EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 52016XX1213(03)

Executive Summary of the Opinion of the European Data Protection Supervisor on the second EU Smart Borders package

OJ C 463, 13.12.2016, p. 14–17 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

13.12.2016   

EN

Official Journal of the European Union

C 463/14


Executive Summary of the Opinion of the European Data Protection Supervisor on the second EU Smart Borders package

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2016/C 463/11)

EXECUTIVE SUMMARY

The establishment of an Entry/Exit System (EES) that will record entries and exits of third country nationals on the territory of the European Union has been envisaged for a long time by the EU legislator. The Commission adopted three proposals as part of the first Smart Borders package in 2013; the co-legislators expressed serious concerns and the package did not reach a consensus. Then the Commission launched a proof of concept exercise in response to those concerns, and released this year a second Smart Borders package now composed of two revised proposals.

The EDPS has carefully analysed these proposals and issues recommendations with a view to assist the legislator so as to ensure that the legal framework applicable to the EES scheme will be fully compliant with EU privacy and data protection law, in particular Articles 7 and 8 of the EU Charter of Fundamental Rights.

The EDPS recognises the need for coherent and effective information systems for borders and security. These proposals come at a crucial moment when the EU is confronted with serious challenges in this area. However the EDPS underlines the significant and potentially intrusive nature of the proposed processing of personal data under the EES, which must therefore be considered under both Articles 7 and 8 of the Charter. Necessity and proportionality of the EES scheme are to be assessed both globally, taking into consideration the already existing large-scale IT systems in the EU, and specifically, in the specific case of these third country nationals who are lawful visitors of the EU. The EDPS notes that EES data will be processed for two different purposes, on the one hand for border management and facilitation purposes and on the other hand for law enforcement purposes. The EDPS strongly recommends clearly introducing the difference between these objectives throughout the 2016 EES Proposal itself, as these purposes entail a different impact on the rights to privacy and data protection.

While he welcomes the attention to privacy and data protection concerns previously expressed and the improvements in the revised proposals, the EDPS raises serious concerns as regards several aspects of the EES Proposal that should be better justified, or even reconsidered by the legislator, in particular:

the five years' retention period of EES data. The EDPS notes that the need for keeping overstayers' data for five years should be better demonstrated, and that a retention period of five years for all personal data stored in the EES appears to be disproportionate,

the collection of the facial images of visa-required travellers, whose facial images are already stored in the VIS,

the need for access to EES data by law enforcement authorities, which is not sufficiently supported by convincing evidence;

the prerequisite for a data subject to provide fingerprints when exercising his/her rights of access, correction and/or deletion of his/her personal data which could be an important obstacle to the effective exercise of these rights.

The Opinion further provides additional recommendations in terms of data protection and privacy that should be taken in consideration in the legislative process, including the security of the system.

I.   INTRODUCTION AND BACKGROUND

1.

The Commission first announced its intention to build a European Entry/Exit System in order to control entries and exits of third country nationals on the territory of the European Union in 2008 (1). At that time the EDPS first gave his preliminary comments (2) on the idea and then highlighted specific issues in an Opinion of July 2011 (3). The Commission further elaborated its views in a communication (4) entitled ‘Smart borders — Options and the way ahead’ of October 2011, on which the Article 29 Working Party provided comments (5). The EDPS also gave input in a joint round table with various stakeholders (6).

2.

In February 2013, the Commission adopted three proposals as part of the first Smart Borders package: a proposal to build and Entry/Exit System (7) (hereinafter ‘the 2013 EES Proposal’), a proposal to establish a Registered Traveller Programme (8) (hereinafter ‘the 2013 RTP Proposal’) and a proposal amending the Schengen Border Code (9) to introduce these changes accordingly. The package immediately faced criticisms from both co-legislators due to technical, operational and cost concerns, as well as important data protection concerns. The same year, the EDPS provided his first concrete recommendations on the three proposals in the form of an Opinion (10). The Article 29 Working Party also issued an Opinion (11), to which the EDPS contributed, which questioned the necessity of the Entry/Exit System as such.

3.

Early 2014, in response to those concerns, the Commission announced the launch of a proof of concept exercise consisting of two steps: first a Technical Study (12) and a Cost Study (13) to identify the most suitable options and solutions to implement Smart Borders, followed in the course of 2015 by a pilot project (14) led by the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (hereinafter ‘eu-LISA’) in order to test the different options identified. In parallel, the Commission launched a three-month public consultation (15) in July 2015 to collect views and opinions from citizens and organisations, to which the EDPS also contributed (16).

