07 August 2018
UK-EU: Schengen data fiasco
- UK responsible for "very serious deficiencies" in its use of SIS
"the Presidency invites the delegations to confirm on 3 September 2018 (Working Party for Schengen Matters (Schengen Evaluations)) that the evaluation process should continue. On this basis, the Presidency will suggest that Coreper recommends, as a I/A-item, that the Council invite the Commission to present a proposal for a Council Implementing Decision setting out a recommendation to address the very serious deficiencies identified in the evaluation of the United Kingdom in view of fulfilling the conditions necessary for the application of the Schengen acquis in the field of the Schengen Information System, pursuant to Article 15 of Regulation (EU) No 1053/2013."
Timeline leading to this conclusion
On 15 February 2015 the Council adopted a Council Implementing Decision:
"which allowed, on a provisional basis for evaluation purposes, for non-border SIS data to be made available to the UK and provided that the UK could enter data in the SIS.
A successful outcome of the evaluation was set as a pre-condition for the final putting into effect of the relevant SIS provisions in the UK."
The evaluation took place on 7-13 June 2015 and:
"concluded that the UK had only
partially implemented the Schengen acquis related to
SIS and that a further visit is necessary in order to complete the evaluation satisfactorily."
On 8-9 October 2015 the Council called for a further valuation visit, however, the legal basis changed at the beginning of 2016 and a new evaluation took place on 5 to 10 November 2017. The ensuing report was adopted by the Council on 16 May 2018 which found that:
"The Working Party for Schengen Matters (Schengen Evaluations) discussed the report at its meeting of 19 June 2018. The Commission presented the main findings of the report, underlining that non-compliances identified in the 2015 report have not been remedied and identifying four main categories of non-compliances: lack of reciprocity and mutual recognition; risk to the integrity and security of the SIS data; selective approach to SIS data; and outdated IT infrastructure, which is non-compliant with SIS requirements. The Commission concluded that the report identified very serious deficiencies and asked for guidance from the Council as to the follow-up to be given to the report."
The views of Member States were asked for and:
"results from the positions expressed by a large number of delegations that the best way forward is to continue the evaluation procedure."
This lead to the conclusion set out at the beginning.
EUobserver reported: UK unlawfully copying data from EU police system (25.5.18)
EUobserver found that the UK had illegally copies classified information and shared it with US companies. A "Restricted" document seen by EUobserver listed years by UK agencies is quoted in the the story:
"The 29-page document, drafted by Schengen experts from EU states and from the European Commission, said the UK violations" and cites the document as follows:
"constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects."[emphasis added throughout]
"that some major deficiencies in the legal, operational, and technical implementation of SIS identified during the evaluation of 2015 were not effectively remedied and still persist."
The story says
The UK has made numerous full and partial copies of SIS, increasing the risk of data breach and of having it unlawfully shared with other authorities around the world.
SIS contains information on nearly 500,000 non-EU citizens denied entry into Europe, as well as over 100,000 missing people, and some 36,000 criminal suspects. The Brits alone are said to have run some 539 million SIS checks last year. (...)
Some of these copies were unlawfully stored on back-up laptops at airports and ports. Other copies were held at government offices. Other still were held by private contractors like CGI, a US-Canadian company, as well as IBM and ATOS, which were hired by the UK government to run the systems.
CGI now manages a SIS copy that included photographs, fingerprints and European Arrest Warrants. IBM manages a copy used by the UK's national border targeting centre as a service for the UK Home Office, which it then stores at a data centre owned by ATOS."
And citing the document:
"Entrusting the management of the SIS technical copies to private contractors poses increased risks in terms of physical and logical data security, especially since the private contractors in the UK are not only hosting the systems but also implement changes to the system," the EU experts' report noted.
The EUobserver story continues:
US companies holding such sensitive data may also be required to hand it over to the US government given demands by the USA Patriot Act, warned the EU document. (...)
Meanwhile, the UK was using partial
SIS data with a variety of national systems.
These included the Warning Index, which cross-references incoming travellers against national lists of known criminals and terrorists.
The Warning Index is held and managed by Fujitsu, a private contractor, on behalf of the UK Home Office, and is running at six UK airports.
The index is also one of the biggest violators of the SIS data and "constitutes an unlawful copying of SIS data", the EU report said.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.