Data Protection Experts Give Critical Statement on Planned Interoperability
On 11 April 2018, the Article 29 Data Protection Working Party (WP29) adopted its opinion on the Commission proposals to establish a framework of interoperability between the EU information systems in the field of borders and visas and police and judicial cooperation, asylum and migration (for the legislative proposals, see eucrim 4/2017, pp. 174-175). The opinion must be seen in the context of other, nearly parallel statements issued by the EDPS and the EU’s Agency for Fundamental Rights.
The WP29 opinion gives a detailed, critical analysis of the proposed architecture and its components, access rights, the data protection regime, coordination of the supervision, specific safeguards for children, the elderly and disabled persons, data retention and the keeping of logs, and data security.
In general, the WP29 criticises the proposal not having made an impact assessment of data protection aspects. In particular, the Commission failed to explain which data protection regime will apply to which operation.
Specifically, the WP29 opinion concludes, inter alia, the following:
- The creation of a common, central database for the purpose of overall identification, the Common Identity Repository (CIR), which includes biometric data, is not necessary and proportionate;
- The impact of identity fraud on the internal security of the Union has not been sufficiently established;
- Access rights for police officers with regard to overall identity checks is regulated in a disproportionate manner so far, particularly lacking safeguards to justify the use of data for additional law enforcement purposes;
- The controllership of the EU database must be regulated more precisely and clearly concerning the applicable data protection regime;
- Specific, additional protection should be introduced as regards data processing involving children, the elderly, and disabled persons;
- Retention periods must be more strongly justified;
- In terms of data security, better security measures are needed, in particular for sensitive data, such as biometric data;
- Coordination of supervision should be placed under the responsiblity of the European Data Protection Board (EDPB).
In view of the numerous concerns, the WP29 calls upon the Commission and the Union’s legislator to provide an analysis of less intrusive means to reach the goals set in the proposals, so that the choices made and the proportionality principle can be justified. Furthermore, the WP29 recommends substantially amending the proposed law during the negotiations to ensure better data protection safeguards and enhanced legal certainty.
It should be noted that, as from 25 May 2018, the WP29 has been replaced by the European Data Protection Board (EDPB) under the EU General Data Protection Regulation. The WP29 was made up of a representative of the data protection authorities from each EU Member State and the EDPS. Its main tasks were to advise the European Commission on data protection questions of EU legislation and to promote the consistent application of the EC’s Data Protection Directive 95/46.