The EU needs a smarter approach to information sharing in order to address challenges relating to security and border management. Interoperability, the process of enabling large-scale EU databases to communicate and exchange information, might prove a useful tool, but it is also likely to have profound legal and societal consequences, the European Data Protection Supervisor (EDPS) said today, as he published his Opinion on the Proposals for two Regulations establishing a framework for interoperability between EU large-scale information systems. The Opinion follows a reflection paper published by the EDPS on interoperability on 17 November 2017.

Giovanni Buttarelli, EDPS, said: “Competent authorities across the EU must be able to share information in order to manage current migratory challenges and terrorist and crime-related issues. Interoperability, implemented in a well-considered manner and in full compliance with fundamental rights, could prove useful in facilitating this. However, in their current form, the Commission’s Proposals would alter the structure and operation of the EU’s existing IT databases and change the way in which fundamental legal principles in this area have traditionally been interpreted. As the precise implications of this for the rights and freedoms of individuals require more clarity, wider debate on the future of information exchange in the EU, the governance of interoperable databases and the safeguarding of fundamental rights is needed.”

The EU operates several large-scale IT databases, used by the competent public authorities in the Member States to manage issues relating to migration, asylum and security in the EU. Interoperability could help public authorities to manage these issues by facilitating the exchange of data held within the databases.

However, the current Proposals go further than this. For example, they would allow public authorities to access and use the data stored in EU IT systems for investigations relating to identity fraud and identity checks, and provide for the streamlining of law enforcement access to databases that do not contain law enforcement information. The EDPS acknowledges that law enforcement authorities need access to the best possible tools so that they are able to quickly identify the perpetrators of terrorist acts and other serious crimes. However, he also notes that allowing law enforcement authorities to routinely access information not originally collected for law enforcement purposes has implications for the protection of fundamental rights.

Of particular concern to the EDPS is the creation of a centralised database containing information about millions of non-EU citizens, including their biometric data. The scale of the database and the nature of the data to be stored within it mean that a data breach could harm a very large number of people. With this in mind, it is essential that strict and appropriate legal, technical and organisational safeguards are built into any database, and that particular attention is given to defining its purpose and conditions of use.

Both in legal and technical terms, the Proposals add another layer of complexity to existing and future EU databases with unclear implications for data protection and other fundamental rights and freedoms, as well as for the governance and supervision of the databases. Taking these uncertainties into account, the EDPS calls for wider debate on this issue before considering further steps in the implementation of the Commission’s Proposals on interoperability.