29.12.2010   

EN

Official Journal of the European Union

C 355/16

1.

On 20 July 2010, the Commission adopted a Communication entitled ‘Overview of information management in the area of freedom, security and justice’ (hereinafter the ‘Communication’) (3). The Communication was sent to the EDPS for consultation.

2.

The EDPS welcomes the fact that he was consulted by the Commission. Already before the adoption of the Communication, the EDPS was given the possibility to give informal comments. Many of these comments have been taken into account in the final version of the document.

3.

The EDPS welcomes the objective of the Communication which is to provide ‘for the first time, a full overview of the EU-level measures in place, under implementation or consideration that regulate the collection, storage or cross-border exchange of personal information for the purpose of law enforcement and migration management’ (4). The aim of the document is also to provide citizens with an overview of what information is collected, stored and exchanged about them, for what purpose and by whom. Moreover, according to the Commission, the Communication should also serve as a transparent reference tool for all stakeholders who wish to take part in a debate about the future direction of the EU policy in this area. Thus it should contribute to an informed policy dialogue with all stakeholders.

4.

In concrete terms, the Communication mentions that it aims to clarify the main purpose of the instruments, their structure, the types of personal data they cover, ‘the list of authorities with access to such data’ (5) and the provisions on data protection and data retention. In addition, Annex I contains a limited number of examples illustrating how these instruments operate in practice.

5.

Furthermore, the document sets out the broad principles (‘Substantive principles’ and ‘Process-oriented principles’) that the Commission intends to follow in the future development of instruments for data collection, storage and exchange. Under ‘Substantive principles’, the Communication lists such principles as safeguarding fundamental rights, in particular the right to privacy and data protection, necessity, subsidiarity and accurate risk management. ‘Process-oriented principles’ include cost-effectiveness, bottom-up policy design, clear allocation of responsibilities, and review and sunset clauses.

6.

These principles, according to the Communication, will be used when evaluating existing instruments. Adopting such a principled approach to policy development and evaluation should, in the Commission's view, enhance the coherence and effectiveness of current and future instruments in a way that fully respects citizens’ fundamental rights.

7.

The EDPS notes that the Communication is an important document that gives a comprehensive overview of the existing and (possible) future instruments for information exchange in the area of freedom, security and justice. It contains an elaboration of the Chapters 4.2.2 (Managing the flow of information) and 5.1 (Integrated management of the external borders) of the Stockholm programme (6). It will play an important role in the future development of this area. It is for this reason that the EDPS deems it useful to comment on the different elements of the Communication, despite the fact that the text of the Communication itself will not be changed.

8.

The EDPS intends to provide a few additional notions that in his view have to be taken into account in the further development of the area of freedom, security and justice. This opinion specifies a number of notions that have been provided earlier in the EDPS Opinion of 10 July 2009 on the Communication on an area of freedom, security and justice serving the citizen (7), and in a number of other opinions and comments. It also elaborates on the views presented on earlier occasions. In this context, reference should also be made to the Report on the Future of Privacy, adopted by the Article 29 Working Party and the Working Party on Police and Justice on 1 December 2009. This report, constituting a joint contribution to the consultation of the European Commission on the legal framework for the fundamental rights to protection of personal data, and supported by the EDPS, gave important directions as to the future of data protection, also applicable to the information exchange in the area of police and judicial cooperation in criminal matters.

9.

The EDPS welcomes the Communication as a reply to the call by the European Council (8) for developing EU-level information management instruments in accordance with an EU Information Management Strategy, and for reflecting on a European Information Exchange Model.

10.

Furthermore, the EDPS notes that the Communication should also be read as a response to the Stockholm programme, mentioned earlier on, which calls for coherence and consolidation in developing the information exchange in the field of EU internal security. More precisely, Chapter 4.2.2 of the Stockholm programme invites the European Commission to assess the need for developing a European Information Exchange Model based on the evaluation of the current instruments, including the Prüm framework and the so-called Swedish Framework Decision. These assessments should help to determine whether these instruments function as originally intended and meet the goals of the Information Management Strategy.

