The Visa Information System (VIS) is intended
to be a system for the exchange of visa data between Member States
and is primarily an instrument to support the common visa policy.
It will also facilitate checks at the external borders and within
the Member States, assisting the exchange of data between Member
States on applications and on the decisions in respect of those
applications.
The EDPS – the person responsible for monitoring the processing
of personal data by the Community institutions and bodies – has
issued an Opinion on a proposal, released in November, for a
Council Decision that will set out how and when Europol and the
security agencies of Member States will be entitled to access the
VIS.
According to the EDPS, Peter Hustinx, "The VIS database will be
the biggest cross-border one in Europe. Some 20 million new entries
per year, regarding people who apply for a Schengen visa, are
foreseen. It is of utmost importance that data protection is taken
seriously for these, a priori, innocent people".
In general terms, the proposed Council Decision allows agencies
to access VIS in the course of their duties in relation to the
prevention, detection and investigation of criminal offences,
including terrorist acts and threats, subject to strict compliance
with the rules governing the protection of personal data.
According to Hustinx, the Commission proposal pays considerable
attention to data protection, requiring that access can only be
granted in specific circumstances, on a case-by-case basis, and
accompanied by strict safeguards.
This is welcome, says Hustinx, although improvements could be
made. In particular he suggests that:
- The conditions for access must be read cumulatively and access
should only be granted if it would 'substantially' contribute in a
specific case;
- Equivalent data protection must be granted if an authority of a
member state that does not apply the VIS regulation accesses the
database;
- The 'purpose of travel' and the photograph of the visa holder
or applicant should only be made available as supplementary
information; and
- Data protection requirements shall be supervised in a
coordinated way and self-auditing provisions shall be
introduced.
The VIS database is not the only EU-wide database that may be
affected by increased access requirements in the current political
climate.
The Schengen Information System, which governs the movement of
people within certain EU borders, and EURODAC, which retains the
fingerprints of anyone over the age of 14 who applies for asylum in
the EU (except Denmark, for the time being), in Norway and in
Iceland, are increasingly being seen as key security tools within
the EU.
According to the EDPS, therefore, his current Opinion is an
important one, as it is likely to be a precursor in the field of
granting law enforcement authorities access to large-scale
information and identification systems.