An Analysis of the Commission Communication (Com(2005) 597 Final of 24.11.2005) on Improved Effectiveness, Enhanced Interoperability and Synergies among European Databases in the Area of Justice And Home Affairs

IP/C/LIBE/FWC/2005-08

«Management of the European External Borders»

DG Internal Policies of the Union

Directorate C – Citizens’ Rights and Constitutional Affairs

BRIEFING PAPER: ORDER FORM No IP/C/LIBE/OF/2005-168

An Analysis of the Commission Communication (Com(2005) 597 Final of 24.11.2005)

on Improved Effectiveness, Enhanced Interoperability and Synergies among European Databases in the Area of Justice And Home Affairs

by

Peter Hobbing

Date of Submission:31 January 2006

Abstract

Commission Communication (2005)597 has gone widely unnoticed which is probably due more to the complexity of matters treated than the unanimous applause obtained. Equally unusual is its objective as it does not propose concrete legislative action but offers various technical and organisational scenarios for Council and Parliament to pick from when designing the future of JHA databases SIS II, VIS, EURODAC and possibly adding a few new structures.

The developments examined for maintaining a high level of security (in particular as regards acts of terrorism and serious crime) in view of ensuring a maximum of free movement, are centred around the increased use of biometrics for control and facilitation purposes («trusted-traveller-programme»), as well as extended access to JHA databases by internal security services. While most of the features promise greater if not impressive efficiency for surveillance purposes, their possible use may make the alarm bells ring for those preoccupied with the risks involved for data protection, proportionality and other human rights. It is therefore recommended, that the Parliament study carefully the options proposed and voice its concerns and priorities in order to actively participate in the shaping of the future JHA database landscape at the EU-level.

TABLE OF CONTENTS

1. Introduction 1

2. Description of content and objectives of the Communication 1

2.1 Formal observations 1

2.2 Shortcomings identified and solutions suggested 2

2.2.1 Shortcomings 2

2.2.2 Solutions 1: Better use of existing systems 2

2.2.3 Solutions 2: Further development of existing and planned systems 3

2.2.4 Solutions 3: Long-term scenarios and further developments 3

2.2.5 Solutions 4: Architectural and organisational changes 3

2.3 Considerations concerning data protection/human rights 3

3. Critical analysis 4

3.1 Internal assessment as to format and coherence 4

3.2 Assessment in view of external statements (EU institutions, organisations, media) 5

4. Recommendations to the European Parliament 6

Bibliography 7

Annex: Table of correspondence 8

An Analysis of the Commission Communication

on

Improved Effectiveness, Enhanced Interoperability and Synergies among European Databases in the area of Justice and Home Affairs (4.11.2005 COM(2005) 597 final) [1]

Peter Hobbing [2]

Introduction

Communication (2005) 597, in its attempt to «more effectively support the policies linked to the free movement of persons and serve the objective of combating terrorism and serious crime», represents a somewhat unusual Commission document as it – different from the normal practise –neither proposes a concrete legal measure nor formally defends a specific strategy for future legislation. It is much rather a request to the other institutions to launch an «in-depth debate» on the preferred future shaping/configuration of the JHA databases and related structures and advise the Commission on the orientation to be taken. The text thus undertakes to describe various scenarios that may occur depending on the preliminary decisions adopted.

The open-ended approach adopted was clearly motivated by the unusually complicated subject matter concerned: if individual large-scale IT-systems already defy any easy comprehension, due to their technical and legal complexity, this is all the more true for a combination of such databases and their mutually interwoven links and dependencies. It is true that the Commission had been assigned by various high-level Council events as well the European Parliament [3] to proceed to an initiative in this area, but these signals were not altogether unequivocal. Thus, the result could have much more modest than this widespread analysis.

Despite the extremely cautious approach taken, one cannot overlook that this concerns a highly sensitive terrain, implying definite risks for infringing privacy and other civil rights and liberties. Improving interoperability and synergies means nothing else but knitting the network of surveillance tighter and closing gaps and loopholes in the control of criminals as well as reputable citizens.

In view of this delicate matter, it is quite astonishing to see that the Communication has attracted hardly any attention in the public: more than two months after its publication, no one has (critically) reacted yet – not even Statewatch. [4] It is also for this reason, besides the complexity of the matter, that the briefing will dedicate more space than usual to the explanation/interpretation of the text.

