We have a duty to co-operate with European and other international partners, including the European Commission and other data protection authorities. This co-operation includes:
- sharing information and good practice;
- helping with complaints, investigation and enforcement; and
- working together to improve understanding of data protection law, and produce common positions and guidance where appropriate and necessary.
In the European Union (EU), we co-operate across all areas, including activities related to the internal market; justice, freedom and security; and police and judicial co-operation.
We work with groups established under legislation as well as with groups and initiatives we instigate, or others who aim to promote and improve the data protection framework and its application around the world. As information flows and data sharing are no longer restricted by geographical borders and locations, there is a need to see the data protection framework in a global context and to work with other frameworks and groups around the world to establish agreement and understanding so that we can continue to uphold the rights of citizens and responsibilities of organisations in the legislation.
At European level we are part of the Article 29 Working Party, which is made up of representatives of the 27 EU data protection authorities, plus Norway, Iceland and Liechtenstein, and the European Data Protection Supervisor. The European Data Protection Supervisor oversees the protection of individuals' personal information in the institutions of the European Union. The Europa website has contact details for European data protection authorities.
European law enforcement
There are several law enforcement agencies that operate across the EU. These agencies are set up under specific conventions and regulations at a European level, which include data protection safeguards.
They are not governed by the UK Data Protection Act or data protection laws of other EU countries. The ICO helps to supervise data protection arrangements for these law enforcement agencies to safeguard data protection and uphold privacy rights.
Europol
The European Police Office, or ‘Europol’, is established under the Europol Convention to enable the European Union’s police authorities to co-operate more effectively in combating specific types of serious international crime, including drug trafficking, money forgery, human trafficking, trafficking in radioactive or nuclear substances and child pornography. Because such co-operation involves sharing sensitive information about individuals, a number of data protection safeguards are built into the Convention to ensure that people’s privacy rights will be properly taken into account.
It is important to note that Europol is not an executive police force, it has no prosecution function. Rather it facilitates the exchange of data between members; provides expertise, technical support and advice; generates strategic reports and provides operational analysis in support of Member States’ operations.
Apart from the data and services available to Member States, Europol also provides support to co-operation partners. Co-operation partners currently include Iceland, Norway and the United States of America.
The operations of Europol are supervised by the Europol Joint Supervisory Body (JSB) which ensures it complies with data protection rules. The Europol JSB draws its membership from all of the national data protection authorities, including the Information Commissioner’s Office (ICO). Two of the JSB’s main functions involve examining proposals from Europol to open new Analysis Work Files, and examining proposals from Europol to exchange personal data with overseas law enforcement authorities.
The JSB is also responsible for conducting inspections of Europol in order to determine compliance with the provisions of the Europol Convention. Read the fourth activity report of Joint Supervisory Body of Europol.
As part of its duties to review the Terrorist Financial Tracking Protocol (TFTP) agreement by the EU and US, the Europol JSB undertook an inspection in November 2010 to ensure that all the necessary data protection safeguards were in compliance with the agreement. Europol JSB’s report and some background information is available for further information.
As a follow-up to its recommendations in the first TFTP report, the Europol JSB has undertaken another inspection. You can download JSB Europol’s public statement of these findings and Europol's press statement about the inspection.
Schengen Information System (SIS)
The Schengen Convention 1990 was an attempt to deal with the aim of creating a Europe without internal borders, specifically relating to the free movement of persons within the European Union. At present 25 Member States as well as Norway and Iceland are part of this free travel area. The United Kingdom and Ireland are not yet full members, though they have asked for limited participation as allowed under the Treaty of Amsterdam 1999.
The Schengen Convention applies, among other things, to the areas of visa policy, asylum policy, police co-operation, policy on drugs, and the free movement of persons. An information system, the Schengen Information System (SIS), was established to facilitate the exchange of data in these areas. As the data is of a personal nature, data protection safeguards have been put in place. These safeguards include supervision by the data protection authorities.
SIS
This information system can contain personal data supplied by Member States relating to:
- wanted people or people under police surveillance;
- missing people who should be placed under protection, in particular minors;
- non-EU nationals who are banned from entry to Schengen territory;
- people whose identity is fraudulently used as an alias by other persons; and
- people wanted to answer charges in relation to criminal proceedings.
Member States supply data to the Central SIS (CSIS) in Strasbourg, which then updates the various national systems (NSIS). Only bodies competent in the areas covered by Schengen may have access to the database. These bodies include police, customs, immigration and judiciary.
SIS II
In order to cope with the enlargement of the EU, a new SIS II is being developed. This is planned to have the capacity to deal with the increased membership.
A Joint Supervisory Authority is established under Article 115 of the Schengen Convention. The ICO is represented on this body in an observer capacity.
Customs Information System (CIS)
The Customs Information System was established under the CIS Convention. Its aim is to assist in combating customs related crime by facilitating co-operation between European customs authorities. The abolition of border controls following the formation of the Single Market in 1993 was a motivating factor in developing CIS as a means to combat smuggling.
The centralised Customs Information System located in Brussels can be accessed by Member States and as this involves the processing of personal data, a number of data protection safeguards have been built into the system. The CIS only records data relating to the Customs and Excise area, and the type of personal data is limited to that specified in the Convention.
CIS operates with two separate databases. One relates to matters which are subject to European law, while the second relates to matters which are solely subject to national law. Data held on the CIS may be accessed by the competent authorities in the Member States. However, only the party which has inputted data may correct, amend or delete such data.
A Joint Supervisory Authority is established under the CIS Convention. The JSA is responsible for supervising CIS and consists of representatives from the national authorities, including from the ICO. The JSA can inspect the central CIS database. It also offers advice and can examine issues relating to access requests.
The European Data Protection Supervisor also has a role in supervising use of the CIS by EU institutions. A co-ordinated supervision and co-operation body consisting of JSA members and EDPS ensures that CIS is supervised consistently.
Eurodac
Eurodac is a central database for comparing of fingerprints of asylum seekers. This is consistent with the Dublin Declaration of 1990 which seeks to address the manner in which applications for asylum are dealt with in Member States, in particular to identify people who have made an application in another Member State, or whose application has been rejected by another Member State. This will facilitate the identification of the State properly responsible for dealing with the application.
The Council Regulation which established Eurodac requires that a national supervisory authority exist in each Member State in order to monitor the operation of the system. The ICO is the national supervisory authority for the UK.
At European level, data protection supervision is overseen by the European Data Protection Supervisor. Read the second co-ordinated inspection report of the EURODAC Supervision Co-ordination Group.