REPORT on the amended proposal for a regulation of the European Parliament and of the Council on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration) and amending Regulation (EU) 2018/XX [the Eurodac Regulation], Regulation (EU) 2018/XX [the Regulation on SIS in the field of law enforcement], Regulation (EU) 2018/XX [the ECRIS-TCN Regulation] and Regulation (EU) 2018/XX [the eu-LISA Regulation]

19.10.2018 - (COM(2018)0480 – C8‑0293/2018 – 2017/0352(COD)) - ***I

Committee on Civil Liberties, Justice and Home Affairs
Rapporteur: Nuno Melo


DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the amended proposal for a regulation of the European Parliament and of the Council on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration) and amending Regulation (EU) 2018/XX [the Eurodac Regulation], Regulation (EU) 2018/XX [the Regulation on SIS in the field of law enforcement], Regulation (EU) 2018/XX [the ECRIS-TCN Regulation] and Regulation (EU) 2018/XX [the eu-LISA Regulation]

(COM(2018)0480 – C8‑0293/2018 – 2017/0352(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2017)0794 and the amended proposal COM(2018)0480),

–  having regard to Article 294(2) and Article 16(2), Article 74, point (e) of Article 78(2), point (c) of Article 79(2), point (d) of Article 82(1), Article 85(1), point (a) of Article 87(2) and Article 88(2) of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0293/2018),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs and the opinion of the Committee on Budgets (A8-0348/2018),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Amendment    1

Proposal for a regulation

Recital 8 a (new)

Text proposed by the Commission

Amendment

 

(8a)  In his Opinion 4/2018 of 16 April 2018¹ᵃ, the European Data Protection Supervisor emphasised that the decision to make large scale IT systems interoperable would not only permanently and profoundly affect their structure and their way of operating, but would also change the way legal principles have been interpreted in this area so far and would as such mark a ‘point of no return’.

 

_________________

 

1a http://edps.europa.eu/sites/edp/files/publication/2018-04-16_interoperability_opinion_en.pdf

Amendment    2

Proposal for a regulation

Recital 8 b (new)

Text proposed by the Commission

Amendment

 

(8b)  In its Opinion of 11 April 2018¹ᵃ, the Article 29 Data Protection Working Party reiterated that the process towards interoperability of systems raises fundamental questions regarding the purpose, necessity, proportionality of the data processing as well as concerns regarding the principles of purpose limitation, data minimization, data retention and clear identification of a data controller.

 

_________________

 

1a http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51517

Amendment    3

Proposal for a regulation

Recital 9

Text proposed by the Commission

Amendment

(9)  With a view to improving the management of the external borders, to contribute to preventing and combating irregular migration and to contribute to a high level of security within the area of freedom, security and justice of the Union, including the maintenance of public security and public policy and safeguarding the security in the territories of the Member States, interoperability between EU information systems, namely [the Entry/Exit System (EES)], the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, the Schengen Information System (SIS), and the [European Criminal Records Information System for third-country nationals (ECRIS-TCN)] should be established in order for these EU information systems and their data to supplement each other. To achieve this, a European search portal (ESP), a shared biometric matching service (shared BMS), a common identity repository (CIR) and a multiple-identity detector (MID) should be established as interoperability components.

(9)  In order to improve the management of the external borders, to facilitate regular border crossings, to contribute to preventing and combating irregular migration and to contribute to a high level of security within the area of freedom, security and justice of the Union, including the maintenance of public security and public policy and safeguarding the security in the territories of the Member States, to improve the implementation of the common visa policy and to assist in examining applications for international protection, and to assist in the prevention, detection and investigation of terrorist offences or other serious criminal offences, in order to maintain public trust in the Union migration and asylum system, Union security measures and Union capabilities to manage the external border, interoperability between Union information systems, namely the Entry/Exit System (the EES), the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, the Schengen Information System (SIS), and the [European Criminal Records Information System for third-country nationals (ECRIS-TCN)] should be established in order for these Union information systems and their data to supplement each other so far as that is possible while respecting the fundamental rights of the individual, in particular the right to protection of personal data. To achieve this, a European search portal (ESP), a shared biometric matching service (shared BMS), a common identity repository (CIR) and a multiple-identity detector (MID) should be established as interoperability components.

Amendment    4

Proposal for a regulation

Recital 10

Text proposed by the Commission

Amendment

(10)  The interoperability between the EU information systems should allow said systems to supplement each other in order to facilitate the correct identification of persons, contribute to fighting identity fraud, improve and harmonise data quality requirements of the respective EU information systems, facilitate the technical and operational implementation by Member States of existing and future EU information systems, strengthen and simplify the data security and data protection safeguards that govern the respective EU information systems, streamline the law enforcement access to the EES, the VIS, the [ETIAS] and Eurodac, and support the purposes of the EES, the VIS, the [ETIAS], Eurodac, the SIS and the [ECRIS-TCN system].

(10)  The interoperability between the Union information systems should allow said systems to supplement each other in order to facilitate the correct identification of persons, for the purpose of applications of international protection or in the context of the prevention, detection and investigation of serious criminal offences - including terrorist offences, to contribute to fighting identity fraud, improve and harmonise data quality requirements of the respective Union information systems, to contribute to ensuring the effective use of Union information systems, Europol data and Interpol databases by facilitating access to them by the authorities in accordance with their access rights and the objectives and purposes as laid down in the legal instruments governing the respective systems, to strengthen and simplify and harmonise the data security and data protection safeguards that govern the respective Union information systems, in particular by ensuring that all Union data protection rules are applicable to all the information systems, and to streamline and simplify designated authorities’ access to the EES, VIS, [ETIAS] and Eurodac, and support the purposes of the EES, VIS, [ETIAS], Eurodac, SIS and [ECRIS-TCN].

Amendment    5

Proposal for a regulation

Recital 11

Text proposed by the Commission

Amendment

(11)  The interoperability components should cover the EES, the VIS, the [ETIAS], Eurodac, the SIS, and the [ECRIS-TCN system]. They should also cover the Europol data to the extent of enabling it to be queried simultaneously with these EU information systems.

