Evelien Brouwer, Senior-researcher, Amsterdam Centre for Migration and Refugee Law (ACMRL), Vrije Universiteit Amsterdam
This Blog examines ways in which the new Interoperability Regulations affect the EU data protection principle of purpose limitation. The main argument is that purpose limitation is in the interest of both individuals and users. For data subjects, it ensures the transparency of the use of their personal data. At the same time, it is a guarantee of the division of powers. Purpose limitation guarantees that personal information that is submitted to national authorities for one particular public task will not be automatically shared with other actors. For users, it ensures that data are not used outside the specific context or tasks for which they are collected, and that these data are not shared with too many users and too many countries.
Purpose limitation safeguards the confidentiality, but also the reliability and accuracy, of data collected and processed by public authorities. The necessity and proportionality of interoperability constitute a key challenge. It is central to ensure that the use of information stored in the EU large-scale databases is based on transparent and harmonised rules, and that effective supervision and legal remedies are available in practice.
Interoperability and purpose limitation
A key point raised during the Task Force discussions related to the extent to which interoperability will affect or amend any of the original purposes of already existing EU databases, or whether it will add any new category of data to be stored. Purpose limitation is one of the key principles of data protection law, incorporated in the rules of the GDPR and the Law Enforcement Directive (LED).
Preserving purpose limitation is in the interest of data subjects, both by ensuring the confidentiality of their personal data and by safeguarding the balance of powers in their relationship with governments. Furthermore, purpose limitation guarantees that data are not used outside the context or the public task for which they are gathered. This allows authorities using these systems to rely on the confidentiality, reliability, and accuracy of the data being stored.
Taking into account the original goals and context in which the different large-scale data systems in the EU were set up, interoperability deviates from the purpose limitation principle by allowing organisations with very different roles and tasks to get access to information which has been stored for other purposes.
Aside from the Regulation on Interoperability, previous EU legislation also added new databases, including the Entry Exit System, ETIAS, and ECRIS-TCN, and gradually extended the content and accessibility of existing databases such as Eurodac and the Schengen Information System (SIS). In this regard, interoperability also changes the meaning of ‘information’ depending on the context in which it is used. A key red line should be to ensure that newly available information would be used only when strictly necessary, in accordance with general principles of data protection law as affirmed by the Court of Justice of the EU (CJEU) in different judgments (e.g. Digital Rights Ireland, Schrems, Opinion 1/15 on the Canada-PNR agreement).
Some Task Force participants questioned, however, whether current rules on interoperability in combination with the new rules on existing and new EU databases have gone beyond these goals, making a dead letter of purpose limitation. In this sense, it was submitted that the choice for the multipliers in the interoperability framework could result in the by-passing of existing national safeguards against misuse or unlawful access to data.
Furthermore, where the EU legislator, for example with regard to the establishment of ECRIS-TCN, submits that a new measure is necessary for the identification of third country nationals, ‘identification’ can never operate as an aim in itself. The following question should always be posed: identification as a tool for which specific purpose?
Security and rights: necessity and proportionality
The discussion on purpose limitation and the law enforcement use of immigration data is closely related to the discussion on the goals of the new rules on interoperability and large-scale databases. In accordance with the EU Charter on Fundamental Rights and case-law of the CJEU, any decision on the establishment of new EU information tools, centralised storage of data on third country nationals, or the broadening of the purpose limitation, should be based on a prior assessment of the necessity and proportionality of such a measure.
This decision-making should also take into account the ‘transitioning of status’ of individuals. This means that whereas the necessity and proportionality of data processing in the field of the EU’s Area of Freedom, Security and Justice (AFSJ) is closely related to the status of the data subject, it should be acknowledged that this status may change over time. For example, asylum seekers may transition into refugees, third country nationals may obtain EU citizenship, and criminal charges against persons may be dismissed, meaning previously suspected persons must be treated as innocent citizens again.
