UK: Developments In European Data Protection Law In The Context - Part 1

Last Updated: 15 May 2008
  1. I am going to consider three areas:

    - set the scene with the current balance between privacy rights and the use of data to combat fraud;

    - current developments in relation to data sharing;

    - the effect of these developments for us as fraud litigation practitioners.

  2. My thesis is this: there has been a trend at an EU level in recent years (really kick started by 9/11) but which has gathered pace, to encourage the sharing of information for the purposes of combating fraud and serious crime. We, as practitioners, can take advantage of this trend and get hold of more information now than we ever could before.

Exploring The Effect Across Europe Of The Non-Disclosure Provisions Of The Data Protection Directive 95/46/EC

  1. Starting point: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data 95/46/EC (OJ L281).

When Will The Directive Be Relevant?

  1. FIRST need to dealing with personal data' which means any information relating to a natural person (the data subject') who can be identified, directly or indirectly by reference to the data Art 2(a). So material only relevant to legal persons is not covered by the Directive and all of my remarks can be ignored.

  2. So consider that when ever gathering, consulting, using data about living natural persons, you will fall within the data protection regime.

  3. Bear in mind this definition is subject to different interpretations within the EU. For example in the UK the case of Durant v FSA [2003] EWCA 1746 the Court of Appeal had cause to consider whether a file maintained by the Financial Services Authority in relation to a complaint made to it by Durant in relation to Barclays Bank was personal data. Surprisingly, although the file contained information about Durant's complaint and therefore his financial dealings with Barclays, he court held that it was not personal data':

    Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree.

  4. NEXT - the regime defines the data to which it applies as personal data wholly or partly processed by "automatic means" and data forming, or intended to form, part of a relevant "filing system" - article 3(1).

  5. The relevant filing systems are then defined as "any structured set of personal data which are accessible according to specific criteria" Article 2(c).

  6. Thus the Directive applies to computerised records and paper records if sufficiently structured to satisfy the definition.

How Is The Directive Relevant To Fraud Investigations?

  1. The most significant provisions to the issue of data sharing are the non-disclosure provisions' chief among them:

  2. Article 6(1)(b) data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (where processed' includes disclosure by transmission, dissemination or otherwise making available' Article 2(b)).

  3. Thus the data controller may be restricted in the use that s/he may make of data which was originally collected for a non-investigative purpose. If the disclosure was not contemplated when the data was gathered, and particularly if the data subject was not TOLD that such disclosure might follows and if exemptions do not apply, the disclosure may be unlawful and ultimately the material may lead to admissibility issues.

  4. So: you may not only face difficulty in obtaining data in the first place, but there may even be a possibility that the information has been gathered in breach of the regime and may therefore be inadmissible. Further, once you have it, you will have to comply with the regime.


  1. Article 13(1) allows Member States to adopt legislative measures to restrict the scope of some of the obligations and rights provided by the Directive, when such restrictions constitute a necessary measure to safeguard:

    (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions

    (g) the protection of the data subject or of the rights and freedoms of others.

  2. The obligations and rights which can be restricted under these exemptions are: Art. 6(1) fair and lawful processing' including the need to tell a data subject when you are processing [disclosing] data about them.

    Art. 10 information to be given to data subjects by data controllers' the need to tell a data subject who you are and why you are processing data about them.

    Art. 11(1) information to be provided to data subjects when first recorded by a third party' the need to tell data subjects that you are processing data about them if you get that information from a source other than the data subject themselves.

    Art. 12 subject access requests' the need to respond to a request for details of your processing from a data subject.

    Art. 21 notification register' the need put your details on the central national register of data controllers.

  3. Be aware that these exemptions have been implemented in different ways in EU Member States:

    The Good

    Belgium: implemented the Directive by modifying its pre-existing Data Protection Act 1992. Under the Act processing of personal data relating to a person's criminal behaviour, including suspicions, prosecutions, litigation, convictions, administrative sanctions or security measures is prohibited save in certain circumstances, which include: processing by natural persons or private or public legal persons, as far as necessary for the management of their own litigation.

    The Bad

    Italy: was among the first countries to implement the Directive through Law No. 675 of December 1996; however this law has been replaced by a comprehensive Data Protection Code effective on 1st January 2004 (the Code). The Code distinguishes between their application to public and private bodies. Specific rules apply to judicial data' which may be processed when legally authorised without the consent of the data subject if such processing is in the substantial public interest. Similarly disclosure of data is generally strictly prohibited save when pursuant to law by the police, judicial authorities and other public bodies for purposes relating to the prevention, detection or suppression of offences.