Description of content and objectives of the Communication

Formal observations

The Communication is structured in a topical way, i.e. apart from the concise introductory description of the three major JHA databases (SIS II, VIS, Eurodac) in Section 3, arguments are not individually linked to these basic structures but arranged in a horizontal problem-oriented manner, which leaves the reader sometimes puzzled as to what a given argument would each time mean in practice. The subject would probably have deserved some additional space in order to describe, e.g. via synoptical tables, the links between shortcomings and solutions proposed as well as the impact of each measure on the individual databases. [5] In order make the text more easily accessible, this briefing established such tables of correspondence which are found in the Annex.

Shortcomings identified and solutions suggested

To make the long list of items discussed (11 shortcomings, 8 possible scenarios of development, 1 discourse on human rights compatibility) more transparent, the topics are – for the purpose of better comprehension – treated in subject-related groups.

Shortcomings

If the JHA databases in their current set-up do not work sufficiently well, this is attributed partially to a problematic attitude on the part of the user-community in the Member States (4.1). If competent authorities make little use of certain alerts foreseen by the SIS (discreet surveillance, specific checks [6]) and keep separate national lists instead, this must truly be seen as a serious set-back to the correct working of the data-system in the fight against serious crime. Only if a maximum number of cases legally foreseen by the regulation are entered into the system, can such mechanisms work. If unsystematic data feeding – which clearly infringes the law [7] – equally hampers the smooth working of EURODAC, one must admit that such deficiencies are nothing new: Europol was and is suffering from the reluctance of Member States to transmit information and intelligence. Since the problem cannot be cured by either technical or legislative change, [8] the only way out would appear to be an appeal to Member States’ own interests which will suffer from the irregular behaviour at least in the long run. Another remedy could be criticism raised by other Member States during the regular Schengen peer-reviews, as regards SIS II, whereas for EURODAC the Community infringement procedures of Article 226 TEC could be considered.

As regards technical deficiencies, these principally concern the unsatisfactory working of alphanumerical search tools (4.2.) which severely prejudices the efficiency of the JHA databases by causing numerous errors or producing long hit lists in case of non-unique data (e.g. frequent last names). This issue is linked to the regrettable lack of biometric identification tools (4.9), such as Automated Fingerprint Identification Systems (AFIS) or DNA databases, which could easily become a remedy for cases in which alphanumeric searches do not produce a satisfactory result. One of the scenarios specifically mentioned concerns the group of illegal immigrants (4.4.) whose identification documents are missing or false (counterfeit/falsified).

The largest case group concerns that of conceptual/legal deficiencies, i.e. unsatisfactory situations caused by a lack of interface between data systems, lack of access for certain authorities and other organisational deficits. The Communication specifically addresses the denial of access to visa data for asylum authorities (4.5) as well as that to asylum, immigration and visa data for internal security authorities (4.6). Another category of concern is that of bona-fide frequent travellers (4.3) who should deserve special treatment: fast-track procedures granted to them for repeat visa as well as for replacement of lost/stolen travel documents would be of mutual benefit for them and the border authorities. Other groups of foreigners not subject to short-stay visa requirements (4.7) and thus not registered in VIS cause specific concern to the security and intelligence communities. It is finally regretted that there is no general entry/exit monitoring (4.8) as VIS allows us to document visa-application but not border-crossing history. There is furthermore the current lack of a central repository for travel and ID documents of EU citizens (4.10) as well as that of a comprehensive database allowing the identification of disaster victims and unidentified bodies (4.11).

Solutions 1: Better use of existing systems

The Communication proposes with regard to the user-related problems (4.1) the adoption of better quality control in data-input and improved user-friendliness (5.1). But there is apparently no remedy in sight for some Member States’ reticence to feed sufficient data into EURODAC and SIS, as the Commission only foresees an appeal to common sense («Member States should»).

Solutions 2: Further development of existing and planned systems

One major improvement suggested is the increased use of biometry in SIS II(5.2.1), thus reacting to the current lack described under item 4.9 of the Communication. So far SIS II only foresees the processing of biometric data only to confirmthe identification of a person already established by means of an alphanumeric search. Under the new scenario, searches would directly be conducted on the basis of biometric data.

