58.  In their response to the Heiligendamm report[38] the Government suggested that "if the Prüm treaty reaches the EU it will be opened up to the same negotiations and processes as all other proposals and a single Member State can prevent it from being enacted." It is true that the Prüm Decision, being a third pillar measure, must be adopted unanimously or not at all;[39] but this is only half the truth. The real picture is that the Decision replicates a deal agreed between a group of Member States, and already ratified by some of them and in force between them. It was the firm and stated intention of those States that it should become binding on the other Member States without amendment; and this, with a single exception, is what they have so far achieved.

59.  The Government, being broadly supportive of the measure, may not wish the United Kingdom to be one of the States—perhaps the only State—preventing its adoption altogether. But this does not mean that it should play a passive role in the negotiations. The Government have already shown that there is one provision they are not prepared to accept. We believe that there are four other matters which the Government should be actively pursuing.

Measures in the event of immediate danger

60.  Article 18 of the draft of the Decision considered by the Council on 15 February,[40] the equivalent of Article 25 of the Treaty, would have allowed officers[41] of one Member State to cross the border into another Member State without that State's prior consent "in urgent situations" to take "any provisional measures necessary to avert immediate danger to life or limb".[42]

61.  In her letter to the Chairman, written on 2 February in advance of the February Council, Ms Ryan wrote:

"Article 18 … is one of the reasons that the UK was cautious about signing the original Prüm Convention … The Article is designed for States with extensive land borders who may have a situation, such as a train crash, which would need to be dealt with by the nearest police. We therefore doubt that it is operationally feasible or desirable for the UK.

In addition, whilst the focus is on urgent situations, the Article does not preclude 'hot pursuit' in a situation such as kidnapping where there may be 'immediate danger to life or limb.' The UK does not participate in Article 41 of the Schengen Acquis on 'hot pursuit'. Furthermore, Article 18(4)[43] requires signatories to accept liability for foreign officers operating in our territory. This would require primary legislation.

Therefore we will seek to ensure our concerns are addressed in negotiations, possibly exploring the possibilities of an opt out or the removal of the Article altogether."

Ms Ryan repeated some of these concerns in her oral evidence. (QQ 6, 16-17)

62.  At the February Council the Government, to their credit, voiced their concerns about this provision, and insisted on its removal from the draft Decision. This has been done: the article was omitted from the draft of 27 February which was forwarded to the European Parliament for its Opinion.

63.  We agree that those drafting Article 18 certainly did not contemplate its applying to maritime borders; the constant references to "crossing the border" are proof of this. But if left in the Decision unamended, this provision would arguably allow foreign police officers and other foreign officers and officials to enter and act in this country uninvited.[44] Given our maritime borders it would be unnecessary and undesirable. Any arrangements affecting the border between the United Kingdom and Ireland have been made and should remain on a bilateral basis.

64.  Portugal has suggested that the mandatory provisions of Article 18 might be replaced by a provision allowing Member States to agree on a bilateral basis to allow officers of another State with a common border to enter their territory without prior permission "in urgent situations". There is a precedent for such a provision in Article 39(5) of the Schengen Convention.[45] Ms Ryan referred to this in evidence (Q 17) but did not state whether the United Kingdom would support this initiative. Mr Faull mentioned an alternative solution under examination which would require Member States with a common border to conclude separate bilateral agreements about measures they would take in the event of an immediate danger in their border regions. (Q 106)

65.  We congratulate the Government on having successfully insisted on the removal from the Prüm Decision of a general provision which would allow designated officers and officials of one Member State to enter the territory of another Member State without prior permission.

66.  Since unanimity is needed for the adoption of the Prüm Decision this shows that, given the will, the Government should be able to secure agreement on other matters which need to be settled before the Decision can be adopted.

Principle of Availability

67.  We explained in paragraph 14 that the draft Framework Decision covered some data not covered by Prüm: ballistics, communications data and identification data in civil registers.[46] We do not know whether those negotiating the Prüm Treaty took a conscious decision to exclude these data, and if they did, what the reason may have been. An explanatory memorandum could have given the reason for this.

68.  Whatever the reason, we need to know what is to be the fate of information, for example data on ballistics, which may well be important for the prevention and detection of crime, and which would have been available under the Framework Decision, but will not be available under Prüm. Despite the importance apparently attached by the Government to progressing the Framework Decision (Q 32)[47] we see no prospect of negotiations on this resuming once the Prüm Decision has been adopted. The obvious solution would be to amend the Prüm Decision to include ballistics and the other categories of information not so far included. There is no suggestion that the States promoting that Decision have given any thought to this.

