EDPS worries about extended powers of agency running EC databases

By EDRi · December 16, 2009

This article is also available in:
Deutsch: [Datenschutzbeauftragter sorgt sich um erweiterte Befugnisse der Agentur, die Datenbanken der Kommission betreibt| http://www.unwatched.org/node/1631]

Although not opposed to the creation by the European Commission of a
security agency that would be in charge of EU visa and asylum databases,
EDPS Peter Hustinx issued an opinion on 7 December 2009 showing his concern
related to the expansion of the agency powers.

The Commission has proposed the creation of an agency that would run the
databases used for the Schengen Information System (SIS II) on cross-border
travel within the EU, the Visa Information System and EURODAC, the asylum
seeker database.

Hustinx is worried because the Commission’s proposal says that, besides
running the respective databases, the agency should also manage other
large-range IT projects. The EDPS believes that certain risks on the privacy
of individuals should be “sufficiently addressed in the founding legislative
instrument(s),” and urged the Commission to limit the powers of the agency.
“The creation of an Agency for such large-scale databases must be based on
legislation which is unambiguous about the competences and the scope of
activities of the Agency. Such clarity would prevent any future
misunderstanding about the conduct of the agency and avoid the risk of
function creep. As currently drafted, the proposals do not meet those
standards.”

The EDPS’s opinion is that entrusting more such large-scale IT projects to
the same body would increase the risk of mistakes and wrongful use of
personal data. “The total number of large-scale IT systems managed by one
and the same Agency should therefore be restricted to a number with which
the data protection safeguards can still sufficiently be assured. In other
words, the point of departure should not be to bring as many large-scale
IT-systems as possible under the operational management of one Agency.”

The risk is even greater as in terms of interoperability “similar technology
will be used for all systems which can therefore easily be interconnected.”

For the improvement of the EC proposal, the EDPS recommends the legislator
to clarify and decide whether the scope of activities of the Agency “should
potentially cover all large-scale IT systems developed in the area of
freedom, security and justice” and “to clarify the notion of large-scale IT
systems in relation to the establishment of the Agency, and make clear
whether it is limited to such systems which have as a feature the storage of
data in a centralised database for which the Commission or the Agency is
responsible”.

Huntinx also “encourages the legislator, in the context of the proposed
pilot schemes, to clarify the procedure which the Commission should follow
before requesting for a pilot scheme. According to the EDPS, such a
procedure should include an assessment, which might require a consultation
of the European Parliament and the EDPS, of the possible impact on data
protection of the initiative developed following such a request.”

Security database super-agency’s powers should be limited, says EU privacy
watchdog (8.12.2009)
http://www.out-law.com//default.aspx?page=10586

Opinion of the European Data Protection Supervisor – on the proposal for a
Regulation establishing an Agency for the operational management of
large-scale IT systems in the area of freedom, security and
justice (7.12.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2009/09-12-07_Agency_LargeITsystems_EN.pdf

EDPS sees advantages of new Agency for large-scale IT systems, but urges the
legislator to better define its scope of activities (7.12.2009)
http://europa.eu/rapid/pressReleasesAction.do?reference=EDPS/09/14&format=HTML&aged=0&language=EN&guiLanguage=fr