The
EDPS is Peter Hustinx, the person responsible for monitoring the
processing of personal data by the Community institutions and
bodies. His 26-page opinion on three proposals related to the
Second Generation Schengen Information System, known as SIS II, was
published today.
Hustinx welcomed some aspects of the proposals, including
measures in favour of victims of identity theft and a better
definition of the grounds for alerting individuals for the purpose
of refusing entry to a country.
But he commented that "additional safeguards" were necessary to
balance the new functionalities and widened access introduced by
the Commission proposals. "It is essential that a consistent and
high level of data protection is ensured, thereby providing legal
certainty to all people concerned," he said.
SIS is the system that currently enables competent authorities
to obtain information regarding certain categories of persons and
property in relation to the free movement of people and police
cooperation. SIS II will replace the current intergovernmental
Schengen Information System with EU legislation and enable the
enlargement of the Schengen area to the new Member States.
The three proposals provide for a complex framework in which one
single information system – the SIS II – will rely on different
legal bases. The data protection regime therefore becomes highly
complex. The proposals are also linked to legislation which is not
yet adopted. Hustinx warned that this results in a legal
uncertainty which is unacceptable for the people concerned.
"Given this legal context and the great impact of the proposals
for the people concerned, it is regrettable that the European
Commission has not elaborated an explanatory memorandum or a proper
impact assessment study," he wrote.
The SIS II proposals, just as the Proposal for a Visa
Information System (VIS), provide for the possibility to process
biometric data (fingerprints and photographs). The EDPS notes again
that the reliability of biometrics seems to be overestimated. The
possibility to process biometric data requires a careful
consideration of the risks involved as well as specific safeguards
which can match those risks, he argued.
Access is currently based on the principle that only an
(authorised) authority is granted access in order to perform an
(authorised) action. However, the proposed rules may also provide
for access to data by an authority which is not competent to take
the action foreseen in the alert, and thus only 'for information'.
This constitutes a fundamental change to the current system and
increases the risks of abuse, which necessitates even more
stringent safeguards.
Another element of the proposals that increases the risks for
the data subjects is the interlinking of alerts. Although this may
be a useful investigation tool, it may also lead to incorrect
conclusions and unfair treatment of innocent persons. In no case
should the introduction of SIS II result in the situation whereby
the national provisions on access to data are diluted: if, for
instance, a police officer in a Member State is currently refused
access to immigration data, he or she shall not be granted it by
the introduction of SIS II.
The question of data quality deserves particular attention. The
Joint Supervisory Authority of Schengen has reported that during
investigations in some Member States, it emerged that more than 30%
of the immigration data was incorrect or outdated. Adequate rules
on the rights of the data subject are crucial in this respect, said
Hustinx.
Finally, he found that the supervisory tasks of the national
data protection authorities with respect to SIS II are not fully
consistent.
"There is some fuzziness in the attribution of competences
between Member States and the Commission," he wrote. "Clarity is
paramount as it is not only necessary for the smooth running of the
system, but also a basic requirement to ensure a comprehensive
supervision of the system."
