30.1.2013   

EN

Official Journal of the European Union

C 28/3


Executive summary of the Opinion of the European Data Protection Supervisor on the amended proposal for a regulation of the European Parliament and of the Council on the establishment of ‘EURODAC’ for the comparison of fingerprints for the effective application of Regulation (EU) No […/…] (recast)

(The full text of this Opinion can be found in English, French and German on the EDPS website: http://www.edps.europa.eu)

2013/C 28/03

1.   Introduction

1.1.   Consultation of the EDPS

1.

On 30 May 2012, the Commission adopted a proposal concerning a recast for a Regulation of the European Parliament and of the Council on the establishment of ‘EURODAC’ for the comparison of fingerprints for the effective application of Regulation (EU) No […/…] (establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person) and to request comparisons with EURODAC data by Member States' law enforcement authorities and Europol for law enforcement purposes and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the Area of Freedom, Security and Justice (hereinafter: ‘the Proposal’) (1).

2.

The Proposal was sent by the Commission to the EDPS for consultation on 5 June 2012, pursuant to Article 28(2) of Regulation (EC) No 45/2001. The EDPS recommends that reference to the present consultation be made in the preamble of the Proposal.

3.

The EDPS regrets that the Commission services did not ask the EDPS to provide informal comments to the Commission before the adoption of the Proposal, according to the agreed procedure in relation to Commission documents relating to the processing of personal data (2).

4.

The Proposal was presented to the Home Affairs Ministers at the Justice and Home Affairs Council on 7-8 June 2012 and is currently under discussion within Council and the European Parliament with a view to adopt a regulation under the ordinary legislative procedure by the end of 2012. The present opinion of the EDPS intends to give input to this procedure.

7.   Conclusions

87.

The EDPS notes that over recent years the need of accessing EURODAC data for law enforcement purposes was extensively debated within the Commission, the Council and the European Parliament. He also understands that the availability of a data base with fingerprints can be a useful additional instrument in the combat of crime. However, the EDPS also recalls that this access to EURODAC has a serious impact on the protection of personal data of the persons whose data are stored in the EURODAC system. To be valid, the necessity of such access must be supported by clear and undeniable elements, and the proportionality of the processing must be demonstrated. This is all the more required in case of an intrusion in the rights of individuals constituting a vulnerable group in need of protection, as foreseen in the proposal.

88.

Evidence provided until now — also taking into account the specific context described above — is according to the EDPS not sufficient and up to date to demonstrate the necessity and proportionality of granting access to EURODAC for law enforcement purposes. There are already a number of legal instruments which permit that one Member State consults fingerprints and other law enforcement data held by another Member State. A much better justification, as a precondition for law enforcement access is necessary.

89.

In this context the EDPS recommends that the Commission provides a new impact assessment in which all relevant policy options are considered, in which solid evidence and reliable statistics are provided and which includes an assessment in a fundamental rights perspective.

90.

The EDPS has identified several additional issues which are:

Applicable data protection law

91.

The EDPS stresses the need for clarity on how the provisions of the Proposal specifying certain data protection rights and obligations relate to Council Framework Decision 2008/977/JHA as well as Council Decision 2009/371/JHA (see section 4).

Conditions for law enforcement access

As stated above, it should first be demonstrated that law enforcement access to EURODAC as such is necessary and proportionate. The comments made below should then be taken into account.

92.

The EDPS recommends:

clarifying that the transfer of EURODAC data to third countries is prohibited also in case of use of EURODAC data for law enforcement purposes (see points 43-44),

adding the law enforcement purposes to the information communicated to the data subject (see point 45),

ensuring unequivocally that access by designated authorities to EURODAC data is limited to law enforcement purposes (see point 49),

submitting the access to EURODAC data for law enforcement purposes to a prior judicial authorisation or as a minimum providing that the verifying authority shall perform its duties and tasks independently and shall not receive instructions as regards the exercise of the verification (see points 50-51),

adding the criterion of the ‘need to prevent an imminent danger associated with serious criminal or terrorist offences’ as exceptional case justifying the consultation of EURODAC data without prior verification by the verifying authority and introducing a concrete time limit for the ex-post verification (see points 53-54),

as regards the conditions of access, adding the conditions of (i) a prior consultation of the Visa Information System, (ii) a ‘substantiated suspicion that the perpetrator of a terrorist or other serious criminal offences has applied for asylum’ and (iii) the ‘substantial’ contribution for law enforcement purposes and clarifying what is understood by ‘reasonable grounds’ (see points 56-57),

describing in a recital the kind of situations justifying a direct access by Europol to the EURODAC Central Unit and providing that the strict conditions of access applying to national designated authorities also apply to Europol (see points 58-59),

ensuring that comparison of fingerprints for law enforcement purposes shall in any case be subject to at least the same safeguards foreseen for Dublin Regulation purposes (see point 62),

specifying more clearly the rules on retention or deletion of data (see point 64),

clarifying which additional information to the ‘hit’ will be communicated to EUROPOL if applicable (see points 65-66),

specifying the precise purpose(s) of the request by the Agency's Management Board of the comparisons with EURODAC data by Member State's law enforcement authorities as well as the anonymisation by law enforcement authorities of the data prior to their transmission to the Management Board and restoring the rules on professional secrecies (see points 67-68),

providing an access for the EDPS and Europol's supervisory authority to the records kept by the Agency and Europol respectively as well as the obligation to store records also for conducting regular self-auditing of EURODAC (see points 79 and 85),

clarifying the supervision of Europol's data processing activities (see point 81).

Other provisions

93.

The EDPS recommends:

replacing the Business Continuity System by the need for a Business Continuity Plan and providing a legal basis for implementing measures containing the modalities of such plan (see point 72),

ensuring that temporary or permanent impossibility to provide usable fingerprints shall not adversely affect the legal situation of the individual and shall in any case represent sufficient grounds to refuse to examine or to reject an asylum application (see point 73),

ensure consistency between the obligations of the Agency, the Member States and Europol to keep records and documentation of data processing activities (see point 77),

improving provisions on data security (see point 82),

including the EDPS for the submission of the Agency's annual report (see point 83),

adding in Article 43 an obligation on Member States and Europol to constantly update the information they have provided to the Commission and requiring that the Commission makes this information available to Member States, Europol and to the public ‘via a constantly updated electronic publication’ (see point 86).

Done at Brussels, 5 September 2012.

Peter HUSTINX

European Data Protection Supervisor


(1)  COM(2012) 254 final.

(2)  The last time, the EDPS was informally consulted by the Commission on an amendment of the EURODAC Regulation was in 2008.