EDPS respomse to the Commission public consultation on lowering tfiie fingerprinting âge for children in the visa procédure from 12 years to 6 years

Similar documents
Reflection paper on the interoperability of information systems in the area of Freedom, Security and Justice

Opinion 07/2016. EDPS Opinion on the First reform package on the Common European Asylum System (Eurodac, EASO and Dublin regulations)

Opinion of the European Data Protection Supervisor

on the proposal for a Regulation of the European Parliament and of the Council concerning customs enforcement of intellectual property rights

Opinion 3/2016. Opinion on the exchange of information on third country nationals as regards the European Criminal Records Information System (ECRIS)

EDPS Opinion 7/2018. on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

The EDPS has limited the comments below to the provisions of the Proposal that are particularly relevant from a data protection perspective.

EUROPEAN DATA PROTECTION SUPERVISOR

Opinion 3/2017 EDPS Opinion on the Proposal for a European Travel Information and Authorisation System (ETIAS)

Public Consultation on the Smart Borders Package

Meijers Committee standing committee of experts on international immigration, refugee and criminal law

EDPS Opinion on the proposal for a recast of Brussels IIa Regulation

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

EUROPEAN DATA PROTECTION SUPERVISOR

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Opinion on a notification for Prior Checking received from the OLAF Data Protection Officer regarding the Customs File Identification Database (FIDE)

Having regard to the opinion of the European Economic and Social Committee ( 1 ),

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Adapting the common visa policy to new challenges

Council of the European Union Brussels, 8 October 2015 (OR. en)

Table of contents United Nations... 17

Tony Bunyan May Interoperability: the point of no return 1

12926/16 al 1 GIP 1B

FREEDOMS. Fundamental rights and the interoperability of EU information systems: borders and security

Report on the national preparation for the implementation of the Eurodac Recast

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Brussels, 16 May 2006 (Case ) 1. Procedure

EUROPEAN DATA PROTECTION SUPERVISOR

Coordinated Supervision of Eurodac. Activity Report

9848/18 AP/kl 1 DGD 1 LIMITE EN

Spring Conference of the European Data Protection Authorities, Cyprus May 2007 DECLARATION

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Secretariaat. To European Parliament Civil Liberties, Justice and Home Affairs Committee Rue Wiertz BE-1047 BRUXELLES

Committee on Civil Liberties, Justice and Home Affairs. on the Situation of fundamental rights in the European Union ( ) (2011/2069(INI))

Brussels, 16 July 2007 (Case ) 1. Procedure

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

PE-CONS 71/1/15 REV 1 EN

Recommendation for a COUNCIL DECISION

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 11 January /07 Interinstitutional File: 2004/0287 (COD) LIMITE VISA 7 CODEC 32 COMIX 25

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

COMP Article 1. Article 1 Subject matter and objectives

Public Consultation on the Smart Borders Package

12913/17 EG/np 1 DGD 2C

Proposal for a COUNCIL DECISION

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 25 October /06 Interinstitutional File: 2004/0287 (COD) LIMITE

Brussels, 29 November 2007 (Case ) 1. Procedure

Adopted on 23 June 2005

EXECUTIVE SUMMARY. 3 P a g e

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 78(3) thereof,

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 20 December /06 Interinstitutional File: 2004/0287 (COD) LIMITE

Connecting personal data of Third Country Nationals

COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT. Accompanying the document PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND THE COUNCIL

ECRE Comments on the Commission Proposal to recast the Eurodac Regulation COM(2016) 272

COUNCIL REGULATION (EC)

Opinion 6/2015. A further step towards comprehensive EU data protection

EUROPEAN DATA PROTECTION SUPERVISOR

POLICY BRIEF. Crossing borders in the next 15 years: EXECUTIVE SUMMARY. How should and will border management develop?

Report on access to the VIS and the exercise of data subjects' rights

REGULATION (EC) No 767/2008 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 9 July 2008

Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 78(3) thereof,

THE PASSENGER JOURNEY: New requirements for border control

REPORT on access to the VIS and the exercise of data subjects' rights

8974/18 ACA/mr 1 DGD 1

Data protection and privacy aspects of cross-border access to electronic evidence

COMMISSION RECOMMENDATION. of XXX

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

11161/15 WST/NC/kp DGD 1

Recommendation for a COUNCIL DECISION

ARTICLE 29 DATA PROTECTION WORKING PARTY WORKING PARTY ON POLICE AND JUSTICE

Delegations will find the text of this Resolution in annex II and are invited to present their comments at the COPEN meeting of 28 May 2014.