11.

Against this background, it is useful to highlight the fact that the Stockholm programme refers to a strong data protection regime as the main prerequisite for the EU Information Management Strategy. This strong emphasis on data protection is fully in line with the Lisbon Treaty which, as mentioned earlier, contains a general provision on data protection giving everyone — including third-country nationals — a right to data protection enforceable before a judge, and obliges the Council and the European Parliament to establish a comprehensive data protection framework.

12.

The EDPS also supports the requirement of the Information Management Strategy that all new legislative measures which would facilitate the storage and exchange of personal data should only be proposed if they are based on concrete evidence of their need. The EDPS has advocated this approach in various opinions on legislative proposals related to the area of freedom, security and justice, e.g. on the Second Generation SIS (9), on law enforcement access to Eurodac (10), on the revision of Eurodac and Dublin Regulations (11), on the commission the communication on Stockholm programme (12) and on PNR (13).

13.

Indeed, the need for assessment of all existing instruments on information exchange before proposing new ones is of essential importance. This is even more important if one considers the fact that the current framework is a complex patchwork of different instruments and systems of which some have only recently been implemented so that their effectiveness could not yet be assessed, some are in the process of implementation and some new ones are still in the legislative pipeline.

14.

This is why the EDPS notes with satisfaction that the Communication makes a clear link with other exercises launched by the Commission in order to take stock and evaluate this area, as follow-up to the Stockholm programme.

15.

In this context, the EDPS welcomes in particular an ‘information mapping’ exercise initiated by the Commission in January 2010 and conducted in close cooperation with an Information Mapping Project Team made up of representatives of EU and EFTA Member States, Europol, Eurojust, Frontex and the EDPS (14). As mentioned in the Communication, the Commission aims to present to the Council and the European Parliament the results of the ‘information mapping’ exercise still in 2010. As the next step, it also aims at presenting a communication on the European Information Exchange Model.

16.

In the EDPS's view, making a clear link between the Communication and the ‘information mapping’ exercise is most welcome, as both are clearly interlinked. It is obviously still early to assess what the outcome of these exercises and, more generally, of the discussions on the European Information Exchange Model will be (so far the ‘mapping exercise’ has only been presented by the Commission as a ‘stock-taking exercise’). The EDPS will continue to follow this work. Moreover, already at this stage, he draws attention to the need to provide for synergies and avoid diverging conclusions of all the exercises undertaken by the Commission in the context of the discussions on the European Information Exchange Model.

17.

Furthermore, the EDPS wishes to refer to the ongoing review of the data protection framework, and more in particular to the intention of the Commission to come up with a comprehensive framework for data protection, including police and judicial cooperation in criminal matters.

18.

With regard to this, the EDPS notes that the Communication refers — under ‘Safeguarding fundamental rights, in particular the right to privacy and personal data protection’ — to Article 16 of the Treaty on the Functioning of the European Union (TFEU) providing a legal basis for the work on such a comprehensive data protection scheme. He also notes in this context that the Communication mentions that it is not analysing specific data protection provisions of the instruments under discussion given that on the basis of the above mentioned Article 16, the Commission is now working on a new comprehensive framework for the protection of personal data in the EU. He hopes that in that context a good overview will be provided of the existing and possibly diverging data protection schemes and that the Commission will base further decision making on this overview.

19.

Last but not least, although the EDPS welcomes the objectives and the main content of the Communication, he also draws attention to the fact that this document should be only considered as a first step in the evaluation process, and that it should be followed by further concrete measures the outcome of which should be a comprehensive, integrated and well-structured EU policy on information exchange and management.

20.

In the text of the Communication, the Commission refers to the purpose limitation principle as ‘a key consideration for most of the instruments covered in this communication’.

