OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the Initiative of the Federal Republic of Germany, with a view to adopting a Council Decision on the implementation of Decision 2007/…/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime.
The EDPS was not asked for advice on this initiative for an implementing decision. Therefore he issues this opinion on his own initiative.
The EDPS recommends that the initiative and its Annex be openly discussed by effectively profiting from the contributions of all institutional actors. It calls on the legislator to ensure that a clear, effective and comprehensive legal framework with regard to data protection - combining different legal instruments with general provisions and specific guarantees - is in place before the current initiative enters into force.
In this perspective, the EDPS reiterates that the Council decisions on Prüm should not enter into force before Member States have implemented a general framework decision on data protection in the third pillar that would be a ‘lex generalis’ on top of which those provisions of the Prüm initiative ensuring specific guarantees and tailored stricter standards should apply.
On the other hand, the legislator should clarify that the specific data protection rules relating to DNA, fingerprints and vehicle registration data in Chapter 6 of the Prüm initiative, are applicable not only to the exchange of these data, but also to their collection, storage and domestic processing, as well as to the supply of further personal data within the scope of the Council decision.
Moreover, the EDPS invites the legislator to properly take into account the scale of the system when further discussing the current initiative, by ensuring that the increase in the number of participating Member States does not entail a decrease in effectiveness.
The EDPS also recommends that the essential advisory role played by relevant data protection authorities be explicitly recognised. Furthermore, the initiative should ensure that Member States provide data protection authorities with the (additional) resources necessary to carry out the supervisory tasks stemming from the implementation of the proposed system and that competent data protection authorities regularly meet at EU level with a view to coordinating their activities and harmonising the application of these instruments.
In addition, the EDPS calls upon the legislator once more to introduce a clear and inclusive definition of personal data. In this perspective, the implementing provisions should also clarify the applicability of data protection rules to unidentified DNA profiles.
The EDPS recommends that, in the context of automated searches and comparisons, accuracy of the matching process is duly taken into account (e.g. with regard to fingerprints, the initiative should harmonise as much as possible the different automated fingerprint identification systems (AFIS) in use in the Member States and the way these systems are used, in particular with regard to false rejection rates).
Lastly, the EDPS suggests that specific emphasis be given to the evaluation of data protection aspects of data exchanges, with specific attention to purposes for which data have been exchanged, methods of information of data subjects, accuracy of exchanged data and false matches, requests of access to personal data, length of storage periods and effectiveness of security measures. In this context, relevant data protection authorities and experts should be duly involved.