    The Ugly

    Luxembourg: beware! Uniquely failure to comply with the data protection principles (including unauthorised disclosure) amounts to a criminal offence.

  4. So we can see that depending upon how the Directive has been transposed into national legislation, there is scope to ameliorate the effect of the non disclosure provisions.

  5. This is the starting framework, but what of the recent developments that I spoke of at the outset?

Understanding European Approaches To The Balance Between Privacy And Crime Prevention

  1. Article 3(2) provides that the directive shall NOT apply to the processing of personal data:

    in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.

  2. This is reference back to the pillars' established by the Treaty of Maastricht in 1993:

    TEU Article 29

    Without prejudice to the powers of the European Community, the Union's objective shall be to provide citizens with a high level of safety within an area of freedom, security and justice by developing common action among the Member States in the fields of police and judicial cooperation in criminal matters and by preventing and combating racism and xenophobia.

    That objective shall be achieved by preventing and combating crime, organised or otherwise, in particular terrorism, trafficking in persons and offences against children, illicit drug trafficking and illicit arms trafficking, corruption and fraud, through:

    • closer cooperation between police forces, customs authorities and other competent authorities in the Member States, both directly and through the European Police Office (Europol), in accordance with the provisions of Articles 30 and 32,

    • closer cooperation between judicial and other competent authorities of the Member States including cooperation through the European Judicial Cooperation Unit (Eurojust'), in accordance with the provisions of Articles 31 and 32,

    • approximation, where necessary, of rules on criminal matters in the Member States, in accordance with the provisions of Article 31(e).

  3. Article 30(1)(b) provides for common action in the field of police cooperation including "the collection, storage, processing, analysis and exchange of relevant information, including information held by law enforcement services on reports on suspicious financial transactions, in particular through Europol, subject to appropriate provisions on the protection of personal data"

  4. So, in the context of State activity, although the Directive has no application, where is some residual recognition of the part data protection has to play.

  5. Against this backdrop need to know that there are 6 main European data sharing arrangements:

    • the Schengen Information System (SIS) to be replaced by Schengen II border controls and movements of goods and persons

    • the European Police Force (Europol) databases (i) identification, criminal intelligence and conviction information, (ii) working files re witnesses, associations etc to assist investigations (iii) indexing system (outer/inner ring)

    • the Customs Information System (CIS) personal data and information on the movement of prohibited or restricted goods for the purposes of reporting, surveillance, checks etc

    • the Visa Information System (VIS) applications, issue, rejection and cancelled visas including travel information, documentation, photograph and fingerprints

    • Eurojust judicial cooperation database with details of investigations and working files

    • EURODAC - asylum requests and illegal immigrants

  6. There are also separate arrangements for the exchange of information in specific areas such as arrests/warrants.

  7. Although each was established for a specific purpose with, usually, provisions for limited access by third parties or use for other purposes, there are pressures to extend both access to and use of all available data for law enforcement purposes.

Analysing The Principle Of Availability' - The Work Of The Justice & Home Affairs Ministerial Council

  1. It is against this background that the EU has been expanding cooperative effort.

  2. In November 2004 the overall priorities of Freedom, Justice and Security' were advanced through the Hague Programme'. The Hague Programme had ten priorities at its core:

    • fundamental rights and citizenship

    • the fight against terrorism

    • migration management

    • internal borders, external borders and visas

    • a common asylum area

    • integration: the positive impact of migration

    • privacy and security in sharing information

    • the fight against organised crime

    • civil and criminal justice: and effective European area of justice for all

    • Freedom, Security and Justice: sharing responsibility and solidarity

  3. The Hague Programme says that "new technology" must be fully employed and the means of "exchange" of personal data between agencies could be through:

    1. "reciprocal access to... national databases",

    2. "the interoperability of... national databases" (all agencies have access to each others data), and

    3. "direct online access.. to existing central EU databases such as the SIS"

  4. With effect from 1 January 2008 the exchange of such information is now governed by conditions set out below with regard to the "principle of availability", which means that, throughout the Union, a law enforcement officer in one Member State who needs information in order to perform his duties can obtain this from another Member State and that the law enforcement agency in the other Member State which holds this information will make it available for the stated purpose, taking into account the requirement of ongoing investigations in that State.

