In its letter it has expressed its deep concerns with respect to the:
– proportionality and practical feasibility of the proposals;
– coherence of the proposals with existing databases;
– applicable standards of data protection for the data subjects;
– conditions for transmission of personal data to third countries;
– broad discretion as regards the issuing of the registered traveller status;
– proposed amendments in the Schengen Borders Code;
– possible access to the Entry/Exit system for law enforcement purposes.
Note on the Smart Borders proposals (COM(2013) 95 final, COM(2013) 96 final and COM(2013) 97 final)
The proposed Entry/Exit System (EES) processes alphanumeric data and fingerprints upon entry and exit of the third-country national, aiming to improve the management of the external border and the fight against irregular migration and more specifically to contribute to the identification of any person who may not, or may no longer, fulfil the conditions of duration of stay within the territory of the Member States (so-called “overstayers”). This would effectively mean that the EES would collect the personal data of all third-country nationals entering the Schengen area. The Registered Traveller Programme (RTP) enables pre-vetted individuals to cross borders faster than other third-country nationals and aims to offset the additional constraints imposed by the EES on cross-border travel. According to the European Commission, 109 million third-country nationals without a visa and 73 million third-country nationals with a visa cross the EU borders each year.
The costs of the Smart Borders proposals envisaged by the European Commission are 1.1 billion euro.1
The sheer amount of data collected, in combination with the high costs of establishing Smart Borders, requires compelling justifications. The EU legislator is obliged to observe proportionality as a general principle of EU law. This means that the measure must be suitable and necessary to achieve the aim it pursues, and should not impose “a burden on the individual (…) excessive in relation to the object sought to be achieved”.2
The Meijers Committee is of the opinion that the Smart Borders proposals are neither proportionate, nor suitable to their stated aims and raise severe data protection concerns. Therefore, the Committee advises the European Parliament to vote against the proposals.
2. Proportionality and practical feasibility
The proposals intend to facilitate the entry of “bona fide” travellers at the external borders and shorten waiting times.3 The EES is however likely to result in longer queues for third-country nationals, since all third-country nationals – also those that are not under a visa obligation – will be required to provide their fingerprints at the border. The RTP will only offset waiting time to a limited extent, as only a limited number of third-country nationals will enrol in that programme.4 There is also a lack of clarity on the size of the problem of overstay which the EES intends to tackle. There are few reliable data on the numbers and profile of overstayers and there is very little research on the financial and social costs of the presence of third-country nationals staying on an irregular basis in the EU.
Most importantly however, there is no direct link between the identification of overstayers and the stated objective of tackling irregular migration. The extent to which the information from the EES can help to implement and execute return proceedings is limited. The identification of overstayers does not provide authorities with any information as regards their location within the whole Schengen territory, nor does it facilitate return procedures. When a third-country national is apprehended on suspicion of irregular stay, national authorities are already able to establish the (ir)regularity of stay by examining the entry and exit stamps in a person’s passport as well as by consulting the visa stickers and the VIS. Moreover, the mere identification of overstayers does not provide a solution in the situation where a third state does not cooperate in return proceedings. The side-effect of being able to collect statistics on overstay does not by itself justify the collection of large amounts of personal data.
Lessons need to be learnt from the experience with the setting up and practical operation of already existing databases. The European Commission itself has stated that a fully operational and developed Visa Information System (VIS) is “a prerequisite for the implementation of a Smart Borders System”.5 The Meijers Committee notes that the new generation Schengen Information System (SIS II) has only become operational as of 9 April 2013, the VIS is still in the process of being rolled out and access to EURODAC for law enforcement purposes has only been decided upon recently.6 There is therefore insufficient information to assess the functioning of existing databases and the added value of the current proposals. As required by the Hague Programme new centralised databases should only be created on the basis of studies that have shown their added value.7
Finally, the Meijers Committee wishes to point out the difficulties with the implementation of other information systems, most notably the SIS II, which was plagued with delays and cost over-runs due to technological problems. The United States has been unable to successfully implement a fully-functioning entry/exit system despite costly efforts to do so over the past decade.8 These experiences raise serious doubts as to the practical feasibility and cost-effectiveness of the current proposals.
3. Coherence with existing EU legislation
The Smart Borders Package will not function in isolation. Close attention has to be paid to the interaction with other databases in the Area of Freedom, Security and Justice. The proposals do not stipulate the consequences of an entry as overstayer in the EES for the inclusion in other databases or the possible issuing of a return decision and/or entry ban under the Return Directive 2008/115. The registration of entry bans into the SIS should always be subject to the principle of proportionality and requires an individual assessment, in accordance with Articles 21 and 24 of the SIS II Regulation. However, national practices with regard to the SIS and the application of entry bans show a diverging approach in the EU Member States.