(11)  The interoperability components should cover the EES, the VIS, the [ETIAS], Eurodac, the SIS, and the [ECRIS-TCN system]. They should also cover the Europol data only to the extent of enabling that data to be queried simultaneously with these Union information systems.

Amendment    6

Proposal for a regulation

Recital 12 a (new)

Text proposed by the Commission

Amendment

 

(12a)  Children and vulnerable persons merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. The interoperability components should be designed so that particular attention is paid to the protection of children and that their rights and integrity are fully respected.

Amendment    7

Proposal for a regulation

Recital 13

Text proposed by the Commission

Amendment

(13)  The European search portal (ESP) should be established to facilitate technically the ability of Member State authorities and EU bodies to have fast, seamless, efficient, systematic and controlled access to the EU information systems, the Europol data and the Interpol databases needed to perform their tasks, in accordance with their access rights, and to support the objectives of the EES, the VIS, the [ETIAS], Eurodac, the SIS, the [ECRIS-TCN system] and the Europol data. Enabling the simultaneous querying of all relevant EU information systems in parallel, as well as of the Europol data and the Interpol databases, the ESP should act as a single window or ‘message broker’ to search various central systems and retrieve the necessary information seamlessly and in full respect of the access control and data protection requirements of the underlying systems.

(13)  The ESP should be established to facilitate technically the ability of the authorised Member State authorities and Union agencies to have controlled access to the relevant Union information systems, the Europol data and the Interpol databases insofar as this is needed to perform their tasks, in accordance with their access rights, and to support the objectives of the EES, VIS, [ETIAS], Eurodac, SIS, [ECRIS-TCN] and Europol data. Enabling the simultaneous querying of all relevant Union information systems in parallel, as well as of Europol data and the Interpol databases, the ESP should act as a single window or ‘message broker’ to search various central systems and retrieve the necessary information seamlessly and in full respect of the access control and data protection requirements of the underlying systems.

Amendment    8

Proposal for a regulation

Recital 16

Text proposed by the Commission

Amendment

(16)  To ensure fast and systematic use of all EU information systems, the European search portal (ESP) should be used to query the common identity repository, the EES, the VIS, [the ETIAS], Eurodac and [the ECRIS-TCN system]. However, the national connection to the different EU information systems should remain in order to provide a technical fall back. The ESP should also be used by Union bodies to query the Central SIS in accordance with their access rights and in order to perform their tasks. The ESP should be an additional means to query the Central SIS, the Europol data and the Interpol systems, complementing the existing dedicated interfaces.

(16)  To ensure fast and seamless use of all relevant Union information systems, the ESP should be used to query the common identity repository, the EES, VIS, ETIAS, Eurodac and [ECRIS-TCN]. A central Union backup ESP should be established in order to provide all the functionalities of the principal ESP and a similar level of performance as it in the event of its failure. However, the national connection to the different relevant Union information systems should remain in order to provide a technical fall back. The ESP should also be used by Union agencies to query the Central SIS in accordance with their access rights and in order to perform their tasks. The ESP should be an additional means to query the Central SIS, Europol data and the Interpol systems, complementing the existing dedicated interfaces.

Amendment    9

Proposal for a regulation

Recital 17

Text proposed by the Commission

Amendment

(17)  Biometric data, such as fingerprints and facial images, are unique and therefore much more reliable than alphanumeric data for identifying a person. The shared biometric matching service (shared BMS) should be a technical tool to reinforce and facilitate the work of the relevant EU information systems and the other interoperability components. The main purpose of the shared BMS should be to facilitate the identification of an individual who may be registered in different databases, by matching their biometric data across different systems and by relying on one unique technological component instead of five different ones in each of the underlying systems. The shared BMS should contribute to security, as well as financial, maintenance and operational benefits by relying on one unique technological component instead of different ones in each of the underlying systems. All automated fingerprint identification systems, including those currently used for Eurodac, the VIS and the SIS, use biometric templates comprised of data derived from a feature extraction of actual biometric samples. The shared BMS should regroup and store all these biometric templates in one single location, facilitating cross-system comparisons using biometric data and enabling economies of scale in developing and maintaining the EU central systems.

(17)  Biometric data, which in the context of this Regulation entail fingerprints and facial images only and therefore exclude hand palm prints, are unique and therefore much more reliable than alphanumeric data for identifying a person. However, biometric data constitute sensitive personal data. This Regulation should therefore lay down the basis of and the safeguards for processing of such data for the purpose of uniquely identifying the persons concerned. Shared BMS should be a technical tool to reinforce and facilitate the work of the relevant Union information systems, the effective use of Europol data and the other interoperability components. The SBMS should replace the Automated Fingerprint Identification Systems of respectively the EES, VIS, SIS, Eurodac and [ECRIS-TCN] and should therefore not duplicate either the storage of the biometric data or the storage of biometric templates. The main purpose of the shared BMS should be to facilitate the identification of an individual who may be registered in different databases, by matching their biometric data across different systems and by relying on one unique technological component instead of five different ones in each of the underlying systems. The shared BMS should contribute to security, as well as financial, maintenance and operational benefits by relying on one unique technological component instead of different ones in each of the underlying systems. All automated fingerprint identification systems, including those currently used for Eurodac, VIS and SIS, use biometric templates comprised of data derived from a feature extraction of actual biometric samples. The shared BMS should regroup and store all these biometric templates – logically separated according to the information system from which the data originated – in one single location, thereby facilitating cross-system comparisons using biometric templates and enabling economies of scale in developing and maintaining the Union central systems.

Amendment    10

Proposal for a regulation

Recital 17 a (new)

Text proposed by the Commission

Amendment

 

(17a)  The biometric templates stored in the shared BMS which are comprised of data derived from a feature extraction of actual biometric samples should be obtained in such a way that reverting the process is not possible. Indeed, biometric templates should be obtained from biometric data but it should not be possible to obtain that same biometric data from the biometric templates.

