This post is also available in: Français (French)
27 february 2017 – To members of the Committee on Civil Liberties, Justice and Home Affairs
You are about to vote on the Proposal for a Regulation of Procedure of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/201.
This text contains many provisions which violate the fundamental rights to privacy and data protection protected by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Concerns raised by the 2013 draft are aggravated by the new repressive aim, the creation of a massive database of biometric data, unsatisfactory rules on: the security and integrity of the data stored, interconnections, transfers to third countries, deficient rules for the right of access, and the right to remedy and to appeal, and disproportionate length of data retention.
Given the imminence of your vote you will find below a short summary of the concerns AEDH gas regarding several provisions in this text:
- Extension of the aim. The Commission proposes, among other changes to the 2013 proposal, the addition of an objective: to allow access to the data collected in the Entry-Exit system to the law enforcement authorities. Unless the Commission demonstrates the necessity and proportionality of the measures, such access should be strictly controlled and remain exceptional. (See the opinion of the European Data Protection Supervisor).
- Use of biometrics. Given the specificity of biometric data, their collection should be reduced to what is strictly necessary. Indeed, biometric data is produced by the body of the data subject and therefore allows the identification of the person on the basis of a biological reality. The data designates it and no one else, immutably unlike any other personal data. Any misappropriation or misuse of this data then places a major risk on the identity of that person. The use of biometrics should be strictly regulated and limited.
- Data sharing with EU law enforcement authorities and third countries. The text also foresees that data could be shared not only with EU law enforcement authorities but also with third countries. Sensitive data (like biometrics) could thus be in the hands of countries or companies whose standards are inadequate for privacy and data protection.
- Information of the data subject. The text does not provide sufficient guarantees for the information of the data subject, on their right of access and their right to appeal, in a language they understand.
- Data retention period. The new proposal provides for an extension of data retention from 181 days to 5 years which seems quite excessive and not justified in the proposal with criteria of necessity and proportionality. (See the jurisprudence of the Court of Justice of the European Union).
- Security and integrity of the data stored. There are no data security guarantees for this enormous biometric database (which would be interconnected with the VIS SIS II and Eurodac systems). We recommend, if this database were to be created, that the data should be secured by means of encryption.
In conclusion, AEDH asks you not to choose solutions that come with unjustified restrictions to the fundamental right of privacy and data protection on the pretext that these measures seem easy and at a low price. Moreover, the way in which this system is organised and the way of conservation risk affecting seriously the freedom of movement for some people for an uncontrolled period, with no other justification than its technical functioning.