28 March 2012
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
EU Data protection
working party criticise proposals on VIS (Visa Information System)
project of setting up a central database and a system of exchange
of information concerning short-stay visas raises important questions
for fundamental rights and freedoms of individuals and in particular
their right to privacy.
It will lead to a massive collection and processing of personal and biometric data, their storage in a centralised database and to large scale exchanges of information concerning a huge number of persons."
It notes that the VIS central database is intended to deal with 20 million visa applications a year resulting in 70 million set of fingerprint data within five year (an estimated 30% will be frequent visitors).
Fingerprinting for visas will be compulsory and:
"links will be established with other applications possibly submitted by the same individual and already recorded in the VIS as well as with the data of individuals travelling in a group and with people providing accommodation in the EU countries requiring the visas.."
The issue of the data being used for other purposes is of great concern:
"the use of the system for multiple purposes is related to the objective of achieving enhanced interoperability between European databases and creating synergies between, namely, SIS II, VIS and Eurodac."
The legal basis of the proposal is questioned, in particular whether the obligation to provide data requires a specific, detailed legal instrument or whether the legal power to collect personal data, in compliance with Article 6 of the 1995 Directive, can be provided by an amendment to the Common Consular Instructions (issued to EU member states embassies abroad).
Proportionality and purpose
The question of "purpose(s) of the processing is paramount". In order to be lawful:
"personal data must be collected only for specified, explicit and legitimate purposes, may not be further processed in a way that is incompatible with those purposes, must be adequate, relevant and not excessive in relation to the purposes for which they are collected and further processed." (emphasis in original)
The Working Party is thus particularly concerned about what "would appear to refer to other purposes" (letters a-f in Article 1 para 2 of the VIS proposal). Specifically where:
reference to threats to internal security
is concerned, this seems to be a broad, cross-sectoral purpose,
which is already pursued by the many tools available for police
cooperation - including the SIS and must be referred to
only in the light of the main purpose of the VIS - which is and
must remain that of improving the common visa policy, and therefore
may only be deployed insofar as it is compatible with the said
facilitate checks at external border and within the territory; assist in the identification and return of illegal immigrants; facilitate the application of Regulation (EC) No. 343/2003; these purposes would not appear to be in line with the first requirement set forth in Article 8 of the ECHR, as they are not included in the measures that may be adopted by having regard to the legal basis underlying the proposal."
and this extends to:
purpose of examination of applications, Article 13;
purposes of consultation between authorities, Article 14;
purposes of reporting and statistics, Article 15; and
of identification, Article 16 and 17).
The Working Party says that:
"This multiplicity of purposes should be reconsidered in order to meet specific requirements that should not be in contradiction with the essence of the purpose limitation principle."
and concludes that:
"In the light of Article 6 of the Directive, the purposes of the data processing involved should be closely defined and limited to the need for improving the common visa policy, and that the wording of the proposal should be amended accordingly. The purpose of the processing would be in line with the legal bases used by the Commission to put forward its proposal, namely Article 62.2.b, ii and Article 66 TEC."
Applicant's nationality at birth - should be deleted
The Working Party says that the:
"the applicants nationality at birth (in addition to the current one) as requested in Article 6 is of no relevance to the implementation of the common visa policy and may actually give rise to unlawful discrimination between applicants that are nationals of the same third country. The Working Party therefore requests its deletion from Article 6."
Linking to other applications
The draft in Letter d. of the proposal refers to: "links to other applications". This:
"requires legal regulations to specify its scope and the attending safeguards. In particular, interlinking of information might allow users to access information to which they are not entitled. There should be safeguards in place to ensure that the interlinking does not change the existing access rights to the different categories of data in the VIS."
Specific problems with biometrics
Due to the sensitivity of the biometric data the Working Party asks:
what studies of the scale and seriousness of these phenomena revealed compelling reasons of public safety or public order that would justify such an approach, and whether alternative approaches that did not involve such risks had been or could be studied.
and the principle of proportionality :
"inevitably, therefore, begs the question of the fundamental legitimacy of collecting these data and does not only concern the processing procedures (modes of access, storage period etc.)
"attention should also be drawn to the possible expansion of the access scope to include entities other than those that had been envisaged initially."
Data being used that are incompatible with the original purpose
"There have to be particularly rigorous checks if these biometric data are to be stored in a centralised database, as this would substantially increase the risk of the data being used in a manner that was disproportionate to or incompatible with the original purpose for which they were collected."
Moreover, reliability problems might arise:
problems might arise from the creation of such a large database,
both in terms of accesses and in terms of false-positive and/or
false-negative findings with potentially harmful consequences
for the persons concerned."
Use of data by other authorities
The report is particularly concerned about the use of data by authorities "other than those competent for the issuing of visas" (p15):
"its use should be limited to the essential purposes inherent in the common visa policy.."
"Other purposes" are, it is noted, related to public security which are pursued by other information systems (eg: SIS).
The Working Party is particularly concerned about the Council Conclusions of 7 March 2005 whereby:
for the purpose of consultation, should be guaranteed to Member
States authorities responsible for internal security in the course
of their duties in relation to the prevention, detection and
investigation of criminal offences, including terrorist acts
Said access is to be allowed via an ad-hoc proposal based on Title VI of the TEU, which the Commission is required to submit with a view to its adoption within the same time frame as of the Regulation on the VIS.
The purposes of data processing within the VIS should be, as stated before, the implementation of the visa policy. Access to VIS data should therefore be envisaged, as a matter of principle, only by public authorities in charge of implementing such policy, and the technical specifications should be designed accordingly to serve that purpose and to allow access to those authorities....
Access by other authorities could only be legitimate on an ad hoc basis, in specific circumstances and subject to appropriate safeguards. Any rule allowing systematic or routine access would clearly go beyond what may be considered as a necessary measure in a democratic society and would not be deemed lawful.
Accordingly, the technical specifications for accessing the data in the VIS system should be designed in order to exclude such routine access by other authorities and for other purposes. Even less should the system be technically shaped to allow certain types of access that would only be useful for those other purposes." (emphasis added)
The "interoperability" of VIS and SIS II
Equally the Working Party is concerned at the planned "interoperability" between SIS II, VIS and Eurodac (or the creation of "synergies" in Brussels-speak):
be quite clear that the basic concept of the legitimate and proportionate
collection of data from an individual and further processing
of such data for a precise, legitimate, purpose (i.e. issuing
a Schengen visa) should not leave room to the concept of a data
base that can be shared by different authorities to pursue different
Interoperability should never lead to a situation where an authority, not entitled to access or use certain data, can obtain this data via another information system."
Finally, because of the complexity of VIS, the lack of information, and the "synergies", the Working Party says that the implementation of the Regulation should not be the subject of the comitology procedure (which is largely hidden from public view and debate) but should be the subject of primary legislation:
are several sensitive issues that should not be decided upon
exclusively by means of a comitology procedure in the
light of their impact of fundamental rights including the protection
of personal data as well as in the absence of the clarification
Therefore, the ultimate decision on all issues liable to impact on fundamental rights and personal data protection should be left to an instrument of primary legislation, which can better ensure careful assessment of the proportionality of the measures in question."
1. Regulation on VIS, Working Party report no 110, 23 June 2005
2. WP 96 (11.8.04)
3. Statewatch report: VIS unworkable
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.