The Government is not serious enough about protecting citizens' data when it comes to pan-European data sharing schemes, a parliamentary committee warned today. The Government should back the adoption of a sidelined data protection measure, it said.
The Select Committee on Home Affairs said that the Government was so focused on law enforcement that it was ignoring the need to ensure adequate protection of citizens' personal information.
"We consider that in the area of data protection there is evidence of insufficient political appetite for protective measures as compared to law enforcement ones," said the Committee's just-published Third Report. "We note the Minister's expression of continuing Government support for the Data Protection Framework Decision. However, if proposals for a Framework Decision were to be superseded by the data protection provisions in the Prüm Treaty, we would have serious concerns as to whether these were adequate."
The Prüm Treaty is an agreement between seven European countries on the sharing of police DNA and fingerprint information. Agreed outside of the structures of the European Union, it is regarded as a more lax agreement when it comes to privacy than any which would be agreed within Europe.
There is now a proposal to have the Prüm Treaty adopted as EU policy.
"We note the lack of EU-wide consultation over the contents of the Prüm Treaty, arising from its origins as an agreement between a small group of member states which did not include the UK," said the Committee's report. The Committee said that the Government should pursue a policy of ensuring data protection in matters of justice and home affairs, known as the 'third pillar'.
Such an agreement has been debated, but has floundered as the various parts of EU government could not reach agreement on the proposal.
The Prüm Treaty is based on a 'principle of availability' of police information agreed by its signatories in the aftermath of terrorist bombings in Madrid in 2004. That principle is open to abuse.
"You would certainly hope that every police force in the EU would restrict itself to only searching for very important information where it has legitimate reasons to search," Professor Steve Peers of the University of Essex told the Committee. "But I suspect there is a risk that in some cases some uncontrolled fishing expeditions will take place. That is the risk from the data protection point of view."
The Committee said that the Government should be worried about the problems the Prüm Treaty could cause. "The proposed transposition of the Prüm Treaty into the legal framework of the EU raises serious questions," it said. "The UK has missed out on an opportunity to influence a major European multi-country project from the start. Even more importantly, Prüm sets a worrying precedent whereby a small group of Member States may reach an agreement amongst themselves which then is presented to the wider EU almost as a fait accompli."
The Committee also attacked two high profile examples of wide data sharing that have attracted severe criticism, the sharing of airline passenger name records (PNR) with US authorities and international funds transfer body SWIFT's sharing of European transaction details with US authorities.
"Both the Passenger Name Record and SWIFT cases give cause for serious concern," said the Committee. "We consider that the casual use of data about millions of EU citizens, without adequate safeguards to protect privacy, is an issue of much greater significance than many of the other EU-related matters put to the UK Government and Parliament for consideration.
"We recommend that the Government and the European Commission should prioritise the question of provision of personal information to countries outside the EU as an issue of the greatest practical concern to its citizens. We repeat our earlier recommendation that the Government should seek urgent agreement on a comprehensive EU-wide data protection framework in the third pillar and ensure that specific minimum standards ensuring adequate data protection are agreed for data exchange with third countries," said the Committee.