Breton's firm hosted unlawful copy of EU police data

A confidential document obtained by EUobserver lists years of abuse by UK authorities in the way they handle the Schengen Information System (SIS), an EU-run database used by police to track down undocumented migrants, missing people, stolen property, or suspected criminals.

Although not a member of the passport-free Schengen area, the UK has been granted restricted access since 2015 on the premise it would respect the rules.

Despite this restricted access, the UK carried out over 514 million SIS queries in 2016, the second-highest among all EU states.

A spot check exercise in November 2017 by a team of Schengen experts from EU states and from the European Commission found that the UK had also made a significant number of full or partial copies of the SIS.

"Three of the SIS copies are administered by different private companies in their own premises or in rented premises," notes the report.

Among them is Breton's ATOS, which had allowed IBM to store a partial technical copy of SIS known as Semaphore on its premises.

The copy contained alerts for arrests, checked against inbound and outbound passenger information, supplied by airlines and shipping companies.

"This technical copy is managed by a private contractor IBM in the premises of another private contractor - ATOS," notes the report.

The report says such copies should never be entrusted to third parties like private contractors because it increases the risk it will be leaked, stolen or misused.

Another worry is that the UK-based private contractors not only host the systems but have administrator access rights, which also violates SIS management rules.

ATOS, IBM and the US-Canadian firm CGI all had access to SIS in some shape or form.

The United Kingdom is also a member of the elite intelligence sharing network known as 'Five Eyes', which includes the United States.

The Patriot Act, a counterterrorism law passed in the wake of the September 11 attacks on the World Trade Centre, gave US intelligence and law enforcement agencies wide powers in gaining access to data.

The issue was raised with the UK authorities, who claim neither IBM nor CGI would be obliged to comply with a US request to access the SIS data.

They argued that although IBM operates the service for the UK Home Office, it is the Home Office that owns the hardware and intellectual property rights.

It also says IBM operates services from a data centre, rented by the Home Office, but owned by ATOS.

But companies, under certain US Patriot Act provisions, are also banned from notifying the data subject or the data protection authority in Europe should US authorities request access to the personal details of an EU national.

Asked if the UK had given the European Commission any guarantees that it was not sharing the data with the Americans, EU commissioner for security Julian King remained elusive.

Instead, he said a rolling programme of engagement with member states on how they secure data according to the rules do sometimes raise some issues and some concerns.

"We pursue those concerns with the countries involved. I have to say that those conversations, which remain private, are very effective," he told EUobserver last week (30 October).

ATOS was also asked to comment but forwarded the query to the UK Home Office, which told EUobserver they do not respond to leaked documents.

"The UK has some of the highest levels of data protection safeguards globally and we are fully committed to meeting our legal obligations," said the Home Office spokesperson.

ATOS, in a post publication email, added that they "supply only a secure room within our site on behalf of the client and have no technical access to the (SIS) data whatsoever."

This article was updated on Tuesday (5 November) at 10:40 to add a post-publication statement from Atos.