Security database super-agency's powers should be limited, says EU privacy watchdog

Out-Law News | 08 Dec 2009 | 2:26 pm | 2 min. read

The European Commission should limit the expansion of an agency it plans to create to operate the European Union's visa and asylum databases, according to the EU's data protection watchdog, the European Data Protection Supervisor (EDPS).

EDPS Peter Hustinx is charged with advising EU governing bodies on data protection. He has said that he does not object to the creation of an Agency that would run three large EU databases, but that its powers must be limited from the start.

The Commission has proposed the creation of an agency to run the databases behind the second Schengen Information System (SIS II) on cross-border travel within the EU; the Visa Information System; and asylum seeker database EURODAC.

"The EDPS is not opposed to the creation of such an Agency, as long as certain possible risks, which could have great impact on the privacy of individuals, are sufficiently addressed in the founding legislative instrument(s)," said an EDPS analysis of the proposals.

The office of the EDPS said that it was worried about the expansion of the agency's powers because the Commission's proposal said that it would run the named databases and also "[manage] other large-scale IT projects".

Hustinx said he had concerns that the proposed agency would end up with a brief expanded beyond what is contained in the Commission's proposal, something that he said could be dangerous given the sensitivity of the kinds of data involved.

"The risk of mistakes or wrongful use of personal data may increase when more large-scale IT systems are entrusted to the same operational manager," said his just-published opinion. "The total number of large-scale IT systems managed by one and the same Agency should therefore be restricted to a number with which the data protection safeguards can still sufficiently be assured. In other words, the point of departure should not be to bring as many large-scale IT-systems as possible under the operational management of one Agency."

"The risk of function creep can be avoided if, first, the scope of (possible) activities of the Agency is limited and clearly defined in the founding legal instrument and, second, if it is ensured that any expansion of this scope will be based on a democratic decision making procedure, which normally is the ordinary legislative procedure," it said.

Hustinx urged the Commission to be specific in its creation of the agency to limit its powers.

"The creation of an Agency for such large-scale databases must be based on legislation which is unambiguous about the competences and the scope of activities of the Agency," he said. "Such clarity would prevent any future misunderstanding about the conduct of the agency and avoid the risk of function creep. As currently drafted, the proposals do not meet those standards."

In his opinion, Hustinx said that while the process proposed by the Commission for setting up the agency is an accountable one, the fault lies with the specifics of the proposal.

"The current Agency will be established on the basis of a Regulation which is adopted in accordance with the ordinary legislative procedure and is therefore subject to a democratic decision," it said. "The EDPS sees the advantages of creating an independent regulatory agency. The EDPS wishes to underline, however, that such an agency should only be established when the scope of its activities and its responsibilities are clearly defined."