P6_TA-PROV(2007)0347 PNR Agreement

ANNEX. to the COMMISSION IMPLEMENTING DECISION

Interoperability of Justice and Home Affairs Information Systems

1. UNHCR s interest regarding human trafficking

Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Ombudsman on verification of telephone bills

Recommendation for a COUNCIL DECISION

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

JAI.1 EUROPEAN UNION. Brussels, 8 November 2018 (OR. en) 2016/0407 (COD) PE-CONS 34/18 SIRIS 69 MIGR 91 SCHENGEN 28 COMIX 333 CODEC 1123 JAI 829

Biometric data in large IT borders, immigration and asylum databases - fundamental rights concerns

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a COUNCIL FRAMEWORK DECISION. on combating fraud and counterfeiting of non-cash means of payment

***I POSITION OF THE EUROPEAN PARLIAMENT

L 348/98 Official Journal of the European Union

Selection procedure at the European Ombudsman's Secretariat

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a COUNCIL DECISION

Legal aspects of biometric data processing : current state of affairs. Dr. E. J. Kindt MIPRO 2015

The public consultation consisted of four different questionnaires targeting respectively:

ARTICLE 29 DATA PROTECTION WORKING PARTY

Council of the European Union Brussels, 16 October 2017 (OR. en)

Recommendation for a COUNCIL DECISION

AMENDMENTS EN United in diversity EN. European Parliament Draft report Claude Moraes (PE v02-00)

COMMUNICATION FROM THE COMMISSION. On the global approach to transfers of Passenger Name Record (PNR) data to third countries

The EU Passenger Name Record System and Human Rights

Having regard to the opinion of the European Economic and Social Committee ( 1 ),

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a COUNCIL DECISION

10020/16 SN/pf 1 DGD1B

Official Journal of the European Union L 180/31

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Transcription:

Europe an Data protection supervisof EDPS respomse to the Commission public consultation on lowering tfiie fingerprinting âge for children in the visa procédure from 12 years to 6 years Context On 17 August 2017, the European Commission launched a public consultation1 on lowering the fingerprinting âge for children in the visa procédure from twelve years to six years old. Following an évaluation2 of the functioning of the Visa Information System (hereinafter "VIS") carried out in 2016, the Commission considers that a number of areas of the VIS could be improved and envisages revising the VIS Régulation3. The Commission thus made several suggestions for amending the VIS Régulation, including reducing the minimum âge for fingerprinting visa applicants to six years old. To propose such a change, the Commission draws on a Technical Report4 from the Joint Research Centre ("JRC") on Fingerprint Récognition for Children. The Commission already proposed5 a similar change in 2016 for the Eurodac information system by providing for a new minimum âge of six years old for processing biométrie data (instead of fourteen years old originally), by considering that six years old is "the âge at which research shows that fingerprint récognition of children can be achieved with a satisfactory level of accuracy"6. The EDPS provided comments in this regard in his Opinion7 on the proposai. This public consultation on lowering the fingerprinting âge for children in the visa procédure will feed into a specific study on the necessity and proportionality of lowering the fingerprinting âge for children whose data are in the VIS, and will also underpin the impact assessment of the proposai to revise the VIS Régulation that will be tabled by the Commission in 2018. Aim and scope of these comments One of the EDPS' mission is to advise the Commission services in the drafting of new proposais with data protection implications. The EDPS welcomes that, contrary to the 2016 Eurodac proposai, the future proposai to revise the VIS Régulation will be accompanied by an impact assessment. Reducing the âge limit for collecting and processing fingerprint data of children from the âge of twelve years old to the âge of six will impact their right to data protection laid down in Article 8 of the EU Charter of Fundamental Right (hereinafter "the Charter"). The EDPS has long been concerned not only with the processing of biométrie data but also with the processing of personal data relating to children8. This public consultation is therefore relevant for the EDPS activities. Moreover, the EDPS is listed as one of the target group of this public consultation. Postal address: rue Wiertz 60 - B-1047 Brussels Offices: rue Montoyer 30 E-mail : edps@edps.europa.eu - Website: www.edps.europa.eu Tel.: 02-283 19 00 - Fax : 02-283 19 50

