4.2.2014   

EN

Official Journal of the European Union

C 32/25


Executive summary of the Opinion of the European Data Protection Supervisor on the proposals for a Regulation establishing an Entry/Exit System (EES) and a Regulation establishing a Registered Traveller Programme (RTP)

(The full text of this Opinion can be found in English, French and German on the EDPS website (http://www.edps.europa.eu))

2014/C 32/12

I.   Introduction

I.1.   Consultation of the EDPS

1.

On 28 February 2013 the Commission adopted the following proposals (hereinafter: ‘the proposals’):

proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data of third-country nationals crossing the external borders of the Member States of the European Union (hereinafter: ‘the EES proposal’) (1);

proposal for a Regulation of the European Parliament and of the Council establishing a Registered Traveller Programme (RTP) (hereinafter: ‘the RTP proposal’) (2);

proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 562/2006 as regards the use of the Entry/Exit System (EES) and the Registered Traveller Programme (RTP) (hereinafter: ‘the amending proposal’) (3).

2.

On the same day, the proposals were sent to the EDPS for consultation. The EDPS had been given the opportunity to provide informal comments to the Commission before the adoption of the proposals.

3.

The EDPS welcomes the reference to the consultation of the EDPS which has been included in the Preamble of both the EES proposal and the RTP proposal.

I.2.   Background

4.

The 2008 Commission's Communication ‘Preparing the next steps in border management in the European Union’ suggested new tools for the future management of European borders, including an Entry/Exit System (hereinafter: ‘EES’) for the electronic recording of the dates of entry and exit of third-country nationals and a registered traveller programme to facilitate border crossing for bona fide travellers (hereinafter: ‘RTP’). It also considered the introduction of an Electronic System of Travel Authorisation (ESTA) for visa-exempted third-country nationals.

5.

These proposals were endorsed by the European Council of December 2009 in the Stockholm programme (4). However, in its 2011 Communication on smart borders, the Commission (5) considered that the establishment of an ESTA should be discarded for the moment as ‘the potential contribution to enhancing the security of the Member States would neither justify the collection of personal data at such a scale nor the financial cost and the impact on international relations’ (6). It further announced that it intended to present proposals for an EES and an RTP in the first half of 2012.

6.

Subsequently, the European Council of June 2011 requested that the work on ‘smart borders’ be pushed forward rapidly and asked for the introduction of the EES and the RTP (7).

7.

The Article 29 Working Party commented on the Communication from the Commission on smart borders, which preceded the proposals, in a letter to Commissioner Malmström of 12 June 2012 (8). More recently, on 6 June 2013, the Working Party adopted an opinion questioning the necessity of the Smart Borders package (9).

8.

The present Opinion builds on these positions, as well as on a previous EDPS Opinion (10) on the 2011 Commission's Communication on migration (11) and on the EDPS Preliminary comments (12) on three Communications on border management (2008) (13). It also uses input given in the EDPS Round Table on the Smart Borders package and data protection implications (14).

I.3.   Aim of the proposals

9.

Article 4 of the EES proposal specifies its purpose. The proposal aims at improving the management of the EU external borders and the fight against irregular migration, the implementation of the integrated border management policy and the cooperation and consultation between border and immigration authorities. It provides for a system that would:

(a)

enhance checks at external border crossing points and combat irregular immigration;

(b)

calculate and monitor the calculation of the duration of the authorised stay of third-country nationals admitted for a short stay;

(c)

assist in the identification of any person who may not, or may no longer, fulfil the conditions for entry to, or stay on the territory of the Member States;

(d)

enable national authorities of the Member States to identify overstayers and take appropriate measures;

(e)

gather statistics on the entries and exits of third-country nationals for the purpose of analysis.

10.

The system should help monitoring the authorised stay by providing quick and precise information to border guards and to travellers. It would replace the current system of manual stamping of passports, which is considered slow and unreliable and improve the efficiency of border management (15).

11.

It should also assist, through the storing of biometrics, in the identification of persons who do not fulfil the conditions for entry to, or stay in the EU, especially in the absence of identification documents. In addition, the EES would provide a precise picture of travel flows and of the number of overstayers, allowing evidence-based policymaking, for example on visa obligations. The statistics mentioned in Article 4 are used for this last aim.

12.

