
Document 52011XX0401(03)

    Opinion of the European Data Protection Supervisor on the Amended proposal for a Regulation of the European Parliament and of the Council on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No (…/…) (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person)

    OJ C 101, 1.4.2011, p. 14–19 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

    1.4.2011   

    EN

    Official Journal of the European Union

    C 101/14



    2011/C 101/03

    THE EUROPEAN DATA PROTECTION SUPERVISOR,

    Having regard to the Treaty on the Functioning of the European Union, and in particular its Article 16,

    Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,

    Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),

    Having regard to the request for an opinion in accordance with Article 28(2) of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (2),

    HAS ADOPTED THE FOLLOWING OPINION

    I.   INTRODUCTION

    1.

    On 11 October 2010, the European Commission adopted an Amended proposal for a Regulation of the European Parliament and of the Council on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No (…/…) (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person) (‘the Proposal’) (3). On the same day, the Proposal as adopted by the Commission was sent to the EDPS for consultation in accordance with Article 28(2) of Regulation (EC) No 45/2001. The EDPS welcomes the fact that he is consulted by the Commission and asks that reference to this consultation is made in the recitals of the Proposal.

    2.

    Eurodac was established by Regulation (EC) No 2725/2000 concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention (4). A recast proposal for the amendment of the Eurodac Regulation was adopted by the Commission in December 2008 (5) (hereafter the December 2008 proposal). The EDPS commented on that proposal in an opinion of February 2009 (6).

    3.

    The December 2008 proposal was designed to ensure a more efficient support to the application of the Dublin Regulation and to properly address data protection concerns. It also aligned the IT management framework to that of the SIS II and VIS Regulations by providing for the taking over of the tasks of the operational management for Eurodac by the future Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (7) (hereinafter: IT Agency) (8).

    4.

    The Commission then adopted an amended proposal in September 2009 in which it introduced the possibility for Member States’ law enforcement authorities and Europol to access the Eurodac central database for the purposes of prevention, detection and investigation of terrorist offences and other serious criminal offences.

    5.

    In particular, that proposal introduced a bridging clause to allow access for law enforcement purposes as well as the necessary accompanying provisions and amended the December 2008 proposal. It was presented at the same time as a Proposal for a Council Decision on requesting comparisons with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes (9) (hereafter: the Council Decision), spelling out the exact modalities of such access. The EDPS issued an opinion on this proposal in December 2009 (10).

    6.

    With the entry into force of the Lisbon Treaty and the abolition of the pillar system, the proposal for a Council Decision lapsed; it had to be formally withdrawn and replaced with a new proposal to take account of the new framework of the TFEU.

    7.

    The Explanatory Memorandum to the Proposal states that, with a view to progressing on the negotiations on the asylum package (11) and facilitating the conclusion of an agreement on the Eurodac Regulation, the Commission has found it more appropriate to withdraw from the Eurodac Regulation those provisions referring to the access for law enforcement purposes.

    8.

    The Commission also considers that withdrawing that (rather controversial) part of the proposal and enabling thereby the swifter adoption of the new Eurodac Regulation will also facilitate the timely set up of the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, since that Agency is planned to be also responsible for the management of Eurodac.

    9.

    As a consequence, while the present amended proposal introduces two technical provisions, its main purpose is to amend the previous proposal (i.e. from September 2009) by deleting from it the option of access for law enforcement purposes. It was therefore not considered necessary to conduct a new impact assessment specifically for the present proposal.

    II.   FOCUS OF THE OPINION OF THE EDPS

    10.

    The EDPS has already contributed several opinions in this area, as mentioned above. The purpose of the present opinion is to recommend improvements to the proposal; these recommendations are either based on new developments or on recommendations previously made and not yet taken on board, in situations where the EDPS finds that his arguments have not been met adequately or that these recommendations are supported by new arguments.

    11.

    The present opinion will focus on the following points:

    the withdrawal of the provisions related to law enforcement access to Eurodac,

    the position of the individual whose fingerprints are not usable,

    information of the data subject,

    use of best available techniques as a way to implement ‘Privacy by Design’,

    consequences of subcontracting (a part of) the development or management of the system to a third party.