In an earlier opinion, the Meijers Committee has already pointed out the legal uncertainty in relation to the issuing of an entry ban and its inclusion in the SIS.9 The Meijers Committee expects a similar problem with respect to the reporting of overstayers in the EES. When overstay in the past is an element to be taken into account when issuing a (new) Schengen visa to a third-country national, the risk exists that the fact that he or she is reported in the EES, will lead to an automatic refusal of a visa, not taking into account his or her personal circumstances or reasons to visit the EU.
The Meijers Committee further points to the relationship of the EES and the reintroduction of internal border controls, regulated in Article 28 of the Schengen Borders Code. According to this provision, the obligation to enter the entry and exit data of the third-country national in the EES would apply mutatis mutandis
Close attention also needs to be paid to the possible consequences of EES for EU citizens and especially third country family members of EU citizens. The proposals should guarantee that the application of the EES does not interfere with the rights laid down in Directive 2004/38 EC. Moreover, the Meijers Committee questions whether the EES can be applied to Turkish nationals falling under the Association Agreement and their family members in light of the standstill clause in Decision 1/80 and the nondiscrimination clause in Article 9 of the Association Agreement.
Finally, the Smart Borders proposals refer to Directive 95/46 as the applicable legal framework for data protection. These rules are however under review and set to be replaced by a new general legislative framework on data protection (COM(2012) 9, 10 and 11). The Meijers Committee recommends that the adoption of proposals involving the storage of large amounts of data be postponed until the final adoption of clear and uniform rules on data protection. Following the adoption of a new legal framework, the Smart Borders proposals should be re-assessed in the light of the new data protection framework.
4. Data protection rights
It is established case law of the ECtHR that the mere collection, storage and processing of personal data amounts to an interference with the right to privacy (art. 8 ECHR and art. 8 EU Charter). Such interference can only be justified when it serves a legitimate aim and is proportionate to this aim. The data must be relevant and not excessive in relation to the purposes for which they are stored and preserved in a form no longer than is required for the purpose for which those data are stored.10 As mentioned above, under point 2, the necessity and the proportionality of the Smart Borders proposals have not been established.
The Meijers Committee is of the opinion that the proposal for an Entry/Exit system does not offer sufficient guarantees to the data subject and leaves too much discretion to the Member States. In the following, the Committee makes a few comments on specific provisions relating to data protection in the proposal for an Entry/Exit system.
§ 4.1. Article 20 - the storage of data
Article 20 of the proposal for an EES regulates that data will be stored in the EES for six months when the third-country national exits the territory of the Member States within the authorised period of stay. Data shall be stored for a maximum period of five years when there is no exit-record following the date of expiry of the authorised period of stay. The unconditional application of a five years data retention period may result in a disproportional limitation of the individual freedom of movement. It could mean that an individual may not be able to re-enter the EU during five years, also when a person has overstayed his or her authorised stay for a negligible amount of time or for causes not attributable to him or her.
§ 4.2. Article 21 - the possibility to amend data in EES
The proposal is flawed as regards the rights granted to the data subjects in case of justifiable overstay or of an erroneous entry in the EES. It is crucial that a third-country national has the possibility to request the competent authorities to delete or amend such data and is given an effective judicial remedy, including interim measures, if the authorities refuse to amend the data, especially if in the future data stored in EES can be accessed for law enforcement purposes. Article 21 of the proposal includes these rights, but its text provides the Member State a wide discretionary power; notions such as “without delay”, “unforeseeable and serious event” and “in case of errors” can be interpreted in many different ways.
Also, the decision on which evidence shall be admitted to support the claim for amendment of the data should not be left to the discretion of the Member States. Considering that exceeding authorised stay might lead to the expulsion of the third country national, a clearly defined provision, including the possibility to grant suspensive effects to the appeal lodged on EU level is necessary. Finally, the Meijers Committee points at the important problem of the practical accessibility and implementation of the rights in Article 21, especially when the individual concerned has left the EU territory.
§ 4.3. Article 27 - transfer of data to third countries
The Meijers Committee is concerned about the wide discretionary power left to the national authorities of the Member States with regard to the transfer of personal data from the EES to third countries, as provided in Article 27 of the proposal. This discretionary power undermines the general principle that data shall not be transferred to third countries, third parties or organisations. The transfer of data to third countries is allowed for the purpose of proving the identity of third-country nationals, including for the purpose of return. The conditions to allow for such communication do not offer sufficient guarantees. It has not been substantiated why the transfer of EES data to third countries is necessary for the return of third-country nationals.
