Public letter on data security sent by MEPs to Frattini

By EDRi · December 5, 2007

(This article is also available in German)

Two members of the European Parliament (MEPs), rapporteurs on the huge
European biometric databases Visa Information System (VIS) and Schengen
Information System II (SIS II), have addressed a public letter to
Commissioner Frattini asking for effective data protection and data security
provisions that exclude the copying or storage of sensitive data in
mobile formats such as, for instance, diskettes or CD-ROMs.

This letter comes as a reaction to the UK government's data protection and
security problems, after two CDs containing the personal data of 25 million
citizens were lost in the post.

The two MEPs – Baroness Sarah Ludford MEP, Liberal Democrat European justice
spokeswoman and European Parliament rapporteur on the VIS and Carlos Coelho,
responsible for the Schengen Information System – have reminded Commissioner
Frattini and the Portuguese Presidency that during the negotiations on the
SIS II one of the major concerns of the Parliament was exactly the problem
of the so-called “technical copies” that lead to personal data being stored
offline. The compromise with the Council was that all routine technical
copies which lead to data being stored offline would have to be phased out,
and that only in exceptional cases could a copy be made offline, if several
rigorous criteria were met and the copy was destroyed after 48 hours.

The letter, published by Statewatch, recalls that, in the current
discussions on the draft Common Consular Instructions/biometrics collection
measure, the European Commission provided the European Parliament with a
document in which “offline copies on disc are still presented as a possible
means of transfer of visa data, and that in a context in which encryption
may be challenged by the host country.” This is seen as a major concern by
the two MEPs, who asked the Commission to learn from the UK problems:

“Not only the UK government but the EU as a whole need to ensure that
lessons are learned from this monumental blunder at HMRC. We cannot allow
lax security standards on access or copying of vast centralised databases to
imperil the personal security of millions of people”, said Sarah Ludford.
“EU data protection laws either need to be toughened up or accompanied by a
strict training and auditing regime in which data protection supervisors
must be given adequate resources and enforcement powers, both hitherto
lacking in the UK.”

They also demand that the European Commission together with the Article 29
Working Party and European Data Protection Supervisor should draw up a green
paper on the risks that exist and the safeguards needed to keep data safe.

A new draft proposal to amend the European Privacy and
Electronic Communications Directive has been published by the European
Commission. One of the important changes will be the obligation of
electronic communication companies to notify their customers when a privacy
breach has occurred.

Letter to Franco Frattini on data security (22.11.2007)
http://www.statewatch.org/news/2007/nov/eu-ep-letter-frattini-data-security.pdf

EU must learn database lessons from UK lost records (22.11.2007)
http://www.sarahludfordmep.org.uk/news/000951/eu_must_learn_database_lessons_from_uk_lost_records.html

European Commission plans security breach notification law (5.12.2007)
http://www.out-law.com/page-8741

EDRI-gram: UK government loses personal data on 25 million citizens
(21.11.2007)
http://www.edri.org/edrigram/number5.22/personal-data-lost-uk