  5. The Commission was invited to submit proposals and in June 2005 it did so:

    1. Adoption of a legislative instrument on the retention of data processed in connection with the provision of public electronic communication services for the detection, investigation and prosecution of criminal offences.

      Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communication services or of public communication networks (amending Directive 2002/58/EC)

    2. Proposal on the establishment of a principle of availability of law enforcement relevant information.

    3. Proposal on adequate safeguards and effective legal remedies for the transfer of personal data for the purpose of police and judicial cooperation in criminal matters. In October 2005 the Commission presented a proposed Framework Decision on exchange of information under the establishment of the principle of availability, with a parallel proposal on appropriate guarantees and rights of effective remedies for the transfer of personal data processed in the framework of police and judicial cooperation in criminal matters, already mentioned: COM 2005/475

      The proposed Framework Decision includes general rules on the lawfulness of processing of personal data, provisions concerning specific forms of processing (transmission and making available of personal data to the competent authorities of other Member States, further processing, in particular further transmission, of data received from or made available by the competent authorities of other Member States), rights of the data subject, confidentiality and security of processing, judicial remedies, liability, sanctions, supervisory authorities and a working party on the protection of individuals with regard to the processing of personal data for the purpose of the prevention, investigation, detection and prosecution of criminal offences. Particular emphasis was placed on the principle that personal data are only transferred to those third countries and international bodies that ensure an adequate level of protection. The Framework Decision provides for a mechanism aiming at EU wide compliance with this principle.

      The proposal has been back and forth between the Parliament and the Council of Ministers and is still under consideration (last considered by the Council on 8-9 November 2007 in Brussels).

      Pending the lifting of some parliamentary scrutiny reservations, the Council agreed on a general approach on a proposal to ensure a high level of protection for the basic rights and freedoms, and in particular the privacy of individuals, while guaranteeing a high level of public safety when exchanging personal data.

      By setting data protection norms for the first time in the framework of police and financial cooperation in criminal matters, the Council highlighted the importance it attaches to safeguarding of the very basic rights of citizens while at the same time fostering confidence between Member States.

      The text agreed envisages that the exchange of personal data will be supported by clear binding rules enhancing mutual trust between the competent authorities. Relevant information will be protected in a way excluding any obstruction of this cooperation between the Member States while fully respecting the fundamental rights of individuals, in particular the right to privacy and to protection of personal data. Common standards on the confidentiality and security of the processing, on liability and sanctions for unlawful use will contribute to achieving both aims.

      In particular, the text defines the right of access to data, the right to rectification; erasure or blocking, the right to compensation and the right to seek judicial remedies.

      This Framework Decision does not preclude Member States from providing safeguards for the protection of personal data higher than those established in this Framework Decision.

      The file was discussed at the Council meeting of 18 September 2007 and an agreement was reached on the regime for onward transfer on personal data obtained from another Member State to third States. The Council also confirmed the understanding that the text applies to the cross-border exchange of personal data only.

      BUT it remains un-adopted.

    4. Adoption of a proposal for a Framework Decision on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States.

      The Framework Decision on simplifying the exchange of information and intelligence was adopted by the Council on 18 December 2006 (2006/960/JHA).

      The Framework Decision provides

      1. Information and intelligence shall be provided at the request of a competent law enforcement authority, acting in accordance with the powers conferred upon it by national law, conducting a criminal investigation or a criminal intelligence operation.

      2. Member States shall ensure that conditions not stricter than those applicable at national level for providing and requesting information and intelligence are applied for providing information and intelligence to competent law enforcement authorities of other Member States. In particular, a Member State shall not subject the exchange, by its competent law enforcement authority with a competent law enforcement authority of another Member State, of information or intelligence which in an internal procedure may be accessed by the requested competent law enforcement authority without a judicial agreement or authorisation, to such an agreement or authorisation.

    5. Proposal on access by law enforcement to the Visa Information System.

      The Draft Proposal for a Council Decision concerning "access for consultation of the Visa Information System (VIS) by the authorities of Member States responsible for internal security and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences" was presented by the Commission on 24th November 2005. Its adoption is linked to the adoption of the VIS Regulation. Political agreement on this Decision between the European Parliament and the Council was reached in June 2007.