Amendment    11

Proposal for a regulation

Recital 18

Text proposed by the Commission

Amendment

(18)  Biometric data constitute sensitive personal data. This regulation should lay down the basis for and the safeguards for processing of such data for the purpose of uniquely identifying the persons concerned.

deleted

Amendment    12

Proposal for a regulation

Recital 19

Text proposed by the Commission

Amendment

(19)  The systems established by Regulation (EU) 2017/2226 of the European Parliament and of the Council⁵⁴, Regulation (EC) No 767/2008 of the European Parliament and of the Council⁵⁵, [the ETIAS Regulation] for the management of the borders of the Union, the system established by [the Eurodac Regulation] to identify the applicants for international protection and combat irregular migration, and the system established by [the ECRIS-TCN system Regulation] require in order to be effective to rely on the accurate identification of the third-country nationals whose personal data are stored therein.

(19)  The systems established by Regulation (EU) 2017/2226 of the European Parliament and of the Council⁵⁴, Regulation (EC) No 767/2008 of the European Parliament and of the Council⁵⁵, [the ETIAS Regulation] for the management of the borders of the Union, the system established by [the Eurodac Regulation] to identify the applicants for international protection and combat irregular migration, and the system established by [the ECRIS-TCN system Regulation] require the accurate identification of those third-country nationals whose personal data are stored therein.

_________________

54 Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (EES Regulation) (OJ L 327, 9.12.2017, p. 20–82).

55 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).

Justification

Linguistic Change

Amendment    13

Proposal for a regulation

Recital 25

Text proposed by the Commission

Amendment

(25)  The common identity repository (CIR) should provide for a shared container for identity and biometric data of third-country nationals registered in the EES, the VIS, [the ETIAS], Eurodac and the [ECRIS-TCN system], serving as the shared component between these systems for storage of this data, and to allow its querying.

(25)  The CIR should provide for a shared container for identity and biometric data of third-country nationals registered in the EES, VIS, [ETIAS], Eurodac and [ECRIS-TCN], serving as the shared component between these systems for storage of this data, and to allow its querying. A central Union backup CIR should be established in order to provide all the functionalities of the principal CIR and a similar level of performance as it in the event of its failure.

Amendment    14

Proposal for a regulation

Recital 27

Text proposed by the Commission

Amendment

(27)  In order to ensure the correct identification of a person, Member State authorities competent for preventing and combating irregular migration and competent authorities within the meaning of Article 3(7) of Directive 2016/680 should be allowed to query the common identity repository (CIR) with the biometric data of that person taken during an identity check.

(27)  In order to assist in the correct identification of that person, where a Member State police authority has been unable to identify that person on the basis of a query of the CIR using a travel document or the identity data provided by that person, or where there are doubts as to the authenticity of the travel document or the identity of its holder, or where the person is unable or refuses to cooperate, a Member State’s competent authorities within the meaning of Article 3(7) of Directive 2016/680, following rules and procedures provided for in national law, should be allowed to query the CIR with the biometric data of that person taken during an identity check, provided always that the person concerned is physically present during such a check.

Amendment    15

Proposal for a regulation

Recital 28

Text proposed by the Commission

Amendment

(28)  Where the biometric data of the person cannot be used or if the query with that data fails, the query should be carried out with identity data of that person in combination with travel document data. Where the query indicates that data on that person are stored in the common identity repository (CIR), Member State authorities should have access to consult the identity data of that person stored in the CIR, without providing any indication as to which EU information system the data belongs to.

deleted

Amendment    16

Proposal for a regulation

Recital 30

Text proposed by the Commission

Amendment

(30)  This Regulation should also introduce a new possibility for streamlined access to data beyond identity data present in the EES, the VIS, [the ETIAS] or Eurodac by Member State designated law enforcement authorities and Europol. Data, including data other than identity data contained in those systems, may be necessary for the prevention, detection, investigation and prosecution of terrorist offences or serious criminal offences in a specific case.

(30)  This Regulation should also introduce a new possibility for streamlined access to data beyond identity data present in the EES, VIS, [ETIAS] or Eurodac by Member State designated authorities and Europol. Data, including data other than identity data contained in those systems, may be necessary for the prevention, detection, investigation and prosecution of terrorist offences or serious criminal offences in a specific case where there are reasonable grounds to consider that consultation will substantially contribute to the prevention, detection or investigation of the criminal offences in question, in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls under the category of third-country nationals whose data are stored in the EES, VIS, ETIAS and Eurodac. Such streamlined access should be provided after a prior search in the national databases has been carried out and a query of the automated fingerprint identification system of the other Member States under Council Decision 2008/615/JHA¹ᵃ has been launched.

 

__________________

 

1a Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ L 210, 6.8.2008, p. 1).

Amendment    17

Proposal for a regulation

Recital 31

Text proposed by the Commission

Amendment

(31)  Full access to the necessary data contained in the EU information systems necessary for the purposes of preventing, detecting and investigating terrorist offences or other serious criminal offences, beyond the relevant identity data covered under common identity repository (CIR) obtained using biometric data of that person taken during an identity check, should continue to be governed by the provisions in the respective legal instruments. The designated law enforcement authorities and Europol do not know in advance which of the EU information systems contains data of the persons they need to inquire upon. This results in delays and inefficiencies in the conduct of their tasks. The end-user authorised by the designated authority should therefore be allowed to see in which of the EU information systems the data corresponding to the query introduced are recorded. The concerned system would thus be flagged following the automated verification of the presence of a hit in the system (a so-called hit-flag functionality).

(31)  Full access to the necessary data contained in the Union information systems necessary for the purposes of preventing, detecting and investigating terrorist offences or other serious criminal offences, beyond the relevant identity data covered under CIR obtained using biometric data of that person taken during an identity check, should continue to be governed by the provisions in the respective legal instruments. The designated authorities and Europol do not know in advance which of the Union information systems contains data of the persons they need to inquire upon. This results in delays and inefficiencies in the conduct of their tasks. The end-user authorised by the designated authority should therefore be allowed to see in which of the Union information systems the data corresponding to the query introduced are recorded. The concerned system would thus be flagged following the automated verification of the presence of a hit in the system (a so-called hit-flag functionality) after necessary checks in national databases and after a query of the automated fingerprint identification system of the other Member States under Decision 2008/615/JHA has been launched.