    III.   WITHDRAWAL OF PROVISIONS ON LAW ENFORCEMENT ACCESS

    12.

    The EDPS welcomes the fact that the possibility to give law enforcement an access to Eurodac has been left out of the current proposal. Indeed, while the EDPS does not dispute that governments need appropriate instruments to guarantee the security of the citizen, he had expressed strong doubts as to the legitimacy of this proposal, based on the following considerations.

    13.

    Measures to combat terrorist offences and other serious offences can be a legitimate ground to allow processing of personal data — even if incompatible with the purposes for which the data were originally collected — provided that the necessity of the intrusion is supported by clear and undeniable elements, and the proportionality of the processing is demonstrated. This is all the more required since the proposals concern a vulnerable group in need of higher protection because they flee from persecution. Their precarious position has to be taken into account in the assessment of the necessity and proportionality of the proposed action. The EDPS emphasised, more concretely, that the necessity should be proven by the demonstration of substantial evidence of a link between asylum applicants and terrorism and/or serious crime. This had not been done in the proposals.

    14.

    On a more general level, the EDPS has advocated the need for assessment of all existing instruments on information exchange before proposing new ones in numerous opinions and comments, and with particular emphasis in the recent opinions on the ‘Overview of information management in the area of freedom, security and justice’ (12) and on ‘the EU Counter-Terrorism Policy: main achievements and future challenges’ (13).

    15.

    Indeed, assessing the effectiveness of existing measures while considering the impact on privacy of new envisaged measures is crucial and should play an important role in the European Union's action in this area, in line with the approach put forward by the Stockholm Programme. In this case, special attention should for instance be devoted to the implementation of exchange of data under the Prüm mechanism. Exchange of fingerprints is foreseen in this context, and it should be demonstrated that the system has severe insufficiencies which justify the access to a database such as Eurodac.

    16.

    Finally, in these opinions as in many others before, the EDPS recommends that special attention be paid to those proposals resulting in collections of personal data of broad categories of citizens, rather than only suspects. Specific consideration and justification should also be given to those cases where processing of personal data is foreseen for purposes other than those for which they were initially collected, such as in Eurodac.

    17.

    In conclusion, the EDPS welcomes the deletion of this element from the current proposal.

    IV.   POSITION OF INDIVIDUALS WHO CANNOT ENROL

    18.

    The collection and further processing of fingerprints obviously occupy a central place in the Eurodac system. It should be emphasized that the processing of biometric data such as fingerprints poses specific challenges and creates risks which have to be addressed. In the context of the Proposal, the EDPS wants to specifically underline the problem of so-called ‘failure to enrol’ — the situation in which a person finds him/herself if, for some reason, their fingerprints are not usable.

    19.

    Failure to enrol may occur when individuals have temporarily or permanently damaged fingertips or hands. This may be due to various factors, such as illness, disability, wounds and burns. It can also, in some cases, be linked to ethnicity or occupation. In particular, it seems that a non-trivial number of agricultural and construction workers have fingerprints which are damaged to the point of being unreadable. In other cases, the frequency of which is difficult to evaluate, it may happen that refugees self-mutilate in order to avoid being fingerprinted.

    20.

    The EDPS recognises that it can be difficult to distinguish those third country nationals who have voluntarily damaged their fingerprints to frustrate the identification process from those with genuinely unreadable fingerprints.

    21.

    It is however extremely important to ensure that ‘failure to enrol’ on its own does not lead to a denial of rights for asylum seekers. It would not be acceptable, for instance, that failure to enrol would be construed systematically as an attempt to fraud and would lead to a refusal to examine an asylum application or a withdrawal of assistance to the asylum seeker. If it were the case, it would mean that the possibility to be fingerprinted would be one of the criteria to recognise the status of asylum seeker. The purpose of Eurodac is to facilitate the application of the Dublin Convention, and not to add a criterion (‘having usable fingerprints’) for granting someone the status of asylum seeker. This would be a violation of the purpose limitation principle, and of at least the spirit of the right to asylum.

    22.

