New alerts on criminals and return decisions; greater vigilance for terrorist offences; better protection for children at risk of abduction; and enhanced data protection. These are the main features of the new legal framework for the EU’s largest security database, the Schengen Information System (SIS). The new rules aim at better effectiveness and efficiency of the system’s second generation (SIS II), whose legal bases stem from 2006/2007 and which became fully operational in 2013.

The reform proposal presented by the Commission on 21 December 2016 (see eucrim 1/2017, p. 7) was adopted in November 2018 by the Council. The European Parliament had already agreed to the political compromise found during the trilogue negotiations in October 2018.

The new legal framework was published on 7 December 2018 in the Official Journal (O.J. L 312). It consists of three regulations:

• Regulation (EU) 2018/1860 on the use of the Schengen Information System for the return of illegally staying third-country nationals;
• Regulation (EU) 2018/1861 on the establishment, operation and use of the SIS in the field of border checks;
• Regulation (EU) 2018/1862 on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU.

The three legal instruments were considered necessary because of the distinct EU Member States’ participation in EU policies in the Area of Freedom, Security and Justice. The regulations emphasise, however, that this separation does not affect the principle that SIS constitutes one single information system that should operate as such.

In general, the new rules pursue the following objectives:

• Ensuring a high level of security;
• Increasing the efficiency of the SIS;
• Protecting the free movement of persons from abuse;
• Improving the exchange of information;
• Making the SIS a central tool for fighting terrorism and serious crime;
• Supporting border and migration management;
• Preparing the SIS for its interoperability with other large-scale EU information systems, such as the VIS, Eurodac, ETIAS, and EES.

The SIS continues to cover three areas of competence:

• Security cooperation, allowing police and judicial authorities to establish and consult alerts on persons or stolen objects in relation to criminal offences;
• Border and migration management, enabling border and migration authorities to control the legality of third-country nationals’ stays in the Schengen area;
• Vehicle control, granting vehicle registration authorities access to information about vehicles, number plates, or vehicle registration documents in order to check the legal status of vehicles.

The following gives an overview of the new features of the legislation, in particular as regards Regulation 2018/1862 on the operation and use of the SIS for police and judicial cooperation in criminal matters:

New Alerts:

• Introduction of a new alert category of “unknown wanted persons” connected to a serious crime, e.g., persons whose fingerprints are found on a weapon used in a crime;
• Extension of the existing category of “missing persons” to “vulnerable persons who need to be prevented from travelling,” e.g., children at high risk of parental abduction, children at risk of becoming victims of trafficking in human beings, and children at risk of being recruited as foreign terrorist fighters;
• Creation of the new category “inquiry check” allowing national law enforcement authorities to stop and interview a person in order for the issuing Member State to obtain detailed information;
• Introduction of the category of “objects of high value,” e.g., items of information technology, which can be identified and searched with a unique identification number.

Greater Vigilance over Terrorist Offences:

• Obligation for Member States to create SIS alerts for cases related to terrorist offences;
• Obligation to inform Europol of hits alerts linked to terrorism in order to help to “connect the dots” of terrorism at the European level.

Types of Data – Use of Biometrics:

• New rules on more effective use of existing biometric identifiers, i.e., facial images, fingerprints, palm prints, and DNA profiles;
• Use of facial images for biometric identification;
• Use of DNA profiles when searching for missing persons who need to be placed under protection;

Law Enforcement Access:

• Immigration authorities allowed to consult SIS in relation to irregular migrants who were not checked at a regular border control;
• SIS granted access to boat and aircraft registration authorities;
• SIS granted access to services responsible for registering firearms in order to allow them to verify whether the firearm is being sought for seizure in Member States or whether there is an alert on the person requesting the registration;
• Europol’s access rights extended to give it full access to the system, including missing persons, return alerts, and alerts in relation to third-country nationals;
• European Borders and Coast Guard Agency and its teams granted access to all SIS categories, insofar as it is necessary for the performance of their tasks and as required by the operational plan for a specific border guard operation.

Enhanced Data Protection and Data Security:

• Introduction of additional safeguards to ensure that the collection and processing of, and access to, data is limited to what is strictly necessary and operationally required;
• Applicability of and adaptation to the new EU data protection framework, in particular Directive 2016/680 and the GDPR;
• Coordination and end-to-end supervision by the national data protection authorities and the European Data Protection Supervisor.

Regulation 2018/1860 establishes an effective system, so that return decisions issued in respect of third-country nationals staying illegally on the territory of the Member States can be better enforced and third-country nationals subject to those decisions can be monitored.

Regulation 2018/1861 establishes the conditions and procedures for the entry and processing of SIS alerts on third-country nationals and for the exchange of supplementary information/additional data for the purpose of refusing entry into/stay on the territory of the Member States. Member States will, inter alia, be obliged to insert into the SIS any entry bans issued to third-country nationals preventing them from entering into the Schengen area.

The regulations contain specific rules as regards the EU Member States having a special status with Schengen and measures in the area of freedom, security and justice of the TFEU, e.g., Denmark, Ireland, Croatia, Bulgaria, Romania, and Cyprus.

As regards the entry into force of the new SIS rules, the regulations follow a step-by-step approach: Several improvements to the system apply immediately upon entry into force of Regulations 2018/1861 and 2018/1862 (i.e., 27 December 2018), whereas others will apply either one or two years after entry into force. The said regulations should apply in their entirety within three years after entry into force − and by 28 December 2021 at the latest. Regulation 2018/1860 will apply from the date set by the Commission.

The SIS is the most widely used security database in Europe, with over 5 billion consultations in 2017 and currently contains around 79 million records. It is estimated that further enhancement of the SIS by the new legal framework will cost the EU around €65 million by 2020. Each EU Member State will reportedly receive a lump sum of €1.2 million to upgrade its national system. The EU agency eu-LISA will be responsible for technical improvements and operation of the system.