(12 years, 7 months ago)
Commons ChamberI do, and I was going to deal with that matter after raising a number of specific points of concern.
I am grateful to the European Scrutiny Committee for its report, which states that
“there is now the possibility of establishing a comprehensive data protection framework ensuring both a high level of protection of individuals’ data in the area of police and judicial cooperation in criminal matters and a smoother exchange of personal data between Member States’ police and judicial authorities, fully respecting the principle of subsidiarity.”
The report then adds:
“The Commission concludes that the practical difficulties encountered by a number of Member States in distinguishing between rules for domestic and cross-border data processing could be solved through a single set of rules covering data processing both at national level and in a cross-border context”.
The aim might be laudable, but the solution appears to say that, in order to avoid confusion, principles of subsidiarity should in fact give way to an overarching system controlled centrally. One consequence of that that the Minister has already alluded to is an extension of the scope of data processing to include domestic processing for the purpose of policing and judicial co-operation. In other words, the directive will regulate the passing of data between purely domestic organisations, such as neighbouring county police forces, and I share the Minister’s concern in raising that.
In the area of data protection, the draft directive is stronger and, I think, should be broadly welcomed. It includes: new rights of access and information for data subjects, such as the identity of the data controller, the purpose of the data processing and the period for which the data will be stored; a right for data subjects directly to demand the erasure of their personal data by the data controller; an obligation on data controllers to inform supervisory authorities and data subjects of data breaches, informing the former within 24 hours of discovery and the latter without undue delay; and an obligation for data controllers or processors to appoint data protection officers. The incorporation of human rights legislation—the Human Rights Act 1998—into UK law by the previous Labour Government has improved the right to privacy and to protection from intrusion into family life, but we still have some way to go.
I agree with everything that my hon. Friend has said so far, but will he look in particular at the issue of Europol and how this exchange of information affects our obligation to it?
I am happy to do that, and I am even happier to note the support from my Back Benchers—the almost unanimous support—[Interruption.] No, 50% might be a better figure.
The key to the balance that I have talked about is the drafting of the directive within very prescribed bounds to restrain the opportunities for data sharing, thus the controls for in-country transfer, to which the Minister has referred, are restricted—if one accepts what the draft directive says. As currently drafted, it covers data transferred between two UK regional police forces with no cross-border elements, but that will apply to the UK only when such processing is pursuant to an EU measure on police or judicial co-operation, and that is indeed what the draft directive states.
I just worry that sometimes the intention is not carried out in practice, and I cite—on a perhaps analogous subject—from the same Guardian article today this note of caution:
“Last week the European parliament ratified plans to allow airline passenger records, including credit card details, for all transatlantic flights between Europe and the US, including in and out of the UK, to be handed over to the US department of homeland security to be stored for 15 years.”
If these proposals are to go ahead, they need to do so in such a way that there are the tightest possible controls on the exchange of data.