Proposal for a Regulation of the European Parliament and of the Council on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration)

Following on from the recommendations of the high-level expert group on information systems and interoperability, the European Commission tabled, in December 2017, the Commission's Proposal for a Regulation on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration).

The Proposal has four main objectives: a) ensure that end-users, particularly border guards, law enforcement officers, immigration officials and judicial authorities have fast, seamless, systematic and controlled access to the information that they need to perform their tasks; b) provide a solution to detect multiple identities linked to the same set of biometric data, with the dual purpose of ensuring the correct identification of bona fide persons and combating identity fraud; (3) facilitate identity checks of third-country nationals, on the territory of a Member State, by police authorities; and (4) facilitate and streamline access by law enforcement authorities to non-law enforcement information systems at EU level, where necessary for the prevention, investigation, detection or prosecution of serious crime and terrorism.

Together with its sister proposal presented the same day, namely the Commission's Proposal for a Regulation establishing a framework for interoperability between EU information systems (borders and visa), this interoperability proposal focuses on the EU information systems for security, border and migration management that are operated at the central level, three of them existing (Schengen Information System; Eurodac; Visa Information System), one on the brink of development (Entry/Exit System), and two others at the stage of proposals under discussion between co-legislators (European Travel Information and Authorisation System, European Criminal Record Information System for third-country nationals).

These six systems are complementary and — with the exception of the Schengen Information System (SIS) — exclusively focused on third-country nationals. The systems support national authorities in managing borders, migration, visa processing and asylum, and in fighting crime and terrorism. The latter applies in particular to the SIS, which is the most widely used law enforcement information-sharing instrument today.
In addition to these information systems, centrally managed at EU level, the scope of the Commission's Proposal also includes Interpol’s Stolen and Lost Travel Documents (SLTD) database, which pursuant to the provisions of the Schengen Borders Code is systematically queried at the EU’s external borders, and Interpol's Travel Documents Associated with Notices (TDAWN) database. It also covers Europol data, as far as this is relevant for the functioning of the proposed ETIAS system and for assisting Member States when querying data on serious crime and terrorism.
National information systems and decentralised EU information systems are outside the scope of this initiative. Provided that the necessity will be demonstrated, decentralised systems such as those operated under the Prüm framework, the Passenger Name Record (PNR) Directive and the Advance Passenger Information Directive may at a later stage be linked up to one or more of the components proposed under this initiative.

In order to achieve the objectives of this proposal, four interoperability components need to be established:
1) European search portal (ESP), which would enable the simultaneous query of multiple systems (Central-SIS, Eurodac, VIS, the future EES, and the proposed ETIAS and ECRIS-TCN systems, as well as the relevant Interpol systems and Europol data) using identity data (both biographical and biometric).
2) Shared biometric matching service (shared BMS), which would enable the querying and comparison of biometric data (fingerprints and facial images) from several central systems (in particular, SIS, Eurodac, VIS, the future EES and the proposed ECRIS-TCN system).
3) Common identity repository (CIR), would be the shared component for storing biographical24 and biometric identity data of third-country nationals recorded in Eurodac, VIS, the future EES, the proposed ETIAS and the proposed ECRIS-TCN system.
4) Multiple-identity detector (MID), would check whether the queried identity data exists in more than one of the systems connected to it. The MID covers the systems that store identity data in the CIR (Eurodac, VIS, the future EES, the proposed ETIAS and the proposed ECRIS-TCN system) as well as the SIS.

Law enforcement is defined as a secondary or ancillary objective of Eurodac, VIS, the future EES and the proposed ETIAS. As a result, the possibility of accessing data stored in these systems for the purpose of law enforcement is restricted. Law enforcement authorities can only consult directly these non-law enforcement information systems for the purpose of prevention, investigation, detection or prosecution of terrorism and other serious criminal offences. By creating the CIR with a so-called 'hit-flag functionality', the Proposal introduces the possibility for accessing the EES, the VIS, the ETIAS and Eurodac using a two-step data consultation approach. As a first step, a law enforcement officer would launch a query on a specific person using the person's identity data, travel document or biometric data to check whether information on the searched person is stored in the CIR. Where such data is present, the officer will receive a reply indicating which EU information system(s) contains data on this person (the hit-flag). The officer would not have actual access to any data in any of the underlying systems. As a second step, the officer may individually request access to each system that has been indicated as containing data, in order to obtain the complete file on the queried person, in line with the existing rules and procedures established by each system concerned. This second step access would remain subject to prior authorisation by a designated authority and would continue to require a specific user ID and logging.

It shall be noted that the Commission's Proposal acknowledges that interoperability does have the potential of having an additional, indirect impact on a number of fundamental rights. Indeed, the correct identification of a person has a positive impact on the right to respect for private life, and in particular the right to one’s identity (Article 7 of the Charter), as it can contribute to avoid identity confusions. On the other hand, conducting checks based on biometric data can be perceived as interfering with the person’s right to dignity (in particular, where it is perceived as humiliating) (Article 1). Yet in a survey by the EU Agency for Fundamental Rights, the argument goes, respondents were specifically asked whether they believed that giving their biometrics in the context of border control might be humiliating. The majority of respondents did not feel that it would.

Interoperability will especially have an impact on the right to the protection of personal data. The Commission argues that the Proposal embeds all the data protection rules laid down in the General Data Protection Regulation. The Proposal is based on the principles of data protection by design and by default. It includes all appropriate provisions limiting data processing to what is necessary for the specific purpose and granting data access only to those entities that ‘need to know’. Data retention periods (where relevant) are appropriate and limited. Access to data is reserved exclusively for duly authorised staff of the Member State authorities or EU bodies that are competent for the specific purposes of each information system and limited to the extent that the data are required for the performance of tasks in accordance with these purposes.

Under the proposed Regulation, eu-LISA will define the design of the physical architecture of the interoperability components, develop and implement them, and ultimately host them.

Source: Explanatory Memorandum to the Proposal for a Regulation on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration).