European & international law Law, criminology & political science: Multidisciplinary, general & others
Author, co-author :
VAVOULA, Niovi ; University of Luxembourg > Faculty of Law, Economics and Finance (FDEF) > Department of Law (DL) ; School of Law, Queen Mary, University of London, United Kingdom
External co-authors :
no
Language :
English
Title :
Interoperability of EU Information Systems: The Deathblow to the Rights to Privacy and Personal Data Protection of Third-Country Nationals?
5 For a detailed analysis see Niovi Vavoula, Immigration and Privacy in the Law of the European Union: The Case of Databases (Brill Nijhoff, forthcoming 2020).
6 For an overview see Niovi Vavoula, Databases for Non-EU Nationals and the Right to Private Life: Towards a System of Generalised Surveillance of Movement?, in EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., CUP, forthcoming 2019).
7 Articles 92–119 of the Convention Implementing the Schengen Agreement (CISA).
8 Regulation 2725/2000 [2000] OJ L316/1.
9 In specific, the SIS contains alerts on persons wanted for arrest; missing; sought to assist with a judicial procedure; to be served with a criminal judgment or other documents in connection with criminal proceedings; subject to discreet checks or specific checks. The system also stores data on objects (vehicles, boats, aircrafts and containers) for the purposes of discreet or specific checks, and for the purposes of seizure or use as evidence in criminal proceedings. As regards third-country nationals it records alerts on irregular migrants and third-country nationals who are convicted or suspected of committing a criminal offence carrying a custodial sentence of more than one year.
10 Regulation 604/2013 [2013] OJ L180/31.
11 Annaliese Baldaccini, Counter-Terrorism and the EU Strategy for Border Security: Framing Suspects with Biometric Documents and Databases, 10(1) EJML 31 (2008); Valsamis Mitsilegas, Immigration Control in an Era of Globalization: Deflecting Foreigners, Weakening Citizens, Strengthening the State, 19(1) IJGLS 3 (2012).
19 The revised VIS will expand to include records on long-stay visa applicants, residence permit and residence card holders. See COM(2018) 302 final (recast VIS Proposal). The Eurodac will store personal data on irregular stayers. See COM(2016) 272 final (recast Eurodac Proposal). The SIS II will include alerts on all return decisions and entry bans. See Regulation (EU) 2018/1861 [2018] OJ L312/14 and Regulation (EU) 2018/1860 [2018] OJ L312/1. For law enforcement purposes, there is also Regulation (EU) 2018/1862 (SIS II Regulations).
20 The fingerprint process is revised. Both the VIS and the Eurodac will store the fingerprints of third-country nationals over the age of six, whereas under the current rules the fingerprints are collected from individuals over the age of 12 (VIS) and 14 (Eurodac). Furthermore, as regards Eurodac, more categories of alphanumeric personal data will be collected. See Arts 10–12 of the recast Eurodac Proposal.
21 According to Art. 17 of the recast Eurodac Proposal, the database will store the records on persons found irregularly crossing the external border of the EU for five years as opposed to eighteen months. The SIS II increased the retention period of alerts from three to five years.
22 For example, both Eurodac and the SIS II store records on irregular migrants. The EES will monitor the movement of third-country nationals covered by the VIS and the ETIAS. Convicted individuals' data will be stored in both the SIS II and the ECRIS-TCN.
23 Databases could thus be conceived as the pieces of a puzzle. For further analysis see Vavoula, supra n. 6.
24 Article 9 of Regulation (EU) 2016/679 [2016] OJ L119/1 (General Data Protection Regulation); Art. 10 of Directive (EU) 2016/680 [2016] OJ L119/89.
25 Anil Jain, Ruud Bolle & Sharath Pankanti, Personal Identification in Networked Society (Kluwer 1999). For an analysis on implementing biometrics at the borders see Commission, Biometrics at the frontiers: Assessing the Impact on Society (2005).
26 Valsamis Mitsilegas, The Border Paradox: The Surveillance of Movement in a Union Without Internal Frontiers, in A Right to Inclusion and Exclusion? Normative Fault Lines of the EU's Area of Freedom, Security and Justice (Hans Lindahl ed., Hart 2009).
27 For an analysis see Niovi Vavoula, The Use of European Centralised Databases for Third-Country Nationals as Law Enforcement Weapons in the Fight against Impunity, in The Fight Against Impunity in EU Law (Luisa Marin & Stefano Montaldo eds, Hart, forthcoming 2020).
