Terrorism and Crime (EUC Report)

My Lords, a number of important points have been made in this debate on the two excellent reports from the committee chaired by the noble Lord, Lord Wright, who taught me much of the craft of diplomacy and negotiation that I learnt in the Foreign Office. He is a master practitioner. I am sure that the House would agree with the aim of both agreements, which is to improve cross-border co-operation in combating terrorism, serious border crime and illegal immigration, in the case of the Prüm agreement and, in the case of the passenger name record agreement between the United States and the EU, to combat terrorism. The question is whether the agreements fulfil their stated aims on acceptable conditions. Like the noble Lord, Lord Wright, and other speakers, I find in that respect that I have to be rather critical. I shall take the PNR agreement first. Before I get to the substantive point, I echo the comments that have been made by a number of speakers to the effect that it is a pity, to put it mildly, that the Government’s response to a report published in May came out only in October, almost five months after the report and two months after the agreement reported on had been struck. That obviously means that we are debating a report and a response after the point at which they can have any effect on the outcome. Moreover, a substantial number of the committee’s recommendations have been ignored in the final outcome, and that is a poor outcome for parliamentary scrutiny. All of this is against the background of an unsatisfactory negotiation with the United States involving a unilateral interpretative letter from the Americans. I entirely concur with what my noble friend Lord Marlesford said about the public interest being the loser in this respect. On the substance of the issue, it is clear that there are many advantages to allowing the intelligence services of the United States to have access to certain information about people travelling to their country. My party supports such mutual help, provided that there are safeguards. Indeed, on this side of the House we would argue strongly that the United Kingdom would be better protected and more able to manage immigration if the Government took the importance of border protection as seriously as the United States. It is imperative to have real-time information about movement across our borders, so that at any time it will be possible to know and how many people are in our territory and jurisdiction and who they are. There is obviously no quarrel there about the aims, but we need safeguards. In his reply, could the Minister say how relevant and successful the agreement with the United States has been in its proclaimed aim of combating terrorism? The committee expressed some anxiety that there was very little evidence on this point. Obviously, there may be a need for confidentiality, but it would be of interest to know whether such systems, which increase public and private-sector costs, are really effective in meeting their proclaimed objectives. We should not be frightened of reducing bureaucratic burdens if they turn out not to be fit for purpose or proportionate. Protection of personal data is another area where public authorities need to be conscious of their duties to the owners of the data—in this case, airline passengers. It is very easy for the state in its various guises to treat information about people’s identities as if it belonged to the state and not to the real owner, the individual. Now that personal data passes from airlines to US Customs and Border Protection within the Department of Homeland Security and the Transportation Security Administration, there must be an increased danger that the information may in practice be used for purposes for which it was not initially given. Can the Minister say if any regular monitoring procedures will be in place to ensure proper use of data and effective protection thereof? This is not an idle consideration. Many UK citizens are going to be caught in this net. This is a real cause for concern on the part of ordinary citizens as more than 2 million Britons travel to the United States annually. In their response to the committee’s report the Government said that, "““the retention periods negotiated under the new Agreement will also apply to data collected under the 2004 and 2006 Agreements””." As the noble Baroness, Lady Ludford, noted, given that the new agreement doubles the previous retention period, from 3.5 to seven years and adds on a further eight years of dormant, non-operational retention, can the Minister explain what has changed fundamentally since 2004 to require this long period of retention? Why is this necessary? To what purposes might this vast quantity of data possibly be put? I will posit one uncomfortable possibility. According to the Government’s response to the committee, PNR may be used, "““for the protection of vital interests of the data subject of other persons, or in any criminal judicial proceedings””." Could the Minister explain the purport of this apparently vast let-out provision on potential use? Who is to judge the need for such use? Would British authorities be consulted in such cases? Indeed, would the UK authorities be informed? What would the data subject be allowed to know about the decision to protect their vital interests or those of other persons? Indeed, the PNR having been put in place in the name of combating terrorism, here is a provision which would permit, in an apparently wholly uncircumscribed way, the use of information given for this purpose to be used in any—I repeat, any— criminal proceedings. The committee requested that there should be safeguards to ensure that the data were not used for general law enforcement purposes. Would the Minister respond on that important point? On this side of the House, our anxieties on that point are increased by the quantity of data demanded of travellers under the PNR. Anybody who has filled in the forms knows that they are quite intrusive and reach into personal and financial matters. Can the Minister please clarify the meaning of the quantity of data elements that are to be exchanged? The original agreement allowed for 34 types to be collected. The new agreement ostensibly reduces that to 19, but the Government’s response to the Committee’s report states that the number has been reduced as a result of: "““merging of a number of data elements that cover the same type of information””." As the noble Baroness, Lady Ludford, remarked, that sounds less like a reduction in the amount of data that has to be given, than a recategorisation thereof; that is to say, bigger data groups. No doubt the Minister will inform us if another interpretation is possible. The second of the reports under discussion today deals with the Council of Ministers’ decision based on the Prüm treaty concerning cross-border data exchange in three areas—DNA profiles, fingerprints and certain vehicle registration data—with the aim of combating terrorism, serious border crime and illegal immigration. The Conservative Benches are evidently not against such mutual assistance as a matter of principle, but the safeguards that apply at home to data protection—which, in our view, are in any case weak in implementation if not in concept—need to be present to safeguard much wider exchange across borders, where the risks increase. We do not believe that these safeguards are in place. As with the PNR agreement, the Government had at their disposal the Committee’s report before they gave their agreement last summer to the Council decision. Despite that, as many noble Lords who have spoken in this debate have noticed, a considerable number of the points it made—some of them significant—have not been taken up or reflected in the outcome. On the plus side, we on these Benches congratulate the Government on their success in removing provisions