Further deficiencies referred to under 4.5 and 4.6 could be resolved by providing access to VIS and SIS II by asylum/immigration authorities (5.2.2) and to VIS, SIS II and EURODAC by authorities responsible for internal security (5.2.3): this would lead to a more coherent management of asylum and immigration policies.

Solutions 3: Long-term scenarios and further developments

The creation of a European Criminal Automated Fingerprints Identification System (EU-AFIS) (5.3.1) would fill the gap regretted under section 4.9. The European AFIS could be designed either as a centralised structure or a decentralised linkage of the national AFIS.

The creation of an entry-exit system (5.3.2) would address the problems raised under 4.7 and 4.8, i.e. the incomplete monitoring of cross-border movements of third-country nationals and identify persons remaining illegally in the EU. The system would work by registration via biometric identifiers.

Despite the use of hi-tech equipment, such a global registration system would suffer from the volume of daily travellers crossing European borders. Therefore, the Communication suggests a closely-linked compensatory mechanism which could reduce the number of third country nationals subject to standard border control considerably: bona-fide frequent travellers who according to estimates represent 20% of the overall number of travellers could be granted a border-crossing facilitation schemeallowing border passages in an almost fully-automated fashion by means of a ‘trusted traveller-card’. Similar concepts are currently tested between the United States, Canada and Mexico in view of ultimately creating a card valid at all land borders of the North American continent (Western Hemisphere Travel Initiative). [9]

The lack of a central repository for travel and ID documents of EU citizens referred to under 4.10 could be compensated by the creation of a European register for travel documents and ID cards (5.3.3). This could be implemented by means of either a register of indexes at EU level (containing only a limited set of data such as document number and biometrics) or a linking-up of national databases. Such system would also facilitate the identification of disaster victims and unidentified bodies (cf. 4.11 above).

Solutions 4: Architectural and organisational changes

This section deals with a number of general innovations that fall under the heading of streamlining, increased cost-efficiency and avoidance of duplication. The service-oriented architecture suggested would allow several databases to share certain highly performing functions without merging the systems as such (e.g. the AFIS part of VIS would deliver its specific fingerprint identification services to other AFIS-dependent databases, such as EURODAC).

Similarly there could be some organisational joining of forces in the field of daily database management (whereby this should «not necessarily» imply strategic or political management). Such a single organisational environment as a long-term option could be envisaged as part of an existing agency involved in large-scale IT management. The Commission specifically mentions the External Border Agency FRONTEX as a possible candidate to manage EURODAC, SIS II and VIS.

Considerations concerning data protection/human rights

It is part of the balanced Commission approach to take into account possible negative effects on human rights, notably privacy rights of citizens. [10]

In this context, specific attention is paid to the respect of the proportionality principle which – according to the Commission’s view – should limit the access of internal security services to non-crime-related databases. Whereas access to SIS II crime data could be handled in a more generous way (justification of query by past real or suspected criminal behaviour of the individual), queries within the ‘non-criminal’ databasesofVIS, EURODAC and SIS II immigration data, should be subject to a much higher benchmark, i.e. be permitted only in the case of overriding public security concerns. Such concern could be assumed only where terrorist offences in the sense of Council FD 2002/475/JHA [11] or crimes falling under the competence of Europol [12] are at stake. [13]

Further proportionality issues can – according to the Commission – also be satisfactorily resolved: the comparison of DNA profiles via the ‘hit/no hit method’, the creation of the European Register for travel/ID documents by strict limitations regarding access and the admissibility of searches and – last but not least – the requirement of a comprehensive supervision by competent data protection bodies in line with document COM (2005) 172 proposing a methodology for the internal control of fundamental rights. [14]

Critical analysis

In view of the general absence of direct reactions to Communication (2005) 597, its critical assessment is conducted in two steps, i.e. by 1) analysing the coherence of the text as such, and 2) confronting it with the general requirements established for IT systems within the EU as well as specific issues raised in the discussion of existing or planned systems such as SIS II, VIS and EURODAC.