69.  We asked Jonathan Faull whether the Commission believed that ballistics, communications data and identification data in civil registers should have been included in the Prüm Treaty. He was unable to explain why these categories of data had been left out, but he believed that their exchange under the principle of availability remained a priority for the EU. (Q 110)

70.  There is another way in which the Framework Decision is (or would have been) an improvement on Prüm, and that is the involvement of Europol. Europol is an agency created by a Convention between all the Member States, and as such could not be given access to data by a multilateral treaty between seven of those States; yet under the Framework Decision it would have had access to data available to all Member States. According to Jonathan Faull, this point is likely to be taken up in the wider discussions on the future role of Europol. (Q 112)

71.  If and when the Prüm Decision is agreed, any matters in the Framework Decision on the principle of availability which have not been adequately dealt with must continue to be the subject of negotiation.

The cost of implementation

72.  If this had been a Commission initiative, there would have been an explanatory memorandum from the Commission which would have given an estimate, however rough, of the cost of implementing the Prüm Decision. But the States whose initiative this is have not done so. While they were under no legal obligation to supply an explanatory memorandum, we believe that they should have done so.

73.  There should be a convention that any legislative proposals by Member States should, like Commission proposals, be accompanied by full explanatory memoranda and regulatory impact assessments.[48]

74.  Member States which are asked to consider an initiative by some of their number should normally decline to do so unless and until they have been supplied with a full explanatory memorandum covering in particular the estimated cost of the initiative.

75.  Ms Ryan's letter of 2 February states, and the Government's Explanatory Memorandum on the Prüm Decision repeats:

"Germany has stated that the costs to them of implementing the Prüm Convention, including the provisions that are included in the draft Council Decision, have been in the region of €900,000. We are considering in detail what the financial implications for the UK might be but the initial view of UK experts is that the costs associated with implementing Prüm among all 27 EU Member States may be considerably higher, depending in part on the precise technical arrangements for allowing Member States to link into one another's systems. We are currently exploring with Germany and other existing Prüm participants the basis on which their costings were developed, with a view to further developing our own cost analysis."

76.  In a further letter to the Chairman of 19 April 2007 (p 11) Ms Ryan explains that the question of cost was discussed at a technical workshop at Wiesbaden on 9 March to which the Government sent experts from the DNA National Database, the Police Information Technology Organisation and the Driver and Vehicle Licensing Agency (DVLA). She tells us that the figures used at the meeting "in some cases appear considerably higher than the German or Austrian costs … the figures from other signatories do not include project or business costs, which can often be some of the most expensive elements." On the basis of these discussions "the Government estimates that the total start-up cost for the United Kingdom will be in the region of £31 million pounds for the exchange of fingerprint, DNA and vehicle registration data"; but the Minister stresses that "these are informed but necessarily limited estimates of cost based on the information currently available". She tells us that the Government do not consider the £31 million estimated start-up cost unreasonable "considering the benefits that the draft Council Decision will bring."

77.  What Ms Ryan does not give us is any estimate of the annual cost of running the Prüm system. It seems to us possible that the German assessment of the cost of exchanging information with Austria, whose population is just over 8 million, may be only a fraction of the cost of exchanges with 26 other States whose total population is over 400 million. The cost to the United Kingdom of supplying information to other States may be one of the highest, given the size of its DNA database to which we have referred in paragraphs 40 to 42 above.

78.  The Government should not allow the Prüm Decision to be incorporated into EU law unless and until there is available a reliable estimate of the start-up cost and the running costs of doing so, and then only if they believe that the benefits to the United Kingdom of implementing the Decision justify these costs.

Supervision of operation

79.  The draft Decision does not include any provision for the collection of statistics, or for monitoring and evaluating its operation. This is unacceptable in an instrument of this type. The Regulation on the establishment, operation and use of the Second Generation Schengen Information System (SIS II) sets up a Management Authority whose duties include the collection and publication of statistics.[49] Every two years the Authority has to submit to the European Parliament and the Council a report on the technical functioning of Central SIS II, including its security, and every four years the Commission has to produce an overall evaluation of Central SIS II and of the bilateral and multilateral exchange of information between Member States. We believe that this provides a good model for the sort of supervision which is essential for the Prüm Decision.

80.  The Government should insist on the inclusion in the Prüm Decision of provisions to ensure that its operation is properly monitored. What is required is at the very least:

• an obligation on national agencies to produce annual reports, including statistics, on the use of their powers under the Decision; and
• an obligation on the Commission to produce an overall evaluation of the operation of the Decision, for submission to the Council, the European Parliament and national parliaments, to see whether it needs amendment.

Data protection

81.  We have referred in paragraphs 72 to 74 to the desirability of initiatives of Member States, like Commission initiatives, including full explanatory memoranda. There should be a similar requirement that Member States putting forward initiatives with data protection implications should consult the European Data Protection Supervisor.

