Administrative cooperation through the Internal Market Information System (IMI)  
2011/0226(COD) - 22/11/2011  

Opinion of the European Data Protection Supervisor on the Commission proposal for a Regulation of the European Parliament and of the Council on administrative cooperation through the Internal Market Information System (‘IMI’).

The EDPS welcomes the fact that the Commission formally consulted him and that a reference to this Opinion is included in the preamble of the proposal.

The overall views of the EDPS on IMI are positive. The EDPS supports the aims of the Commission in establishing an electronic system for the exchange of information and regulating its data protection aspects. The EDPS also welcomes the fact that the Commission proposes a horizontal legal instrument for IMI in the form of a Council and Parliament Regulation. He is pleased that the proposal comprehensively highlights the most relevant data protection issues for IMI.

Nevertheless, the EDPS cautions that establishment of a single centralised electronic system for multiple areas of administrative cooperation also creates risks. These include, most importantly, that more data might be shared, and more broadly than strictly necessary for the purposes of efficient cooperation, and that data, including potentially outdated and inaccurate data, might remain in the electronic system longer than necessary.

The security of the information system accessible in 27 Member States is also a sensitive issue, as the whole system will be only as secure as the weakest link in the chain permits it to be.

The EDPS makes the following recommendations:

Legal framework: with regard to the legal framework for IMI to be established in the proposed Regulation, the EDPS calls attention to two key challenges: (i) the need to ensure consistency, while respecting diversity, and (ii) the need to balance flexibility and legal certainty. In this context, the EDPS recommends:

  • that functionalities that are already foreseeable should be clarified and more specifically addressed;
  • that adequate procedural safeguards should be applied to ensure that data protection will also be carefully considered during the future development of IMI. This should include an impact assessment and consultation of the EDPS and national data protection authorities before each expansion of IMI's scope to a new policy area and/or to new functionalities;
  • access rights by external actors and access right to alerts should be further specified.

Retention periods:

  • the Regulation should provide guarantees that cases will be closed in a timely manner in IMI and that dormant cases (cases without any recent activity) will be deleted from the database;
  • it should be reconsidered whether there is an adequate justification for the extension of the current 6-month period to 18 months following case closure;
  • the Commission has not provided sufficient justification for the necessity and proportionality of retention of ‘blocked data’ up to a period of five years, and therefore this proposal should be reconsidered;
  • a clearer distinction should be made between alerts and repositories of information: the Regulation should provide, as a default rule, that (i) — unless otherwise specified in vertical legislation, subject to adequate additional safeguards — a six-month retention period should apply to alerts and that (ii) this period should be counted as of the time of sending the alert.

Risk assessment: the Regulation should require a risk assessment and a review of the security plan before each expansion of IMI to a new policy area or before adding a new functionality with an impact on personal data.

Information and access rights: the provisions on information to data subjects and access rights should be strengthened and should encourage a more consistent approach.

Supervision: the EDPS would strengthen the provisions on coordinated supervision at certain points and would for that purpose support provisions similar to those in place, for example, in the context of the Visa Information System and Schengen II, and envisaged for Eurodac. With regard to the frequency of meetings and audits, the EDPS supports the proposal in its flexible approach, aimed at ensuring that the Regulation provides the necessary minimal rules for effective cooperation without creating unnecessary administrative burdens.

Third countries: the Regulation should ensure that competent authorities or other external actors in a third country that does not afford adequate protection cannot have direct access to IMI unless appropriate contractual clauses are in place. These clauses should be negotiated at the EU level.

Internal control: the Regulation should establish a clear framework for adequate internal control mechanisms that ensures data protection compliance and provides evidence thereof, including privacy assessments (also including a security risk analysis), a data protection policy (including a security plan) adopted based on the results of these, as well as periodic reviews and auditing.

Lastly, the Regulation should also introduce specific privacy by design safeguards.