Opinion of the European Data Protection Supervisor (EDPS) on the proposal for a European Travel Information and Authorisation System (ETIAS)
Members recalled that according to the proposal, the system would require visa-exempt travellers to undergo a risk assessment with respect to security, irregular migration and public health risks prior to their arrival at the Schengen borders. This assessment would be carried out by means of cross-checking applicant’s data submitted through ETIAS against other EU information systems, a dedicated ETIAS watchlist and screening rules.
The EDPS considers that there is a need for conducting an assessment of the impact that the proposal will entail on the right to privacy and the right to data protection enshrined in the Charter of Fundamental Rights of the EU, which will take stock of all existing EU-level measures for migration and security objectives. The establishment of ETIAS would have a significant impact on the right to the protection of personal data, since various kinds of data, collected initially for very different purposes, will become accessible to a broader range of public authorities (i.e. immigration authorities, border guards, law enforcement authorities, etc.).
Moreover, the ETIAS proposal raises concerns regarding the process of determining the possible risks posed by the applicant. The EDPS understands that the legislator’s objective is to create a tool enabling the automatic singling out of visa-exempt third country nationals suspected of posing such risks. Nonetheless, profiling, as any other form of computerised data analysis applied to individuals, raises serious technical, legal and ethical questions.
Since the proposal establishes an additional system involving the processing of a significant amount of personal data of third country nationals for immigration and security objectives, the EDPS:
- intends to include a definition of irregular migration risks and security risks in the Proposal to comply with the purpose limitation principle;
- recommends that the proposed ETIAS screening rules be subject to a prior comprehensive assessment of their impact on fundamental rights;
- calls for convincing evidence supporting the necessity of using profiling tools for the purposes of ETIAS;
- questions the relevance of collecting and processing health data;
- calls for a better justification of the chosen data retention period and of the necessity of granting access to national law enforcement agencies and Europol.
In addition to the main concerns, the EDPS recommendations include, inter alia: (i) the necessity and proportionality of the set of data collected; (ii) the interoperability of ETIAS with other IT systems; (iii) the data subjects’ rights and provided remedies; (iv) the independent review of the conditions for access by law enforcement authorities; (v) the architecture and information security of the ETIAS; (vi) the statistics generated by the system.