Opinion on the Commission Decision of 12 December 2007 concerning the implementation of the Internal Market Information System (IMI) as regards the protection of personal data (2008/49/EC), OJ C 270, 25.10.2008, p. 1
This Opinion is part of the broader EDPS efforts to improve the data protection safeguards for this large-scale IT system operated by the European Commission to facilitate information exchanges between competent authorities in Member States in the area of internal market legislation.
The EDPS supports the establishment of this electronic system for the exchange of information. Nevertheless, establishment of a centralized electronic system also creates certain risks. These include, most importantly, that more data might be shared and more broadly than strictly necessary for the purposes of efficient cooperation, and that data, including potentially outdated and inaccurate data, might remain in the electronic system longer than is necessary. The security of a database accessible in 27 Member States is also a sensitive issue, as the system is only as safe as the weakest link in the network permits it to be.
In the Opinion, the EDPS questions the adequacy of the legal basis chosen for the adoption of the IMI Decision. The EDPS recommends that the Commission replaces the IMI Decision by a legal instrument that fulfils the requirement of legal certainty. As an ultimately most sound solution, the EDPS suggests adopting a separate legal instrument for the IMI-system, at the level of the Council and the European Parliament, similar to the Schengen Information System, Visa Information System and other large-scale IT databases.
Additionally, the Opinion provides for a number of suggestions on the provisions regulating the data protection aspects of IMI. These recommendations relate to transparency and proportionality, joint control and allocation of responsibilities, notice to data subjects, rights of access, objection, and rectification, data retention, security measures and joint supervision.