Terrorism and Crime (EUC Report)

My Lords, I am delighted to be able to take part in this important debate this afternoon. It is more important than is apparent from the time slot it has been allocated. That is to pay no disrespect to the authors of the report. I have the highest regard for Sub-Committee F, and, if I may say on a personal basis, for its former chairman, the noble Lord, Lord Wright of Richmond, who often visits us in Brussels in the civil liberties committee. Like him, I have no hesitation in stressing the need for data exchange, both within the European Union and across the Atlantic. We need to overcome bureaucratic obstacles, eliminate turf wars and jealousies and make our legal systems and the safeguards interactive. We need to have effective arrangements to ensure that suspected terrorists and major criminals are apprehended. Therefore, I do not wish anything I say from now on to give grounds to a charge of being soft on terrorism. The problem is that both the Prüm decision and the PNR agreement have run far ahead of data protection safeguards and outwith proper democratic controls. That matters particularly because we are on what I will refer to as a merry-go-round, which is spinning faster and faster in terms of data sharing and the creation of databases. I believe that there is a sort of Ministers’ and officials’ playground in which they are using and abusing the inadequate framework for EU law enforcement efforts. There is a democracy deficit of both Prüm and PNR. MEPs’ views could simply be ignored as we had no co-decision on either, and if you have mere consultation, believe me, it gives you no leverage whatever. On PNR, national Parliaments will be given a take-it or leave-it choice, simply being asked to ratify a concluded agreement. Prüm is a particular scandal. It was negotiated as a simple international treaty, ratified by the Bundestag after a mere half an hour’s debate and then pushed through the Council machinery in Brussels as a German member state initiative to emerge as an EU decision. That is not the way to run a whelk stall. The Government tell us in response to the committee’s proper call to require the Commission to produce an evaluation report for the Council, the European Parliament and national Parliaments, that the Commission will submit a report after four years, but that it will be to the Council only and more detailed provisions will be set out in an implementing decision, which will not be subject to the views of anyone but the member states. That is not democratic. There will be periodic reviews of the PNR agreement by the parties. For the European Union that will be the EU justice commissioner Franco Frattini. The Government say that ““modalities””—that is a Franglais word—““will be mutually agreed””. They claim that the information ““should be disclosed””. I do not think it is good enough to rely on future modalities or some sort of promise that information should be disclosed. My actual experience for the evaluation of the 2004 agreement was that the review report was six months late and MEPs were only allowed restricted access. We were only allowed to go in a room and read the report, not have copies, and it had been redacted—that is, censored—so we never saw the full report. There is also a data protection deficit to both these instruments. When and if we get a data protection framework decision, it will be weak and hardly worth the paper it is written on. The promise was that we would have a high-quality data protection framework, on top of which specific measures appropriate to each instrument could be added. The Government’s response to the committee’s call that Peter Hustinx, the European Data Protection Supervisor, should be regularly consulted in the case of member state initiatives such as Prüm, was that they saw no tangible benefits in such a requirement. Is the real reason that they do not like what he says? Two weeks ago he came to the civil liberties committee of the European Parliament and described the compromise on which there is now political agreement—so it is too late to change anything—as far from satisfactory, a minimum common denominator and unfortunate. He said that the text is neither consistent, effective nor adequate. His main objection is that the scope is limited to the exchange of data—in other words, the data protection safeguards will not cover the collection of data or the processing of data. Prüm is about setting up databases and collecting data. PNR is largely about collection and processing. So to restrict EU data protection rules only to the exchanges of data leaves a big loophole. Peter Hustinx draws attention to other weaknesses, such as purpose limitation and acceptable use; indeed he says it is weaker than the 1981 Council of Europe Convention. So, in over a quarter of a century, the EU has been unable to move further than the Council of Europe. He said that because it had to be agreed unanimously a minority of member states had watered it down because of the veto and the proposal would have looked a lot better under qualified majority voting. He drew attention to the fact that it does not regulate data protection as regards third party agreements already in place, which of course includes the PNR agreement with the US as well as other things, such as the SWIFT agreement on financial data. A cynic would wonder whether the three-year delay in getting the data protection framework decision—we have not quite got it—had some ulterior motive to it. In the mean time you get all these agreements through—Prüm, SWIFT, PNR—and then say, ““Oh heavens, we cannot apply it retrospectively””. I referred to what I call a merry-go-round which is, frankly, becoming out of control. Governments, Ministers and national officials are giving themselves arrogant licence to do what they like and then try to pull the wool over our eyes. If I sound rather harsh and strong, believe me, I am feeling rather fed up about all of this. We are told that measures are justified for anti-terrorism purposes. Then they get extended, as in the example of the PNR and, as the noble Lord, Lord Wright of Richmond, said, to any judicial proceedings or as otherwise required by law. That is potentially huge. The longer retention period under the 2007 PNR agreement will be retrospective to the 2004 and 2006 agreements. That was three and a half; the new one would be seven; after seven, in the so-called dormant period it will only need a senior official from the Department of Homeland Security to authorise the data to be processed again. We were promised a push system three years ago instead of the law enforcement authorities being able to pull the data. Now we are told that January—next month—is the target. We are told that the US unilateral undertakings are binding. Do they take us for fools? How can ““unilateral undertakings”” be binding? As the noble Lord, Lord Wright, says, they tell us that the data elements have been reduced from 34 to 19. This is just a merge of categories—there has been no material reduction in the scope of the information. All we have to do is look at it and read it—we are not illiterate. We were told that the US federal Privacy Act would apply, not by right, but by grace and favour, to the processing of data of EU citizens. Then, the automated targeting system which would process the PNR data was taken outside the scope of the Privacy Act, thereby totally pulling the rug from under that particular promise. My favourite one is the whole basis for the use of PNR for profiling. We could have a good argument—which I do not intend to have now—about whether profiling is useful, what are the civil liberties implications and what safeguards we need. The Government accept that, because they state that the system is, "““an important source of data for risk assessment and intelligence ... through a combination of operational experience, specific intelligence and historical analysis, we can build up pictures of suspect passengers or patterns of travel behaviour. PNR data may then be used to indicate suspect behaviour by enabling the identification of individuals whose travel details share common characteristics with those pre-defined profiles””." So it is a profiling system. Two weeks ago, Commissioner Frattini came to the civil liberties committee and gave a very similar description of the system to be used under the EU PNR system—I do not have time to explain. Until he was blue in the face, he would not accept that it is a profiling system. So we cannot even have a discussion about whether profiling is useful or dangerous because there is no agreement. Member states and the Commission do not have their ducks in a row as to whether we are using a profiling system. I am running out of time, so I really must wind up. I wanted to draw the attention of the House to the dangers of where we are going. Mixing my metaphors, I think that we also have a problem of policy laundering, where one measure is used as a pretext for another. An EU measure is used as the justification for having to do things at national level, such as setting up DNA databases, which Prüm will require. EU-US PNR is the pretext and model for an EU PNR system. We must end the democracy and data protection deficits, and end this out-of-control system. I hope that it will not take a catastrophe such as disk gate or the rendition of Maher Arar, who also testified to the European Parliament Temporary Committee on Extraordinary Rendition, of which I was vice-chair, giving his harrowing tale, to make us realise that we are going in the wrong direction.