21.

The EDPS welcomes the emphasis in the Communication on the purpose limitation principle which requires that the purposes for which personal data are collected should be clearly specified not later than at the time of collection, and that data should not be processed for purposes incompatible with those initial purposes. Any deviation from the purpose limitation principle should constitute an exception and should only be implemented subject to strict conditions and with the necessary safeguards, legal, technical and otherwise.

22.

However, the EDPS regrets that the Communication describes this fundamental data protection principle as a key consideration only ‘for most of the instruments covered in this communication’. Moreover, on page 22 the Communication refers to SIS, SIS II and VIS and mentions ‘that with exception of these centralised information systems, purpose limitation appears to be a core factor in the design of EU-level information management measures’.

23.

This wording might be read as suggesting that this principle has not been a key consideration in all cases and for all systems and instruments related to the exchange of information in the EU. With regard to this, the EDPS notes that exceptions and restrictions to this principle are possible and may be necessary, as is recognised in Article 13 of Directive 95/46/EC and Article 3.2 of Framework Decision 2008/977/JHA (15). However, it is compulsory to ensure that any new instrument relating to information exchange in the EU is proposed and adopted only if the purpose limitation principle has been duly considered and that any possible exceptions and restrictions to this principle are decided on a case-by-case basis and after serious assessment. These considerations are also relevant for SIS, SIS II and VIS.

24.

Any other practice would be contrary to Article 8 of the Charter of Fundamental rights of the Union and to the EU law on data protection (e.g. Directive 95/46/EC, Regulation (EC) No 45/2001 or the Framework Decision 2008/977/JHA) as well as to the jurisprudence of the European Court of Human Rights. Non-respect of the principle of purpose limitation might also lead to so called ‘function creep’ of these systems (16).

25.

The Communication (on page 25) refers to the requirements laid down in the jurisprudence of the European Court of Human Rights relating to the ‘proportionality test’ and it declares that ‘in all future policy proposals, the Commission will assess the initiative's expected impact on individuals’ right to privacy and personal data protection and set out why such an impact is necessary and why the proposed solution is proportionate to the legitimate aim of maintaining internal security within the European Union, preventing crime and managing migration’.

26.

The EDPS welcomes the above cited statements as he has also been insisting on the fact that the respect of proportionality and necessity should be predominant in taking any decisions on the existing and new systems involving collection and exchange of personal data. Looking prospectively, it is also essential for the current reflection on what the EU Information Management Strategy and the European Information Exchange Model should look like.

27.

Against this background, the EDPS welcomes the fact that differently from the wording used by the Commission when referring to the purpose limitation principle (see paras 20-22 of this Opinion), with regard to necessity, the Commission commits itself to assessing all future policy proposals in so far as the impacts on individuals’ right to privacy and personal data are concerned.

28.

Having said that, the EDPS draws attention to the fact that all these requirements regarding proportionality and necessity are derived from the existing EU law (in particular the Charter of Fundamental Rights which is now part of EU primary law) and the well-established jurisprudence of the European Court of Human Rights. In other words, the Communication does not bring in any new elements. Instead, in the EDPS's view, the Communication should not merely repeat these requirements, but should provide for concrete measures and mechanisms which would ensure that both necessity and proportionality are respected and practically implemented in all proposals having impact on individuals’ rights. The Privacy impact assessment, discussed in-paras 38-41 could be a good instrument for this goal. Moreover, this assessment should not only cover the new proposals but also the existing systems and mechanisms.

29.

In addition, the EDPS also takes this opportunity to stress that when considering proportionality and necessity in the EU Information Management Strategy, one should insist on the need for a right balance between data protection, on the one hand, and law enforcement, on the other hand. This balance does not mean that data protection would hamper the use of information necessary to solve a crime. All information that is necessary for this purpose can be used, in accordance with data protection rules (17).

30.

