CCIR

Several different large-scale IT databases are used by the EU to facilitate police cooperation and to help manage borders and migration. The EU aims to improve the efficiency of these databases by making them more interoperable, or capable of communicating and exchanging information.

While we endorse attempts to develop a more coherent approach to border management and cooperation, this is a complex topic. Any new proposal must ensure full respect for data protection rules, the European Data Protection Supervisor (EDPS) said as he published his contribution to the debate on interoperability.

Giovanni Buttarelli, EDPS, said: “Interoperability, when implemented in a well-considered manner, could help to increase the efficiency of information-sharing in the EU, as well as to reduce the costs associated with operating the EU’s large-scale IT systems. Interoperability may even act in the interest of data protection, helping to ensure that the data held in these systems is up to date. We welcome the EU’s efforts to explore a more coherent approach to borders and security and will work with them to help ensure that any new measures fully respect the fundamental right to data protection.”

Making the exchange of data technically feasible becomes, in many cases, a powerful drive for the exchange of these data. Interoperability may therefore lead to the development of new data processing activities, involving the exchange or cross matching of data. As a clear legal basis for doing this does not currently exist, a new legal basis for processing would need to be established.

The EDPS looks forward to the publication of the Commission’s forthcoming legislative proposal. He encourages the Commission to clearly define the problems interoperability aims to solve and to plainly set out the specific categories of data to be processed and the purpose for doing so. Only once this information is available can the current debate on the impact of interoperability on our fundamental rights move forward.

 

If it is to be fully compliant with data protection rules, the EDPS recommends that any proposal involving new forms of data processing must be shown to be both necessary and proportionate in relation to clearly stated objectives. Once this has been established, compliance with data protection rules must then be ensured through the application of principles such as data protection by design and by default and the implementation of appropriate security measures.