Opinion of the European Data Protection Supervisor (EDPS) on the proposal for a new Regulation on the Visa Information System.
In order to enhance security and improve the EU external borders management, the Commission adopted a Proposal which would upgrade the Visa Information System (‘VIS’), the EU centralised database that contains information about persons applying for a Schengen visa.
In particular, the proposal provides for (a) the lowering of the fingerprint age for child applicants for a short stay visa from 12 years to 6 years; (b) the centralisation at EU level of data related to all holders of long stay visas and residence permits; and (c) the cross-check of visa applications against other EU information systems in the area of freedom, security and justice.
The EDPS made the following recommendations
Sensitive data
The EDPS stresses that biometric data such as fingerprints are highly sensitive. Their collection and use should be subject to a strict necessity analysis before deciding to store them in a database where a large number of persons will have their personal data processed.
Prevention against children right's abuses
The EDPS notes that it remains unclear whether or to what extent the child trafficking is rooted in or amplified by the mis- or non-identification of children entering the EU territory on the basis of a visa. Should further elements be provided in support of this claim, the EDPS stresses the importance to ensure that fingerprints of the children will be used only when it is in the best interest of the child in a specific case.
The EDPS recommends to introduce in the proposal a specific provision on the fingerprints of children to limit their processing to the purposes of:
- verifying the child's identity in the visa application procedure and at the external borders;
- contributing to the prevention and fight against children's right abuse only in a specific case.
In particular as regards the access by law enforcement authorities, the EDPS recommends to ensure that:
- such access must be necessary for the purpose of the prevention, detection or investigation of a child trafficking case;
- access is necessary in a specific case;
- a prior search in the relevant national databases and in the specific systems at Union level has been unsuccessful;
- reasonable grounds exist to consider that the consultation of the VIS will substantially contribute to the prevention, detection or investigation of the child trafficking case in question;
- the identification is in the best interest of the child.
Data recording in the VIS
By recording data on all holders of long-stay visas and residence permits in the VIS, the proposal would contribute, in the context of the proposal for interoperability of large-scale EU systems, to the creation of a centralised European network providing access to a considerable amount of information on all third-country nationals who have crossed or are considering crossing EU borders (i.e. millions of people).
In this context, the EDPS considers that the harmonisation of secure documents should be further examined and that the data stored in the VIS should be limited to persons whose long-stay visa or residence permit has been refused for security reasons.
Comparisons of data
The proposal provides for the comparison of data stored in the VIS with data stored in other systems built and used so far for purposes other than migration. In particular, the data of visa applicants would be compared with data collected and stored for police and judicial cooperation purposes.
The EDPS recommends:
- to clarify in the proposal the purpose of the comparison of the VIS data with Europol data, as well as the procedure and conditions applicable as regards the outcome of such comparison;
- to ensure that only alerts that are legally part of the visa issuance decision-making process would produce a hit accessible by visa authorities.
Other recommendations
The EDPS made additional recommendations related to the following aspects of the proposals: (i) categories of VIS data compared with data recorded in other systems; (ii) specific categories of visa applicants; (iii) definition of central authorities; (iv) use of VIS data to enter a SIS alert on missing persons; (v) verifications in case of a hit; (vi) access for law enforcement purposes; (vii) statistics; (viii) use of anonymised data for testing purposes; (ix) data quality monitoring; (x) supervision of the VIS.