The UK has participated in the EU’s Area of Freedom, Security and Justice since its inception. A primary aim has been to increase the capacity of member states’ law enforcement agencies to quickly access up-to-date information and criminal intelligence.
The UK participates in all EU criminal justice information exchange legislation, which includes the Prüm Decisions on access to automated exchange of DNA, fingerprints and vehicle registration (Prüm); the European Criminal Records Information System (ECRIS), the EU Passenger Name Records (PNR); and the police and judicial cooperation aspects of the Schengen Information System (SIS II).
The Swedish Initiative is important, as it simplified the exchange of information and intelligence between law enforcement agencies in different member states. The UK and the EU have both stressed their desire to maintain a close relationship in this area after Brexit and both have published draft texts.
However, with such a short time left until the end of the transition, law enforcement agencies are earnestly preparing for a no deal scenario. What are the differences between a deal and no deal scenario in the context of criminal justice information sharing?
What would a deal look like?
According to the EU’s draft text published in March 2020 the only databases the UK would have full access to, even in a deal scenario, are Prüm and PNR. There is no precedent for a non-EU country to access ECRIS (not even non-EU Schengen countries).
The agreement proposed by the EU does offer some improvements to the European Convention on Mutual Assistance in Criminal Matters 1959 which could be broadly comparable to ECRIS, particularly if the EU would agree to the UK using the current technical platform.
This would mean that whilst the underpinning legislation would alter the manner by which criminal records are exchanged would not. The extent to which the UK would have access to a comparable system in the event of a deal being made on security remains to be seen.
There is also no legal basis in the EU treaties for a non-EU, non-Schengen country to participate in SIS II. Non-EU Schengen countries such Switzerland and Norway can access SIS II but pay into the EU budget, accept the supremacy of the ECJ and incorporate the relevant parts of the Schengen acquis into their domestic law.
The EU draft proposal offers provisions for the exchange of criminal justice information, which are akin to the Swedish Initiative in that states must ensure the conditions for accessing information and intelligence are not stricter than those applicable at domestic level.
However even in a deal scenario information is provided in response to a request rather than through real time access to the databases. There will not be a replacement which mirrors the capabilities of SIS II or the Secure Information Exchange Network Application (SIENA) via Europol. The UK will fall back on the Interpol I-24/7 database as a replacement for SIS II
What would no deal look like?
If the transition period ends without a comprehensive agreement, the UK will lose access to Prüm, PNR, any improvement to the 1959 Convention on criminal record exchange and a replacement for the Swedish Initiative. The UK will also no longer be able to use any personal data it received in the past from the EU.
The ability to obtain personal data from EU partners will be impacted. Transfers from a UK law enforcement agency to EU ones will be covered by a UK transitional data adequacy decision and will be permissible if the transfer is necessary for law enforcement purposes. However, transfers to the UK will become immediately uncertain as the UK will become a ‘third country’ for EU data protection purposes.
Without an EU adequacy decision, UK law enforcement agencies will need to satisfy EU partners that there are adequate data protection safeguards. All EU member states must comply with the transfer provisions of the GDPR and any national data protection law.
UK agencies are being advised by the Information Commissioner’s Office that EU senders of data will probably require a contract or binding legal instrument or find some other way of assessing appropriate safeguards are in place.
The UK is starting from a point of unprecedented alignment with EU data protection rules. However, the UK draft text seeks to agree bespoke data protection provisions with the EU, which would mean cooperation would not depend on data adequacy.
Whether the UK is willing to compromise on this position has yet to be seen. The ECJ, in the Schrems II decision, demonstrated the court is willing to robustly assess adequacy decisions and has the power to strike them down.
The court appears to be requiring a standard of protection close to that of GDPR and has little interest in third country norms. The UK and EU will need to ensure transparency in any data adequacy decision to ensure its ongoing stability.
The EU’s Area of Freedom, Security and Justice is one of shared competence in which either the EU or member states can adopt legal acts. However, even if negotiations were to fail, many aspects of criminal justice cooperation remain an area of competence of the EU.
The Commission launched infringement proceedings against four states for signing an agreement with five Western Balkan countries on the automated exchange of DNA. This demonstrates that member states cannot enter into bilateral agreements which replicate EU databases.
Other areas of bilateral exchange are possible but if they involve personal data exchange, they will fall under the purview of the ECJ and would be doomed to fail without close alignment of the UK to EU data protection.
In the event of no deal, an adequacy decision is very important, and a legal framework which enables the spontaneous sharing of information is vital for public safety and must be a priority for the UK Government.
By Gemma Davies, Associate Professor of Law at Northumbria University.