    6. Development of the Europol Information System

    7. Development of links between the SIS II and the Europol information system

    8. Implementation of the principle of availability, concerning the following areas:

      - DNA (postponed to 2006)

      - fingerprints

      - ballistics

      - telephone numbers

      - vehicle registrations

      - civil registers

    9. Communication on enhanced synergies between SIS II, VIS and Eurodac.

    10. Proposal for a general Community architecture on forensic/police databases.

    11. Definition of a policy for a coherent approach on the development of information technology to support the collection, storage, processing, analysis and exchange of information

  6. So significant progress has already been made on the Hague Programme. However, these developments, and their consequences in terms of individual privacy and data protection norms, have not passed without a note of concern

  7. On 14 September 2004 the European Data Protection Commissioners met in Wroclaw, Poland and adopted a Resolution to set up a "joint EU forum on data protection in police and judicial cooperation matters (data protection in the third pillar)". The Resolution says that in contrast to the "first pillar" (economic and social issues) where the Article 29 Working Party is in place, there is no equivalent to cover the "third pillar". The three joint supervisory bodies covering Europol, Schengen and Eurojust have specific mandates and "a broader approach is required to secure a uniform level of data protection safeguards for the whole area of police and judicial cooperation".

  8. The creation of a parallel group to the Article 29 Working Group covering the "third pillar" would fill a gap in the role of data protection commissioners. However, it is only part of the answer as the Opinions of the Article 29 Working Party are often simply ignored by the Council and Commission. European Parliament reports do take notice of the Working Party's Opinions but at present their views on "third pillar" issues are also routinely ignored.

  9. The three supervisory bodies (Europol, Eurojust and Schengen) have submitted evidence to the UK House of Lords Select Committee on the European Union's inquiry into EU counter-terrorism activities. They say that "large quantities of personal data for intelligence and law enforcement agencies" are being processed "in the fight against terrorism and serious crime". Recent proposals involve the: "processing of personal data from different sources on an unprecedented scale".

  10. The retention of communications data and the passing of passenger data to the USA are examples they say of a "new trend involving the collection of information on individuals (and not only suspects)".

  11. The EU supervisory bodies say that the gathering of data on individuals is not isolated to one or two agencies but "involves a huge number of agencies throughout the EU". Their experience in trying to assess the Europol-USA agreement showed that trying to limit the number of agencies who have access to personal data is difficult if not impossible:

    "in the USA some 1,500 authorities on Federal, State and community level are involved in dealing with criminal offences including terrorism".

  12. The exchange of data on the scale proposed: "often involving processing of information on those who are not suspected of any crime" requires, they say, "purpose restriction" (i.e.: that data collected for one purpose cannot be use for another) and supervision to ensure compliance with legal instruments. These limitations do not exist at present.

  13. They conclude that a "specific set of data protection rules for police and intelligence authorities" has to be put in place. There needs to be a common legal basis in every member state - as existing national data protection authorities "have different competencies in the field of law enforcement" - and sufficient funds and staff to ensure they have the capacity to do their work.

  14. Such proposals are not without precedent.

  15. The Council of the European Union (then 15 governments) set up a working party on data protection in the "third pillar" in May 1998. The "Action Plan of the Council and the Commission on how best to implement the provisions of Amsterdam establishing an area of freedom, security and justice" (13844/98) said that data protection issues in the "third pillar" should be: "developed within a two year period" (IV.47(a)). Not until August 2000 was a draft Resolution drawn up by the Working Party, this was revised five times, the last being on 12 April 2001 under the Swedish Presidency of the EU (6316/2/01) when agreement appeared to have been reached and the Article 36 Committee was asked to address outstanding reservations. From this point on there has been silence - and the Working Party was abolished in 2001 when the Council was restructured to "streamline" decision-making.

  16. Mr Franco Frattini, the Commissioner for "Justice, Freedom and Security", addressed the issue at a meeting on the EU Joint Supervisory authorities at a meeting in Brussels on 21 December 2006. He said the Commission was committed to safeguarding "the commitments" to data protection in the Charter and the Treaty and "cooperation with the agencies safeguarding these rights" - and asks the question: "What new balances will it be necessary to find between privacy and security?"

  17. He agreed with the authorities that a new framework was needed, taking "account of the times we are living in". The current lack of "coherence" had led to: "some of the supposed obstacles thrown up by the notion of privacy"

  18. Mr Frattini went on to say that the Tampere Summit (1999) stressed the need for "coherent action to promote access to available databases and information sharing between the authorities concerned" and now the "Hague Programme" had introduced "the principle of availability".

