47. The European Union databases which we have considered are, for the most part, still at an early stage of development. Two of them - Eurodac and CIS 3 - are not yet operational. Nevertheless, we were left in no doubt as to their importance. They will develop rapidly over the years to come, and will contain sensitive personal data. It is, therefore, not too early to consider how these databases will be managed, and what controls and safeguards will be put in place. The purpose of the databases is to assist in the fight against cross-border crime and illicit trafficking, and in the implementation of EU asylum and immigration policy. The Tampere Summit demonstrated that there is high level political support to tackle these issues at the EU level[6]. Heads of State and Government urge the Council of Ministers to finalise work on Eurodac and provide Europol with the necessary support and resources to enable it, shortly, to receive operational data from Member States.[7] But the European Council recognised that the development of Union-wide measures must be consistent with the protection of individual rights and freedoms. Europe has led the field in developing instruments and mechanisms for the protection of personal data, within the Council of Europe[8] and the European Union[9]. An important question is whether these instruments and mechanisms have kept pace with the development of pan-European information systems.

48. Informal information networks existed well before the creation of the European databases. It is important to note that a great deal of information is already exchanged between police forces of the Member States of the Union. The new databases should, however, be designed in such a way as to ensure greater transparency and be subject to stricter data protection laws than have hitherto applied.

49. All our witnesses raised the question of potential overlap of information held on the various databases, and the extent and desirability of such overlap. We do not believe that there is sufficient evidence, at this stage, to come to a firm view on this matter, other than to sound a general note of caution. We were told that there could be technical problems in establishing links before the individual databases are up and running. Other witnesses commented on the risks to individual rights of sharing data freely. In particular, individuals might experience difficulty in exercising their right of access to personal data.

50. On the other hand, it seems likely that, whether or not there are direct links between databases, some form of data sharing will happen in practice. The Action Plan to Combat Organised Crime adopted by the JHA Council in April 1997 specifically recommended that the terminals of several key EU and international databases should be brought together at a central point in each Member State. Under these circumstances, it is difficult to imagine that there would not be some informal sharing of information. This may enhance operational efficiency, particularly in the investigation of cross-border crimes, but raises delicate questions about the preservation of individual rights.

51. Concern as to the adequacy of data protection rules is all the greater in the case of international links with databases in non-EU countries. Plans for Europol to enter into agreements for the exchange of data with third States and non-EU related bodies are already well advanced. As we have previously commented, "Information which is incorrect or misused can seriously undermine individuals' rights and freedoms. The exchange of data between Europol and Third States or bodies may aggravate the risk of error or misuse as, in such cases, it may not always be clear which data protection rules apply and which, if any, body is responsible for supervising the data flows"[10]. We can foresee considerable pressure from third countries for access to information held on EU databases once they are fully operational. The EU will likewise wish to make use of information held on non-EU databases. Each of the EU databases establishes a joint supervisory authority. These authorities will have a crucial role to play in ensuring that agreements between the EU and third countries or bodies for the exchange of information provide an adequate level of data protection and sufficient safeguards for the exercise of individual rights of access.

52. A detailed study of the possible links between databases within the EU and between EU and international databases is beyond the scope of this Report, but we agree with JUSTICE that there is at present a lack of any consistent and transparent strategy on links. We also support their proposal for an enquiry at EU level, to examine proposed links between the databases as well as existing practices on the exchange of information via informal networks. We urge the Government to press the case for such an enquiry, and a comprehensive strategy on links, while discussion is still in its formative stages.

53. Whilst we recommend a cautious approach to establishing links between databases, we nevertheless think that it is important, wherever possible, to develop EU systems in ways which would be compatible with wider international systems. For example, common formats for the entry of data would facilitate possible future links, and also simplify the task of operators who might be required to work on a variety of systems.

