Executive summary of the Opinion of the European Data Protection Supervisor on the proposal for a Council regulation on migration from the Schengen Information System (SIS) to the second generation Schengen Information System (SIS II) (recast)
Consultation of the EDPS: the EDPS already issued an Opinion on the three proposals setting up the second generation Schengen Information System on 19 October 2005. At that time, the EDPS focused his analysis on the need to limit access rights and retention periods, as well as the need to supply information to data subjects. He also pointed out that the new functionality of links between records must not lead to an extension of access rights. On the technical design of SIS II, he recommended improvements of the security measures and cautioned against the use of national copies.
The EDPS takes note of the Council conclusions of 13 December 2011 on migration to SIS II where Member States were invited to:
· implement, as soon as possible, the corrective and preventive mechanisms (for current SIS 1+ alerts and new SIS 1+ alerts respectively), so that they can be adapted to the data quality requirements laid down for SIS II alerts;
· prior to the launch of the migration of SIS 1+ data to SIS II, once again review the conformity of current alerts with SIS II dictionaries, ensuring that they comply with the final version of those dictionaries;
· via the competent national authorities responsible for the quality of SIS data, systematically monitor the accuracy of the alerts entered in the national system of SIS 1+, this being essential for ensuring the trouble-free use of the mapping/dictionary mapping mechanism.
In his informal comments on the Commissions draft proposal, the EDPS expressed concerns on different aspects of the migration that in his view should be clarified. Unfortunately, the text adopted did not take into account the comments made during the informal stage and has therefore not provided the required clarifications. Accordingly, the EDPS concludes as follows:
Coordinated supervision mechanism: migration of the data contained in SIS to SIS II is an operation likely to involve specific risks from the point of view of data protection. The EDPS welcomes the fact that under the new provisions, the legal framework for SIS II enters into force once the first Member State has successfully completed the switchover. This is relevant as under the old legislation, the SIS II legal framework would only have come into force once all Member States have completed the migration to SIS II, which would have created legal ambiguity particularly with regard to new functions. This approach has to be also assessed from the point of view of supervision. In the view of the EDPS, it will result in a transfer of responsibilities during the migration that could have negative effects and impinge on the safeguards that supervision provides at the moment when it is needed most. Therefore, the EDPS recommends that the coordinated supervision mechanism should be applicable from the start of the migration. The recast should provide for this approach.
Clarifications required: the EDPS is of the opinion that essential aspects of the migration should be further clarified in the text of the Regulation and not left for other instruments such as the migration plan. In particular, this concerns:
(i) the scope of the migration: it should be absolutely clear which data categories migrate and which do not, and also if the migration involves any transformation of the data, and if so, which are those alterations;
(ii) the need for risk assessment: it is important to carry out a risk assessment for the migration, with the results feeding into a specific security plan;
(iii) the logging of the data: although the proposed text contains a specific article, the focus of this article refers mainly to the regular processing activities of SIS II rather than to the specific data processing activities of the migration, and the text presents a similar provision to the one in the main SIS II Regulation. In the view of the EDPS, the Regulation should have a specific clause determining what should be recorded, for how long, and with which purpose focused on the activities of the migration.
Strengthen testing obligations: the EDPS recommends that the Regulation should strengthen the testing obligations by clarifying certain matters.
(i) Pre-migration tests, which should also include the following elements:
· all functional aspects associated to the migration process as referred to in Article 11 of the proposal and other issues such as the quality of the data to be transferred;
· non-functional elements such as security;
· any specific measures and controls adopted to reduce the risks of the migration.
(ii) Comprehensive tests: the EDPS recommends that the proposal should provide clearer criteria to define if those tests have resulted in a success or in a failure.
(iii) Validation of results: after the switchover of a Member State has been completed, it should be possible to validate the results. The Regulation should also require that these validation tests are successful in order to consider a Member State 's switchover to SIS II successful. Hence, these tests should be carried out as a precondition to enable the use of full SIS II functionality by that Member State .
(iv) Use of test data: as regards using test data during migration, the EDPS would like to stress that if test data are to be based on scrambled real data from SIS, all necessary measures would have to be taken to ensure that it will be impossible to reconstruct real data from this test data.
Security: preventive security measures are especially welcomed, and the EDPS recommends introducing in the text of the recast a specific provision requiring the Commission and the Member States to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the migration and also by the specific nature of the personal data to be processed, based on the requirements of Article 22 of Regulation (EC) No 45/2001.The EDPS makes certain recommendations.
(i) Take into consideration general security aspects through:
· recognising the specific nature of the data processing activities associated to the migration;
· establishing some general guidelines concerning the measures to be taken (for instance that the data should only be transferred between two systems if adequately encrypted);
· establishing that the Commission together with the Member States, and in particular with France, shall develop a specific security plan, after the evaluation of the possible risks associated to the migration, in due time before the migration.
(ii) Specific clauses to protect data integrity: the EDPS recommends including in the Regulation or in a specific Commission decision the following measures:
· an annex with the mapping and validation rules applicable in the conversion, making it easy to verify whether the relaxation of SIS II rules is compliant with the SIS II Regulation;
· a provision defining the responsibility of the different actors in the identification and correction of anomalous data;
· a requirement to fully test, before the migration, the compliance of the data to be migrated with SIS II integrity rules.
(iii) The disposal of the old system: after the migration, the question of what will happen to the technical equipment of SIS 1+ becomes urgent. The EDPS therefore recommends that the proposal or a specific Commission decision should establish a precise time limit for this retention together with an obligation to take appropriate technical measures to ensure a secure deletion of the data after finishing the migration and the intensive monitoring period.