Opinion of the European Data Protection Supervisor on the Commission proposal for a Regulation of the European Parliament and of the Council on administrative cooperation through the Internal Market Information System (IMI).
The EDPS welcomes the fact that the Commission formally consulted him and that a reference to this Opinion is included in the preamble of the proposal.
The overall views of the EDPS on IMI are positive. The EDPS supports the aims of the Commission in establishing an electronic system for the exchange of information and regulating its data protection aspects. The EDPS also welcomes the fact that the Commission proposes a horizontal legal instrument for IMI in the form of a Council and Parliament Regulation. He is pleased that the proposal comprehensively highlights the most relevant data protection issues for IMI.
Nevertheless, the EDPS cautions that establishment of a single centralised electronic system for multiple areas of administrative cooperation also creates risks. These include, most importantly, that more data might be shared, and more broadly than strictly necessary for the purposes of efficient cooperation, and that data, including potentially outdated and inaccurate data, might remain in the electronic system longer than necessary.
The security of an information system accessible from 27 Member States is also a sensitive issue, since the system as a whole will only be as secure as its weakest link.
The EDPS makes the following recommendations:
Legal framework: with regard to the legal framework for IMI to be established in the proposed Regulation, the EDPS calls attention to two key challenges: (i) the need to ensure consistency, while respecting diversity, and (ii) the need to balance flexibility and legal certainty:
Retention periods:
Risk assessment: the Regulation should require a risk assessment and a review of the security plan before each expansion of IMI to a new policy area, and before any new functionality that affects personal data is added.
Information and access rights: the provisions on information to data subjects and access rights should be strengthened and should encourage a more consistent approach.
Supervision: the EDPS would strengthen the provisions on coordinated supervision at certain points and would, for that purpose, support provisions similar to those in place, for example, for the Visa Information System and Schengen II, and envisaged for Eurodac. With regard to the frequency of meetings and audits, the EDPS supports the proposal's flexible approach, which aims to ensure that the Regulation provides the minimal rules necessary for effective cooperation without creating unnecessary administrative burdens.
Third countries: the Regulation should ensure that competent authorities or other external actors in a third country that does not afford adequate protection cannot have direct access to IMI unless appropriate contractual clauses are in place. These clauses should be negotiated at the EU level.
Internal control: the Regulation should establish a clear framework of adequate internal control mechanisms that ensures data protection compliance and provides evidence of it. This should include privacy assessments (including a security risk analysis), a data protection policy (including a security plan) adopted on the basis of those assessments, and periodic reviews and audits.
Lastly, the Regulation should also introduce specific privacy by design safeguards.