28 Council, Document 13176/01 (24 Oct. 2001).
29 COM(2001) 720 final, at 8.
30 The Hague Programme: Strengthening Freedom, Security and Justice in the European Union, OJ C53/1, para. 2.1.
31 Ibid., para. 1.7.2.
32 COM(2005) 597 final, at 3.
33 For a critique see Paul De Hert & Serge Gutwirth, Interoperability of Police Databases within the EU: An Accountable Political Choice?, 20(1–2) IRLCT 21, 22 (2006); EDPS, ‘Comments on the Communication of the Commission on interoperability of European databases' (10 Mar. 2006).
34 See for instance The Stockholm Programme – An Open and Secure Europe Serving and Protecting Citizens [2010] OJ C115/1, para. 4.2.2; Council, Document 6975/10 (01 Mar. 2010), pt 20.
35 Council, Document EUCO 28/15, at 3 (18 Dec. 2015).
36 Council, Document 7371/16 (24 Mar. 2016), pt 5.
37 COM(2016) 205 final, at 3–4.
38 Ibid., at 14.
39 Commission Decision [2016] OJ C257/3.
40 Council, Document 9368/1/16, at 5 (06 June 2016). See also Council, Document 7711/16 (12 Apr. 2016).
41 Ibid., at 4.
42 COM(2016) 194 final (EES Proposal).
43 COM(2016) 731 final (ETIAS Proposal).
44 Recast Eurodac Proposal, supra n. 19.
45 For a discussion on interoperability prior to the EES proposal of 2013 see Council, Document 13801/13 (19 Sept. 2013). See Art. 8 of the EES Regulation.
46 Recast Eurodac Proposal, supra n. 19, at 5.
47 See Art. 11 of the ETIAS Regulation.
48 Julien Jeandesboz, Susie Alegre & Niovi Vavoula, European Travel Information and Authorisation System (ETIAS): Border Management, Fundamental Rights and Data Protection (Study for the European Parliament, PE 583.148, 2017).
49 HLEG, Final report (May 2017). Option 2 regarding interconnectivity was to be considered on a case-by-case basis.
50 COM(2017) 793 final (collectively Interoperability Proposals).
51 COM(2017) 794 final (collectively Interoperability Proposals).
52 COM(2018) 478 final; COM(2018) 480 final.
53 It is worth noting that two more Commission Proposals were adopted in early 2019 so as to align the rules on interoperability between the ETIAS, the SIS II and the ECRIS-TCN. See COM(2019) 3 final; COM(2019) 4 final.
54 Interoperability Proposals, supra nn. 50–51, at 2.
55 Articles 6–11.
56 Recital 15.
57 Articles 12–16.
58 Els Kindt, Privacy and Data Protection Issues of Biometric Identifiers 98 (Springer 2013).
59 Articles 25–36.
60 Recital 39 and Art. 25.
61 Article 33.
62 Article 30.
63 Article 31.
64 Article 32.
65 Articles 17–24.
66 Article 17(1).
67 Article 22.
68 De Hert & Gutwirth, supra n. 33, at 27.
69 COM(2010) 385 final, at 3. ‘The compartmentalised structure of information management that has emerged over recent decades is more conducive to safeguarding citizens' right to privacy than any centralised alternative'.
70 Pascal Kolkman & Robert van Kralingen, Privacy en nieuwe technologie, in Privacyregulering in theorie en praktijk 410 (J. M. A. Berkvens & Corien Prins eds, Kluwer 2007).
71 Kindt, supra n. 58, at 94–100. See Mirja Gutheil et al., Interoperability of Justice and Home Affairs Information Systems (Study for the European Parliament, PE604.947, 2018).
72 Article 29 Working Party, Working Document on Biometrics 5 (WP80, 2003).
73 Recital 26.
74 Michel Foucault, Discipline and Punish – The Birth of Prison (Editions Gallimard 1975). In the context of databases see Dennis Broeders, The New Digital Borders of Europe: EU Databases and the Surveillance of Irregular Migrants, 22 Int'l Soc. 71 (2007).
75 Interoperability Proposals, supra nn. 50–51, at 2.
76 In reality, these catalogues may even amount to permanent registrations (e.g. frequent travellers whose personal data are stored in the EES, or apply for authorization via the VIS or the ETIAS).
77 Opinion 1/15 (26 July 2017) ECLI:EU:C:2017:592, paras 186–189.
78 Ibid.
79 Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v. Ireland (08.04.2014) ECLI:EU: C:2014:238.
80 Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v. Post-och telestyrelsen (C-203/15) and Secretary of State for the Home Department v. Tom Watson, Peter Brice, Geoffrey Lewis (C-698/15) [2016] ECLI:EU: C:2016:970.
