Information management in the area of freedom, security and justice

This communication provides a transparent presentation of European instruments used to manage personal information for the purposes of law enforcement or migration management. It describes what information is collected, stored or exchanged about citizens, for what purposes and by whom.

ACT

Communication from the Commission to the European Parliament and the Council of 20 July 2010 – Overview of information management in the area of freedom, security and justice [COM(2010) 385 final – Not published in the Official Journal].

SUMMARY

The communication presents an overview of European Union (EU) level instruments that regulate the collection, storage or cross-border exchange of personal data for law enforcement or migration management purposes. It describes the main purpose and structure of these instruments, as well as the types of personal data they cover, the authorities that have access to these data and the rules for data protection and retention. It also sets out the main principles to take into consideration when designing and evaluating such instruments in future.

Instruments in force, under implementation or consideration

The current EU level instruments consist of those that aim to improve the functioning of the Schengen area and the customs union, such as the:

• Schengen Information System (SIS) and the second generation Schengen Information System (SIS II), which is currently under development;
• Eurodac system;
• Visa Information System (VIS);
• directive on the transmission of Advance Passenger Information (API);
• Naples II Convention;
• Customs Information System (CIS) and its Customs File Identification Database (FIDE).

There are also EU level instruments aimed at preventing and combating terrorism and other forms of serious cross-border crime, such as the:

• framework decision on simplifying the exchange of information between law enforcement authorities;
• decision on stepping up cross-border cooperation;
• Data Retention Directive 2006/24/EC;
• framework decisions on taking account of previous convictions in new criminal proceedings and on exchanging information from criminal records, including the European Criminal Records Information System (ECRIS) for the latter;
• Council Decision 2000/642/JHA on exchanging information between EU countries’ Financial Intelligence Units;
• decision on cooperation between Asset Recovery Offices (AROs);
• Cybercrime Alert Platforms.

In addition, EU agencies and bodies have been established to assist EU countries in preventing and combating serious cross-border crime, such as the European Police Office (Europol) and the EU’s Judicial Cooperation Unit (Eurojust).

As to cooperation with non-EU countries to prevent and combat terrorism and other forms of serious transnational crime, the Commission has signed Passenger Name Record (PNR) agreements with the United States, Australia and Canada. However, the European Parliament is critical of the content of these agreements and has, therefore, requested the Commission to renegotiate them. The Commission has also signed an agreement with the United States on the transfer of financial messaging data (EU-US TFTO Agreement).

Instruments envisaged in the Stockholm Programme action plan

In its action plan on the Stockholm Programme, the Commission has committed to presenting in the course of 2011 three legislative proposals:

• a PNR package;
• an Entry/Exit System (EES) for non-EU country nationals entering the Union for stays of a maximum of three months;
• a Registered Travellers Programme (RTP) for simplifying border checks for certain groups of frequent travellers from non-EU countries.

The Stockholm Programme action plan also includes initiatives that the Commission is to study, with a view to presenting a communication on their feasibility:

• an EU Terrorist Finance Tracking Programme (EU TFTP), for facilitating data transfers from the EU to the United States;
• an Electronic System of Travel Authorisations (ESTA), for facilitating the entry of non-EU nationals who are not subject to visa requirements;
• a European Police Record Index System (EPRIS), for facilitating the location of information across the EU by law enforcement officers.

Analysis of instruments

Only six of the above mentioned instruments involve the collection and storage of personal data at EU level: SIS, VIS, Eurodac, CIS, Europol and Eurojust. The other instruments regulate the exchange or transfer of personal information that has been collected at national level. With the exception of SIS and VIS, these instruments have a single purpose. Similarly, the personal information collected may only be used for the single purpose defined by the instrument in question, except for that collected through SIS and VIS.

Access to information from instruments that aim at combating terrorism and serious crime is limited to the police and border control and customs authorities. Access to information from Schengen-related instruments is limited to immigration authorities and, in certain circumstances, to the police and border control and customs authorities. The information flow for centralised instruments is controlled by national interfaces and for decentralised instruments by national contact points or central coordinating units.

Set of core principles for future

There is a need to establish a set of core principles for future policy developments as well as for the evaluation of the current instruments. These should consist of substantive principles, such as:

• the safeguarding of fundamental rights, especially of the right to privacy and personal data protection via “privacy by design”;
• an assessment of the necessity of the new instrument in terms of its impact on an individual’s right to privacy and personal data protection;
• compliance with the principles of subsidiarity and proportionality;
• management of risk via risk profiles.

The set of core principles should also consist of process-oriented principles, such as:

• cost-effectiveness, taking into consideration existing instruments;
• bottom-up policy design, taking into consideration the interests of end-users;
• clear allocation of responsibilities, paying particular attention to governance structures;
• reporting and review obligations to ensure the instruments serve the purposes they were designed for.

Last updated: 22.10.2010