54. A further cause for concern is the diversity of data protection requirements applicable to the various EU databases. We welcome the proposal for an EC Regulation applying consistent rules and procedures to Community institutions and bodies. These should protect the fundamental rights and freedoms of individuals, in particular their right to privacy, with respect to the processing of personal data[11]. The Regulation, if adopted, would establish an independent European Data Protection Supervisor to oversee the processing of personal data. While the operation of the Eurodac database, as a Community instrument, would fall within the scope of the Regulation, Europol would remain outside.

55. We regret that little apparent progress seems to have been made on an Italian proposal, suggested in March 1998, to look at the question of harmonising data protection rules and supervision in Third Pillar instruments.[12] We consider that a single supervisory body to oversee the development of all of these databases would have greater visibility and authority. Lines of accountability would be clearer. Such a body could help to ensure consistency in the interpretation and application of data protection rules, and have a role in resolving problems arising from overlaps between the information held on different databases.

56. We were impressed by the criticisms of current data protection principles made by Ms Colvin, for JUSTICE. She considered that they had not kept pace with modern methods of data storage and exchange. She argued that the citizen faced an almost impossible task in exercising rights of access to information held on databases, and that more attention needed to be paid to controlling the entry of information on to computer systems. In particular, she suggested that the distinction between "hard data " (factual information) and "soft data" (police intelligence information) needed to be re-examined. We agree.

57. In addition to a single supervisory authority, we believe that there is a need for effective judicial control to ensure compliance with common minimum standards, consistency of interpretation, and the enforcement of individual data protection rights in respect of these databases. This is crucial to securing public confidence. If personal information is to be stored in European databases, citizens are entitled to expect to have access to effective legal redress, whether such databases are established under the First or the Third Pillar.

58. JUSTICE has described judicial supervision of the databases at EU level as "a lottery". We agree. The supervisory role of the Court of Justice must, in our view, be a fully comprehensive one. The Government has, so far, taken the view that the UK should not opt in to the European Court of Justice's preliminary ruling jurisdiction in relation to Third Pillar instruments. In its response to our Report on Preparations for the Tampere Special European Council, the Government said that it would "consider whether such a mechanism [i.e. a judicial mechanism at EU level] is required and how it might be provided". We find it difficult to reconcile the Government's reluctance to accept the Court's jurisdiction over Third Pillar instruments with the need to ensure meaningful safeguards for individual rights at an EU as well as at a national level. The Government has not proposed an effective alternative to the Court of Justice capable of commanding the confidence of the citizens of the EU. In the absence of such a proposal, we again urge the Government to reconsider its stance on the Court of Justice. We consider the Court's involvement to be necessary to provide consistency and uniformity in the application of the rules in this most sensitive area of data protection.

59. Finally, we draw attention to the complex potential problems of computer security in relation to large databases. These are clearly most acute with regard to the Schengen Information System, which is at present estimated to have about 49,000 terminals. It would seem, from the evidence we heard, that it would be practically impossible to guarantee total security in such a large network. But risks can be managed in ways which reduce them to "acceptable" levels, through careful system design, the use of encryption technology and the monitoring of users. These are highly technical issues on which this Committee cannot offer an expert opinion. We believe, however, that it is right to draw them to the attention of the House and to seek an assurance from the Government that security of these networks, as they are developed, is being given the high priority it deserves.

Recommendation

60. The Committee believes that the issues raised in this report are highly important, and should be debated by the House in due course. However, the development of these databases is still in its early stages and we make this Report to the House for information only.

7   Presidency Conclusions of the Tampere Special European Council, paras 17 and 45. Back

8   Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 and Recommendation No. R(87) 15 concerning the use of personal data in the police sector. Back

9   EC Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995. Under Article 286 of the EC Treaty, the same data protection principles apply to institutions and bodies set up by, or on the basis of, the Treaty. Back

10   Europol: Third Country Rules, HL Paper 135, Session 1997-98. Back

11   Commission document COM(1999) 337 final. Back

12   We understand that the question of harmonisation was referred to the Council's Horizontal Working Group on Data Processing in February this year. Back