Furthermore, Article 27(3) regulates that the transfer to third countries shall not prejudice the rights of refugees and persons requesting international protection, in particular as regards non-refoulement. The Meijers Committee notes that it should be clarified how and by whom the decision on the transmission of data to third countries and the risk of non-refoulement will be examined and if the Member State involved will be held responsible when something happens to the person upon return to his or her country of origin.
§ 4.4. Article 29 and Article 32 - Liability and penalties
Article 29 on the liability for suffered damage as a result of an unlawful processing operation or any act incompatible with the EES does not offer a strong position to the third-country national; a Member State will be exempted from liability if it proves that it is not responsible for the event giving rise to the damage. This again leaves too much room for interpretation, especially because no clarity is given on the burden of proof, and the possibility to claim compensation is left to national law.
Article 32 provides for the possibility for the Member States to lay down rules on (administrative or criminal) penalties applicable to infringements of data protection provisions in this Regulation. These penalties should be “effective, proportionate and dissuasive”. While this formulation is consistent with EU law, the Meijers Committee finds that future evaluation mechanisms of the EES should assess carefully whether national provisions implementing this provision do guarantee in an effective manner European data protection rules.
§ 4.5. Role of the supervisory authorities
Considering the current use and development of large-scale databases in the EU and other instruments involving data processing, such as the API Directive, the VIS and Eurodac, the Meijers Committee underlines the excessive increase of workload of the national supervisory authorities and the EDPS. This development carries the risk that supervisory authorities will not be able to exercise their tasks effectively. Therefore, the financial and personal means which are necessary for data protection authorities in order to be able to perform their tasks effectively with respect to the whole data protection framework, should be taken into account and guaranteed.
5. Access to Entry/Exit System for law enforcement purposes and the possibilities offered by Privacy by Design
The current proposal for an EES clearly indicates that in the near future access to the Entry/Exit System for law enforcement purposes will be considered. This can be derived from the Impact Assessment, where access for law enforcement is already explored, and recital (11), where it is set out that the technical development of the system should be such that in the future access for law enforcement purposes will be possible. The Meijers Committee regrets the premature reference to this possibility because it obscures the discussion on the desired form and the necessity and proportionality of the system as it stands.
As already expressed in earlier comments, the Meijers Committee underlines its strong objections to provide access for law enforcement purposes.11 Access for law enforcement purposes to the EES containing data of a large group of innocent persons is to be considered as a disproportional limitation of their privacy and data protection rights, including the principle of purpose limitation. In this context, the Meijers Committee recalls that preliminary questions have been submitted by national courts in Germany and the Netherlands to the Court of Justice of the European Union on the implementation of the Regulation (EC) No 444/2009 on standards for security features and biometrics in passports and travel documents issued by the Member States.12 In these questions, the national courts voice their concerns about the proportionality of the central storage of biometric data in passports and travel documents and their use for other purposes and about the relationship of the Regulation with the rights to privacy and protection of personal data safeguarded under Article 7 and 8 of the Charter of Fundamental Rights and Article 8 ECHR.
Although access for law enforcement purposes is not regulated in the current proposal, it is required that a technical system be set up in order to allow such access (Recital 11). In view of this, the Commission should devise solutions which accommodate privacy by design,13 by resorting to Privacy Enhancing Technologies (PET).14 For example, in this case, it should be considered to use fingerprint identification technologies coupled with the storage of templates (e.g. using hash functions) of fingerprints, instead of the storage of full fingerprints in the database. Besides enhancing security, by reducing the chance to compromise biometric data, this will offer some level of data minimisation and, consequently, will benefit proportionality for a database storing data of persons who are not suspected of any crime.
The Meijers Committee has also taken note of the proposal for a Regulation establishing a Registered Traveller Programme. Recognizing the usefulness of facilitating the swift entrance of frequent third-country travellers to the EU, the Meijers Committee questions whether Article 12 of the proposal does not give too much discretion to the competent authorities in deciding on an application for such a programme. Article 12 (d) for example provides that the applicant has to prove “his/her integrity and reliability, in particular a genuine intention to leave the territory in due time”, which can be interpreted in many different ways. The Meijers Committee is of the opinion that the provisions must be more concrete, in order to avoid discretionary decisions on the admission to the Registered Travellers Programme.