Therefore, the EDPS has answered below the questions of the Commission consultation that are relevant from a data protection perspective9, not limiting himself to the alternative answers suggested by the Commission. Answers to the questions Question 1. Do vou consider, as a matter of principle that children should be submitted to the same procédures when applving for a short-stav ("Schengen") visa as adults? Children in général are more vulnérable than adults as they are less aware not only of the conséquences of the processing of their personal data, but also of existing safeguards and of their data protection rights. In the spécifié context of migration and border control, the Fundamental Rights Agency rightly pointed out10 that the collection of children's data might affect their lives, while they have no say in their parent's décision to travel. For these reasons, the EDPS considers that children should benefit from a higher level of protection and specific safeguards11 in relation to the processing of their personal data in the visa procédure, especially since some of the data collected from them are as highly sensitive as biométrie information. Question 2. Is there anv particular âge from where fingerprinting should start being applied? The EDPS recalls the necessity and proportionality requirements in Article 52(1) of the EU Charter in case a limitation is brought on a fundamental right. Article 8 of the Charter provides for the fundamental right to the protection of individuals' personal data. The right to protection of one's personal data is not an absolute right; it can be limited on the condition that such limitation complies with ail requirements of Article 52(1) of the Charter, including passing the necessity and proportionality test. The EDPS considers that for now the question remains whether or not processing fingerprint data of children as from a younger âge is necessary and proportionate to achieve objectives of général interest. The EDPS takes note of the fact that the Technical Report from the JRC on Fingerprint Récognition for Children finds that "Size (in terms of the dimensions of the relevant fingerprint characteristics) - and implicitly âge - does not constitute any theoretical barrier for automated fingerprint récognition However, the EDPS emphasises that what is technically feasible is nor per se necessarily desirable, nor necessary and proportionate in accordance with Article 52(1). The EDPS recommends that the necessity and proportionality of collecting fingerprint data of children as from a younger âge should be the focus of an additional prior reflection and évaluation, as part of the impact assessment that is carried out to accompany the future Commission proposai to revise the VIS Régulation. Fixing the particular minimum âge for fingerprinting children should be part of this reflection. In this regard, the EDPS invites the Commission to read the Necessity Toolkit12 that has been released in April this year and is addressed to the legislator to help in assessing the necessity of new législative measures. 2

Question 3. To what extent do vou consider that fingerprinting children applving for a short stav visa, bv helping with identification, is necessary or useful to address or prevent a) trafficking, b) child abduction, c) children going missing, d) irregular migration, e) visa fraud and f) identitv fraud? The EDPS first stresses the importance of defining clear purposes for the processing of fingerprint data of children, and recalls the purpose limitation and purpose spécification principles13 according to which personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a manner which is incompatible with those purposes. In addition, the EDPS considers that identifying clear purposes is also a pre-requisite to assess the necessity and proportionality of collecting fingerprint data of children. In particular, the specific objectives that would be pursued in this case, which could not be achieved without storing fingerprint of children as from a younger âge, should be clarified. Furthermore, the EDPS considers that a clear différence should be made between the use of fingerprint data in the interest of children (e.g. to prevent child abduction or child trafficking) or to their possible detriment (e.g. with a view to identify a child as irregular migrant). He emphasises that Europol and national law enforcement authorities can request - and under certain conditions obtain - access to ail VIS data without distinction for pursuing the prévention, détection and investigation of terrorist offences and other serious criminal offences14. Therefore fingerprint data of children from a younger âge kept in the VIS would potentially also be available to Europol and national law enforcement authorities. In this regard, the EDPS recalls that the European Court of Human Rights ("ECtHR") in the case of S. and Marper v. United-Kingdom15 ruled against the blanket rétention of biométrie data of persons who are not suspected of unlawful conduct or otherwise under investigation for law enforcement purposes, and found that it "constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a démocratie society"16. The Court further considered that this may be especially harmful in the case of children given their spécial situation and the importance of their development and intégration in society17. Therefore, when defining the purposes for the processing of fingerprint data of children in the visa procédure, the EDPS recommends that fingerprints of children should not be considered as serving to incriminate them, since below a certain âge they could not represent any meaningful threat. In principle, the processing of a child's fingerprint data by law enforcement authorities should mainly take place in the child's sole interests, for instance in order to protect or retrieve missing children or children who are victims of crimes. Question 4. In vour view, can any of the purposes mentioned above (prévention of and/or responses to trafficking or children going missing, child abduction, irregular migration, visa fraud, identitv fraud) be achieved through other means? As part of the assessment of the necessity of lowering the âge for fingerprinting, the EDPS stresses that the legislator should indeed assess whether or not each of these objectives could not be achieved as efficiently by using less intrusive means. In this case, the question of whether one or several alternative législative measures could achieve the same objectives without collecting additional data from children as of six years old, for instance by using the data already available in other systems in a différent way, remains and should be answered. 3

