Several different large-scale IT databases are used by the EU to facilitate police cooperation and to help manage borders and migration. The EU aims to improve the efficiency of these databases by making them more interoperable, or capable of communicating and exchanging information. While we endorse attempts to develop a more coherent approach to border management and cooperation, this is a complex topic. Any new proposal must ensure full respect for data protection rules, the European Data Protection Supervisor (EDPS) said as he published his contribution to the debate on interoperability.
Giovanni Buttarelli, EDPS, said: “Interoperability, when implemented in a well-considered manner, could help to increase the efficiency of information-sharing in the EU, as well as to reduce the costs associated with operating the EU’s large-scale IT systems. Interoperability may even act in the interest of data protection, helping to ensure that the data held in these systems is up to date. We welcome the EU’s efforts to explore a more coherent approach to borders and security and will work with them to help ensure that any new measures fully respect the fundamental right to data protection.”
Making the exchange of data technically feasible becomes, in many cases, a powerful drive for the exchange of these data. Interoperability may therefore lead to the development of new data processing activities, involving the exchange or cross matching of data. As a clear legal basis for doing this does not currently exist, a new legal basis for processing would need to be established.
The EDPS looks forward to the publication of the Commission’s forthcoming legislative proposal. He encourages the Commission to clearly define the problems interoperability aims to solve and to plainly set out the specific categories of data to be processed and the purpose for doing so. Only once this information is available can the current debate on the impact of interoperability on our fundamental rights move forward.
If it is to be fully compliant with data protection rules, the EDPS recommends that any proposal involving new forms of data processing must be shown to be both necessary and proportionate in relation to clearly stated objectives. Once this has been established, compliance with data protection rules must then be ensured through the application of principles such as data protection by design and by default and the implementation of appropriate security measures.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.
Large-scale IT systems: databases created by the EU are considered to be large-scale according to the number of people using the system for different purposes, the amount of data collected, stored, accessed, manipulated and the number of connections between components, among other things. SIS II, VIS and Eurodac are three examples of large-scale IT systems in the area of border and police control.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.
EU Data Protection Reform package:
On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
- a general Regulation on data protection which was adopted on 24 May 2016, applicable as of 25 May 2018; and
- a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU). Member States have two years to ensure that they are fully implementable in their countries by May 2018.