In recent years, the Commission has proposed several initiatives aimed at ensuring EU borders remain safe and secure. Though we support these efforts, it is vital to ensure that the proposals fully respect the fundamental rights of those concerned, the European Data Protection Supervisor (EDPS) said today, as he issued his Opinion on the proposed European Travel Information and Authorisation System (ETIAS). The proposal would require visa-exempt travellers to undergo a risk assessment with respect to security, irregular migration and public health before entering the EU.
Giovanni Buttarelli, EDPS, said: “The ETIAS proposal involves collecting personal data from visa-exempted travellers to the EU and checking it against a dedicated ETIAS watchlist, screening rules and information stored in other EU databases. The EDPS understands the need for the EU to better address the challenges of migration, borders and refugees. However, as the information gathered will be used to grant or deny individuals access to the EU, based on the migration, security or health risks they may pose, it is vital that the law clearly defines what these risks are and that reliable methods are used to determine in which cases they exist.”
The proposal provides for the establishment of screening rules, a profiling tool that would enable the ETIAS system to single out individuals suspected of posing such risks. In his Opinion, the EDPS stresses that profiling techniques, as with any other form of computerised data analysis, raise serious technical, legal and ethical questions, related to their transparency and accuracy, and calls on the Commission to produce convincing evidence establishing the need for their inclusion and use in the ETIAS system.
The EDPS also stresses the need to conduct a thorough assessment of the impact this proposal will have on the rights to privacy and data protection. The assessment must take into account all existing EU-level policies in the areas of migration and security in order to determine whether the measures proposed, and the implications they have for the privacy of the individuals concerned, are truly necessary, given the resources already available in this area.
The ETIAS proposal is one of several initiatives currently under consideration by EU legislators aimed at improving control over who is able to enter the EU. It seems to follow a recurring trend in EU border management policy, which seeks to address the problems of migration and security as joint concerns. It is important to recognise that border management and law enforcement are distinct objectives, with different implications for data protection and privacy.
The EDPS recognises that the challenges posed by increased migration and the threat to security require a new and improved approach to EU border policy. However, securing our borders must not come at the expense of protecting fundamental rights. EU policymakers must find a balance between the two in order to ensure a consistent and effective approach to EU border policy.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8)
Impact assessments: examine whether there is a need for EU action and analyse the possible impacts of legislative and non-legislative proposals. These are carried out during the preparation phase, before the Commission finalises a proposal for a new law. They provide evidence to inform and support the decision-making process.