    Finally, the EDPS also insists that the present proposal should be consistent with the other directives relevant in this area. In particular, the ‘Qualification Directive’ insists that each application shall be considered on its own merit, and does certainly not mention the impossibility to enrol as a criterion for examining the asylum application (14).

    23.

    The current proposal already envisages partly the failure to enrol in its Articles 6.1 and 6.2 (15).

    24.

    However, these provisions only envisage the hypothesis of temporary failure to enrol, whereas in a significant number of cases this impossibility will be permanent. Article 1 of the Regulation amending the Common Consular Instructions (16) provides for such cases and stipulates that: ‘(…) Member States shall ensure that appropriate procedures guaranteeing the dignity of the applicant are in place in the event of there being difficulties in enrolling. The fact that fingerprinting is physically impossible shall not influence the grant or refusal of a visa’.

    25.

    In order to cater for these cases in the context of Eurodac, the EDPS recommends adding to Article 6 a provision inspired by this, along the following line: ‘Temporary or permanent impossibility to provide usable fingerprints shall not adversely affect the legal situation of the individual. In any case, it can not represent sufficient grounds to refuse to examine or to reject an asylum application’.

    V.   RIGHT OF INFORMATION TO THE DATA SUBJECT

    26.

    The EDPS notes that effective implementation of the right to information is crucial for the proper functioning of Eurodac. In particular, it is essential to ensure that information is provided in a way that enables the asylum seeker to fully understand his situation as well as the extent of the rights, including the procedural steps he/she can take as follow-up to the administrative decisions taken in his/her case. The EDPS also reminds that the right of access is a cornerstone of data protection, as mentioned in particular in Article 8 of the EU Charter of Fundamental Rights.

    27.

    The EDPS had already underlined this item in his previous opinion on Eurodac. Since the proposed modification has not been accepted, the EDPS wants to emphasize the importance of this question.

    28.

    Article 24 of the Proposal reads as follows:

    ‘A person covered by this Regulation shall be informed by the Member State of origin in writing, and where appropriate, orally, in a language which he or she understands or may reasonably be presumed to understand of the following:

    (…)

    (e)

    the existence of the right of access to data relating to him/her, and the right to request that inaccurate data relating to him/her be corrected or that unlawfully processed data relating to them be erased, as well as the right to receive information on the procedures for exercising those rights including the contact details of the controller and the National Supervisory Authorities referred to in Article 25(1).’

    29.

    The EDPS suggests that the wording of Article 24 should be reformulated to clarify the rights to be given to the applicant. The wording as proposed is unclear, as it can be interpreted as considering ‘the right to receive information on the procedures for exercising those rights (…)’ apart from the right of access to data and/or the right to request inaccurate data be corrected (…). Moreover, according to the current wording of the above-mentioned provision, the Member States are to inform the person covered by the Regulation not of the content of the rights but of their ‘existence’. As the latter seems to be only a stylistic issue, the EDPS suggests that Article 24 be redrafted as follows: ‘A person covered by this Regulation shall be informed by the Member State of origin (…) of (…)(g) the right of access to data relating to him/her, and the right to request that inaccurate data relating to him/her be corrected or that unlawfully processed data relating to him/her be deleted’.

    VI.   BEST AVAILABLE TECHNIQUES

    30.

    Article 4(1) of the Proposal stipulates: ‘After a transitional period, a Management Authority, funded from the general budget of the European Union, shall be responsible for the operational management of Eurodac. The Management Authority shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used for the Central System’. Although the EDPS welcomes the requirement laid down in Article 4(1), he wishes to note that the expression ‘best available technology’ referred to in the above-mentioned provision, should be replaced with the wording ‘best available techniques’ which includes both the technology used and the way in which the installation is designed, built, maintained and operated.

    31.

    This is important because the concept of ‘best available techniques’ is broader and covers various aspects contributing to the application of ‘Privacy by Design’ which is considered a key principle in the review of the EU data protection legal framework. It underlines that data protection can be implemented through different means, not all of a technological nature. It is indeed important to examine not only the technology but also the way the technology is used as a tool to achieve the purpose of the data processing at hand. Business processes must be oriented toward the achievement of this purpose which is translated into procedures and organisational structures.