The EES would be the basis for the RTP, aimed at facilitating border crossings to pre-vetted, frequent third-country travellers. Registered travellers would have a token with a unique identifier to be swiped on arrival and departure at the border through an automated gate. The data of the token, the fingerprints and, if applicable, the visa sticker number would be compared to the ones stored in the Central Repository and other databases. If all checks are successful, the traveller would be able to cross the automated gate. Otherwise, a border guard would assist the traveller.

13.

Finally, the amending proposal has the objective of accommodating Regulation (EC) No 562/2006 establishing a Community Code on the rules governing the movement of persons across borders (hereinafter: ‘the Schengen Borders Code’) to the new EES and RTP proposals.

I.4.   Context and structure of the present Opinion

14.

The project to develop an electronic system to control entries and exits to the EU territory is not new, and several Communications of the Commission mentioned above have paved the way for the proposals now under analysis. It is therefore in the perspective of these developments that the smart border package should be assessed. In particular, the following elements need to be taken into account.

15.

In the Stockholm programme, the Commission has taken the strategic approach of assessing the need for developing a European Information Exchange Model based on the evaluation of current instruments. This shall be based, amongst others, on a strong data protection regime, a well targeted data collection scheme, and a rationalisation of the different tools, including the adoption of a business plan for large IT systems. The Stockholm programme recalls the need to ensure consistency of the implementation and management of the different information tools with the strategy for the protection of personal data and the business plan for setting up large-scale IT systems (16).

16.

A comprehensive analysis is all the more needed considering the existence and further development and implementation of large-scale IT systems, such as Eurodac (17), VIS (18) and SIS II (19). A smart borders scheme is an additional tool to collect massive amounts of personal data in a border control perspective. This global approach has been confirmed recently by the JHA Council which emphasised the need to learn from the experience of SIS by reference in particular to the escalation of costs (20). The EDPS has also commented that ‘a European information model may not be construed on the basis of technical considerations’, in view of the almost limitless opportunities offered by new technologies. Information should be processed only on the basis of concrete security needs (21).

17.

The analysis of the EES and the RTP from a privacy and data protection angle must be done in the perspective of the Charter of Fundamental Rights of the European Union (22) (hereinafter: ‘the Charter’), and in particular its Articles 7 and 8. Article 7, which is similar to Article 8 of the European Convention on Human Rights (23) (ECHR), provides for a general right to respect for private and family life, and protects the individual against interference by public authorities, while Article 8 of the Charter gives the individual the right that his or her personal can only be processed under certain specified conditions. The two approaches are different and complementary. The Smart Borders package will be assessed against these two perspectives.

18.

The present Opinion has a strong focus on the EES proposal — which is most relevant from the perspectives of privacy and data protection — and is structured as follows:

Section II contains a general assessment of the Entry/Exit System, focusing on compliance with both Articles 7 and 8 of the Charter;

Section III contains comments on more specific provisions of the EES concerning the processing of biometric data and access by law enforcement authorities;

Section IV includes comments on other issues raised by the EES;

Section V focuses on the RTP;

Section VI refers to the need for additional data security safeguards;

Section VII lists the conclusions.

VII.   Conclusions

102.

The Smart Borders package aims at creating a new large-scale IT system in order to supplement the existing border control mechanisms. The lawful character of this system needs to be evaluated against the principles of the Charter, in particular Article 7 on the right to respect for private and family life and Article 8 on the protection of personal data, with the objective to assess not only the interference with fundamental rights of the new scheme but also the data protection safeguards provided in the proposals.

103.

In that perspective, the EDPS confirms that the proposed EES scheme constitutes an interference with the right to respect for private and family life. While he welcomes the safeguards in the proposals and recognises the efforts made by the Commission in that sense, he concludes that necessity remains the essential issue: the cost/efficiency of the system is at stake, not only in financial terms, but also in relation to fundamental rights, seen in the global context of existing schemes and border policies.

104.

The EDPS makes the following recommendations as to the EES:

The necessity and proportionality of the system could only be positively demonstrated in accordance with Article 7 of the Charter after a clear European policy on management of overstayers has been established, and the system is assessed against the more global context of existing large-scale IT systems.

Data protection principles should be improved in accordance with Article 8 as follows.

Purposes should be limited and the design of the system should not pre-empt on the future assessment of any possible law enforcement access to EES data.

Data subjects’ rights should be reinforced, especially with regard to the right to information and redress possibilities, taking into account the need for specific safeguards concerning automated decisions taken in relation to the calculation of the duration of stay.