81 Digital Rights Ireland, supra n. 79, paras 56–59; Tele2 Sverige and Watson, supra n. 80, para. 105.
82 COM(2010) 385 final, at 3.
83 Article 29 Working Party, Opinion on Commission proposals on establishing a framework for interoperability between EU information systems in the field of borders and visa as well as police and judicial cooperation, asylum and migration, WP266 4 (2018).
84 See Recitals 17, Arts 6(1), 18(3).
85 European Data Protection Supervisor, Opinion on the Communication of the Commission on Interoperability of European Databases (10 Mar. 2006).
86 See Art. 2(c) of the VIS Regulation and Art. 6(1)(i) of the EES Regulation.
87 HLEG, supra n. 49, at 53.
88 Article 20(1). The age limit was added at the behest of the Parliament. Identity checks for minors below the age of 12 are permitted if it is in the best interests of the child.
89 Ibid. Compare to the Commission Proposals where these circumstances were not listed. See Council, Document 14691/18, 163–170 (10 Dec. 2018).
90 Article 20(3).
91 Article 20(5).
92 Tony Bunyan, The ‘Point of No Return' Interoperability Morphs into the Creation of a Big Brother Centralised EU State Database Including All Existing and Future Justice and Home Affairs Databases, Statewatch, http://statewatch.org/analyses/no-332-eu-interop-morphs-into-central-database-revised.pdf (accessed 10 Aug. 2019).
93 Article 1 of the SIS II Regulations.
94 In line with Art. 21 of the Schengen Borders Code.
95 Joined cases C-188/10 and C-189/10 Aziz Melki (C-188/10) and Sélim Abdeli (C-189/10) [2010] ECLI:EU:C:2010:363, paras 69–70.
96 Case C-9/16 A v. Staatsanwaltschaft Offenburg (21 June 2017) ECLI:EU:C:2017:483, para. 46.
97 European Data Protection Supervisor, Opinion 4/2018, at 12–13.
98 Ibid.
99 Article 29 Working Party, supra n. 83, at 11.
100 See Teresa Quintel, Interoperability of EU Databases and Access to Personal Data by National Police Authorities under Article 20 of the Commission Proposals, 4 EDPLR 470 (2018).
101 Article 20(5).
102 This has also not been done by the EU Court of Justice. See Case C-278/12 PPU Atiqullah Adil (19 July 2012) ECLI:EU:C:2012:508.
103 Directive 2006/24/EC [2006] OJ L105/54.
104 Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v. Ireland (08 Apr. 2014) ECLI:EU: C:2014:238.
105 Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v. Post-och telestyrelsen (C-203/15) and Secretary of State for the Home Department v. Tom Watson, Peter Brice, Geoffrey Lewis (C-698/15) [2016] ECLI:EU: C:2016:970.
106 Paragraph 66. This view is shared by the Art. 29 Working Party, supra n. 83, at 12; EDPS, supra n. 97, at 13 and the Fundamental Rights Agency, Opinion 1/2018, at 26–27.
107 See EDPS, supra n. 106, at 62; Art. 29 Working Party, supra n. 83, at 11.
108 See also Niovi Vavoula, Interoperability of European Centralised Databases: Another Nail in the Coffin of Third-Country Nationals' Privacy?, EU Immigration and Asylum Law and Policy, http://eumigration lawblog.eu/interoperability-of-european-centralised-databases-another-nail-in-the-coffin-of-third-country-nationals-privacy/ (accessed 10 Aug. 2019).
109 For the SIS II see, Notices from Member States [2019] OJ C222/1. For Eurodac see eu-LISA, List of designated authorities which have access to data recorded in the Central System of Eurodac pursuant to Art. 27(2) of the Regulation (EU) No 603/2013, for the purpose laid down in Art. 1(1) of the same Regulation (Apr. 2019). The list of authorities that are granted access to Eurodac for law enforcement purposes is not publicly accessible. For the VIS see Notices from Member States [2016] OJ C187/4; Notices from Member States [2013] OJ C236/1.
110 Article 5(1) of the recast Eurodac Regulation.
111 The findings are part of an ongoing project carried out by Didier Bigo, Elspeth Guild and Niovi Vavoula.
112 As defined in Directive (EU) 2017/541 [2017] OJ L88/6.
113 Serious crimes are deemed those listed in Art. 2(2) of Framework Decision 2002/584/JHA [2002] OJ L190/1.
114 Whereas the rules are relatively similar, discrepancies remain. For example, in the cases of Eurodac, the EES and the ETIAS prior consultation of national fingerprint databases, as well as the automated fingerprinting identification systems (AFIS) of other Member States must have been conducted (albeit with exceptions).
115 In the case of the EES and ETIAS, either ‘evidence' or ‘reasonable grounds' are required. See Art. 32(1) (c) of the EES Regulation and Art. 52(1)(c) of the ETIAS Regulation.
