Long-term residents could find their sensitive personal data stored indefinitely, under new proposals for the EU’s Visa Information System (VIS). This poses privacy and data protection risks, according to the latest Opinion from the EU Agency for Fundamental Rights.

VIS holds data on over 52 million visitors to the EU. Current plans could extend that by 20 million people, including all non-EU citizens residing in EU Member States. The EU proposes to revise the current Visa Information System and widen its scope. To explore the impact, the European Parliament asked FRA to provide its Opinion on the fundamental rights implications of revising the Visa Information System.

This Opinion advises the EU on how to avoid potential fundamental rights risks when implementing the Visa Information System. It focuses on core data protection principles of only processing as much data as is needed and of using data only for the purposes for which they were collected. It also underlines the need to pay particular attention to several other rights, for example, the right to asylum, child rights, non-discrimination and access to justice. Some of the findings include:

Extending VIS to include holders of all long-stay visas and residence permits goes against data retention rules as personal data could be kept forever as permits are renewed. Alternatives should be explored.

Adding facial images to biometric matching could result in false matches, without adequate tests of the changing technology. Facial images should only be introduced if the technical reliability of positive matches can be guaranteed.

As children grow, their biometric data (fingerprints and facial imagery) also change. This poses a reliability problem. Protecting child rights should be further strengthened by finding ways to reduce false matches resulting from data being kept longer than the proposed five-year data retention period. This could be through involving biometric experts and not relying on automated processing.

New rules on law enforcement access to VIS should contain sufficient safeguards. This would ensure that criminal information systems are consulted first.

New rules obliging passenger carriers to check passport details of people travelling to the EU could mistakenly prevent people from boarding. Data entry mismatches between the passport data and VIS should not prevent genuine travellers from boarding. Passengers should be informed why they are stopped. A real-time support centre would minimise the disruption caused by possible errors.

As the EU’s large-scale information systems contain a significant amount of inaccurate data, the rights to access, correct and delete personal data should also be improved. This implies informing those affected and setting deadlines for processing requests.

VIS was rolled out in November 2015. It was created to help handle applications for short-stay visas to Schengen countries for up to 90 days.

FRA issues Opinions on specific thematic topics, following requests for advice from the European Parliament, the EU Council or the European Commission. These Opinions are part of the Agency's fundamental rights assistance and expertise that it provides to EU institutions and Member States.