Amendment    18

Proposal for a regulation

Recital 33

Text proposed by the Commission

Amendment

(33)  The query of the common identity repository (CIR) by Member State designated authorities and Europol in order to obtain a hit-flag type of response indicating the data is recorded in the EES, the VIS, [the ETIAS] or Eurodac requires automated processing of personal data. A hit-flag would not reveal personal data of the concerned individual other than an indication that some of his or her data are stored in one of the systems. No adverse decision for the concerned individual should be made by the authorised end-user solely on the basis of the simple occurrence of a hit-flag. Access by the end-user of a hit-flag would therefore realise a very limited interference with the right to protection of personal data of the concerned individual, while it would be necessary to allow the designated authority and Europol to address its request for access for personal data more effectively directly to the system that was flagged as containing it.

(33)  The query of the CIR by Member State designated authorities and Europol in order to obtain a hit-flag type of response indicating the data is recorded in the EES, VIS, [ETIAS] or Eurodac requires automated processing of personal data. A hit-flag should reveal only personal data of the concerned individual other than an indication that some of his or her data are stored in one of the systems, provided the authority making the search has access to that system. No adverse decision for the concerned individual should be made by the authorised end-user solely on the basis of the simple occurrence of a hit-flag, and the hit-flag should be used by the relevant authorities only for the purpose of deciding which database to query. Access by the end-user of a hit-flag would therefore realise a very limited interference with the right to protection of personal data of the concerned individual, while it would be necessary to allow the designated authority and Europol to address its request for access for personal data more effectively directly to the system that was flagged as containing it.

Amendment    19

Proposal for a regulation

Recital 34

Text proposed by the Commission

Amendment

(34)  The two-step data consultation approach is particularly valuable in cases where the suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence is unknown. In those cases the common identity repository (CIR) should enable identifying the information system that knows the person in one single search. By creating the obligation to use this new law enforcement access approach in these cases, access to the personal data stored in the EES, the VIS, [the ETIAS] and Eurodac should take place without the requirements of a prior search in national databases and the launch of a prior search in the automated fingerprint identification system of other Member States under Decision 2008/615/JHA. The principle of prior search effectively limits the possibility of Member States’ authorities to consult systems for justified law enforcement purposes and could thereby result in missed opportunities to uncover necessary information. The requirements of a prior search in national databases and the launch of a prior search in the automated fingerprint identification system of other Member States under Decision 2008/615/JHA should only cease to apply once the alternative safeguard of the two-step approach to law enforcement access through the CIR has become operational.

(34)  The two-step data consultation approach is particularly valuable in cases where the suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence is unknown. In those cases the CIR should enable the relevant designated authority to identify the information system that knows the person in one single search, following the necessary checks in national databases and once a query of the automated fingerprint identification system of other Member States under Decision 2008/615/JHA has been launched for the justified purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences.

Amendment    20

Proposal for a regulation

Recital 36

Text proposed by the Commission

Amendment

(36)  The possibility to achieve the objectives of the EU information systems is undermined by the current inability for the authorities using these systems to conduct sufficiently reliable verifications of the identities of the third-country nationals whose data are stored in different systems. That inability is determined by the fact that the set of identity data stored in a given individual system may be fraudulent, incorrect, or incomplete, and that there is currently no possibility to detect such fraudulent, incorrect or incomplete identity data by way of comparison with data stored in another system. To remedy this situation it is necessary to have a technical instrument at Union level allowing accurate identification of third-country nationals for these purposes.

(36)  To better realise the objectives of EU information systems, the authorities using those systems should be able to conduct sufficiently reliable verifications of the identities of the third-country nationals whose data are stored in different systems. The set of identity data stored in a given individual system may be incorrect, incomplete or fraudulent, and there is currently no way of detecting incorrect, incomplete or fraudulent identity data by way of comparison with data stored in another system. To remedy this situation it is necessary to have a technical instrument at Union level allowing accurate identification of third-country nationals for these purposes.

Justification

The statistics on fraudulent identity data in EU information systems are, in themselves, incomplete. However, the problem of incorrect and incomplete data is well known, as set out in the Opinion of the EU Agency for Fundamental Rights on Interoperability (page 49).

Amendment    21

Proposal for a regulation

Recital 37

Text proposed by the Commission

Amendment

(37)  The multiple-identity detector (MID) should create and store links between data in the different EU information systems in order to detect multiple identities, with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. The MID should only contain the links between individuals present in more than one EU information system, strictly limited to the data necessary to verify that a person is recorded lawfully or unlawfully under different biographical identities in different systems, or to clarify that two persons having similar biographical data may not be the same person. Data processing through the European search portal (ESP) and the shared biometric matching service (shared BMS) in order to link individual files across individual systems should be kept to an absolute minimum and therefore is limited to a multiple-identity detection at the time new data is added to one of the information systems included in the common identity repository and in the SIS. The MID should include safeguards against potential discrimination or unfavourable decisions for persons with multiple lawful identities.

(37)  The MID should create and store links between data in the different Union information systems in order to detect multiple identities, with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. The creation of those links constitutes automated decision-making as referred to in Regulation (EU) 2016/679 and Directive (EU) 2016/680 and therefore requires transparency towards the individuals affected and the implementation of necessary safeguards in accordance with Union data protection rules. The MID should contain links only between individuals present in more than one Union information system, strictly limited to the data necessary to verify that a person is recorded lawfully or unlawfully under different biographical identities in different systems, or to clarify that two persons having similar biographical data may not be the same person. Data processing through the ESP and the shared BMS in order to link individual files across individual systems and the Europol database should be kept to an absolute minimum and therefore is limited to a multiple-identity detection at the time new data is added to one of the Union information systems included in the common identity repository and in SIS. The MID should include safeguards against potential discrimination or unfavourable decisions for persons with multiple lawful identities.

