Fifteen EU countries have proposed that a treaty governing DNA data sharing signed outside of the structure of the European Union should be adopted as EU policy. The EU's own planned framework on data sharing has not yet been put in place.
Seven countries, not including the UK, have already agreed the Prüm Treaty, which is an agreement to share DNA, fingerprint and vehicle registration data that was signed in the aftermath of bomb attacks in Madrid in 2004. It is not official EU policy and involves only the seven countries which have joined the scheme: Germany, Spain, France, Luxembourg, the Netherlands, Austria and Belgium.
Bulgaria, Slovenia, Italy, Finland, Portugal, Romania, Sweden and Slovakia are now joining those countries in calling for the Treaty to be adopted across Europe.
"The objectives of this Decision, in particular the improvement of information exchange in the European Union, cannot be sufficiently achieved by the member states in isolation owing to the cross-border nature of crime fighting and security issues, and the Member States are forced to rely on one another in these matters, and can therefore be better achieved at European Union level," said the proposal, published two weeks ago in the Official Journal of the EU as a member states' initiative.
The EU itself has yet to implement a planned framework for data protection in police matters, and the German Presidency recently published a proposal for a framework that it hopes will be adopted this year.
EU privacy watchdog the European Data Protection Supervisor has backed the plan, but says that some additional data protection measures are needed.
Data Protection Supervisor Peter Hustinx said that though the Prüm Treaty did have data protection elements, it would need the full EU framework to be in place if citizens were to be properly protected once Prüm was extended across the EU.
"Data protection plays an important role in the Prüm Treaty and the provisions have been carefully drafted," he said. "But they are meant as specific ones, on top of a general framework for data protection, which unfortunately has still not been adopted."
"That framework is needed to give the citizen enough protection, since this decision will make it much easier to exchange DNA and fingerprint data," said Hustinx.
The proposal for extension says that different kinds of information should be treated in different ways, and that more sensitive data can be shared for more limited purposes and with fewer people.
Hustinx also said that potential problems with the proposal are that it does not specify who can be included in the DNA database and does not limit the period for which data can be retained.
The proposed agreement specifies the level of data protection that each country should give to data. "Each Member State shall guarantee a level of protection of personal data in its national law at least equal to that resulting from the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 and its Additional Protocol of 8 November 2001," it said.
"Processing of data supplied by the receiving Member State shall be permitted solely in order to establish whether the compared DNA profiles or dactyloscopic data match, or to prepare and submit a police or judicial request for legal assistance in compliance with national law if those data match," it said.