The Stockholm programme requests an objective and comprehensive assessment of all the instruments and systems dealing with the exchange of information in the European Union. Of course, the EDPS fully supports this approach.

31.

The Communication seems, however, not fully balanced. It seems to give priority, at least when it comes to figures and statistics, to those instruments that proved successful over the years and are considered ‘success stories’ (e.g. number of successful hits in SIS and Eurodac). The EDPS does not question the overall success of these systems. However, as an example, he mentions that the activity reports of the Joint Supervisory Authority for SIS (18) reveal that in a non-trivial number of cases, alerts in SIS were outdated, misspelled or wrong, which led (or could have led) to negative consequences for the individuals concerned. Such information is missing in the Communication.

32.

The EDPS would advise the Commission to reconsider the approach taken in the Communication. The EDPS suggests that in the future work on information management also failures and weaknesses of the system are reported — such as, for instance, the number of people wrongly arrested or inconvenienced in any way following a false hit in the system — in order to ensure a fair balance.

33.

For instance, the EDPS suggests that the data on SIS/Sirene hits (Annex 1) are complemented by a reference to the work conducted by the JSA on the reliability and accuracy of the alerts.

34.

Amongst ‘Process-oriented principles’ listed on pages 26-27, the Communication refers to the principle of ‘Clear allocation of responsibilities’, in particular when it comes to the issue of the initial design of governance structures. The Communication refers in this context to the problems with the SIS II project and future responsibilities of the IT Agency.

35.

The EDPS wishes to use this opportunity to stress the importance of the principle of ‘accountability’ which should also be implemented in the field of judicial and police cooperation in criminal matters and play an important role in the conception of the new and more developed EU policy on exchange of data and information management. The principle is currently being discussed in the context of the future of the European data protection framework, as a tool to further induce data controllers to reduce the risk of non-compliance by implementing appropriate mechanisms for effective data protection. Accountability requires that controllers put in place internal mechanisms and control systems that ensure compliance and provide evidence — such as audit reports — to demonstrate compliance to external stakeholders, including supervisory authorities (19). The EDPS has also stressed the need for such measures in his opinions on VIS and SIS II in 2005.

36.

The Commission refers to the concept of ‘Privacy by design’ on page 25 of the Communication (under Substantive principles ‘Safeguarding fundamental rights, in particular the right to privacy and personal data protection’) declaring that ‘when developing new instruments that rely on the use of information technology, the Commission will seek to follow the approach known as “privacy by design”’.

37.

The EDPS welcomes the reference to this concept (20) which is currently developed for both private and public sectors in general, and must also play an important role in the area of police and justice (21).

38.

The EDPS is convinced that this Communication provides a good opportunity to reflect more on what should be meant by a real ‘privacy and data protection impact assessment’ (PIA).

39.

The EDPS notes that neither the general guidelines described in this Communication nor the Commission's Impact Assessment Guidelines (22) specify this aspect and develop it into a policy requirement.

40.

Therefore, the EDPS recommends that for future instruments a more specific and rigorous impact assessment on privacy and data protection is conducted, either as a separate assessment or as part of the general fundamental rights’ impact assessment. Specific indicators and features should be developed to ensure that each proposal having impact on privacy and data protection is subject to thorough consideration. The EDPS also suggests that this issue be part of the ongoing work on the comprehensive data protection framework.

41.

Additionally, it could be helpful in this context to refer to Article 4 of the RFID Recommendation (23) in which the Commission called upon the Member States to ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments. Also the Madrid Resolution, adopted in November 2009 by the International Conference of Privacy and Data Protection Commissioners, encouraged the implementation of PIAs prior to the implementation of new information systems and technologies for the processing of personal data or substantial modifications in existing processing.

42.

The EDPS notes that the Communication does not address specifically the important issue of the data subjects’ rights which constitute a vital element of data protection. It is essential to ensure that across all different systems and instruments dealing with information exchange, the citizens enjoy similar rights relating to how their personal data are processed. Indeed, many of the systems referred to in the Communication establish specific rules on data subjects’ rights, but there is a lot of variation between the systems and instruments, without good justification.