4.

On 6 April 2016, the Commission released a second Smart Borders package (17). This time, only one system is proposed: the Entry/Exit System (hereinafter ‘the EES’). The Commission decided to revise its 2013 EES Proposal and the 2013 Proposal amending the Schengen Borders Code, but to withdraw its 2013 RTP Proposal. Today's Smart Borders package is composed of:

a communication on ‘Stronger and Smarter Information Systems for Borders and Security’ (18),

a proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System to register entry and exit data and refusal of entry data of third country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011 (19) (hereinafter ‘the 2016 EES Proposal’), and

a proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) 2016/399 (20) as regards the use of the Entry/Exit System (21) (hereinafter ‘the 2016 Proposal Amending the Schengen Borders Code’).

5.

In addition, a detailed impact assessment (22) accompanies the two proposals.

6.

The Smart Borders package has gained new momentum following the current migration crisis and recent terrorist attacks in Europe. The Dutch Presidency and the Slovakian Presidency announced that they plan on working intensely on the package with a view to reaching a political agreement by the end of 2016 (23).

7.

The EDPS welcomes that he has been consulted informally by the Commission before the adoption of the new proposals. He also welcomes the good cooperation (24) between DG HOME and the EDPS throughout the process of renewing the first Smart Borders package.

IV.   CONCLUSION

90.

The EDPS welcomes the work done by the Commission in the 2016 EES Proposal to address data protection concerns raised about the 2013 Smart Borders package. Some of the EDPS' recommendations and comments in his previous Opinion on the package have been duly taken into account, for example regarding the introduction of fall-back procedures in case of technical impossibility or failure of the system.

91.

The EDPS welcomes the efforts made by the Commission to justify the necessity of setting up the EES scheme, but has main recommendations directly related to its proportionality in order to ensure full compliance of the EES with the essential prerequisite of Article 52(1) of the Charter to be both necessary and proportionate. He points out that necessity and proportionality of the EES scheme are to be assessed both globally, taking into consideration the already existing large-scale IT systems in the EU, and specifically, in the specific case of these third country nationals who are lawful visitors of the EU. He considers that a retention period of five years for all personal data stored in the EES should be fully justified. He also stresses that the following aspects of the 2016 EES Proposal should be better justified and supported by convincing evidence: the collection of the facial image of visa-required travellers, the five years' retention period for overstayers and the need for access to EES data by law enforcement authorities. Quod non, these aspects should be reconsidered by the EU legislator.

92.

Furthermore, considering the wide-ranging interference with fundamental rights to privacy and data protection of third country nationals, the EDPS considers that the EES should remain a border management tool purely designed with this purpose in mind. Therefore, the difference between the stated objectives of EES, i.e. the primary objectives of border management and facilitation and the secondary objective of law enforcement, should be clearly introduced and reflected throughout the 2016 EES Proposal, in particular in relation to Articles 1 and 5.

93.

In addition, the EDPS has concerns regarding the requirement for all data subjects to provide in any event fingerprints to submit any request for access, correction and deletion of their personal data. This could create an important obstacle to the effective exercise of the right of access, an important guarantee for the data subject included in Article 8(2) of the EU Charter.

94.

Other recommendations of the EDPS in the present Opinion concern the following aspects and articles:

Article 14 should be detailed so that, in cases where facial images of third country nationals are taken live, a minimum level of quality is reached for these pictures, and Article 33 should specify that the Commission will provide detailed information on how to reach the necessary level of quality for facial images taken live.

Article 15(3) should be amended so as to specify what information may be collected, stored and use by the border authorities when they request further clarification on the grounds for the temporary impossibility to provide fingerprints.

Article 39 should provide for the strong need for coordination between eu-LISA and Member States with regard to ensuring security of the EES.

The security responsibilities should be made clear in the Proposal in case of interconnection of national facilitation programmes from Member States to the EES. The new Article 8e of the Schengen Borders Code should specify that security must be ensured following a proper information security risk assessment and describe the necessary security measures.

The Proposal should clearly specify that eu-LISA is responsible for the security of the web service, the security of the personal data it contains and the process to get the personal data from the central system into the web service.

Article 44(1) should be amended in order to include in the information communicated to data subjects: the retention period applying to their data, the right for overstayers to have their personal data deleted in case they provide evidence that they exceeded the authorised duration of stay due to unforeseeable and serious events and an explanation of the fact that the EES data will be accessed for border management and facilitation purposes.

Article 46(1) should fix a strict harmonised deadline that would be no longer than a few months to answer access requests.

