UK Parliament / Open data

Terrorism and Crime (EUC Report)

My Lords, I, too, have found this a most interesting and important debate. As ever, I am disappointed by the number of noble Lords present, but anyone who has been involved in European Union Sub-Committee reports presented to the House will recognise that this is a similar turnout to most other reports that are read. It is a shame that more Members are not here to listen to what has been a fascinating and important debate. Before I begin, I must declare an interest as a former chair of Sub-Committee F. I well recall the time when that excellent committee looked in horror at the proposals being put in place between the EU and the United States on the exchange of data, which I will address in a moment. Before I get there, I was leafing through some of my back papers on the exchange of data within the EU, which is relevant to this debate. I find that it always pays to keep past papers, no matter how old they are, because they can always be referred to and people can be reminded of what was said at the time. The then-Secretary of State, David Blunkett, so many Home Secretaries ago, in a letter to the noble Lord, Lord Grenfell, the chairman of the Lords European Union Committee, said, "A large quantity of the data held by UK law enforcement authorities is tightly controlled even within the organisation concerned. This may be necessary for a variety of reasons, including privacy/data protection laws, national or personal security concerns, legal or ethical restrictions on the use to which information may be put, or the need to closely protect information during an investigation or pending a trial". That is what Mr Blunkett said on 9 September 2004, and how hollow that statement now looks.
During that inquiry into EU counterterrorism activities, the evidence we received from the Joint Supervisory Authority incorporating Europol, Eurojust, Schengen and Customs, also dated in September 2004, stated, "In addition to the right to respect for private and family life guaranteed by Article 8 of the ECHR and reaffirmed by Article 7 of the Charter of Fundamental Rights of the European Union, the new fundamental right to data protection is enshrined in Article 8 of the Charter. The draft Treaty Establishing a Constitution for Europe that includes the Charter, also guarantees in Article 1-51 the right to data protection and states that compliance with data protection rules shall be subject to the control of an independent authority". I wonder whether the independent authority was consulted in either of the reports that we are discussing today. I turn to the specifics. Especially on Prüm, of course we recognise the real value of the exchange of information between states in fighting terrorism and serious international crime. Most noble Lords have referred to that. The noble Lord, Lord Wright of Richmond, in his opening, said that while accepting the exchange of information was critical in the fight against serious crime and terrorism—a point addressed also by my noble friend Lady Ludford and the noble Lord, Lord Marlesford, there was no consultation, no estimate of costs, no impact assessment and so on. We must work closely with our international partners to ensure that those dangerous and serious criminals and terrorists who seek to threaten the UK and its citizens are prevented from doing so. However, our concerns are not about the intention of the Prüm treaty but about the way in which it is being implemented. In that we agree with the concerns raised by the EU committee. The treaty of Prüm, as we have heard, was negotiated and signed without any parliamentary oversight.
The intergovernmental nature of co-operation in the field of security in the EU inhibits democratic checks where a treaty is presented, already negotiated, for ratification or rejection. Changes are not permitted. In addition, transposing the provisions of the treaty of Prüm into EU law through council decision will leave the European Parliament, whose rapporteur is still to be appointed, with the simple consultation procedure. Is that the appropriate way to proceed with such a treaty when we are dealing with sensitive personal data? I do not think so, and my noble friend Lady Ludford suggested that we are going too fast properly to scrutinise EU law enforcement efforts. She referred to Prüm as a particular scandal and not the way to run a whelk stall. She said that it was a merry-go-round out of control and that periodic reviews are simply not good enough. We are very uneasy about how the security of such data can be protected when an exchange is taking place. We very much share the committee’s concerns in paragraphs 81 to 98, where it recommends that negotiations on the data protection framework decision, instead of being sidelined, should proceed in parallel with those on the Prüm decision. What are the Government doing to ensure that the very high standards of data protection that the UK has applied to information processed in the law enforcement field are replicated across the EU? I thank the Government for their response to the recommendation in paragraph 102, in which the committee states: "The threshold for holding DNA profiles on the United Kingdom DNA database is far lower than in any other Member State, and the proportion of the population on the database correspondingly far higher. The Government should as a matter of urgency examine the implications of DNA exchanges for those on the United Kingdom database". I understand that there are roughly 4 million hits on the database at present.
This worried me and I thank the Government for stating in their response: "The UK (as with other Member States) will decide which profiles on the national database should be exposed to search requests from other member states. There need be no assumption that all profiles would be searched routinely under Prüm". Can the Minister inform the House how the decision will be made about which profiles will be available for a search request? Will this be done, for instance, by type of crime or by sentence imposed? Will the DNA of those who have been arrested but not charged be available for searching? Will there be any parliamentary oversight of such decisions? The EU-US Passenger Name Record Agreement is equally of great concern to us, as every noble Lord reminded us. Since the EU committee’s report was published, a new agreement has been put in place, which seems to put EU citizens in a substantively worse position than under the 2004 agreement. As we have heard, the retention period has been extended from 3.5 to 15 years. The data will first be held in active analytical databases for seven years. The Department of Homeland Security will then move the data to "dormant" status and has stated that it "expects" to erase it after 15 years, although that expiration will be subject to further discussions. There will be greater data sharing across US agencies and with third countries. There is a weak legal mechanism for EU citizens to challenge misuse of their personal information. The data can be used, "where the life of a data subject or of others could be imperilled or seriously impaired". So this use is not restricted just to terrorism or serious crime. The agreements have ignored a number of questions. What data mining will occur? Rarely has there been much consideration of how these data are being put to use by the US Government. Why are all these data important and how are they being processed?
The disclosures regarding the profiling system ATS raised more concerns in the US than they appear to have done within the EU, despite the fact that it leaves us to question whether the US is abiding by the agreements at all, while it implements secret risk assessment systems. How legally binding are these agreements? They do not hold the status of treaties within US law, and because they are not ratified by the US Senate, do not become binding US law. Any promises made in the agreements regarding granting legal rights to EU citizens are not truly actionable. What about data from other sources? While major carriers have their own reservation systems, reservation systems are also outsourced or run by third parties. There are global reservation systems such as Galileo, Sabre and others, which are not within the remit of the agreement, because the agreement applies only to carriers’ databases. The computerised reservation systems—CRS—will permit broad access by US authorities to data regarding citizens from around the world without any restrictions, because many of the companies are based in the US or have databases within US jurisdiction. Similarly, EU citizens flying on any US-based airline, even from EU airports, have less control over their personal information, as those transfers are not governed by the agreements. When I was travelling here in a taxi this afternoon, I was telling the driver about the debate in which I was about to speak, and I told her how difficult these arrangements are. I asked her whether she was aware that information on her would be picked up very quickly and known about if she decided to fly to the United States; and she was absolutely horrified. She asked, "Why haven’t we heard about it?". I ask the same question, because the majority of British citizens have no idea what is being held on them.
Both reports raise a number of general concerns in relation to the mechanisms whereby the Prüm treaty and the EU-US PNR agreement came into effect. There is a distinct lack of democratic oversight and parliamentary scrutiny, as many noble Lords have said, in regard to both. There have been insufficient opportunities for national parliaments to exercise any influence over the negotiations or to propose any modifications. Most worrying is the seeming lack of protection of the personal data that are to be transferred and the lack of any remedies for citizens. Finally, how are we expected to believe that the Government, which cannot even protect the data of their citizens when they are being transferred between HMRC and the National Audit Office, as other noble Lords have said, have adequate procedures in place to protect personal data when they are being transferred to another country?
Type: Proceeding contribution
Reference: 696 c1907-10
Session: 2007-08
Chamber / Committee: House of Lords chamber