43.

Therefore, the EDPS invites the Commission to look more carefully into the issue of the alignment of data subjects’ rights in the EU in the near future.

44.

Although the Commission refers to the use of biometrics (24), it does not address specifically the current phenomenon of the increased use of biometric data in the area of the exchange of information in the EU, including in the EU large-scale IT systems and other border management tools. The Communication also does not provide any concrete indication as to how the Commission intends to deal in the future with this issue and whether it is working on a comprehensive policy with regard to this growing tendency. This is regrettable given that this matter is of high importance and sensitivity from the perspective of data protection.

45.

Against this background, the EDPS wishes to mention that he has, on many occasions, in various fora and in different opinions (25) emphasised the possible risks linked to the major impacts of the use of biometrics on individuals’ rights. On these occasions, he also suggested the insertion of stringent safeguards for the use of biometrics in particular instruments and systems. The EDPS also drew attention to a problem related to inherent inaccuracies in the collection and comparison of biometric data.

46.

For these reasons, the EDPS takes this opportunity to ask the Commission to develop a clear and strict policy on the use of biometrics in the area of freedom, security and justice based on a serious evaluation and a case-by-case assessment of the need for the use of biometrics, with full respect for such fundamental data protection principles as proportionality, necessity and purpose limitation.

47.

On an earlier occasion (26), the EDPS raised a number of concerns regarding the concept of interoperability. One of the consequences of interoperability of systems is that it could be an incentive to propose new objectives for large scale IT systems which go beyond their original purpose and/or for the use of biometrics as primary key in this field. Specific safeguards and conditions are needed for different kinds of interoperability. The EDPS also stressed in this context that interoperability of the systems must be implemented with due respect for data protection principles and in particular the purpose limitation principle.

48.

Against this background, the EDPS notes that the Communication does not refer specifically to the issue of interoperability of the systems. The EDPS therefore calls on the Commission to develop a policy on this essential aspect of the EU information exchange, which should be part of the evaluation exercise.

49.

The Communication contains a chapter on legislative proposals to be presented by the Commission in the future. Amongst others the document refers to a proposal on a Registered Travellers Programme (RTP) and a proposal relating to an Entry/Exit System (EES). The EDPS would like to make a few remarks on both above mentioned proposals, on which, as the Communication suggests, the Commission has already taken a decision.

50.

As highlighted in point 4 of this Opinion, the Communication aims at presenting ‘a full overview of the EU-level measures (…) that regulate the collection, storage and cross-border exchange of personal information for the purpose of law enforcement and migration management’.

51.

In that context, the EDPS wonders what the final objective of the Registered Travellers Programme will be and how this proposal, currently under consideration by the Commission, will be covered by the purposes of law enforcement and migration management. The Communication states on page 20 that ‘this programme would allow certain groups of frequent travellers from third countries to enter the EU (…) using simplified border checks at automated gates’. Thus, the purpose of the instruments seems to be facilitation of travelling of frequent travellers. These instruments would therefore have no (direct or clear) link with law enforcement and migration management purposes.

52.

When referring to the future EU Entry/Exit System, the Communication (page 20) mentions the problem of ‘overstayers’ and states that this category of people ‘constituted the largest group of irregular migrants in the EU’. The latter argument is presented as the reason why the Commission decided to propose the introduction of an entry/exit system for third-country nationals entering the EU for short stays of up to three months.

53.

In addition, the Communication mentions that ‘the system would record the time and place of entry and length of authorised stay and would transmit automated alerts to the competent authorities identifying individuals as “overstayers”. Based on biometric data verification, it would deploy the same biometric matching system and operational equipment as that used by SIS II and VIS’.

54.