    32.

    In this regard, and on a more general level, the EDPS would like to reiterate the recommendation made in previous opinions (17) regarding the need for the Commission to define and promote together with industry stakeholders ‘Best Available Techniques’ following the same procedure adopted by the Commission in the environmental field (18). ‘Best Available Techniques’ would mean the most effective and advanced stage in the development of technology and their methods of operation which indicate the practical suitability of particular techniques for providing, in compliance with the privacy and data protection EU framework, a defined detection threshold. These BATs will be designed to prevent and, where that is not practicable, to mitigate to an appropriate level the security risks related to this data processing and minimize as much as possible their impact on privacy.

    33.

    This process should also provide reference documents on ‘Best Available Techniques’ which may offer very useful guidance for the management of other EU large-scale IT systems. It will also enhance the harmonisation of such measures throughout the EU. Last but not least, the definition of privacy and security friendly BATs will facilitate the supervisory role of Data Protection Authorities by providing them privacy and data protection compliant technical references adopted by data controllers.

    VII.   SUBCONTRACTING

    34.

    The EDPS notes that the Proposal does not address the issue of subcontracting parts of the tasks of the Commission (19) to another organisation or entity (such as a private company). Nevertheless, subcontracting is commonly used by the Commission in the development and management both of the system and the communication infrastructure. While subcontracting of activities does not in itself run contrary to data protection requirements, important safeguards should be put in place to ensure that the applicability of Regulation (EC) No 45/2001, including the data protection supervision by the EDPS, remains entirely unaffected by the subcontracting. Furthermore, additional safeguards of a more technical nature should also be adopted.

    35.

    In this regard, the EDPS suggests that similar legal safeguards as envisaged in the SIS II legal instruments should be provided mutatis mutandis in the framework of the revision of the Eurodac Regulation, specifying that even when the Commission subcontracts a part of its tasks to another body or organisation, it shall ensure that the EDPS has the right and is able to fully exercise his tasks, including carrying out on-the-spot checks and to exercise any other powers conferred on him by Article 47 of Regulation (EC) No 45/2001.

    VIII.   CONCLUSIONS

    36.

    The EDPS welcomes the fact that he is consulted by the Commission and asks that reference to this consultation is made in the recitals of the Proposal.

    37.

    The EDPS welcomes the fact that the possibility to give law enforcement an access to Eurodac has been left out of the current proposal.

    38.

    The collection and further processing of fingerprints occupy a central place in the Eurodac system. The EDPS emphasizes that the processing of biometric data such as fingerprints poses specific challenges and creates risks which have to be addressed. In particular, the EDPS underlines the problem of so-called ‘failure to enrol’ — the situation in which a person finds him/herself if, for some reason, their fingerprints are not usable. Failure to enrol on its own should not lead to a denial of rights for asylum seekers.

    39.

    The EDPS recommends adding to Article 6a of the proposal a provision along the following line: ‘Temporary or permanent impossibility to provide usable fingerprints shall not adversely affect the legal situation of the individual. In any case, it can not represent sufficient grounds to refuse to examine or to reject an asylum application’.

    40.

    The EDPS notes that effective implementation of the right to information is crucial for the proper functioning of Eurodac, so as to ensure that information is provided in a way that enables the asylum seeker to fully understand his situation, as well as the extent of the rights, including the procedural steps he/she can take as follow-up to the administrative decisions taken in his/her case. The EDPS suggests that the wording of Article 24 of the Proposal should be reformulated to clarify the rights to be given to the asylum applicant.

    41.

    The EDPS recommends amending Article 4(1) of the Proposal, using the expression ‘Best Available Techniques’ instead of ‘Best Available Technologies’. Best Available Techniques include both the technology used and the way in which the installation is designed, built, maintained and operated.

    42.

    The EDPS recommends, as regards the issue of subcontracting a part of the Commission tasks to another organisation or entity (such as a private company), that safeguards should be put in place to ensure that the applicability of Regulation (EC) No 45/2001, including the data protection supervision by the EDPS, remains entirely unaffected by the subcontracting of activities. Furthermore, additional safeguards of a more technical nature should also be adopted.