Amendment    22

Proposal for a regulation

Recital 41

Text proposed by the Commission

Amendment

(41)  Access to the multiple-identity detector (MID) by Member State authorities and EU bodies having access to at least one EU information system included in the common identity repository (CIR) or to the SIS should be limited to so called red links where the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person, or where the linked data has similar identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person. Where the linked identity data is not similar, a yellow link should be established and a manual verification should take place in order to confirm the link or change its colour accordingly.

(41)  Access to the MID by Member State authorities and Union bodies having access to at least one Union information system included in the CIR or to SIS should be limited to red links where the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers in an unjustified manner to the same person, or where the linked data has similar identity data and the authority responsible for the verification of different identities concluded it refers in an unjustified manner to the same person. Where the linked identity data is not similar, a yellow link should be established and a manual verification should take place in order to confirm the link or change its colour accordingly.

Amendment    23

Proposal for a regulation

Recital 43 a (new)

Text proposed by the Commission

Amendment

 

(43a)  eu-LISA should develop and manage all interoperability components in such a way as to ensure fast, seamless, efficient, controlled access and full availability of such components with a response time in line with the operational needs of the Member States’ authorities.

Amendment    24

Proposal for a regulation

Recital 44

Text proposed by the Commission

Amendment

(44)  eu-LISA should establish automated data quality control mechanisms and common data quality indicators. eu-LISA should be responsible to develop a central monitoring capacity for data quality and to produce regular data analysis reports to improve the control of implementation and application by Member States of EU information systems. The common quality indicators should include the minimum quality standards to store data in the EU information systems or the interoperability components. The goal of such data quality standards should be for the EU information systems and interoperability components to automatically identify apparently incorrect or inconsistent data submissions so that the originating Member State is able to verify the data and carry out any necessary remedial actions.

(44)  eu-LISA should establish automated data quality control mechanisms and common data quality indicators. eu-LISA should send out automatic and immediate warnings to the authority entering data if minimum data quality standards are not met. eu-LISA should be responsible for developing a central monitoring capacity for data quality, and for producing regular data analysis reports to improve the control of implementation and application by Member States of Union information systems. The common quality indicators should include the minimum quality standards to store data in the Union information systems or the interoperability components. The goal of such data quality standards should be for the Union information systems and interoperability components to automatically identify apparently incorrect or inconsistent data submissions so that the originating Member State is able to verify the data and carry out any necessary remedial actions.

Amendment    25

Proposal for a regulation

Recital 46

Text proposed by the Commission

Amendment

(46)  The Universal Message Format (UMF) should establish a standard for structured, cross-border information exchange between information systems, authorities and/or organisations in the field of Justice and Home affairs. UMF should define a common vocabulary and logical structures for commonly exchanged information with the objective to facilitate interoperability by enabling the creation and reading of the contents of the exchange in a consistent and semantically equivalent manner.

(46)  The Universal Message Format (UMF) should establish a standard for structured, cross-border information exchange between information systems, authorities and/or organisations in the field of Justice and Home affairs. UMF should define a common vocabulary and logical structures for commonly exchanged information with the objective of facilitating interoperability by enabling the creation and reading of the contents of the exchange in a consistent and semantically equivalent manner.

Amendment    26

Proposal for a regulation

Recital 47

Text proposed by the Commission

Amendment

(47)  A central repository for reporting and statistics (CRRS) should be established to generate cross-system statistical data and analytical reporting for policy, operational and data quality purposes. eu-LISA should establish, implement and host the CRRS in its technical sites containing anonymous statistical data from the above-mentioned systems, the common identity repository, the multiple-identity detector and the shared biometric matching service. The data contained in the CRRS should not enable the identification of individuals. eu-LISA should render the data anonymous and should record such anonymous data in the CRRS. The process for rendering the data anonymous should be automated and no direct access by eu-LISA staff should be granted to any personal data stored in the EU information systems or in the interoperability components.

(47)  A central repository for reporting and statistics (CRRS) should be established to generate cross-system statistical data and analytical reporting for policy, operational and data quality purposes in line with the objectives of the underlying systems and in conformity with their respective legal bases. eu-LISA should establish, implement and host the CRRS in its technical sites containing anonymous statistical data from the above-mentioned systems, the CIR, the MID and the shared BMS. The data contained in the CRRS should not enable the identification of individuals. eu-LISA should immediately render the data anonymous and should record only such anonymised data in the CRRS. The process for rendering the data anonymous should be automated and no direct access by eu-LISA staff should be granted to any personal data stored in the Union information systems or in the interoperability components.

Amendment    27

Proposal for a regulation

Recital 48

Text proposed by the Commission

Amendment

(48)  Regulation (EU) 2016/679 should apply to the processing of personal data under this Regulation by national authorities unless such processing is carried out by the designated authorities or central access points of the Member States for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences, when Directive (EU) 2016/680 of the European Parliament and of the Council should apply.

(48)  Regulation (EU) 2016/679 should apply to the processing of personal data under this Regulation by national authorities unless such processing is carried out by the designated authorities or central access points of the Member States for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences, in which case Directive (EU) 2016/680 of the European Parliament and of the Council should apply.

Amendment    28

Proposal for a regulation

Recital 51

Text proposed by the Commission

Amendment

(51)  The national supervisory authorities established in accordance with [Regulation (EU) 2016/679] should monitor the lawfulness of the processing of personal data by the Member States, whilst the European Data Protection Supervisor as established by Regulation (EC) No 45/2001 should monitor the activities of the Union institutions and bodies in relation to the processing of personal data. The European Data Protection Supervisor and the supervisory authorities should cooperate with each other in the monitoring of the processing of personal data by interoperability components.