82.  Even without such a requirement, the EDPS could have been consulted; but he was not. Nevertheless on 4 April 2007 he sent to the German Presidency a very full Opinion, which was published on 11 April.[50] We congratulate him on having taken this step; his Opinion makes a number of useful points, many of them repeating views he had already given us in evidence and supporting conclusions we had already reached.

83.  Data protection issues in first pillar instruments are governed by the 1995 Data Protection Directive.[51] The Hague Programme instructed the Commission to bring forward proposals for a third pillar Data Protection Framework Decision (DPFD) at the same time as it put forward proposals for a Framework Decision on the Principle of Availability, since the two were intimately connected. This it did in October 2005. Data transferred under the second of these Framework Decisions would be governed by the DPFD. Importantly, the Commission's impact assessment accompanying the Framework Decision on the principle of availability highlighted that the risk for personal data involved in that proposal would be significantly diminished by the existence of the third pillar data protection regime which was then envisaged.[52] As we have explained, negotiations on the Framework Decision on the principle of availability have already foundered; we are anxious that the same fate should not await the DPFD.

84.  In three of our recent reports we have commented on the number of EU initiatives for the exchange of information which have data protection provisions, the extent to which they differ, and the difficulty of determining how they interact.[53] In Chapter 6 of our recent report on the second generation Schengen Information System[54] we considered in some detail the problems caused by the differences between the provisions in the Schengen Decision and those in what was then the latest draft of the DPFD.

85.  Inevitably, the data protection provisions in Chapter 7 of the Prüm Treaty, and hence in Chapter 6 of the Prüm Decision, are yet again different from those in the latest formal draft of the DPFD.[55] The protection is to be no less than that of the Council of Europe Convention 108; the purpose of the supply of information is to be respected; and the data subject has a right to know what information is held about him, and a right to damages for injury from inaccurate information. There are also provisions for the deletion of information which is inaccurate, or has become irrelevant, or which has reached the date of deletion under the law of the State which supplied the information.

86.  There is nothing to say whether these provisions or those of a future DPFD are to prevail in case of conflict. The Information Commissioner hopes and expects that "the DPFD will provide the lex generalis and the Prüm Convention will provide the lex specialis. Thus the general provisions of the DPFD will apply except where there are more specific provisions [e.g. in relation to logging and recording] in the Prüm Convention." (p 37) This is also the view of Baroness Ashton, the Parliamentary Under-Secretary of State at the Department for Constitutional Affairs who is responsible for data protection. (Q 39)

87.  The EDPS believes that these provisions "offer in substance an appropriate protection", but points out that they are "intended to build on a general framework for data protection that … has not been adopted". He believes (and has stated more than once in his earlier formal Opinions) that the Prüm Decision should build on a general framework of data protection in the third pillar, and should not be adopted before the adoption of a framework on data protection guaranteeing an appropriate level of data protection. But he points out that "in practice legislation facilitating exchange of data is adopted before an adequate level of data protection is guaranteed. This order should be reversed." (p 32) He repeats these views in his latest formal Opinion.[56]

88.  The German Presidency does not share these views. In the press notice reacting to the EDPS' Opinion, it stresses that "incorporating the Prüm Treaty into the EU's legal framework does not depend on first achieving agreement on the proposed data protection framework decision. On the contrary, both the Prüm Treaty and the draft Council Decision to replace the treaty already contain very carefully drafted data protection provisions". The EDPS had indeed said that he felt these provisions had been carefully drafted, but he saw them only as "specific provisions on top of a general framework for data protection".

89.  Mr Faull helpfully reminded the Committee that "[T]he Justice and Home Affairs Council on 14 April 2005 considered how the principle of availability should be implemented and in doing that confirmed that an appropriate system of data protection needed to be put in place". The Commission too thought that "the right way to do that is to adopt the Framework Decision on data protection", and he hoped that "we will have, alongside the Prüm Treaty having become part of law of the European Union, a dedicated data protection system for the third pillar as well." (Q 108)

90.  We share the view that negotiations on the Data Protection Framework Decision, instead of being sidelined, should proceed in parallel with those on the Prüm Decision.

91.  The Government should seize the opportunity to stipulate that they will agree to the Prüm Decision only if other Member States, led by the German Presidency, simultaneously agree to a Framework Decision setting high standards for the protection of data across the third pillar.

92.  If the Presidency wishes other Member States to accept its own views on the exchange of information, it must be prepared to listen to views on how that information is to be safeguarded, and to act on those views.

