in 12 of those people in whom we believe we have a legitimate interest. That shows the extent to which the data safeguard and enhance the rights of legitimate travellers who do not need to be subject to such detailed scrutiny, while successfully detecting the very small proportion of travellers who are breaking the law.
A number of speakers asked about profiling. By using PNR, we can build up a picture of suspect passengers; it is more their patterns of travel than a profile of the person. This enables us to identify individuals conducting those patterns of travel and to see whether they share common characteristics. That has enabled us to identify people who are more of a risk to us. It can also be used to facilitate legitimate travel and allow us not to have to bother with people who are travelling legitimately.
A number of speakers asked about the retention of data for longer. All I will say on that is that terrorist groups often operate over a long period and the recruitment and training of their personnel may be spaced over several years. It is therefore important that data be retained to allow retrospective analysis of intelligence to identify links between known operatives and others.
The noble Baroness, Lady Harris, asked whether passengers were aware of what personal data were held and under what conditions. The main United Kingdom airlines already provide passengers with information about how their data will be used; the EU and the US work with the aviation industry to publicise PNR systems and to raise awareness among passengers. In terms of redress, the new agreement allows people to seek redress if they think their PNR data are inaccurate or have been used. Passengers can also ask for their PNR data from the Department of Homeland Security under the US Privacy Act and Freedom of Information Act. I cannot talk much more about that on the Floor of the House, but if the noble Baroness would wish, I can write to her, setting out the interface between the US Privacy Act and Freedom of Information Act.
The noble Baroness, Lady Neville-Jones, asked about a proper mechanism for reviewing the workings of the agreement. The details of how the review will be carried out have yet to be agreed. For the European Union, the review will be undertaken by the Commissioner responsible for justice, freedom and security or by somebody whom he designates.
Finally, there was a question about PNR data elements and their purpose. The data will be received only to the extent to which carriers collect those data as part of their normal business, as they already collect a lot of data under the EU borders scheme. The agreement specifically limits the purposes for which they may be used.
I hope that I have answered all the questions on the PNR side. This particular agreement is a proportionate measure. It provides certainty to air carriers that they may transfer passenger name record data to US authorities in compliance with their data protection obligations. The Department of Homeland Security has made a policy decision to extend administrative Privacy Act protections to non-US citizens. That is an improvement over the previous agreement. Furthermore, as I have already mentioned, greater visibility for notices describing the PNR system will enhance transparency.
Turning now to Prüm, the Government expect substantial benefits from this proposal for the work of UK law enforcement authorities. It will offer an enhanced UK law enforcement ability to search across the whole EU to establish matches of crucial forensic evidence in quicker time. This will allow officers to determine whether to pursue or eliminate lines of inquiry. The Prüm model returns a hit or no hit on average in 50 seconds, but it can take up to a maximum of 24 hours.
I know that during the course of the committee’s inquiry, in the report which preceded this debate, and in today’s debate, there have been a number of what could be termed “process-related” issues and questions. I want to reiterate that, despite my short time in this post, I am none the less more than aware of the importance of the parliamentary processes and seek to ensure that we work within them.
The Government have endeavoured to keep Parliament informed of events as they have unfolded. The negotiations did move fast, but that is not necessarily a bad thing if it means that we see the benefits in quicker time.
The negotiations did not however bypass the usual requirements. All member states were offered opportunities in the relevant council committee and at the JHA Council to question and propose amendments to the text, and indeed the UK secured three significant changes to meet UK concerns, including concerns raised by the European Union Committee. Specifically, we secured the deletion of the provision on hot pursuit, which was an issue that the committee felt particularly concerned about; we secured a limitation to vehicle registration data to serious crime; and secured data protection provisions that were both robust and consistent with national law and sought to include a council declaration on the application of existing non-automated data searching between member states.
It was unfortunate that it was not possible to clear the proposal from scrutiny before it was agreed. In responding to the committee’s report within a week, we hoped to be in a position to have this debate before the June JHA Council. That did not prove possible. As such, after much consideration, the then Home Office Minister decided to override the parliamentary scrutiny reserve and agree the Prüm Council decision. The reasons for that were set out in a letter to the committee dated 11 June 2007.
