EU privacy chief wants tweaks to anti-terror database plan

The VIS, also known as the Visa Information System, is intended to be a system for the exchange of visa data between Member States and is primarily an instrument to support the common visa policy. It will also facilitate checks at the external borders and within the Member States, assisting the exchange of data between Member States on applications and on the decisions in respect of those applications.

The EDPS – the person responsible for monitoring the processing of personal data by the Community institutions and bodies – has issued an Opinion on a proposal, released in November, for a Council Decision that will set out how and when Europol and the security agencies of Member States will be entitled to access the VIS.

According to the EDPS, Peter Hustinx, "The VIS database will be the biggest cross border one in Europe. Some 20 million new entries per year, regarding people who apply for a Schengen visa, are foreseen. It is of utmost importance that data protection is taken seriously for these, a priori, innocent people".

In general terms, the proposed Council Decision allows agencies to access VIS in the course of their duties in relation to the prevention, detection and investigation of criminal offences, including terrorist acts and threats, subject to strict compliance with the rules governing the protection of personal data.

According to Hustinx, the Commission proposal pays considerable attention to data protection, requiring that access can only be granted in specific circumstances, on a case-by-case basis, and accompanied by strict safeguards.

This is welcome, says Hustinx, although improvements could be made. In particular he suggests that:

• The conditions for access must be read cumulatively and access should only be granted if it would 'substantially' contribute in a specific case;
• Equivalent data protection must be granted if an authority of a member state that does not apply the VIS regulation accesses the database;
• The 'purpose of travel' and the photograph of the visa holder or applicant should only be made available as supplementary information; and
• Data protection requirements shall be supervised in a coordinated way and self-auditing provisions shall be introduced.

The VIS database is not the only EU-wide database that may be affected by increased access requirements in the current political climate.

The Schengen Information System, which governs the movement of people within certain EU borders, and EURODAC, which retains the fingerprints of anyone over the age of 14 who applies for asylum in the EU (except Denmark, for the time being), in Norway and in Iceland, are increasingly being seen as key security tools within the EU.

According to the EDPS, therefore, his current Opinion is an important one, as it is likely to be a precursor in the field of granting law enforcement authorities access to large scale information and identification systems.