European Data Protection Supervisor (EDPS) Peter Hustinx is charged with advising EU governing bodies
on data protection. He has said that he does not object to the
creation of an Agency that would run three large EU databases, but
that its powers must be limited from the start.
The Commission has proposed the creation of an agency to run the
databases behind the second Schengen Information System (SIS II) on
cross-border travel within the EU; the Visa Information System; and
the asylum seeker database EURODAC.
"The EDPS is not opposed to the creation of such an Agency, as
long as certain possible risks, which could have great impact on
the privacy of individuals, are sufficiently addressed in the
founding legislative instrument(s)," said an EDPS analysis of the
proposals.
The office of the EDPS said that it was worried about the
expansion of the agency's powers because the Commission's proposal
said that it would run the named databases and also "[manage] other
large-scale IT projects".
Hustinx said he had concerns that the proposed agency would end
up with a brief expanded beyond what is contained in the
Commission's proposal, something that he said could be dangerous
given the sensitivity of the kinds of data involved.
"The risk of mistakes or wrongful use of personal data may
increase when more large-scale IT systems are entrusted to the same
operational manager," said his just-published opinion. "The total
number of large-scale IT systems managed by one and the same Agency
should therefore be restricted to a number with which the data
protection safeguards can still sufficiently be assured. In other
words, the point of departure should not be to bring as many
large-scale IT-systems as possible under the operational management
of one Agency."
"The risk of function creep can be avoided if, first, the scope
of (possible) activities of the Agency is limited and clearly
defined in the founding legal instrument and, second, if it is
ensured that any expansion of this scope will be based on a
democratic decision making procedure, which normally is the
ordinary legislative procedure," it said.
Hustinx urged the Commission to be specific in its creation of
the agency to limit its powers.
"The creation of an Agency for such large-scale databases must be
based on legislation which is unambiguous about the competences and
the scope of activities of the Agency," he said. "Such clarity
would prevent any future misunderstanding about the conduct of the
agency and avoid the risk of function creep. As currently drafted,
the proposals do not meet those standards."
In his opinion, Hustinx said that while the process proposed by
the Commission for setting up the agency is an accountable one, the
fault lies with the specifics of the proposal.
"The current Agency will be established on the basis of a
Regulation which is adopted in accordance with the ordinary
legislative procedure and is therefore subject to a democratic
decision," it said. "The EDPS sees the advantages of creating an
independent regulatory agency. The EDPS wishes to underline,
however, that such an agency should only be established when the
scope of its activities and its responsibilities are clearly
defined."
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please contact us.