Oversight should be complemented with a clear picture of the allocation of competences at national level, to ensure that data subjects exercise their rights with the relevant authority.

The use of biometrics should be subject to a targeted impact assessment, and if considered necessary, the processing of such data should be subject to specific safeguards regarding the enrolment process, the level of accuracy and the need for a fallback procedure. Besides, the EDPS strongly questions the collection of 10 fingerprints instead of two or four which would in any case be sufficient for verification purposes.

The reasons for which the transfer of EES data to third-countries is necessary for the return of third-country nationals should be substantiated.

105.

While the RTP does not raise the same substantial questions with regard to interference with fundamental rights as the EES, the EDPS still calls the attention of the legislator on the following aspects.

The voluntary basis of the system is acknowledged, but consent should only be considered as a valid legal ground for processing the data if it is freely given, which means that RTP should not become the only valid alternative to long queues and administrative burdens.

Risks of discrimination should be prevented: the vast number of travellers who do not travel frequently enough to undergo registration or whose fingerprints are unreadable should not be de facto in the ‘higher-risk’ category of travellers.

The verification process leading to registration should be based on selective access to clearly identified databases.

106.

With regard to security aspects, the EDPS considers that for EES and RTP a Business Continuity Plan and Information Security Risk Management practices should be developed to assess and prioritise risks. Moreover, strong collaboration should be foreseen between the Agency and the Member States.

Done at Brussels, 18 July 2013.

Peter HUSTINX

European Data Protection Supervisor


(1)  COM(2013) 95 final.

(2)  COM(2013) 97 final.

(3)  COM(2013) 96 final.

(4)  ‘An open and secure Europe serving and protecting the citizens’ (OJ C 115, 4.5.2010, p. 1).

(5)  Communication of 25 October 2011 from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on ‘Smart borders — options and the way ahead’ (COM(2011) 680 final).

(6)  Communication from the Commission on smart borders, cited above, p. 7.

(7)  EUCO 23/11.

(8)  The Article 29 Working Party, set up under Directive 95/46/EC, is composed of a representative of every national data protection authority, the EDPS and a representative of the European Commission. It has advisory status and acts independently. The letter of 12 June 2012 of the Working Party to Ms Cecilia Malmström on smart borders is available online (http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120612_letter_to_malmstrom_smart-borders_en.pdf).

(9)  Article 29 Working Party, Opinion 05/2013 on Smart Border (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp206_en.pdf).

(10)  EDPS Opinion of 7 July 2011, available online (http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-07-07_Migration_EN.pdf).

(11)  Communication of 4 May 2011 from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on migration (COM(2011) 248/3).

(12)  EDPS Preliminary comments of 3 March 2008, available online (http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2008/08-03-03_Comments_border_package_EN.pdf).

(13)  Communications from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on ‘Preparing the next steps in border management in the European Union’ (COM(2008) 69 final); ‘Examining the creation of a European Border Surveillance System (EUROSUR)’ (COM(2008) 68 final); and ‘Report on the evaluation and future development of the FRONTEX Agency’, COM(2008) 67 final.

(14)  EDPS Round Table on the Smart Borders package and data protection implications, Brussels, 10 April 2013, Venue: EDPS Building, Rue Montoyer 30, Brussels. See summary (http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Events/2013/13-04-10_Summary_smart_borders_final_EN.pdf).

(15)  See the Explanatory Memorandum of the EES proposal.

(16)  The Stockholm programme — an open and secure Europe serving and protecting citizens (OJ C 115, 4.5.2010, p. 1).

(17)  See Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 180, 29.6.2013, p. 1).

(18)  See Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).

(19)  See Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 381, 28.12.2006, p. 4).

(20)  See Council doc. No 8018/13, Note of the Presidency to the Strategic Committee on Immigration, Frontiers and Asylum/Mixed Committee (UE-Iceland/Liechtenstein/Norway/Switzerland), 28 March 2013 on Smart Border Package (http://www.statewatch.org/news/2013/apr/eu-council-smart-borders-8018-13.pdf).

(21)  EDPS Opinion of 10 July 2009 on the Communication from the Commission to the European Parliament and the Council on an area of freedom, security and justice serving the citizen (OJ C 276, 17.11.2009, p. 8).

(22)  OJ C 83, 30.3.2010, p. 389.

(23)  Council of Europe, ETS No 5, 4.11.1950.