    Done at Brussels, 15 December 2010.

    Peter HUSTINX

    European Data Protection Supervisor


    (1)  OJ L 281, 23.11.1995, p. 31.

    (2)  OJ L 8, 12.1.2001, p. 1.

    (3)  COM(2010) 555 final.

    (4)  OJ L 62, 5.3.2002, p. 1.

    (5)  Proposal for a Regulation of the European Parliament and of the Council concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No (…/…) (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person), COM(2008) 825 final.

    (6)  Opinion of 18 February 2009 on the Proposal for a Regulation concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No (…/…) (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person) (COM(2008) 825), OJ C 229, 23.9.2009, p. 6.

    (7)  The Proposal for a Regulation of the European Parliament and of the Council establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (COM(2009) 293 final) was adopted on 24 June 2009. An amended proposal was adopted on 19 March 2010: Amended proposal for a Regulation (EU) No …/… of the European Parliament and of the Council on establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, COM(2010) 93.

    (8)  The EDPS issued an opinion on the establishment of the IT Agency (Opinion of 7 December 2009 on the proposal for a Regulation establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, and on the proposal for a Council Decision conferring upon the Agency tasks regarding the operational management of SIS II and VIS in application of Title VI of the EU Treaty, OJ C 70, 19.3.2010, p. 13).

    (9)  COM(2009) 344.

    (10)  Opinion of the European Data Protection Supervisor on the amended proposal for a Regulation of the European Parliament and of the Council concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EC) No (…/…) (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person), and on the proposal for a Council Decision on requesting comparisons with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, OJ C 92, 10.4.2010, p. 1.

    (11)  The ‘asylum package’ aims at improving the way the EU asylum system works and strengthens asylum seekers’ rights. It contains amendments to the Reception Conditions Directive (RCD), the Dublin Regulation and Eurodac. It also foresees the creation of a European Asylum Support Office (EASO) accompanied by a decision which facilitates the funding of the EASO by redeploying some of the funds currently allocated to the European Refugee Fund.

    (12)  EDPS Opinion of 30 September 2010 on the Communication from the Commission to the European Parliament and the Council — ‘Overview of information management in the area of freedom, security and justice’, available on the website.

    (13)  EDPS Opinion of 24 November 2010 on the Communication from the Commission to the European Parliament and the Council concerning the EU Counter-Terrorism Policy: main achievements and future challenges, available on the website.

    (14)  See in particular Article 4(3) of the Council Directive 2004/83/EC of 29 April 2004 on minimum standards for the qualification and status of third country nationals or stateless persons as refugees or as persons who otherwise need international protection and the content of the protection granted, OJ L 304, 30.9.2004, p. 12.

    (15)  

    ‘1.   Where the condition of the fingertips does not allow to take the fingerprints in a quality ensuring appropriate comparison under Article 18 of this Regulation, the Member State of origin shall retake the fingerprints of the applicant and resend them as soon as possible and no later than 48 hours after they have been successfully taken.’

    ‘2.   By way of derogation from paragraph 1, where it is not possible to take the fingerprints of an applicant on account of measures taken to ensure the health of the applicant or the protection of public health, Member States shall take and send the fingerprints of the applicant as soon as possible and no later than 48 hours after these grounds no longer prevail’.

    (16)  Regulation (EC) No 390/2009 of The European Parliament and of The Council of 23 April 2009 amending the Common Consular Instructions on visas for diplomatic missions and consular posts in relation to the introduction of biometrics including provisions on the organisation of the reception and processing of visa applications, OJ L 131, 28.5.2009, p. 1.

    (17)  EDPS Opinion on Intelligent Transport systems, July 2009; EDPS Opinion on the RFID communication December 2007; EDPS annual Report 2006 p. 48.

    (18)  http://eippcb.jrc.es/

    (19)  Or in the future the Management Authority as mentioned above. References to the Commission in this paragraph should be read as references to the EU institution or body who acts as a data controller for Eurodac.

