EU: Commission failing to follow the rules on the operation of EURODAC (1)

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

5.7.12

An inspection by the European Data Protection Supervisor (EDPS) of the EU's EURODAC Central Unit, which contains fingerprint data on asylum seekers and irregular migrants, has found that although the "overall level of data protection and security… is high," there are "still some elements which need further improvement for the data protection and security of the overall system." [1]

The report, published on 20th June but covering an inspection that took place at the end of February, notes a failure to follow the rules or implement proper procedures on a number of issues including the deletion of archived fingerprint data; the destruction of data; and dealing with personal data breaches.

Data retention

The Central Unit is currently operated by the European Commission, and according to the EDPS report the archiving system, which holds "records of all data processing operations within the Central Unit," currently holds log records containing "full fingerprint data for all EURODAC transactions, including CAT 3 requests."

This is prohibited under Article 11(5) of the EURODAC Regulation, which states that once results of any fingerprint comparison have been transmitted by the Commission to the relevant Member States, the Central Unit shall "erase the fingerprint data and other data transmitted to it." [2]

CAT 3 (or category 3) requests are concerned with fingerprints taken from "aliens found illegally present in a Member State" that are compared with information in the central database "to determine whether the person in question is in fact an asylum seeker in one of the Member States." [3]

Further concerns stemmed from the fact that a data retention period of one year is being suggested when it comes to "the back-up tapes of the archiving system, thus allowing the existence of information beyond the legal retention period."

The Commission has also never destroyed any old data: "the hard drives and back-up tapes of the old EURODAC servers have not been destroyed… although there is no need to keep this data after the transition to EURODAC plus."

Representatives of the Commission stated during the inspection that "electronic data destruction is performed by degaussing and physical destruction of equipment, whereas paper shredders are used for the destruction of physical files."

However, no specific procedure exists to outline how and by whom data destruction should be carried out. This "could put at risk the confidentiality to be destructed", as a situation may arise where:

"The collection and submission of the media for destruction is not monitored by a trusted appointed official. In addition, the maintenance of personal data in the old EURODAC servers does not take into account the data necessity and minimisation principles under Regulation 45/2001."

Personal data breach procedures

The report notes that there despite the existence of a formal "incident handling process", there is no procedure in place to deal with "personal data breaches." The EDPS recommends that the Commission establish and document:

"A personal data breach handling procedure (either as part of the incident handling procedure or as a separate procedure), which will describe all the steps to be taken in case that a personal data breach occurs… In addition, the EDPS recommends that all personal data breaches are adequately documented and maintained in a specific register at the European Commission's premises. The Data Protection Officer should be able to access the register at any time."

The report also raises concerns over the fact that the audit systems used may not detect the activation of USB sticks inserted into EURODAC management machines, recommending that USB ports be activated only when necessary: "The unnecessary activation of USB ports could potentially lead to extraction of EURODAC information by unauthorised persons, putting at risk the confidentiality of personal data therein," says the report.

The European Commission should:

"Ensure that the USB ports in EURODAC servers and management machines are activated only when it is absolutely necessary and that the activation/deactivation process is appropriately logged and monitored."

System and security problems

The Central Unit's data archive is suffering from "poor performance" such as "long response times to requests," due to ageing equipment and software. This could "potentially lead to breach of the availability and/or integrity of the EURODAC related records."

There are also issues with the acquisition and installation of software security upgrades. Responsibility and initiative for this is left to the contractors' consortium (made up of the firms Steria, Bull and Cogent) - with "no relevant specific plan or activity from the EC's side."

The EDPS notes that this leaves:

"A real risk that critical operating system patches are not applied and that the operating system will be left vulnerable to known weaknesses. Ultimately this could lead to a situation where operating system level weaknesses are exploited, potentially leading to serious data confidentiality, integrity and/or availability breaches."

There has also been a failure to delete the user profiles of persons no longer provided with access to the system, leading to the risk of "potentially allowing access of unauthorised persons to the system."

No recent internal or external security audit of the EURODAC system has been carried out, and it was stated to the EDPS by Commission representatives that "there were no plans for such an action in the foreseeable future."

Transfer to the new IT Agency

In March this year, the European Parliament and the Council of the EU reached agreement on the establishment of an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.

The new Agency will be responsible for the management of the Schengen Information System, the Visa Information System, and EURODAC, with the intention of achieving "important synergies and economies of scale." It will also be able to undertake research into improving current large-scale IT systems and the development of new ones.

However, despite plans for the Agency to become operational in December this year, the EDPS found at the time of the inspection that:

"There were no concrete developments on the planning for transferring the ownership and management of the EURODAC system to the IT Agency. According to the information provided by the EC representatives, initial contacts were foreseen but concrete plans for the transfer were lacking."

The EDPS noted the need for the Commission to start planning for the transfer "as soon as possible," as:

"Since the transfer process can have an impact on security - depending on the procedures to be adopted, hardware and software components, as well as human resources might be transferred to the IT Agency - it is extremely important to develop a sound and detailed procedure in order to reduce the risks inherent to the process of taking over as much as possible."

Sources
[1] European Data Protection Supervisor, 'EURODAC Central Unit Inspection Report', June 2012
[2] 'COUNCIL REGULATION (EC) No 2725/2000 of 11 December 2000 concerning the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of the Dublin Convention'
[3] European Commission, 'COMMISSION STAFF WORKING DOCUMENT Accompanying the Proposal for a Regulation of the European Parliament and of the Council concerning the establishment of 'Eurodac' for the comparison of fingerprints...', December 2008, p.34
[4] 'New EU Agency for managing large-scale IT systems in the area of freedom, security and justice', 21 March 2012

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error