23 January 2019
European data protection authorities have strongly criticised the European Commission's proposals to extend the Visa Information System (VIS), arguing that the lowering of the fingerprinting age for children, access to visa data by law enforcement authorities and the storage of long-stay visas and residence permits in the database fail to meet basic data protection and fundamental rights standards.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
In a letter sent on 19 December 2018 but circulated in the Council the following day, the VIS Supervision Coordination Group (SCG, made up of the data protection authorities of all EU Member States participating in the VIS) made a number of proposals to the Member States.
The Council, however, reached its position for negotiations with the European Parliament on 19 December - and its position does not take into account any of the recommendations made by the VIS SCG. The European Parliament has not yet come to a negotiating position.
See:
Fingerprinting children
The Commission's proposal (pdf) foresees lowering the age of fingerprinting for short-stay visas to include anybody from the age of 6 and up (the current age threshold is 12 years of age).
The SCG's letter states that:
"...the European Commission did not sufficiently substantiate the necessity and proportionality of its proposal to allow for fingerprinting children, in the visa application procedure, from 6 years instead of 12. Neither the Explanatory Memorandum and the Impact assessment, nor the response provided as part of the public consultation carried out in 2017, did provide sufficient objective elements able to demonstrate that such measure would indeed benefit to the objective pursued and serve the best interests of the child."
If the Parliament and Council decide to introduce a lower age for fingerprinting children as part of the visa application procedure:
"the VIS SCG recommends introducing a stronger purpose limitation for the possible use of children's fingerprints. They should only be used where it is in the child's best interest for verifying their identity, either at the border or in other situations where this would contribute to the prevention and fight against children's right abuse, such as trafficking. This is especially relevant for acces by law enforcement authorities, which should be limited to cases where his [sic] is necessary for the prevention, detection or investigation of a child trafficking case."
The Council's negotiating position does include a paragraph it proposes adding to the existing VIS Regulation which states:
"3. The best interests of the child shall be a primary consideration for Member States with respect to all procedures provided for in this Regulation. The child’s well-being, safety and security, in particular where there is a risk of the child being a victim of trafficking in human beings, and the views of the child shall be taken into consideration and given due weight in accordance with his or her age and maturity."
However, this does not meet the standards proposed by the SCG, which suggest the need for binding limitations on the reasons for which childrens' fingerprint data could be accessed.
Access by law enforcement authorities
"While law enforcement access may certainly be useful, it is not automatically necessary and/or proportionate," the SCG letter points out. The group:
"considers that the necessity and proportionality of law-enforcement access to data related to long stay visas and residence permits has not been sufficiently demonstrated and substantiated to comply with EU primary and secondary data protection law."
Such a suggestion would never have been likely to find favour within the Council, where the trend for some years has been to open up existing non-policing databases to law enforcement authorities (such as Eurodac), or to provide law enforcement access by default to new systems (such as the Entry/Exit System, EES, and European Travel Information and Authorisation System, ETIAS).
Indeed, the Council's negotiating position is clearly in favour of continuing to permit access to the VIS by police and other law enforcement authorities, including to the new data on long-stay visas and residence permits that will likely be included in the system.
The SCG also noted that:
"when law-enforcement authorities access the VIS, it is in the first place their own task (in line with the principle of accountability) to ensure that they fulfil the access conditions. The wording of the proposed new Article 22q(3) of the VIS Regulation gives the - wrong - impression that responsibiltiy for this check is with the national DPAs. While DPAs form a further line of defence against unlawful use, first-line responsibiltiy lies with the designated competent authorities. To avoid any risks of misunderstandings, the VIS SCG suggests deleting the word 'checking the admissibility of the request' in the proposed new Article 22q(3)." (emphasis in original)
The Council's negotiating position maintains this wording, rather than deleting it.
Storing long-stay visas and residence permits in the VIS
One of the key planks of the Commission's proposal was to include more data in the VIS - in this case, information on long-stay visas and residence permits.
The Commission argued that this would "allow border guards to quickly determine whether a long-stay visa or a residence permit used to cross the Schengen external borders is valid and in the hands of its legitimate holder – closing an important security gap."
The SCG notes that this change would transform the VIS from "a tool for dealing with applications for short-stay visas, to covering almost all third-country nationals born in the Union and having their centre of life here."
Furthermore:
"The SCG notes that the foreseen processing [of long-stay visas and residence permits] has no own specific purpose, unlike the existing processing of the personal data of short visa applicants... For the holders of long-stay visas and residence permits, the main purpose... is to check the TCN against law enforcement databases such as Europol, SIS II etc. within the future and disputed interconnection / interoperability framework to assess their threat, regardless of the residence status granted to them by the Member States. The SCG can only point out that this purpose could also be achieved by checking the correct database during a (border) control." (emphasis added)
And:
"The other purpose pursued by the extension is to identify properly the TCN. However, the identity of the holder of an EU residence permit can already be ascertained by the existing means, since the residence permit holds the biometric data of the TCN... The SCG is surprised that this aspect is not even mentioned." (emphasis added)
However, as is made clear in the Commission's proposal, the "interoperabiltiy" of the EU's databases and information systems outweighs such considerations - the lack of long-stay visas and residence permits in the VIS represented an "information gap" that had to be filled.
The SCG highlights that this is likely to have important consequences for the individuals concerned:
"...long-term residents may stay in the Union more or less permanently. Unless they obtain citizenship of a Member State, their data may practically be kept for an open-ended duration. This would also result in open-ended retention of their data in the VIS. As a general rule, retention should be limited in time, both under ECtHR case law and the main principles of the GDPR.
(...)
The SCG must therefore conclude that the data minimisation principle... is not met by the processing of the data of - at least - EU residence permit holders and advises to remove their data from the scope of the VIS."
Architecture of data protection supervision
The SCG does have one positive point to make, concerning the "architecture of data protection supervision."
Currently use of the VIS is jointly monitored by national data protection authorities (responsible for Member States' use of the system and the European Data Protection Supervisor (which monitors the EU IT agency, eu-Lisa). National authorities and the EDPS cooperate in the VIS SCG.
The SCG's letter states:
"Article 43(1) of the Commission proposal provides for the application of the new model established in Article 62 of the new data protection regulation for EU institutions, recently adopted as Regulation (EU) 2018/1725.
"The VIS SCG considers that the model of Article 62... indeed corresponds better to the division of responsibilities between the different authorities involved..."
This may well be the case, but given the proposed extension of the scope of the VIS, it seems that all the authorities involved in supervising use of the system will have a lot more work to do if the Council and Commission get their way in negotiations with the Parliament.
Background
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.