(51)  The national supervisory authorities established in accordance with Regulation (EU) 2016/679 or Directive (EU) 2016/680 should monitor the lawfulness of the processing of personal data by the Member States, whilst the European Data Protection Supervisor as established by Regulation (EC) No 45/2001 should monitor the activities of the Union institutions and bodies in relation to the processing of personal data. The European Data Protection Supervisor and the supervisory authorities should cooperate with each other in the monitoring of the processing of personal data

Amendment    29

Proposal for a regulation

Recital 52

Text proposed by the Commission

Amendment

(52)  “(...) The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on

(52)  The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 16 April 2018.

Amendment    30

Proposal for a regulation

Recital 53

Text proposed by the Commission

Amendment

(53)  Insofar as confidentiality is concerned, the relevant provisions of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union should apply to officials or other servants employed and working in connection with SIS.

(53)  Insofar as confidentiality is concerned, the relevant provisions of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union should apply to officials or other servants employed and working in connection with the data accessed through any of the interoperability components.

Amendment    31

Proposal for a regulation

Recital 56

Text proposed by the Commission

Amendment

(56)  In order to allow competent authorities and the EU bodies to adapt to the new requirements on the use of the European search portal (ESP), it is necessary to provide for a transitional period. Similarly, in order to allow for the coherent and optimal functioning of the multiple-identity detector (MID), transitional measures should be established for the start of its operations.

(56)  In order to allow competent authorities and the Union bodies to adapt to the new requirements on the use of the ESP, it is necessary to provide for a transitional period which should entail, inter alia, training programmes for end users so as to ensure that the new instruments operate to their full potential. Similarly, in order to allow for the coherent and optimal functioning of the MID, transitional measures should be established for the start of its operations.

Amendment    32

Proposal for a regulation

Recital 57

Text proposed by the Commission

Amendment

(57)  The costs for the development of the interoperability components projected under the current Multiannual Financial Framework are lower than the remaining amount on the budget earmarked for Smart Borders in Regulation (EU) No 515/2014 of the European Parliament and the Council [58]. Accordingly, this Regulation, pursuant to Article 5(5)(b) of Regulation (EU) No 515/2014, should reallocate the amount currently attributed for developing IT systems supporting the management of migration flows across the external borders.

(57)  The remaining amount on the budget earmarked for developing IT systems supporting the management of migration flows across the external borders in Regulation (EU) No 515/2014 of the European Parliament and the Council [58] should be reallocated to this Regulation, pursuant to Article 5(5)(b) of Regulation (EU) No 515/2014.

 

In addition, eu-LISA should endeavour to keep costs to a minimum and to identify and implement the most cost-effective technical solutions.

_________________

_________________

58 Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing as part of the Internal Security Fund, the Instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (OJ L 150, 20.5.2014, p. 143).

58 Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing as part of the Internal Security Fund, the Instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (OJ L 150, 20.5.2014, p. 143).

Justification

Projected costs often do not reflect actual costs. All that can be said with certainty at this stage is that the remaining amount available under Regulation 515/2014 should be reallocated to this Regulation.

Amendment    33

Proposal for a regulation

Recital 57 a (new)

Text proposed by the Commission

Amendment

 

(57a)  It would be appropriate that, during the development phase of the interoperability components, the Commission assess the necessity of further harmonisation of national systems and infrastructure of Member States at external borders and make recommendations. Those recommendations should also include an impact assessment and an assessment of the cost for the Union budget.

Amendment    34

Proposal for a regulation

Recital 58

Text proposed by the Commission

Amendment

(58)  In order to supplement certain detailed technical aspects of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of the profiles for the users of the European search portal (ESP) and the content and format of the ESP replies. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016 [59]. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member State experts, and their experts should systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(58)  In order to supplement certain detailed technical aspects of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, power should be delegated to the Commission in respect of the profiles for the users of the European search portal (ESP), the content and format of the ESP replies, the procedures to determine the cases where identity data can be considered as identical or similar, and the rules on the operation of the CRRS, including specific safeguards for processing of personal data and security rules applicable to the repository. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016 [59]. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member State experts, and their experts should systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

_________________

_________________

59 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.123.01.0001.01.ENG.

59 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.123.01.0001.01.ENG.

Justification

The additional elements on procedures for identity data and in respect of the CRRS constitute the supplementing of certain non-essential elements of this Regulation and, as such, should be the subject of a delegated act.

Amendment    35

Proposal for a regulation

Recital 59

Text proposed by the Commission

Amendment

(59)  In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to adopt detailed rules on: automated data quality control mechanisms, procedures and indicators; development of the UMF standard; procedures for determining cases of similarity of identities; the operation of the central repository for reporting and statistics; and cooperation procedure in case of security incidents. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council [60].

(59)  In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to adopt detailed rules on: automated data quality control mechanisms, procedures and indicators; development of the UMF standard; and cooperation procedure in case of security incidents. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council [60].

_________________

_________________

60 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

60 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

Justification

This amendment is tabled for consistency with the previous amendment.

Amendment    36

Proposal for a regulation

Recital 68 a (new)

Text proposed by the Commission

Amendment

 

(68a)  As interoperability components will involve the processing of significant amounts of sensitive personal data, it is important that persons whose data is processed through those components can effectively exercise their rights as data subjects as laid down in Regulation (EU) 2016/679, Directive (EU) 680/2016 and Regulation (EC) No 45/2001. In that regard, in the same way as Member State authorities have been provided with a single portal to carry out searches in Union information systems, the data subjects should be provided with a single web service through which they can exercise their rights to access to and rectification, erasure and restriction of their personal data. eu-LISA should establish such a web service and host it in its technical site. As eu-LISA is not responsible for the entry of personal data or the verification of identities, any request by a data subject should be transmitted via the web service to either the Member State responsible for the manual verification of different identities or the Member State responsible for the entry of the data into the underlying information system.

Amendment    37

Proposal for a regulation

Recital 68 b (new)

Text proposed by the Commission

Amendment

 

(68b)  Article 8 (2) of the European Convention on Human Rights states that any interference with the right to respect for private life must pursue a legitimate aim and must be both necessary and proportionate except in such cases when, in accordance with the law such an action is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Justification

The right to the protection of personal data and the right to respect for private life are enshrined both within EU law (GDPR) and within EU's highest human rights instruments. As this legislation deals with both personal data and privacy of persons, it is essential that both instruments are reflected within the recitals of the law.