concerning the unauthorised entry of officials of one state into another. Against this, it is generally disappointing that more notice was not taken by the Government of the report. I share the view expressed by many speakers and I believe that the Government could have applied more leverage, given the need for unanimity to adopt the decision. Procedure is important. Noble Lords have noted the strong desirability of proper information provided alongside proposals, including impact assessments in particular. The Conservative Benches consider that, whatever the formal position in relation to initiatives taken by member states as distinct from the Commission, Her Majesty’s Government will be serving the public interest in pressing for that rather than excusing failure to follow good practice. Rushing legislation through in the name of protection of the safety of society—and I fear that is what happened—shows a disregard for the rights of the citizen in respect of other protections to which individuals are entitled, including their privacy and the protection of their data. It would have been a sign of seriousness of intent in this regard if the Government had accepted the Committee's proposed condition that member states be obliged to consult the European Data Protection Supervisor on initiatives with data protection implications. As others have noticed, the Government commented in their reply that they saw no tangible benefits in that. I hope the day does not come when they have cause to rue this view. Given the increased powers which the UK Information Commissioner now—at last—has had to be given by the Government as a result of the latest data losses in government, one might have thought that the obligation to consult the data supervisor would be seen as a useful protection for the Government and a potent means of forcing up other countries’ standards of data protection nearer to those already obtained in the UK. In his opinion, the European Data Protection Supervisor made a number of critical comments on that decision. If the Government are not disposed to listen to the committee of this House, perhaps they will take the views of the European Data Protection Supervisor seriously. He complains of ambiguity in the purposes of collection and exchange. He queries the scheme’s proportionality, the failure properly to assess the value of data exchange so far and its relevance to wider exchange among all member states. He noted that some of the procedures governing handover by national authorities of data, on which HMG apparently intend to rely for protection, constitute derogations from the principle of availability. He does not say that this is wrong, but one is bound to wonder how long it will be before such reliance is challenged and the safeguards dependent on it weakened. What would then happen to the UK citizen’s right to receive protection from UK courts? The European Data Protection Supervisor states categorically that the lack of a harmonised legal framework for data protection, which he considers a sine qua non of cross-border data exchange on this potential scale, is a serious shortcoming. The Government, on the other hand, state in their reply that they do not consider it necessary to complete work on a data framework before proceeding. One wonders about the prudence of this. The committee makes the same recommendation. The Government ought to be listening to such experts and to Parliament, and take their advice seriously instead of waiting until they have another data accident. How many more do the Government want? Finally, like the noble Lord, Lord Jopling, I am concerned about the UK situation. We have over 3 million entries on the police database—more than all other member states put together. On this database there are details of convicted criminals, people arrested but never convicted and volunteered samples of otherwise totally uninvolved people. It is, of course, open to question whether this should be the case but, for now, it is. The comparable German register contains the names of convicted criminals only. Here is a big information mismatch. Secondly, the protections are different. Not surprisingly, and perfectly reasonably, the German protections are lower. Relying entirely on national practice, and in a situation where there is an obligation on the state receiving a request for data to follow it up, can the House be confident that there will never be a case of information about a UK national improperly and unnecessarily crossing borders and/or being improperly released, thus rendering such data exchange open to challenge—quite apart from the damage that it might do to the individual concerned? I, for one, would not be so confident. It is surely unwise of the Government not to accept the need for national systems and practices in data protection and security to be made more compatible, if not fully aligned, before extending obligations in this field. At the very least, data on a database should be carefully categorised. The noble Baroness, Lady Harris, made some pertinent points on this. It would also be reassuring to know that, when a data file is handed over, there was a definite time limit on the retention of that data file by the third-party country; this point is obscure. What can the Minister tell us about these various issues which will help quieten well founded anxieties on these various scores? Moreover, rushing this decision has meant that the committee's recommendation that there should be a reliable estimate of start-up costs before incorporation into EU law has been neglected, despite the European data supervisor taking the same view. Along with being willing to take risks with our personal information, the Government seem willing potentially to get into a financial muddle. They say they have an estimate: £31 million, including running costs for the first year. They stress, however, that this is just an estimate and that a feasibility study will follow. I suggest that it is normal do a feasibility study beforehand; £31 million is not a trivial sum and, given the history of undercostings and expenditure overruns in the public sector, I fear that the House is entitled to view this figure with considerable scepticism. Can the Minister give more detail which might increase our confidence in the accuracy of this figure and the value for money that it may represent? The Government say that the public benefit deriving from the high cost will be justified. What is the evidence? Illustrations from Prüm have been cited as examples but as the noble Lord, Lord Jopling, has noted, it is open to question whether, when the backlog of crimes has been cleared, the ““hit”” system will make a yield which is nearly so fruitful. Can the Minister give us more detail on the Government’s realistic expectations on the cost benefit of this measure and the increases in crime detection that are actually likely to occur? Many of the concerns of the committee, which are shared on these Benches, involve aspects of data protection—the circumstances in which data may be handed over, the uses to which they may be put and the protection their storage and retention will be given. In this area there are now an alarming number of loose ends. On these Benches we hope that the Government will in subsequent negotiation pursue these important points and be willing to report further to the House on progress in establishing effective EU-wide rules of a sufficiently high standard. As I have said, the Conservatives welcome much of this agreement but the important questions raised on all sides of the House need to be answered to ensure greater clarity and public confidence, especially at a time when data security is so prominent in the public’s mind. Confidence in this Government’s record in this area is at present low, so I hope the Minister will be able to give some information which will go some way to restoring it.