The amendments to the Schengen Borders Code aim to bring the Code in line with the proposals for an EES and an RTP. The Meijers Committee notes that not only technical amendments are proposed, but also amendments on the substance, considerably extending the possibilities for border guards to check whether the third-country national is an overstayer. For instance, border guards now always need to verify that the third-country national did not exceed the maximum duration of authorised stay in the territory of the Member States upon exit of the territory (addition para. IV to Article 7(3)(b)), whereas in the current provision this is not compulsory (Article 7(3)(c)(ii)). This extended obligation is not in line with the aim to shorten waiting lines at the borders.
The Meijers Committee is concerned about the amendments to Article 11 of the Schengen Borders Code. In the current Article 11 a presumption of irregular stay is provided for in the situation where a third-country national does not bear an entry stamp, whereas in the proposed amendment not only the lack of an entry record in the EES presumes irregular stay, but also where there is an entry record but there is no exit date following the date of expiry of the authorised length of stay. The Meijers Committee notes that this considerably extends the possibilities for authorities to accept a presumption of irregular stay. This underlines the importance of entering data in the EES correctly and accurately, but also implies that clearly defined safeguards should be provided for to be able to rebut the presumption and to have an effective judicial remedy if the rebuttal of the presumption is not accepted.
The Meijers Committee questions whether the criterion of providing “credible evidence, by any means, such as transport tickets or proof of his or her presence outside the territory of the Member State” does not leave too much discretion to authorities to decide on this issue, especially because of the serious consequences: the third-country national may be expelled by the competent authorities from the territory of the Member State concerned. The Meijers Committee considers that it should be investigated first how the Member States have applied this provision so far and whether it has led to diverging practices.
1 Impact Assessment Proposal for a Regulation establishing an entry/exit system to register entry and exit data of third-country nationals crossing the external border of the Member States of the European Union (SWD (2013) 47 final), p. 11 and p. 45.
2 P. Craig, G. de Búrca, EU LAW, Oxford, OUP, 2008, p. 545.
3 ‘Smart Borders’ enhancing mobility and security’, press release European Commission, 28 February 2013.
4 Dr. B. Hayes, M. Vermeulen, “Borderline EU Border Surveillance Initiatives”, Heinrich Böll Stiftung, May 2012.
5 COM (2011) 680 final, p.7.
6 Regulation (EC) No 1987/2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II), Regulation (EC) No 767/2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas and amended proposal for a Eurodac Regulation for the effective application of the Dublin Regulation and to request comparisons with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes (COM(2012) 254).
7 The Hague Programme, Strengthening Freedom, Security and Justice in the European Union (2005/C 53/01).
8 GAO report number GAO-09-1002T: ‘Homeland Security: Despite Progress, DHS Continues to Be Challenged in Managing Its Multi-Billion Dollar Annual Investment in Large-Scale Information Technology Systems’ (15 September 2009).
9 CM1202 Note on the coordination of the relationship between the Entry Ban and the SIS-Alert - An Urgent need for Legislative Measures, 8 February 2012.
10 ECtHR S and Marper v. the UK, 4 December 2008, application nos. 30562/04 and 30566/04. See also ECJ Huber v. Germany, C-524/06, 16 December 2008.
11 See also a.o. CM1216, CM0910 and CM0714.
12 Dutch Council of State, case 201205423/1/A3, 28 September 2012, C-447/12 and Verwaltungsgericht Gelsenkirchen, C-291/12 Schwarz v. Stadt Bochum, 15 May 2012.
13 See the Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy, at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-03-19_Trust_Information_Society_EN.pdf.
14 See MEMO of the Commission Privacy Enhancing Technologies (PETs), Reference: MEMO/07/159, at: http://europa.eu/rapid/press-release_MEMO-07-159_en.htm#fn3; see also the Study on the economic benefits of privacy-enhancing technologies (PETs), Final Report to the European Commission, DG Justice, Freedom and Security, Prepared by London Economics, 2010, at: http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf; see also Commission’s Communication COM(2007) 228 final, on Promoting Data Protection by Privacy Enhancing Technologies (PETs), at: http://eur-lex.europa.eu/LexUriServ/site/en/com/2007/com2007_0228en01.pdf.
(*) The Standing Committee of Experts on International Immigration, Refugee and Criminal law was established in 1990 by five NGOs: the Dutch Bar Association, the Refugee Council, the Dutch section of the International Commission of Jurists, the Netherlands Centre for Immigrants/FORUM and the National Bureau against Racism (LBR). The Committee is independent. Most of its members are lawyers, working at Law Faculties in the Netherlands or in Belgium. The Standing Committee monitors developments in the area of Justice and Home Affairs and presents its opinion to the Dutch Parliament, the European Parliament, or parliaments in other Member States (e.g. the House of Lords), to the Dutch government, the European Commission and to other public authorities and NGOs.