Internal assessment as to format and coherence

As already mentioned in the introduction, this Communication suffers in a number of passages from a lack of explicitness due to rigid size restrictions imposed for logistical reasons (lack of translation facilities): this is regrettable as some relevant thoughts require interpretative skills in order to fully convey the message intended. Partly, the concise description of instruments becomes somewhat lopsided when e.g. the primary purpose of VIS is described as «benefit bona fide travellers by improving visa issuing procedures». As another example, the term ‘connectivity’ is formally defined in section 2.2 Concepts, but then not used any more in the remainder of the text (probably due to subsequent cuts of the passage(s) concerned!).

This being said, the open-ended presentation as such outlining a wide spectrum of scenarios for the future of JHA databases certainly merits some positive appreciation: it has in the past been often regretted that technical ventures of such kind were presented in an excessively pre-defined manner and at too late a stage to allow the other institutions to contribute to the planning phase. Now this would give Parliament and Council the opportunity to clearly formulate their preferences.

As regards the content, it is difficult to argue against a concept that intends to create synergies and reduce red tape, except for issues where matters of human rights such as the proportionality principle are at stake. Nevertheless, three major aspects of the synergy approach should not be overlooked:

One of the greatest obstacles to database synergy in the JHA field is to be seen in the dichotomy between First and Third Pillar matters which subjects closely connected policy issues to entirely different legislative rules and control/supervision procedures. A comprehensive synergy approach should thus add the abolition of this artificial separation line (as proposed by the draft Constitutional Treaty [15]) to the list of action suggested.

Under the aspect of technical and management synergy, some consideration should be given to the size of the common platform proposed. If current considerations are confined to the joint management of SIS II, VIS and EURODAC, such vision might be too limited to achieve a full-size management structure. Instead of envisaging this platform involving a modest staff numbing 45-50, priority should be given to adding further related databases to the group, e.g. the Customs Information System CIS (currently managed by Commission DG TAXUD) as well as possibly the databases operated by Europol and Eurojust. With these additions, the critical mass of 80-100 staff members could be reached, thereby creating a fully self-sufficient management structure which could represent a European agencyin itself rather than being attached to an existing agency, such as FRONTEX with a principally non-database-management remit. [16]

Streamlining in practice means cutting down existing database systems or at least not increasing their number; this objective is reflected in section 2.1 of the Hague Programme stipulating that «new centralised European databasesshould only be created on the basis of studies that have shown their added value». The Commission would thus have to demonstrate that the proposed European AFIS and the European RTDIC either do not fall under this category (because they represent e.g. no centraldatabases in the technical sense [17]) or they just provide such added value.

Assessment in view of external statements (EU institutions, organisations, media)

As pointed out earlier, there has so far been no substantive debate directly referring to Communication (2005) 597. However, a number of previous statements may be considered to determine to which extent the document meets the requirements and expectations expressed in the wider public. One of the ‘benchmark’ documents may be seen in the Statewatch analysis of February 2004, [18] which basically supports the concept of such a transparent and wide-ranging consultationof institutions including the EP and national parliaments in order to prevent uncontrollable ‘latent system development’ [19] and «function creep». [20] In terms of specific issues, the analysis expresses the following concerns: a) confusion arising from separate legal frameworks applicable to the same technical platform in the case of SIS II/VIS, b) insufficiently controlled access to these databases by internal security and intelligence services and c) adding new purposes to SIS which would risk «transforming it from a reporting system to a reporting an investigation system».

Concerning SIS II, the EP Recommendation of 20.11.2003 (Coelho) [21] contains a number of general requirements which appear equally applicable to the wider frame of the interoperability/synergy issue; this concerns notably the need to a) «thoroughly examine each proposal for granting full or partial access to new authorities» and b) «entrust the strategic management of SIS and other large-scale IT-systems to a European agency», which is inter alia «subject to control by the European Parliament».

In its opinion on the proposed legal basis for SIS II, [22] the Joint Supervisory Authority of Schengen (JSA) referred to the following concerns: a) an excessive number (4) of European instruments applying to SIS/SIS II, b) preoccupying combination of ID-controls on persons with objectives of police and judicial cooperation and c) the urgent need for reflection on the role of the database supervisors.