  19. The questions to be tackled include:

    1. "adapting the principles to the objectives pursued, for example, in the case of information sharing the principle set out in the Hague Programme" (i.e.: availability)

    2. "developing special rules governing the transfer of data to third countries and other bodies, incorporating the principle that information received may be passed on with the prior consent of the party forwarding it"

  20. This would mean, under the "principles of availability", that any agency in the EU could agree with the USA that it can pass data on to all the agencies it wants (some 1,500) to use for their own purposes. The "principle of availability" and the "principle that information received may be passed on" utterly undermines any concept of data protection which, as we have seen, requires that data can only be collected for a specific, stated, purpose and cannot be used or added to for any other purpose. Once this principle is breached the rights of the individual (and of privacy) disappear.

The Prüm Treaty

  1. In May 2005, seven Member States (Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain) decided on their own common action for improving cooperation in combating terrorism and serious cross-border crime. They duly signed the Treaty of Prüm. It is not a EU document; it was not negotiated by EU policy-making bodies and there was no consultation with the European Parliament. However, now there is a move to incorporate the Treaty into EU law. A Decision based on the Prüm Treaty can only be adopted unanimously.

  2. The Treaty deals with common action for improving cooperation in combating terrorism and serious cross-border crime, are now attempting to incorporate it into EU law.

  3. Its purpose is to increase the signatories' effectiveness in preventing and investigating terrorism and cross-border crime by greater cooperation. So, for example, the Treaty makes provision for one signatory ("the receiving State") to have access to the automated database of another signatory ("the requested State") to check whether it contains a match for a DNA profile or a fingerprint.

  4. Since the Treaty was signed, eight more Member States have notified their intention to join the Prüm Treaty: Bulgaria, Finland, Italy, Portugal, Romania, Slovakia, Slovenia and Sweden. Article 1(4) of the Treaty requires a proposal to be made for the Treaty to be incorporated into the law of the European Union.

  5. Article 2 requires Member States to open and keep national DNA analysis files for the investigation of criminal offences. The processing of data in those files by a Member State must be done in accordance with the Decision and in compliance with the national law of the processing state.

  6. Article 3 provides that Member States must give any other Member State access to the "reference data" in their DNA files for the purposes of the investigation of a crime. The Member State making the enquiry (the receiving State) is authorised to make an automated search of the requested State's database to see if it contains a DNA profile that matches the profile held in the receiving State's database.

  7. Article 5 provides that, if a match is found, the requested State is to provide the receiving State with personal information about the data subject in accordance with the national law of the requested State.

  8. Article 7 requires that, if it has not got a matching DNA profile for a particular person, the requested State must collect "cellular material" from that person and derive from it the person's DNA profile if the receiving State; specifies the purpose for which the information is required; produces an investigation warrant or suitable statement showing that the legal requirements for collecting the material would be satisfied if the person were present in the receiving state's territory; and under the law of the requested State, the requirements for collecting the material are satisfied.

  9. Articles 8, 9 and 10 make provision about fingerprint data which is similar to the provision in Articles 2, 3 and 5 about DNA data.

  10. Article 12 requires requested States to provide receiving States with access to their vehicle registration data to obtain information about owners, operators and vehicles for the purposes of the prevention or investigation of a crime or the maintenance of public order and security. The receiving State may make a search only in individual cases and only if it has the full chassis number or vehicle registration number. Article 13 requires Member States, either on request or of their own accord, to provide other Member States with non-personal information for the prevention of criminal offences and to maintain public order and security at major events "with a cross-border dimension" and, in particular, sporting events or meetings of the European Council.

  11. Article 14 requires Member States to provide, for the same purposes as in Article 13, personal data about individuals if there is reason to believe that the person will commit a criminal offence or pose a threat to public order and security. Such personal data may be processed only for the purposes for which it is supplied and for the particular event concerned. The information must be deleted once the purposes for which it is supplied have been achieved and, in any event, within a year.

  12. Article 16 authorises Member States, on request or of their own accord, to supply other Member States with specified personal information because there is reason to believe that the data subject will commit terrorist offences. The specified information which may be provided is the data subject's name and date and place of birth and the reason for the belief that the person will commit a terrorist offence. The Member State which supplies the information may attach binding conditions on the use of the data.