Article 9(2) should be amended with a clear description of safeguards that would ensure that a proper attention is given to data relating to children, the elderly and persons with a disability.

Article 57 should be amended and require of eu-LISA to develop functionalities that would allow Member States, the Commission, eu-LISA and Frontex to automatically extract the required statistics directly from the EES Central System, without the need for an additional repository.

The Proposal should provide the EDPS with the appropriate information and resources so that his new responsibilities as Supervisor of the future EES may be carried out effectively and efficiently.

Article 28(2) should provide a strict deadline for the verifying authorities to perform the ex post verification of the conditions to access EES data for law enforcement purposes in case of emergency.

Article 28(3) should be modified to impose that designated authorities and the verifying authority are not part of the same organisation.

95.

The EDPS insists on the need to address these issues in a global perspective. He encourages the legislator to continue his exercise of mapping the different databases in the border and migration context, better coordinating and avoiding overlap between the different systems, while fully respecting data protection standards and in its relations with third countries.

Done at Brussels, 21 September 2016.

Giovanni BUTTARELLI

European Data Protection Supervisor


(1)  Commission communication of 13 February 2008 on ‘Preparing the next steps in border management in the European Union’, COM(2008) 69 final.

(2)  EDPS Preliminary comments of 3 March 2008 on three communications on border management.

(3)  EDPS Opinion of 7 July 2011 on the communication on Migration.

(4)  Commission communication of 25 October 2011 on ‘Smart borders — Options and the way ahead’, COM(2011) 680 final.

(5)  The Article 29 Working Party commented on the communication from the Commission on Smart Borders in a letter addressed to Commissioner Malmström of 12 June 2012.

(6)  EDPS Round Table on the Smart Borders package and data protection implications, Brussels, 10 April 2013, see summary available at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Events/2013/13-04-10_Summary_smart_borders_final_EN.pdf.

(7)  Proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data of third country nationals crossing the external borders of the Member States of the European Union, COM(2013) 95 final.

(8)  Proposal for a Regulation of the European Parliament and of the Council establishing a Registered Traveller Programme, COM(2013) 97 final.

(9)  Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 562/2006 as regards the use of the Entry/Exit System (EES) and the Registered Traveller Programme (RTP), COM(2013) 96 final.

(10)  EDPS Opinion of 18 July 2013 on the Proposals for a Regulation establishing an Entry/Exit System (EES) and a Regulation establishing a Registered Traveller Programme (RTP).

(11)  Article 29 Working Party Opinion 05/2013 of 6 June 2013 on Smart Borders.

(12)  Technical Study on Smart Borders — Final Report, October 2014, available at: http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/smart-borders/docs/smart_borders_technical_study_en.pdf

(13)  Technical Study on Smart Borders — Cost Analysis, October 2014, available at: http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/smart-borders/docs/smart_borders_costs_study_en.pdf

(14)  eu-LISA Final Report on the Smart Borders Pilot Project, December 2015, available at: http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/smart-borders/index_en.htm

(15)  Commission public consultation on Smart Borders, available at: http://ec.europa.eu/dgs/home-affairs/what-is-new/public-consultation/2015/consulting_0030_en.htm

(16)  EDPS Formal comments of 3 November 2015 on the Commission Public Consultation on Smart Borders.

(17)  See press release available at: http://europa.eu/rapid/press-release_IP-16-1247_en.htm

(18)  Commission communication of 6 April 2016 on ‘Stronger and Smarter Information Systems for Borders and Security’, COM(2016) 205 final.

(19)  COM(2016) 194 final.

(20)  Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (codification) (OJ L 77, 23.3.2016, p. 1).

(21)  COM(2016) 196 final.

(22)  Commission Staff Working Document of 6 April 2016 on ‘Impact Assessment on the establishment of an EU Entry/Exit System accompanying the 2016 EES Proposal and the 2016 Proposal amending the Schengen Borders Code’, SWD(2016) 115 final (hereinafter ‘Impact Assessment’).

(23)  http://data.consilium.europa.eu/doc/document/ST-8485-2016-INIT/en/pdf

(24)  Two workshops between DG Home and the EDPS addressing Smart Borders' aspects were held in 2015: one workshop on 20 March specifically dedicated to the preparation of the Smart Borders proposals, and one interactive workshop on 21 September 2015 on Data Protection and Privacy Considerations in Policies on Migration and Home Affairs during which the 2013 Smart Borders proposals were also touched upon; see Minutes of the workshop of 20 March 2015 in Annex 16 to the Impact Assessment.


Top