In addition, restricting spécifié aspects of the measure of lowering the fingerprinting âge to six years old could also be envisaged to make it less intrusive, such as for instance by providing for a reduced data rétention period for fingerprint data of children or limiting the access and use of such data to specific authorities. The EDPS invites the Commission to get acquainted with "Step 4: Choose option that is effective and least intrusive" of his Necessity Toolkit. Question 5. To what extent do vou agree with the following statement: "Fingerprinting of minors/children is an intrusive measure"? Fingerprinting children constitutes a limitation to their fundamental rights to privacy and data protection enshrined in Articles 7 and 8 of the EU Charter. The EDPS considers that the processing of fingerprint data from children as from six years old in the visa procédure is a significantly intrusive measure, especially taking into considération: the number of data subjects concerned - which given the lowering of the minimum âge from twelve to six years old would greatly increase; the category of persons concerned - in this case children who are particularly vulnérable persons and require spécial care and attention; the type of additional personal data collected and processed - in this case biométrie data, which are considered spécial catégories of personal data according to the General Data Protection Régulation18 and the Data Protection Directive for the police and justice sectors19 and as such can only be processed where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject; the automated means used to process such information - namely the Eurodac database; the différent purposes that are pursued for processing such data - which still need to be precisely identified. Question 6. Which authorities should, in vour view. have access to the personal data of children (meluding fingerprints") collected in the visa procédure, for the purposes mentioned in question 4 above: visa authorities onlv, when processing the visa application, to combat identitv and visa fraud; - border authorities, to identifv cases of visa fraud; - authorities competent in the field of irregular migration; anti-trafficking authorities, if the child is suspected to be or identified as a victim of trafficking; - child protection authorities for ail situations where there are child protection concerns relating to the child. The EDPS recalls that, depending on the objectives set by the legislator for fingerprinting children, the catégories of authorities entitled to access and use fingerprint data of children 4

should be limited to what is strictly necessary for the purposes of such processing. The distinction should notably be made between authorities involved in processing personal data of children in their interest, and those processing such data for instance in order to potentially incriminate a child or identify a child as an irregular migrant. The EDPS also recommends that the number of staff members within authorities entitled to access such data should also be limited, and that such staff members should follow specific training on data protection. Moreover, since the proper enrolment of fingerprint data in the VIS is key to ensure a high level of data quality and reduce the risk of errors in matching fingerprints of children, the EDPS also recommends that staff members of diplomatie missions and consular posts in charge of collecting fingerprint data in the visa application process follow specific training for collecting such data of children. Question 7. Do vou consider that specific or additional protection safeguards need to be in place when collecting biometric/fingerprint data of third country national children? Should the necessity of processing fingerprint data of children from a younger âge be demonstrated for specific purposes, the EDPS recommends to include additional safeguards for the processing of children's data in the future proposai to revise the VIS Régulation. First, any information provided to children in accordance with Article 37 of the VIS Régulation should be conveyed in a manner appropriate to their specific âge, knowing that a child of six years old does not have the same level of understanding than a child of thirteen years old. The proposai for the 2016 Eurodac Recast provided that fingerprints of children should be taken in a "child-sensitive and child-friendly manner"20 without further indications of what these words means in practice. The EDPS suggests creating a common European standard for taking biométrie data of children and informing them in a clear and plain language that they can easily understand. Such standard should be developed in coopération with organisations specialised in child protection and with data protection authorities. The EDPS stresses the importance of ensuring a high level of data quality of fingerprint taken from children. Any error of the VIS in matching biométries could resuit in serious conséquences for the children concerned, such as for instance a refusai to access the EU territory or the rejection of the visa application. The EDPS recalls that the Report of the JRC concluded that "fingerprint récognition of children aged between 6 and 12 years is achievable with a satisfactory level of accuracy " on the condition that "appropriate best practice guidelines are developed and achievable within certain constraints of technical and organisational nature Furthermore, as a rule personal data should be retained for no longer than necessary for the purposes of processing. The rétention period of data in the VIS is of maximum five years21 and the same applies accordingly to personal data, including fingerprints, of children from 14 years old and above whose data are already stored in the VIS. As regards the fingerprint of children below 14 years old, the EDPS recommends evaluating in the impact assessment if a shorter data rétention period would be more suitable, since the level of quality of such data cannot be ensured during the same length of time. 5