93.  After months of stalemate in the negotiations on the Framework Decision, the German Presidency came forward in March with a new draft. We are by no means sure that it will prove satisfactory. The Assistant EDPS said that he had "spotted some positive things" about it, but was also worried that it was a text with more general principles than the Commission proposal. As in the case of the Prüm Decision itself, the EDPS has not been consulted on this draft because it is not a formal proposal. (QQ 138-140)

94.  Mr Faull told us he was "confident" that adoption of the Framework Decision was possible under the German Presidency. (Q 108) This would certainly be a momentous achievement—provided of course that the Framework Decision offered adequate safeguards. However we believe it may be optimistic to expect negotiations on a draft DPFD to be concluded in time for agreement by the JHA Council in June. Article 39(1) of the Treaty on European Union requires a minimum of three months for consultation of the European Parliament, and even if the Parliament agreed on a shorter time, the opportunity for scrutiny by national delegations and Parliaments and by the European and national data protection authorities would scarcely be adequate.

95.  Negotiations leading to a satisfactory DPFD which offers adequate safeguards may well therefore last beyond the end of the German Presidency. If, as we hope, they proceed in parallel with those on the Prüm Decision, it follows that the adoption of both instruments may be delayed. Perhaps the Presidency is hoping that agreement on a statement of principles on third pillar data protection will suffice. The Government should strongly resist any such suggestion.

96.  Baroness Ashton has told this Committee more than once that the United Kingdom has high data protection standards which apply to information processed in the law enforcement field. We accept that this country's legislation is stricter than most. But once the principle of availability is fully implemented, Member States will lose the power to control the flow of information to other States, and so lose the power to impose their own standards. The relevant standard becomes that of the Member State with the weakest legislation, offering the least protection.

97.  The Government should try to ensure that United Kingdom data protection standards are replicated across the EU. The only way to achieve this is to adopt for all third pillar measures a Framework Decision which will guarantee those standards for the protection of personal data in all Member States.

98.  We believe that, given the need for unanimity, the negotiations on the Prüm Decision provide an unrivalled opportunity for adopting a data protection regime at the same time as the legislation facilitating data exchange is adopted.

39   Article 34(2) of the Treaty on European Union. Back

40   This Article is reproduced in Appendix 5 to this report. Back

41   "Officers" is the word used in the official English text of the Prüm Treaty and in the text of the Prüm Decision of 6 February. The Article does not feature in the text of 27 February. "Officers" is used as shorthand for "designated officers and other officials": see Article 17(1) of the Decision. Back

42   In Article 25 of the Treaty this reads "…to avert imminent danger to the physical integrity of individuals". There is no difference between the German texts ("Gefahr für Leib oder Leben"). Back

43   Sic: in fact Article 18(5). Back

44   French and Belgian customs officers are already present at the Eurostar terminal of Waterloo station in London, but that of course is by invitation. Back

45   "The provisions of this Article [on police cooperation] shall not preclude present or future bilateral agreements between Contracting Parties with a common border." Back

46   The six types of information had been identified by the Council in Decision 7641/2/05 of 14 April 2005. At the meetings of the Article 36 Committee on 8 December 2005 and 3 February 2006 a majority of Member States opted for a progressive implementation of the principle of availability starting with the exchange of DNA data, and followed by the exchange of fingerprint and vehicle registration data, as well as the other types of information identified by the Council: Document 6259/3/06 of 20 April 2006 from the Presidency to Coreper. For the meaning of "civil registers" see paragraph 14 above. Back

47   See also paragraph 18 above. Back

48   We made a similar recommendation in our report on Human Rights Proofing EU Legislation, where we said: "It is our experience that Third Pillar measures commonly raise issues relating to fundamental rights. We have no doubt that impact assessments are particularly important in respect of such proposals. Indeed the failure of Member States to provide background information and explanations for the measure being proposed makes our own scrutiny work that much more difficult and places a further burden on the Government faced with our requests for clarification. We therefore recommend that Member States should carry out impact assessments before bringing forward any proposal under the Third Pillar. Any such proposal should also be supported by a full explanatory memorandum including a section dealing with fundamental rights." (16th Report, Session 2005-06, HL Paper 67, paragraph 41) Back

49   Regulation (EC) 1987/2006 of 20 December 2006, Article 50 (OJ L 381 of 28 December 2006). Back

50   www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2007/07-04-04_crossborder_cooperation_EN.pdf Back

51   Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L281, 23 November 1995, p 31. Back

52   Document 13413/05 Add 1. Back

53   Behind Closed Doors: the meeting of the G6 interior ministers at Heiligendamm: 40th Report, Session 2005-06, HL Paper 221, Chapter 3, to which we refer in paragraph 32 above; After Heiligendamm:doors ajar at Stratford-upon-Avon: 5th Report, Session 2006-07, HL Paper 32, paragraphs 22-28. Back

54   Schengen Information System II (SIS II): 9th Report, Session 2006-07, HL Paper 49. Back

55   Document 13246/2/06. Back

56   Paragraphs 57-59 of the Opinion. Back