Police data sharing must respect privacy principles

The EDPS, Peter Hustinx, has been considering the implications of the Commission’s Communication on improved effectiveness, enhanced interoperability and synergies among European databases in the area of Justice and Home Affairs.

The Communication was published in November and covers, in general, three European databases:

• The planned Visa Information System (VIS) intended to be a system for the exchange of visa data between Member States and thus primarily an instrument to support the common visa policy. It will also facilitate checks at the external borders and within the Member States, assisting the exchange of data between Member States on applications and on the decisions in respect of those applications;
• The Schengen Information System (SIS) – the system that currently enables competent authorities to obtain information regarding certain categories of persons and property in relation to the free movement of people and police cooperation. SIS II will replace the current intergovernmental Schengen Information System with EU legislation and enable the enlargement of the Schengen area to the new Member States; and
• EURODAC – which stores the fingerprints of anyone over the age of 14 who applies for asylum in the EU (except Denmark, for the time being), in Norway and in Iceland. It was created in the context of the development of an asylum policy common to all the Member States of the European Union.

The Commission’s Communication tackles the technical issues involved in the interoperability and synergies among these systems and goes on to show how these systems could, in addition to their existing roles, more effectively underpin the policies linked to the free movement of persons and contribute to the fight against terrorism and organised crime.

The Communication also looks into the possibility of taking forward other initiatives, for example the establishment of a system for monitoring entry and exit movements and a system making it easier for frequent travellers to cross external borders, or the creation of a European criminal Automated Fingerprints Identification System (AFIS).

But according to the EDPS, there are a few data protection concerns with the proposals.

The EDPS is concerned, firstly, that the term ‘interoperability’ is not properly defined in the Communication. He finds that the term is used in the context of both the “common use of large scale IT systems, but also with regard to possibilities of accessing or exchanging data, or even of merging databases”.

This is regrettable, says Hustinx, as different types of interoperability require different safeguards. The problem is acute since the Commission plans to create new objectives for the systems that will go beyond their original purposes and impact upon data protection in new ways.

"The Commission argues that interoperability is a technical rather than a legal or political concept,” he says. “This is confusing and only serves to avoid fundamental issues. Interoperable systems increase the risks for citizens, if such systems allow for new access to their personal data. It is essential to examine this more carefully and not hide it as a technicality".

The EDPS is also concerned at the proposed use of biometric data, such as fingerprints – or perhaps even DNA – as a unique identification key. The accuracy of biometrics is overestimated in this respect and it will facilitate unwarranted interconnection of databases, he says.

Hustinx underlines that he needs to be consulted on any legislative proposals that may stem from the Communication. He also makes some specific observations, such as welcoming the Commission's analysis that there shall be a much higher threshold for access when internal security authorities query databases in other domains than when they query criminal databases.