  13. Article 17 authorises a Member State to run joint patrols and other joint operations within its territory with other Member States' law enforcement officers in order to maintain public order and security and prevent crime. If its national law allows, the host State may (with the seconding State's consent) confer "executive powers" on the officers seconded to the joint operation.

  14. Article 18 requires Member States to give each other assistance "in connection with mass gatherings and similar major events, and serious accidents, by seeking to prevent criminal offences and maintain public order and security&".

  15. Article 19 allows law enforcement officers seconded to a joint operation in another Member State to wear their national uniforms and, with the consent of the host State, to carry weapons, ammunition and equipment.

  16. Articles 24 to 32 make detailed provision about the processing and protection of information supplied under the Decision. For example, they require that the protection is to be no less than that of Council of Europe Convention 108; and they give the data subject the right to know that information about him is held and the right to damages for injury from incorrect information.

  17. Article 36 authorises the continuation of existing, and the making of new, bilateral or multilateral agreement or arrangements between Member States or between them and third countries "in so far as such agreements or arrangements provide for the objectives of this Decision to be extended or enlarged".

  18. The UK Government has broadly welcomed the proposed Decision as a way to improve practical cooperation between Member States. The provisions on the exchange of information about DNA, fingerprints and vehicle registration are consistent with "the principle of availability", which the Government also supports. It says that the proposal would not give receiving Member States greater access to personal information than is currently available through existing legal assistance arrangements; but the right to make automated searches for a data match ("hit") would allow the police to establish more quickly whether relevant information exists in another Member State. It is said that in Germany and Austria, where parts of the Prüm Treaty are already being implemented, the operation of the DNA and fingerprint provisions has "resulted in hits on a large number of murders, rapes and other serious crimes with a cross-border element".

  19. What is not clear is why the Framework Decision on the exchange of information and intelligence between law enforcement authorities does not make sufficient provision for police cooperation and why the incorporation of the Treaty of Prüm is needed. Nor is it clear whether the draft Data Protection Framework Decision would or would not take precedence over the Treaty of Prüm if it were incorporated into EU law. What would be the position if there were a conflict between the data protection Articles of the two measures? Will provision be made to specify how any such conflicts would be resolved?

Impact Of The Lisbon Treaty

  1. The Reform Treaty was agreed by EU governments in Lisbon on 17-18 October 2007. All EU governments are expected to adopt it by the end of 2008 so that it can come into effect by the time of the European Parliament elections in June 2009. National parliaments will be allowed to "debate" the contents of the Treaty but not to change a "dot or comma - they either have to accept or reject the whole package.

  2. Much play has been made of the fact that "third pillar" police and judicial cooperation is finally to be brought under "normal" EU legislative procedures (immigration and asylum was moved over in 2006). This means the Council and the European Parliament having to jointly agree on new measures replacing "consultation" where the opinion of the parliament was routinely ignored by the Council.

  3. The legal status of the third pillar acquis, some 700-plus measures adopted between 1976-2009 will be preserved (Article 9, Protocol 10) unless they are subsequently amended or replaced. The new powers for the European Court of Justice will not apply to this acquis for five years (i.e.: 2014).

  4. However, under the new structure although there are ten areas covered by the new "ordinary legislative procedure", there are four areas where the EP is only to be "consulted" and four areas where the new (that is, to justice and home affairs issues) concept of "consent" is introduced.

  5. Under the "consent" procedures the Council will act unanimously and the EP will be "asked to "consent" without changing a "dot or comma". The "consent" procedure concerns:

    1. mutual recognition of judicial decisions and approximation of laws where "any other aspects of criminal procedure" can be added (Art 69.e.d);

    2. minimum rules defining offences and sanctions covering ten areas can be extended to "other areas of crime" (Art 69.f.1); and

    3. the creation of a European Prosecutors Office to deal with financial crime but the scope can be extended by "consent" (Art 69.i.4).

  6. One of area which the EP is only to be "consulted" is the highly contentious issue of measures concerning passports, ID cards, residence permits and any other such documents. "Measures concerning" could refer not just to the issuing of documents but the databases on which the personal data, including biometrics are held, data-sharing, data-mining and data protection.

  7. There are also two new bodies are being created concerning "internal security". The first is the Standing Committee on operational cooperation on internal security" (Article 65, known as COSI). There has been a debate as to its composition, is it to be a high-level committee of officials advised by the numerous agencies and bodies or will be latter be simply advisory? Article 65 leaves this open by saying the agencies "may be involved in the proceedings of the committee". What is absolutely clear is that the European Parliament and national parliaments are simply to be "kept informed" on its proceedings, which on past form will be will ensure neither scrutiny or accountability in any meaningful sense.