Amendment    38

Proposal for a regulation

Recital 68 c (new)

Text proposed by the Commission

Amendment

 

(68c)  One of the core principles of data protection is data minimisation as highlighted in Article 5 (1)(c) of Regulation (EU) 2016/679 in accordance with which the processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Justification

The right to the protection of personal data and the right to respect for private life are enshrined both within EU law (GDPR) and within EU's highest human rights instruments. As this legislation deals with both personal data and privacy of persons, it is essential that both instruments are reflected within the recitals of the law.

Amendment    39

Proposal for a regulation

Recital 68 d (new)

Text proposed by the Commission

Amendment

 

(68d)  Article 5 (1) (b) of Regulation (EU) 2016/679 provides that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Furthermore, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes must respect the principle of purpose limitation.

Justification

The right to the protection of personal data and the right to respect for private life are enshrined both within EU law (GDPR) and within EU's highest human rights instruments. As this legislation deals with both personal data and privacy of persons, it is essential that both instruments are reflected within the recitals of the law.

Amendment    40

Proposal for a regulation

Article 1 – paragraph 1

Text proposed by the Commission

Amendment

1.  This Regulation, together with [Regulation 2018/xx on interoperability borders and visa], establishes a framework to ensure the interoperability between the Entry/Exit System (EES), the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, the Schengen Information System (SIS), and [the European Criminal Records Information System for third-country nationals (ECRIS-TCN)] in order for those systems and data to supplement each other.

1.  This Regulation, together with [Regulation 2018/xx on interoperability police and judicial cooperation, asylum and migration], establishes a framework to ensure the interoperability between the Entry/Exit System (EES), the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, the Schengen Information System (SIS), and [the European Criminal Records Information System for third-country nationals (ECRIS-TCN)].

Amendment    41

Proposal for a regulation

Article 1 – paragraph 3

Text proposed by the Commission

Amendment

3.  This Regulation also lays down provisions on data quality requirements, on a Universal Message Format (UMF), on a central repository for reporting and statistics (CRRS) and lays down the responsibilities of the Member States and of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), with respect to the design and operation of the interoperability components.

3.  This Regulation also lays down provisions on data quality requirements, on a Universal Message Format (UMF), on a central repository for reporting and statistics (CRRS) and lays down the responsibilities of the Member States and of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), with respect to the design, development and operation of the interoperability components.

Amendment    42

Proposal for a regulation

Article 1 – paragraph 4

Text proposed by the Commission

Amendment

4.  This Regulation also adapts the procedures and conditions for Member State law enforcement authorities and for the European Union Agency for Law Enforcement Cooperation (Europol) access to the Entry/Exit System (EES), the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS),] and Eurodac for the purposes of the prevention, detection and investigation of terrorist offences or of other serious criminal offences falling under their competence.

4.  This Regulation also adapts the procedures and conditions for Member State designated authorities and for the European Union Agency for Law Enforcement Cooperation (Europol) access to the EES, VIS, ETIAS and Eurodac for the purposes of the prevention, detection and investigation of terrorist offences or of other serious criminal offences.

Amendment    43

Proposal for a regulation

Article 1 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

 

4a.  This Regulation also lays down a framework for verifying identities of third-country nationals and for identifying third-country nationals.

Amendment    44

Proposal for a regulation

Article 2 – title

Text proposed by the Commission

Amendment

Objectives of interoperability

Objectives

Amendment    45

Proposal for a regulation

Article 2 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a)  to improve the management of the external borders;

(a)  to enhance the effectiveness and efficiency of border checks at the external borders;

Amendment    46

Proposal for a regulation

Article 2 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b)  to contribute to preventing and combating irregular migration;

(b)  to contribute to preventing and tackling irregular migration;

Amendment    47

Proposal for a regulation

Article 2 – paragraph 1 – point e a (new)

Text proposed by the Commission

Amendment

 

(ea)  to contribute to the prevention, detection and investigation of terrorist offences or of other serious criminal offences;

Amendment    48

Proposal for a regulation

Article 2 – paragraph 1 – point e b (new)

Text proposed by the Commission

Amendment

 

(eb)  to aid in the identification of unknown persons who are unable to identify themselves or unidentified human remains in cases of natural disasters, accidents or terrorist attacks.

Amendment    49

Proposal for a regulation

Article 2 – paragraph 2 – introductory part

Text proposed by the Commission

Amendment

2.  The objectives of ensuring interoperability shall be achieved by:

2.  Those objectives shall be achieved by:

Amendment    50

Proposal for a regulation

Article 2 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a)  ensuring the correct identification of persons;

(a)  facilitating the correct identification of third-country nationals registered in the Union information systems;

Amendment    51

Proposal for a regulation

Article 2 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b)  contributing to fighting identity fraud;

(b)  contributing to combating identity fraud;

Amendment    52

Proposal for a regulation

Article 2 – paragraph 2 – point c

Text proposed by the Commission

Amendment

(c)  improving and harmonising data quality requirements of the respective EU information systems;

(c)  improving the data quality and harmonising the quality requirements for the data stored in the Union information systems while respecting the data processing requirements of the legal bases of the individual systems, data protection standards and principles;

Amendment    53

Proposal for a regulation

Article 2 – paragraph 2 – point c a (new)

Text proposed by the Commission

Amendment

 

(ca)  improving judicial cooperation in the area of freedom, security and justice;

Amendment    54

Proposal for a regulation

Article 2 – paragraph 2 – point d

Text proposed by the Commission

Amendment

(d)  facilitating the technical and operational implementation by Member States of existing and future EU information systems;

(d)  facilitating the technical and operational implementation by Member States of existing and Union information systems;

