The European Data Protection Supervisor (EDPS) criticised the way the European Commission prepares the interconnection between the European Travel Information and Authorisation System (ETIAS) established in late 2018 (see eucrim 2/2018, 82/84) and the other four EU information systems, i.e., the SIS, ECRIS-TCN, VIS, and EES. On 13 March 2019, the EDPS commented on two Commission proposals presented on 7 January 2019 that changed regulations of the information systems in order to make them ready for interoperability with ETIAS.

The EDPS disagrees with the Commission’s stance that the proposals only contain “limited technical adjustments.” The EDPS believes that the Commission proposals do not sufficiently protect the purpose limitation principle, especially as regards interconnectivity with the ECRIS-TCN. The ECRIS-TCN stands for the reform of the European Criminal Record System, which will also include information on convicted third-country nationals and stateless persons. The Council and the European Parliament already reached agreement on the new rules, which are currently being formally finalised.

The EDPS recalls that ECRIS-TCN contains very sensitive data and is a tool to support judicial cooperation. Using it for border management purposes would entail a major change of the system’s purpose as defined in the constituent legal act (as currently agreed). If the EU pushes through the Commission proposal, this would mean a “function creep.” This means that the use of a system or database is gradually extended beyond the purpose for which it was originally intended. The EDPS is concerned about this trend. He calls on the Commission to carry out a proper data protection assessment of its proposals − to be conducted in full transparency.