116 For an analysis see Vavoula, supra n. 27.
117 Compare Art. 5(1) of the recast Eurodac Regulation with Art. 3 of the VIS Decision, Art. 29 of the EES Regulation and Art. 50 of the ETIAS Regulation.
118 Council, Document 5456/1/07 (20 Feb. 2007).
119 Compare Art. 5 of the VIS Decision, Art. 20 of the recast Eurodac Regulation, Art. 32 of the EES Regulation, Art. 52 of the ETIAS Regulation.
120 Fundamental Rights Agency, Fundamental Rights and the Interoperability of EU Information Systems: Borders and Security 25–26 (2017).
121 Interoperability Proposals, supra nn. 50–51, at 23 and 45.
122 See Art. 4(2) of the VIS Decision, Art. 19(3) of the recast Eurodac Regulation, 31(2) of the EES Regulation, 51(4) of the ETIAS Regulation.
123 eu-LISA, VIS Technical Report 2018, at 26.
124 Ibid., at 26 and 29.
125 eu-LISA, Eurodac – 2018 Statistics, at 8.
126 The Evaluation of the VIS speculates that the relative novelty of the system, lack of awareness among potential users and technical and administrative difficulties account for these discrepancies. See COM (2016) 655 final, at 12.
127 There is no information as to whether more Member States attempt to have access but are denied so by the verifying authority.
128 Digital Rights Ireland, supra n. 79, para. 35. See the judgment of the European Court of Human Rights in Weber and Saravia v. Germany (2008), 46 EHRR SE5.
129 Digital Rights Ireland, supra n. 79, para. 62; Tele2 Sverige and Watson, supra n. 80, para. 120.
130 European Data Protection Supervisor, Opinion 4/2018, at 17. See also Teresa Quintel, Connecting Personal Data of Third Country Nationals: Interoperability of EU Databases in the Light of the CJEU's Case Law on Data Retention, University of Luxembourg Working Paper 2/2018, SSRN Paper https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3132506 (accessed 10 Aug. 2019).
131 Vavoula, supra n. 5. See Fundamental Rights Agency, supra n. 106, at 30. See as regards the SIS II see also COM(2016) 880 final, at 11.
132 eu-LISA, ‘VIS Report pursuant to Article 50(3) of Regulation (EC) No 767/2008 – VIS Report pursuant to Article 17(3) of Council Decision 2008/633/JHA' (2016) 10.
133 Inaccurate Data in Schengen System ‘Threatens Rights', euobserver, https://euobserver.com/tickers/140468 (accessed 10 Aug. 2019).
134 Evelien Brouwer, Interoperability and Interstate Trust: A Perilous Combination for Fundamental Rights, EU Immigration and Asylum Law and Policy, https://eumigrationlawblog.eu/interoperability-and-inter state-trust-a-perilous-combination-for-fundamental-rights/ (accessed 10 Aug. 2019). For the implications of false matches see Case C-291/12 Schwarz v. Stadt Bochum (17 Oct. 2013) ECLI:EU: C:2013:670.
135 Recital 48 and Art. 37.
136 Compare Art. 67 of Regulation 2018/1862, Arts 52–53 of Regulation 2018/1861 (both on the SIS II), Arts 37–38 of the VIS Regulation, Art. 14 of the VIS Decision, Art. 29 of the recast Eurodac Regulation, Arts 50–52 of the EES Regulation, Art. 64 of the ETIAS Regulation, Art. 25 of the ECRIS-TCN Regulation.
137 For example, as regards the VIS see COM(2016) 655 final, at 12.
138 Article 49.
139 Council Decision 2008/615/JHA [2008] OJ L210/1.
140 Directive (EU) 2016/681 [2016] OJ L119/132. This fits within the emergence of a Travel Intelligence Architecture. See Statewatch, Europol foresees key role in ‘the EU travel intelligence architecture', http://www.statewatch.org/news/2018/nov/eu-pnr-iwg-update.htm (accessed 10 Aug. 2019).
141 Directive 2004/82/EC [2004] OJ L 261/24.
142 HLEG, supra n. 49, at 38–40.
143 Interoperability Proposals, at 5.
144 Council, Document 5574/19 (29 Jan. 2019).
145 Ben Hayes, NeoConOpticon: The EU Security-Industrial Complex 35 (Transnational Institute/Statewatch 2009). See Katja Lindskov Jacobsen, Making Design Safe for Citizens: A Hidden History of Humanitarian Experimentation, 14(1) Citizenship Stud. 89 (2010).
146 Bunyan, supra n. 92; EDPS, supra n. 97, at 10.