  8. The second new entity appears in the Treaty in Article 66 which resurrects intergovernmental cooperation between the member states to allow "cooperation and coordination as they deem appropriate between the competent departments of their administrations responsible for safeguarding national security".

  9. That is to say an internal security agency. The EU has long wanted to replace the "Club of Berne", an informal grouping of security and intelligence agencies formed in 1971. Its participants include agencies from the UK, France and Germany. However, it has never been a vehicle for intelligence gathering available to the EU.

  10. There are no provisions set out for scrutiny or accountability and its intergovernmental form access to its proceedings and documents will be highly problematic.

Examining Data Sharing In The UK And The Serious Crime Act 2007

  1. So why are all these developments at an EU level relevant to us as practitioners? The answer is, because of what is happening at a national level. Consider the provisions tucked away in the Serious Crime Act 2007.

  2. The Bill has now become an Act (it received Royal Assent on 30 October 2007), although the parts of the Act I am about to describe are not yet in force. The s68(8) power to specify an anti-fraud organisation came into force on 1 March 2008 (SI 2008/219) and the data matching powers for the National Audit Office comes into force on 6 April 2008 (SI2008/755).

  3. In Part 3 Chapter 1 of the Act , section 68 allows a public authority to disclose information of any kind, for the purpose of preventing fraud, to a specified anti-fraud organisation. The latter is defined as "any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes". Such organisations may also be specified by order made by the Secretary of State and the first promised body will be CIFAS.

  4. Proclaiming itself to be the UK's Fraud Prevention Service', CIFAS is the credit industry's clearing house for information. All the major banks, building societies, mortgage lenders, retail credit suppliers, finance companies, insurance companies, credit card companies and mobile phone suppliers are members of CIFAS. Although it will be the first, it will definitely not be the last; further, there is always scope for the Bill once it becomes an Act (which may not be until this Autumn) to widen the definition.

  5. Whilst the clause speaks of disclosures' by the public authority to the anti-fraud organisation, this is really about allowing membership. The Act provides that such disclosure would not breach any obligation of confidence owed by the public authority, but it must be compliance with the Data Protection Act 1998. Here the section 29 exemption to the non-disclosure provisions applies, which allows disclosures for the purposes of personal data for the purposes of the prevention, detection and prosecution of criminal or tax offences. Thus public bodies will be able to contribute data for those purposes to anti-fraud organisations and also gather data from them.

  6. There are obvious concerns in relation to the security of information disclosed by public authorities, which are in part met by the creation in section 69 of a new offence of disclosing revenue and customs data otherwise than for the purposes of the detection, investigation or prosecution of an offence (an interesting throw back to one of the offences under the original Data Protection Act 1984 which was repealed by the DPA 1998). Such an offence carries a maximum penalty of 12 months imprisonment following summary trial and two years on indictment. However, the real concern is whether it is appropriate for public and private authorities to share data in this way.

  7. The first indication of this policy was the Fraud Review in 2006/2007 - a project design to thoroughly review the Government's response from start to finish: from reporting to sentencing. Apart from the recommendation in relation to CIFAS the other main recommendation of the Fraud Review is now embodied in section 73 which gives effect to schedule 7 to the Act. Schedule 7 amends the Audit Commission Act 1998 to allow the Commission to conduct data matching exercises'. In plain English this allows the Commission to compare sets of data, to see how far they match in order to identify patterns or trends, for the purpose of assisting in the prosecution and detection of fraud. The Commission can require bodies which are subject to audit to provide information to it and a failure on the part of an officer or member of such a body commits a summary offence.

  8. In reality this means that the Audit Commission will have a free hand to obtain and compare data from all sorts of sources. The significant shift away from the current position is that such searches need not have a specific target or suspicion behind them. It is akin to allowing a police officers to enter premises and rummage about in them on the off chance that s/he might fortuitously come across evidence of offending.

  9. Having said that, this power to match data is not entirely new to the Audit Commission, and the Government, through the Fraud Review has realised the benefits of it. Biannually the Audit Commission runs a programme called the National Fraud Initiative (NFI); it takes data from local authorities, payroll records, the NHS, student grants, pensions and other data sets to match records an identify frauds. In 2006 the NFI identified frauds costing the taxpayers £111m.