At several levels, for example with regard to the introduction of the European Travel Information and Authorisation System (ETIAS), a full impact assessment does not seem to have taken place, also in the light of further aggregation of data and new collection of information. Concrete information on both the evidence of threat and the practical use of accessible data for the prevention of threat or conviction of terrorists is a prerequisite for assessing the legitimacy of the adopted tools on databases and interoperability.
Furthermore, this decision-making is not a mere choice between the protection of fundamental rights and security. Data protection is in the interest of the users, including national authorities and EU agencies. An effective implementation of these principles, including data security and purpose limitation, preserves the shared goal of protecting the safety and legitimacy of the data and the legitimate aims of data processing.
Instead of framing law making as a ‘balance between data protection and security’, it should be emphasised that the protection of both security and individual rights must go hand in hand. As former Commissioner for the Security Union Julian King emphasized: “Security, freedom and rights continue to be intimately intertwined. Compliance with fundamental rights is a key characteristic of EU security policy”.
This emphasis on fundamental rights compliance is specifically relevant, considering that the majority of the persons registered in the aforementioned EU data systems do not pose a security threat, but are innocent, non-suspected individuals, including refugees and children, such as legitimate travellers in VIS, ETIAS and EES, and asylum seekers in Eurodac.
Transparency and harmonisation
Considering the effectiveness of the adopted Interoperability Regulations and EU large-scale databases, including the access of law enforcement authorities, the need for transparency and standardisation of applicable rules is of crucial importance. As other Blog contributions to this Forum have rightly pointed out, different stakeholders, data protection authorities, national authorities, and EU agencies are confronted with a very complex and fragmented legal framework.
There is a general lack of knowledge on how these rules will work or should be implemented in practice. This complexity of rules is caused by the multiple amendments of existing laws, the introduction of new databases (EES, ETIAS, ECRIS-TCN), and the recent implementation of the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED). It is unclear how the different actors will deal with these rules in practice, also considering the lack of standardised procedures and criteria at the national level.
This lack of transparency and complexity of rules is particularly problematic within the field of law enforcement, where data may end up in a criminal procedure. The lack of standardised rules on machine-learning or the use of algorithms is particularly problematic for upholding data protection standards, both with regard to access rights of individuals and the supervision by data protection authorities and courts. It will be difficult for both individuals and courts to assess the lawfulness and accuracy of the submitted data.
Supervision and access to legal remedies
Interoperability and its inherent complexity of rules may hamper the effective monitoring by data protection authorities at EU and national levels. EU agencies such as Frontex, Europol and Eurojust are confronted with a complicated legal framework. This complexity is caused by the application of multiple and multi-level laws at the EU level, but also the involvement of different state actors and national rules. This is exacerbated by the overlap between immigration and law enforcement access to data.
For example, whereas the primary goal of ETIAS is border controls, ETIAS law provides that the data stored involves six objectives for further uses of data, four of which concern law enforcement or security-related goals. This means that either the GDPR or the LED will have to be applied depending on the specific objective behind its use. The resulting picture in practice will imply the risk that no organisation can be held effectively responsible for unlawful uses.
To ensure both individual rights and the accuracy of data used, it is important that correct implementation of laws is effectively monitored, and that EU and national data protection authorities are provided with sufficient powers, knowledge, and staff, as underlined by Guerra’s Blog in this Forum. The tool of logging, and the strengthened powers on the basis of the GDPR are considered important improvements in this regard. However, effective supervision of the practice of access to databases based on logging also requires time and means for the data protection authorities involved.
Considering the use of immigrant data in the process of law enforcement and prosecution of third country nationals, further standards should be developed to assist national courts to assess the lawfulness of data processing. Effective remedies should be guaranteed for data subjects to challenge decisions or measures which are based on ‘interoperability’, or data held in one of the large-scale databases, including risk assessments.
Finally, not only should data protection authorities be empowered with sufficient means and staff to enable effective supervision, but the necessity and proportionality of interoperability should be permanently monitored and evaluated by all relevant stakeholders. It is only when these necessary safeguards apply and interoperability proves to be an effective and proportional tool, that this new measure may be considered as a ‘point of no return’.