Document 52017XX1116(01)

Summary of the Opinion of the European Data Protection Supervisor on the proposal for a Regulation on the eu-LISA

OJ C 386, 16.11.2017, p. 6–8 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

16.11.2017   

EN

Official Journal of the European Union

C 386/6


Summary of the Opinion of the European Data Protection Supervisor on the proposal for a Regulation on the eu-LISA

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2017/C 386/06)

Since its establishment in 2011, the European Agency in charge of the operational management of large-scale IT systems in the area of freedom, security and justice (‘eu-LISA’) has been gradually entrusted with the operational management of the Schengen Information System, the Visa Information System and Eurodac. After 4 years of operation the Commission conducted an overall evaluation. As a result the Proposal for a Regulation on the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice was presented on 29 June 2017.

This Proposal aims mainly to entrust eu-LISA with: (i) the operational management of the existing and future large-scale IT systems in the area of freedom, security and justice, (ii) developing some aspects of the interoperability of these systems, (iii) carrying out research activities and pilot projects and (iv) developing, managing and hosting a common IT system for a group of Member States opting on a voluntary basis for a centralised solution in implementing technical aspects of the EU legislation on decentralised systems in the area of freedom, security and justice.

The eu-LISA proposal is part of a wider process to enhance external border management and internal security in the European Union with a view to responding to specific security challenges. Several legislative proposals on large-scale IT systems are indeed currently under negotiation with the European Parliament and the Council (the Entry/Exit System, Eurodac, the European Travel Information and Authorisation System, the Schengen Information System and the European Criminal Records Information System on third-country nationals). These legislative proposals entrust eu-LISA with operational management of the abovementioned large-scale IT systems.

The EDPS, also in his capacity as the supervisory authority of eu-LISA, recommends that the eu-LISA Proposal is accompanied by a detailed impact assessment of the right to privacy and the right to data protection which are enshrined in the Charter of Fundamental Rights of the EU.

The EDPS also recalls that there is currently no legal framework for the interoperability of EU large scale IT systems. Therefore eu-LISA could develop the implementing actions only if such a legal framework is adopted.

Finally, the EDPS has concerns regarding the possibility that eu-LISA could develop and host a common centralised solution for large scale IT systems which are in principle decentralised. The architecture of each EU large scale IT system is clearly defined in a specific legal basis and cannot be changed by a delegation agreement between eu-LISA and a group of Member States. Any change of a system architecture can be done only by changing the appropriate legislative basis, preceded by an impact assessment and feasibility studies.

1.   INTRODUCTION AND BACKGROUND

1.   The European Agency in charge of the operational management of large-scale IT systems in the area of freedom, security and justice (hereinafter ‘eu-LISA’) was established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council (1). The Regulation entrusts eu-LISA with the operational management at the central level of the second generation Schengen Information System (2) (hereinafter ‘SIS II’) and the Visa Information System (3) (hereinafter ‘VIS’). Regulation (EU) No 1077/2011 was amended by Regulation (EU) No 603/2013 of the European Parliament and of the Council (4), which additionally has entrusted eu-LISA with the management of Eurodac.

2.   In 2016, the Commission carried out an evaluation (5) of eu-LISA 4 years after it started to be operational. As a result, the need of improving the effectiveness and efficiency of eu-LISA functioning was identified. In this context on 29 June 2017 the Commission issued a Proposal for a Regulation on the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (6) (hereinafter ‘eu-LISA Proposal’).

3.   Additionally the Commission has started since 2016 a broader reflection on how to make the management and use of data, both for border management and security purposes, more effective and efficient. As a result, the Commission has adopted a Communication on Stronger and Smarter Information Systems for Borders and Security (7), and the final report of the High Level Expert Group on information systems and interoperability (8) as well as the Seventh progress report towards an effective and genuine Security Union (9) with proposals on new tasks and in consequence a new mandate for eu-LISA.

4.   The EDPS was consulted informally before the publication of the eu-LISA Proposal and he provided informal comments to the Commission, which were taken into account only partially.

5.   The aim of the eu-LISA Proposal is to extend the Agency's mandate by:

enabling the operational management of the existing and future large-scale IT systems in the area of freedom, security and justice,

ensuring data quality in all large-scale IT systems managed by eu-LISA,

developing the necessary actions to enable interoperability of systems,

carrying out research activities for the operational management of large-scale IT systems,

carrying out pilot projects, proof of concepts and testing activities,

providing support and advice to Member States and the Commission on the national systems' connection to the central system,

developing, managing and hosting a common IT system for a group of Member States opting on a voluntary basis for a centralised solution in implementing technical aspects of the EU legislation on decentralised systems in the area of freedom, security and justice.

6.   The EDPS will first address the main recommendations regarding the eu-LISA proposal. These main recommendations represent the major issues observed by the EDPS and that should in any event be addressed in the legislative process. Additional recommendations are the points identified by the EDPS as requiring clarification, additional information, or minor modifications. This distinction should help the legislator to give priority to the major issues addressed by this Opinion.

4.   CONCLUSION

23.   After carefully analysing the eu-LISA Proposal, the EDPS makes the following recommendations:

to conduct or make available a detailed impact assessment to make it easier to assess the eu-LISA Proposal's impact on fundamental rights, especially with reference to the concentration of all EU large-scale IT systems in one agency and taking into account the broader legal context including ongoing legislative proposals regarding large scale IT systems,

to delete current references related to interoperability in the eu-LISA Proposal,

to delete the provision allowing the change of the architecture of the system on the basis of the delegation agreement between eu-LISA and a group of Member States.

24.   In addition to the main concerns identified above, the recommendations of the EDPS in the present Opinion relate to the following aspects of the eu-LISA Proposal:

statistics generated by the system,

internal monitoring,

Information Security Risk Management,

roles of the EDPS and the Data Protection Officer.

25.   The EDPS remains available to provide further advice on the eu-LISA Proposal, also in relation to any delegated or implementing act adopted pursuant to the proposed Regulation, which might have an impact on the processing of personal data.

Brussels, 9 October 2017.

Giovanni BUTTARELLI

European Data Protection Supervisor


(1)  OJ L 286, 1.11.2011, p. 1.

(2)  Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 381, 28.12.2006, p. 4) and Council Decision 2007/533/JHA of 12 June 2007 on the establishment operation and use of the second generation Schengen Information System (SIS II) (OJ L 205, 7.8.2007, p. 63).

(3)  Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).

(4)  Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 180, 29.6.2013, p. 1).

(5)  Report from the Commission to the European Parliament and the Council on the functioning of the European Agency for the operational management of large scale IT systems in the area of freedom, security and justice (eu-LISA), COM(2017) 346, 29.6.2017.

(6)  Proposal for a Regulation on the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011, COM(2017) 352 final, 29.6.2017.

(7)  COM(2016) 205 final, 6.4.2016.

(8)  http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetailDoc&id=32600&no=1

(9)  COM(2017) 261 final, 16.5.2017.