  10. It is here that one can perhaps see the roots of the desire not only to extend the powers of the Audit Commission but also to spread the practice even more widely.

  11. The provisions of the Act put this programme on a statutory footing and while Schedule 7 restricts data matching for the prevention and detection of fraud, there is provision (in paragraph 32H) to extend the purposes. Amendments to the Bill at report stage explicitly restricted the additional purposes to which data matching could in future be extended to: the prevention and detection of crime (other than fraud); the apprehension and prosecution of offenders; the recovery of debt owing to public bodies.

  12. Among the rights of data subjects under the 1998 Act are those that provide for access to one's own personal data and the right to correct or destroy inaccurate data. While one effect of the Data Protection Act is to achieve a measure of protection of an individual's right to privacy, this is more explicitly provided for by the incorporation, by the Human Rights Act 1998, into UK law of Article 8 of the European Convention on Human Rights (right to respect for private and family life).

  13. Although Article 8 does not explicitly provide that any interference with the right to privacy should be proportionate, the case law of the European Court of Human Rights indicates that a restriction on a freedom guaranteed by the Convention must be "proportionate to the legitimate aim pursued". There would appear to be a weaker implication of proportionality in the "nothing to hide, nothing to fear" proposition one occasionally hears. The Government's green paper, New Powers Against Organised and Financial Crime, the next foreshadowing of this policy, certainly placed some emphasis on the need for data sharing to be proportionate:

    Clearly the public want data sharing to be necessary and proportionate, with particularly confidential material like medical records rightly expected to be treated with special care. But for the majority of data, studies show that the public is most prepared to accept data sharing when this is in order to prevent or detect crime. Too often, however, we are failing to make proper use of the material which is available.

  14. The green paper also referred to perceptions that data protection legislation impedes appropriate sharing of information:

    Whenever problems with data sharing crop up, the assumption is often that there are problems with the Data Protection Act 1998. In practice, we have found no evidence that the Act places genuine obstacles in the way of sensible and proportionate data sharing. Excessive caution about the Act's provisions are a problem, as is the common fear that disclosure will have repercussions. A more significant problem we have identified is with public sector bodies and departments whose underlying powers do, or are perceived to, set unnecessary limits on data sharing within the public sector and beyond.

  15. At face value this might imply that the Bill's provisions in respect of data sharing are relatively modest, doing little more than clarifying a pre-existing legal situation. That this is open to dispute has been evinced in comments by both the Joint Committee on Human Rights and by some contributors during the House of Lords second reading debate.

  16. The Joint Committee on Human Rights considered, among other things, the implications of the information sharing and data matching provisions of the Bill after the end of committee stage. Though some amendments were subsequently made in relation to data matching, the information sharing provisions have remained intact. On information sharing the Joint Committee noted that the power to disclose information was very broad, both in terms of kind and destination. It recommended:

    In light of the above we are concerned that the power of public authorities to share information with anti-fraud organisations is drafted in terms too general to satisfy the requirement in Article 8 ECHR that interferences with the right to respect for private life be sufficiently foreseeable. Unless the law enabling the sharing of information indicates with sufficient clarity the scope and conditions of exercise of the power of disclosure, any interference with the right to respect for private life will not be in accordance with the law and will therefore be in breach of Article 8. We are also concerned by the absence of strong safeguards on the face of the Bill to ensure that the wide power to share personal information about an individual is only exercised in circumstances where it is proportionate to do so.

    In order to make the effect of the new power more foreseeable, and therefore more legally certain, and to make it less likely that the power to share information will be exercised disproportionately, we recommend that the Bill be amended:

    to limit the width of the power, for example by specifying the kind of information which may be disclosed and specifying the categories of people to whom the information may be disclosed in place of the open-ended authorisation of disclosure to any person to whom disclosure happens to be permitted by the arrangements of a particular anti-fraud organisation; and

    to introduce additional safeguards on the face of the Bill, such as defining the threshold for reporting information on suspected fraud (the degree of suspicion that should be required), limiting disclosure so that only information on those suspected of fraud will be shared, prescribing the permissible use of shared information, and providing for individuals to have recourse to compensation if they are unfairly affected by the information held about them.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

This article is part of a series: Click Developments In European Data Protection Law In The Context - Part 2 for the next article.
In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.