The EDPS considers that it is essential to specify the target group of overstayers with reference to an existing legal definition or supporting it with any reliable figures or statistics. This is even more important given that all calculations regarding the number of ‘overstayers’ within the EU are currently based only on pure estimations. It should also be clarified what measures would be taken towards ‘overstayers’ once they have been identified by the system, given that the EU lacks a clear and comprehensive policy on people who ‘overstay’ on the EU territory.

55.

Moreover, the wording of the Communication suggests that the decision to introduce the system has already been taken by the Commission, whereas at the same time the Communication mentions that the Commission is currently conducting an impact assessment. The EDPS emphasises that a decision to introduce such a complex and privacy-intrusive system should only be taken on the basis of a specific impact assessment providing concrete evidence and information on why such a system is necessary and why alternative solutions based on the existing systems could not be envisaged.

56.

Lastly, the Commission seems to link this future system with the biometric matching system and operational equipment of the SIS II and VIS. However, this is done without referring to the fact that neither SIS II nor VIS have gone live yet and that the exact dates of their entry into operation are unknown at this stage. In other words, the entry/exit system would heavily depend on biometric and operational systems which are not in operation yet, as a result of which their performance and functionalities could not possibly have been subjected to an adequate assessment.

57.

In the context of the initiatives to be studied by the Commission — thus on which the Commission has not taken a final decision — the Communication, based on the requests made in the Stockholm programme, refers to three initiatives: an EU terrorist finance tracking system (equivalent to the US TFTP), an Electronic System of Travel Authorisation (ESTA) and a European Police Records Index System (EPRIS).

58.

The EDPS will follow closely all the developments related to these initiatives and will make comments and suggestions when appropriate.

59.

The EDPS fully supports the Communication which provides for a full overview of the EU information exchange systems both in place and planned in the future. The EDPS has advocated the need for assessment of all existing instruments on information exchange before proposing new ones in numerous opinions and comments.

60.

The EDPS also welcomes the reference in the Communication to the ongoing work on the comprehensive data protection framework on the basis of Article 16 TFEU, which should be taken into account also in the context of the work on the overview of the EU information management.

61.

The EDPS considers this Communication as a first step in the evaluation process. It should be followed by a real assessment the outcome of which should be a comprehensive, integrated and well-structured EU policy on information exchange and management. In that context, the EDPS is happy to see the link made with other exercises launched by the Commission as a reaction to the Stockholm programme, in particular the ‘information mapping’ exercise conducted by the Commission in close cooperation with an Information Mapping Project Team.

62.

The EDPS suggests that in the future, work on information management also deficiencies and weaknesses of the systems are reported and taken into consideration, such as for instance the number of people wrongly arrested or inconvenienced in any way following a false hit in the system.

63.

The purpose limitation principle should be considered a key consideration for all instruments dealing with information exchange in the EU, and new instruments can only be proposed if the purpose limitation principle has been duly considered and respected during their elaboration. This continues to be the case during their implementation.

64.

The EDPS also encourages the Commission to ensure by developing concrete measures and mechanisms, that the principles of necessity and proportionality are respected and practically implemented in all new proposals having impact on individuals’ rights. There is also a need for evaluation of the already existing systems with regard to this matter.

65.

The EDPS is also convinced that this Communication provides an excellent opportunity to launch a discussion on and better specify what is really meant by a ‘privacy and data protection impact assessment’.

66.

He also invites the Commission to develop a more coherent and consistent policy on the prerequisites for use of biometrics, a policy on systems operability and more alignment at the EU level in terms of data subjects rights.

67.

The EDPS also welcomes the reference to the concept of ‘privacy by design’ which is currently developed for both private and public sectors in general, and must therefore also play an important role in the area of police and justice.

68.

Last but not least, the EDPS draws attention to his remarks and concerns about the chapter titled ‘Legislative proposals to be presented by the Commission’ regarding the Entry/Exit System and the Registered Travellers Programme.