As noble Lords will be aware, we have recently participated in a general approach to the Prüm implementing agreement. I am aware of the committee’s views on the use of general approaches, but place on record that the Government do not consider this to be an override, given that work is continuing at expert level on the detailed accompanying technical annexe.
Coming to the data protection issues, I reiterate that the Government secured specific data-sharing provisions to be included in the Council decision to ensure a balance between the rights of the individual and the need to share data for public security purposes. We believe that the Prüm Council decision and implementing agreement provide such provisions and safeguards.
The noble Lord, Lord Wright, asked why we had been browbeaten into accepting Prüm without cost analysis. We were not browbeaten. There was a full discussion of the text. However, it was not accompanied by full and proper cost analysis—in that, he is completely right. I have to say that that was extremely unfortunate. During the negotiation, there was an expert seminar to explore the experience of the seven original Prüm states, which allowed us to assess resource and cost implications—it was not fully satisfactory, I have to say, but it gave us a baseline. The noble Lord asked why we accepted that before a data protection framework was in place. Prüm has its own data protection framework, which is robust and tailored to the specific system. It is a bespoke system.
The noble Lord also asked why we agreed to implement the agreement while it was under scrutiny. The Government do not accept that the general approach at the November JHA Council—the ongoing negotiations are detailed in the annexe—is an override, because we reserve the right to reopen the text at any time.
A number of speakers asked about access to our own databases and the complexities of our databases compared with those in the European Union. It would not be appropriate to allow direct access to our databases; indeed, that is not intended. We would allow a search on data from reference or shadow DNA or fingerprint databases, but that would be only to ascertain whether there was a hit or no hit on the data. Further information would have to go through the current secure police channels, including mutual legal assistance, once we knew that there had been a hit. Consequently, any disclosure of personal information about individuals whose profiles are on the UK databases would be under existing conditions. That provides for a case-by-case consideration of the legal basis, as well as the necessity for proportionality and justification of disclosure, taking into account data protection and ECHR considerations.
In closing, I stress the importance that the Government attach to these initiatives. The UK Government take data protection very seriously. It is paramount to ensure that when we share information proper measures are in place to protect the data shared. Data sharing is a key part of keeping our communities safe and protected. With ever-increasing travel by offenders and the transnational nature of organised crime, the necessity to share information increases accordingly.
Prüm is a new system for tackling organised transnational crime in a more modern way, allowing for a speedier and more efficient data-sharing mechanism. An important element in ensuring that we are able to share, retain and use data is the data protection standards and safeguards that the Prüm Council decision provides, with which the Government are satisfied.
The agreement between the EU and the US on the exchange of PNR also strikes that balance between the need to combat terrorism and serious and organised crime and the need to provide data protection safeguards. We all agree that the collection of PNR data is a valuable weapon in the fight against terrorism. However, we should not lose sight of the immense value of PNR in combating serious crime, including human trafficking and drug smuggling, as well as its value in securing borders.
I hope that I have addressed all your Lordships’ concerns satisfactorily, but I am willing to write on any issues that I have failed to cover in my speech.
My Lords, I am grateful to all noble Lords who have taken part in the debate. I would like to express my particular pleasure in sharing a debate for the first time with my former colleague—colleague, not pupil—the noble Baroness, Lady Neville-Jones. I thank the Minister for his attempt to respond. I do not say “attempt” condescendingly; I mean an attempt to respond to our criticisms. They are criticisms mainly of delays and failures that predate his watch—if I have the expression right. I am also grateful for his offer to write further, if, on looking at Hansard, he and his officials consider it useful to bring up other things.
I merely want to take up one point that the Minister made that relates to the intervention of the noble Baroness, Lady Ludford. He said that we cannot unpick the package of the PNR agreement and the DHS letter. Our particular criticism is that the letter does unpick the agreement.
On Question, Motion Agreed to.