Concerning VIS, the EP-LIBE draft report of 8.11.2005 (Ludford) [23] stresses in particular the following items relevant to the present Communication: a) clear distinction between primary purposes and derived benefits of the database, b) introduction of a specific access clause for internal security services, to be implemented by means of a bridging clause, c) fallback procedures for cases in which no fingerprints can be taken (approximately 20% of travellers, d) strict limitation on the necessity of (d.1) biometrics and (d.2) access by additional authorities and e) serious infringements of the legislation to be considered a criminal offence.

Regarding the advantages of larger IT architecture, views differentiate between the advantages of a joint management including uniform data protection supervision and the risks of uncontrolled transgression into ‘foreign territory’ when various databases are located within the same premises. In this context, one should not ignore the opinion prevailing in IT literature that it is possible to hermetically separate individual databases within larger structures, providing the same degree of protection as if they were located at different geographical places. [24]

Recommendations to the European Parliament

It is recommended that the EP takes the opportunity to thoroughly examine the different scenarios outlined by the Commission and react to them in a comprehensive way in order to take part, at an early stage, in the development of the future IT architecture in European JHA matters. The dialogue proposed by the Commission would appear a positive way to jointly advance in a matter of crucial importance.

Although the subject at stake includes a large number of mutually interdependent problems/issues, it would appear worthwhile to invest some effort in designing an IT database strategy that is coherent with the political priorities and principles of the EU and that could provide guidance for the discussions with the other institutions for the years to come.

In view of this objective, all previous EP statements should be reviewed as well as relevant observations from other sources in order to establish a comprehensive list of benchmarks with which the future European IT structures should be compliant. The present briefing paper may provide a basic list of the documents to be taken into account.

It would seem from this perspective that the following items would be on the EP list of priorities: a) exploration of possibilities to create a single legal framework for the databases as well as their management and supervision, b) control exercised by the EP and c) prevention of loopholes allowing ‘latent system developments’ and informal database access, notably at Member State level.

Bibliography

Balzacq, T., D. Bigo, S. Carrera and E. Guild, Security and the Two-Level Game: The Treaty of Prüm, the EU and the Management of Threats,CEPS Working Document No. 234, Centre for European Policy Studies, Brussels, January 2006.

Council of the European Union, JHA Council Declaration on the EU response to the London bombings of 13.7.2005.

Council of the European Union, Framework Decision of 13 June 2002 on combating terrorism (2002/475/JHA), OJ L 164 of 22/06/2002, p. 3.

European Commission, Commission proposes changes to JLS databases to strengthen EU internal security and facilitate legitimate travelling, RAPID press release of 24.11.2005.

European Commission, Proposal for a Council Decision concerning access for consultation of the Visa Information System (VIS) by the authorities of Member States responsible for internal security and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences,COM(2005) 600 final.

European Commission, Communication on Compliance with the Charter of Fundamental Rights in Commission legislative proposals, COM(2005) 172 final of 27.4.2005.

European Council, Brussels Declaration on Combating Terrorism of 29.4.2004.

European Council, Hague JHA Programme of 5.11.2004.

European Parliament, Recommendations to the Council on the second-generation Schengen information system (SIS II) of 20.11.2003.

European Parliament, LIBE Committee, Draft Report on the Proposal for a Regulation on the Visa Information System of 8.11.2005.

Gallego, F., D. Manson and S. Senft, Information Technology Control and Audit,Boca Raton, LA., 2004.

Guild, E., and S. Carrera, No Constitutional Treaty: Implications for the Area of Freedom, Security and Justice, CEPS Working Document No. 231, Centre for European Policy Studies, Brussels, September 2005.

Hayes, B., From the Schengen Information System to SIS II and the Visa Information System (VIS): The proposals explained,Statewatch Report, February 2004.

Joint Supervisory Authority of Schengen, Opinion on the proposed legal basis for SIS II, October 2005.

US Department of Homeland Security, «Secure Borders and Open Doors in the Information Age», Press release of 17.1.2006 (http://www.dhs.gov/dhspublic/interapp/press_release/ press_release_0838.xml).

An Analysis of the Commission Communication (Com(2005) 597 Final of 24.11.2005) on Improved Effectiveness, Enhanced Interoperability and Synergies among European Databases in the Area of Justice And Home Affairs