European Data Protection Supervisor pleased but critical about new European agency for large-scale IT systems
EDPS/09/14
Brussels, Monday 7 December 2009
EDPS sees advantages of new Agency for large-scale IT systems, but urges the legislator to better define its scope of activities
Today, the European Data Protection Supervisor (EDPS) adopted an opinion on the European Commission's proposed legislative package establishing an Agency for the operational management of large-scale information technology (IT) systems in the area of freedom, security and justice. The Agency would be responsible for the operational management of the Schengen Information System (SIS II), the Visa Information System (VIS), Eurodac and possibly other large-scale IT systems.
As these databases contain large amounts of sensitive personal data (e.g. details of passports, visas and fingerprints), the EDPS analysed the proposal from a data protection standpoint, with a view to ensuring that certain possible risks, which could have a great impact on the privacy of individuals, are sufficiently addressed in the founding legislative instrument.
The EDPS sees the advantages of setting up an Agency for the operational management of certain large-scale IT systems since it clarifies issues of liability and applicable law. He underlines, however, that such an Agency should only be established if the scope of its activities and its responsibilities are clearly defined. This is crucial to avoid the risk of function creep or the misuse of personal data.
Peter Hustinx, EDPS, says: "The creation of an Agency for such large-scale databases must be based on legislation which is unambiguous about the competences and the scope of activities of the Agency. Such clarity would prevent any future misunderstanding about the conduct of the agency and avoid the risk of function creep. As currently drafted, the proposals do not meet those standards."
The EDPS encourages the legislator to take a cautious and restrictive approach. The point of departure should not be to bring as many large-scale IT systems as possible under the management of one Agency. Only after having acquired experience and following a positive evaluation of its functioning, other large-scale IT systems could be brought under the responsibility of the Agency.
In order to improve the proposal, the EDPS recommends that the legislator:
- clarify whether the scope of activities of the Agency is limited to policies on border checks, asylum and immigration, or whether it should potentially cover all large-scale IT systems developed in the area of freedom, security and justice;
- clarify the notion of large-scale IT systems within this framework, and make clear whether it is limited to such systems which store data in a centralised database for which the Commission or the Agency is responsible.
The opinion (pdf) is available on our website.
For more information, please contact the EDPS Press Service at: press@edps.europa.eu
EDPS - The European guardian of personal data protection
www.edps.europa.eu