Question 10. Could technological developments, including on the collection and use of biométries, contribute to and should be used to enhance the protection of children? The EDPS recognised on several occasions the advantages provided by the use of biométries, such as the high assurance of the identity of the individual. However, the EDPS always stressed that, given their very nature and their sensitive character, the necessity to use these data should be strictly demonstrated, and these benefits would be also dépendent on the application of more stringent safeguards22. In this regard, the EDPS recommends the implementation of the principle of data protection by design, which is now provided for by law and referred to in Article 25 of the General Data Protection Régulation and Article 20 of the Data Protection Directive for the police and justice sectors. This principle obliges organisations to integrate data protection from the very design of a new system or a new functionality of a system, and implement technical and organisational measures that will guarantee the protection of personal data processed. Brussels, 9 November 2017 Giovanni BUTTARELLI 6

1 https://ec.europa.eu/home-affairs/content/consultation-lowering-fingerprinting-age-children-visa-procedure-~12years-6-vears_en 2 Report to the European Parliament and the Council on the implementation of Régulation (EC) No 767/2008 of the European Parliament and of the Council establishing the Visa Information System (VIS), the use of fingerprints at external borders and the use of biométries in the visa application procedure/refit Evaluation, CC)M(2016) 655 final. 3 Régulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Régulation), OJ L 218, 13.8.2008, p. 60. 4 Joint Research Centre Technical Report of 2013 on Fingerprint Récognition for Children, Report EUR 26193, available at: http://publications.jrc.ec.europa.eu/repository/bitstream/jrc85145/fingerprint%20recognition%20for%20childre n%20final%20report%20%28pdf%29.pdf 5 Proposai for a Régulation of the European Parliament and of the Council on the establishment of Eurodac' for the comparison of fingerprints for the effective application of [Régulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes (recast), COM(2016) 272 final (hereinafter "2016 Eurodac Recast"). 6 Explanatory Mémorandum to the 2016 Eurodac Recast, p. 4. 7 EDPS Opinion 07/2016 on the First reform package on the Common European Asylum System, par. 24-27. 8 https://edps.europa.eu/sites/edp/files/publication/08-06-23_children_internet_en.pdf 9 Questions 8 and 9 of the public consultation were not considered relevant from a data protection perspective. 10 FRA Opinion 2/2017 on the impact on fundamental rights of the proposed Régulation on the European Travel Information and Authorisation System (ETIAS), p. 18. 11 See infra the EDPS answer to question 7 as regards specific safeguards for the processing of children's data. 12 Available at: https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessitv_toolkit_final_en_0.pdf 13 See also Article 29 Working Party Opinion 03/2013 of 2 April 2013 on purpose limitation. 14 Article 3 of the VIS Régulation; Council Décision 2008/633/JHA of 23 June 2008 concerning access for consultation of the Visa Information System (VIS) by the designated authorities of Member States and by Europol for the purposes of the prévention, détection and investigation of terrorist offences and of other serious criminal offences, OJ L 218, 13.8.2008, p. 129. 15 ECtHR, S. and Marper v. United-Kingdom, 4 December 2008, applications no. 30562/04 and 30566/04. 16 Case S. and Marper v. United-Kingdom, par. 125. 17 Case S. and Marper v. United-Kingdom, par. 124. 18 Régulations Régulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Régulation), OJ L 119, 4.5.2016, p. 1-88, specifically Article 10. 19 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prévention, investigation, détection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Décision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89-131, specifically Article 9. 20 Article 2(2) of the 2016 Eurodac Recast. 21 Article 23 of the VIS Régulation. 22 See inter alia Opinion 07/2016 on the First reform package on the Common European Asylum System (Eurodac, EASO and Dublin régulations); Opinion 06/2016 on the Second EU Smart Borders Package Recommendations on the revised Proposai to establish an Entry/Exit System; Opinion 3/2016 on the exchange of information on third country nationals as regards the European Criminal Records Information System (ECRIS); Opinion 7/2017 on the new légal basis of the Schengen Information System. 7

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback