4.2.2014   

EN

Official Journal of the European Union

C 32/25

1.

On 28 February 2013 the Commission adopted the following proposals (hereinafter: ‘the proposals’):

2.

On the same day, the proposals were sent to the EDPS for consultation. The EDPS had been given the opportunity to provide informal comments to the Commission before the adoption of the proposals.

3.

The EDPS welcomes the reference to the consultation of the EDPS which has been included in the Preamble of both the EES proposal and the RTP proposal.

4.

The 2008 Commission's Communication ‘Preparing the next steps in border management in the European Union’ suggested new tools for the future management of European borders, including an Entry/Exit System (hereinafter: ‘EES’) for the electronic recording of the dates of entry and exit of third-country nationals and a registered traveller programme to facilitate border crossing for bona fide travellers (hereinafter: ‘RTP’). It also considered the introduction of an Electronic System of Travel Authorisation (ESTA) for visa-exempted third-country nationals.

5.

These proposals were endorsed by the European Council of December 2009 in the Stockholm programme (4). However, in its 2011 Communication on smart borders, the Commission (5) considered that the establishment of an ESTA should be discarded for the moment as ‘the potential contribution to enhancing the security of the Member States would neither justify the collection of personal data at such a scale nor the financial cost and the impact on international relations’ (6). It further announced that it intended to present proposals for an EES and an RTP in the first half of 2012.

6.

Subsequently, the European Council of June 2011 requested that the work on ‘smart borders’ be pushed forward rapidly and asked for the introduction of the EES and the RTP (7).

7.

The Article 29 Working Party commented on the Communication from the Commission on smart borders, which preceded the proposals, in a letter to Commissioner Malmström of 12 June 2012 (8). More recently, on 6 June 2013, the Working Party adopted an opinion questioning the necessity of the Smart Borders package (9).

8.

The present Opinion builds on these positions, as well as on a previous EDPS Opinion (10) on the 2011 Commission's Communication on migration (11) and on the EDPS Preliminary comments (12) on three Communications on border management (2008) (13). It also uses input given in the EDPS Round Table on the Smart Borders package and data protection implications (14).

9.

Article 4 of the EES proposal specifies its purpose. The proposal aims at improving the management of the EU external borders and the fight against irregular migration, the implementation of the integrated border management policy and the cooperation and consultation between border and immigration authorities. It provides for a system that would:

10.

The system should help monitoring the authorised stay by providing quick and precise information to border guards and to travellers. It would replace the current system of manual stamping of passports, which is considered slow and unreliable and improve the efficiency of border management (15).

11.

It should also assist, through the storing of biometrics, in the identification of persons who do not fulfil the conditions for entry to, or stay in the EU, especially in the absence of identification documents. In addition, the EES would provide a precise picture of travel flows and of the number of overstayers, allowing evidence-based policymaking, for example on visa obligations. The statistics mentioned in Article 4 are used for this last aim.

12.

The EES would be the basis for the RTP, aimed at facilitating border crossings to pre-vetted, frequent third-country travellers. Registered travellers would have a token with a unique identifier to be swiped on arrival and departure at the border through an automated gate. The data of the token, the fingerprints and, if applicable, the visa sticker number would be compared to the ones stored in the Central Repository and other databases. If all checks are successful, the traveller would be able to cross the automated gate. Otherwise, a border guard would assist the traveller.

13.

Finally, the amending proposal has the objective of accommodating Regulation (EC) No 562/2006 establishing a Community Code on the rules governing the movement of persons across borders (hereinafter: ‘the Schengen Borders Code’) to the new EES and RTP proposals.

14.

The project to develop an electronic system to control entries and exits to the EU territory is not new, and several Communications of the Commission mentioned above have paved the way for the proposals now under analysis. It is therefore in the perspective of these developments that the smart border package should be assessed. In particular, the following elements need to be taken into account.

15.

In the Stockholm programme, the Commission has taken the strategic approach of assessing the need for developing a European Information Exchange Model based on the evaluation of current instruments. This shall be based, amongst others, on a strong data protection regime, a well targeted data collection scheme, and a rationalisation of the different tools, including the adoption of a business plan for large IT systems. The Stockholm programme recalls the need to ensure consistency of the implementation and management of the different information tools with the strategy for the protection of personal data and the business plan for setting up large-scale IT systems (16).

16.

A comprehensive analysis is all the more needed considering the existence and further development and implementation of large-scale IT systems, such as Eurodac (17), VIS (18) and SIS II (19). A smart borders scheme is an additional tool to collect massive amounts of personal data in a border control perspective. This global approach has been confirmed recently by the JHA Council which emphasised the need to learn from the experience of SIS by reference in particular to the escalation of costs (20). The EDPS has also commented that ‘a European information model may not be construed on the basis of technical considerations’, in view of the almost limitless opportunities offered by new technologies. Information should be processed only on the basis of concrete security needs (21).

17.

The analysis of the EES and the RTP from a privacy and data protection angle must be done in the perspective of the Charter of Fundamental Rights of the European Union (22) (hereinafter: ‘the Charter’), and in particular its Articles 7 and 8. Article 7, which is similar to Article 8 of the European Convention on Human Rights (23) (ECHR), provides for a general right to respect for private and family life, and protects the individual against interference by public authorities, while Article 8 of the Charter gives the individual the right that his or her personal can only be processed under certain specified conditions. The two approaches are different and complementary. The Smart Borders package will be assessed against these two perspectives.

18.

The present Opinion has a strong focus on the EES proposal — which is most relevant from the perspectives of privacy and data protection — and is structured as follows:

102.

The Smart Borders package aims at creating a new large-scale IT system in order to supplement the existing border control mechanisms. The lawful character of this system needs to be evaluated against the principles of the Charter, in particular Article 7 on the right to respect for private and family life and Article 8 on the protection of personal data, with the objective to assess not only the interference with fundamental rights of the new scheme but also the data protection safeguards provided in the proposals.

103.

In that perspective, the EDPS confirms that the proposed EES scheme constitutes an interference with the right to respect for private and family life. While he welcomes the safeguards in the proposals and recognises the efforts made by the Commission in that sense, he concludes that necessity remains the essential issue: the cost/efficiency of the system is at stake, not only in financial terms, but also in relation to fundamental rights, seen in the global context of existing schemes and border policies.

104.

The EDPS makes the following recommendations as to the EES:

105.

While the RTP does not raise the same substantial questions with regard to interference with fundamental rights as the EES, the EDPS still calls the attention of the legislator on the following aspects.

106.

With regard to security aspects, the EDPS considers that for EES and RTP a Business Continuity Plan and Information Security Risk Management practices should be developed to assess and prioritise risks. Moreover, strong collaboration should be foreseen between the Agency and the Member States.