Amendment    55

Proposal for a regulation

Article 2 – paragraph 2 – point e

Text proposed by the Commission

Amendment

(e)  strengthening and simplifying and making more uniform the data security and data protection conditions that govern the respective EU information systems;

(e)  strengthening and simplifying and making more uniform the data security and data protection conditions that govern the respective Union information systems, without prejudice to the special protection and safeguards afforded to certain categories of data;

Amendment    56

Proposal for a regulation

Article 2 – paragraph 2 – point f

Text proposed by the Commission

Amendment

(f)  streamlining the conditions for law enforcement access to the EES, the VIS, [the ETIAS] and Eurodac;

(f)  streamlining and simplifying the conditions for designated authorities’ access to the EES, VIS, [ETIAS] and Eurodac, while ensuring the necessary and proportionate conditions for law enforcement access;

Amendment    57

Proposal for a regulation

Article 3 – paragraph 3

Text proposed by the Commission

Amendment

3.  This Regulation applies to persons in respect of whom personal data may be processed in the EU information systems referred to in paragraph 1 and in the Europol data referred to in paragraph 2.

3.  This Regulation applies to persons in respect of whom personal data may be processed in the Union information systems referred to in paragraph 1 and in the Europol data referred to in paragraph 2, only for the purposes as defined in the underlying legal basis for those information systems.

Justification

It is important to reiterate that, in terms of scope, the processing of personal data through interoperability should only serve to achieve the purposes of the underlying systems.

Amendment    58

Proposal for a regulation

Article 4 – paragraph 1 – point 3

Text proposed by the Commission

Amendment

(3)  ‘border authority’ means the border guard assigned in accordance with national law to carry out border checks;

(3)  ‘border authority’ means the border guard assigned in accordance with national law to carry out border checks as defined in Article 2(11) of Regulation (EU) 2016/399;

Amendment    59

Proposal for a regulation

Article 4 – paragraph 1 – point 18

Text proposed by the Commission

Amendment

(18)  ‘EU information systems’ means the large-scale IT systems managed by eu-LISA;

(18)  ‘Union information systems’ means the EES, VIS, [ETIAS], Eurodac, SIS and [ECRIS-TCN] operationally managed by eu-LISA;

Amendment    60

Proposal for a regulation

Article 4 – paragraph 1 – point 19

Text proposed by the Commission

Amendment

(19)  ‘Europol data’ means personal data provided to Europol for the purpose referred to in Article 18(2)(a) of Regulation (EU) 2016/794;

(19)  ‘Europol data’ means personal data processed by Europol for the purposes referred to in Article 18(2)(a), (b) and (c) of Regulation (EU) 2016/794;

Amendment    61

Proposal for a regulation

Article 4 – paragraph 1 – point 21

Text proposed by the Commission

Amendment

(21)  ‘match’ means the existence of a correspondence established by comparing two or more occurrences of personal data recorded or being recorded in an information system or database;

(21)  ‘match’ means the existence of a same or similar correspondence as a result of an automated comparison between personal data recorded or being recorded in an information system or database;

Amendment    62

Proposal for a regulation

Article 4 – paragraph 1 – point 22

Text proposed by the Commission

Amendment

(22)  ‘hit’ means the confirmation of one match or several matches;

deleted

Amendment    63

Proposal for a regulation

Article 4 – paragraph 1 – point 24

Text proposed by the Commission

Amendment

(24)  ‘designated authorities’ means the Member State designated authorities referred to in Article 29(1) of Regulation (EU) 2017/2226, Article 3(1) of Council Decision 2008/633/JHA, [Article 43 of the ETIAS Regulation] and [Article 6 of the Eurodac Regulation];

(24)  ‘designated authorities’ means the Member State designated authorities as defined in Article 3(26) of Regulation (EU) 2017/2226, Article 2(1)(d) of Council Decision 2008/633/JHA, [Article 3(21) of the ETIAS Regulation] and referred to in [Article 6 of the Eurodac Regulation];

Amendment    64

Proposal for a regulation

Article 4 – paragraph 1 – point 25

Text proposed by the Commission

Amendment

(25)  ‘terrorist offence’ means an offence under national law which corresponds or is equivalent to one of the offences referred to in Directive (EU) 2017/541;

(25)  ‘terrorist offence’ means an offence under national law which corresponds to one of the offences referred to in Articles 3 to 14 of Directive (EU) 2017/541, or which is equivalent to one of those offences for the Member States which are not bound by that Directive;

Amendment    65

Proposal for a regulation

Article 4 – paragraph 1 – point 31

Text proposed by the Commission

Amendment

(31)  'SIS' means the Schengen Information System as referred to [in the Regulation on SIS in the field of border checks, Regulation on SIS in the field of law enforcement and Regulation on SIS in the field of illegal return];

(31)  'SIS' means the Schengen Information System as referred to [in the Regulation on SIS in the field of border checks, Regulation on SIS in the field of law enforcement and Regulation on SIS in the field of return];

 

(Horizontal amendment applies throughout the text.)

Amendment    66

Proposal for a regulation

Article 4 – paragraph 1 – point 33

Text proposed by the Commission

Amendment

(33)  'ESP' means the European search portal as referred to in Article 6;

deleted

Amendment    67

Proposal for a regulation

Article 4 – paragraph 1 – point 34

Text proposed by the Commission

Amendment

(34)  'shared BMS' means the shared biometric matching service as referred to in Article 15;

deleted

Amendment    68

Proposal for a regulation

Article 4 – paragraph 1 – point 35

Text proposed by the Commission

Amendment

(35)  'CIR' means the common identity repository as referred to in Article 17;

deleted

Amendment    69

Proposal for a regulation

Article 4 – paragraph 1 – point 36

Text proposed by the Commission

Amendment

(36)  'MID' means the multiple-identity detector as referred to in Article 25;

deleted

Amendment    70

Proposal for a regulation

Article 4 – paragraph 1 – point 37

Text proposed by the Commission

Amendment

(37)  'CRRS' means the central repository for reporting and statistics as referred to in Article 39.

deleted

Amendment    71

Proposal for a regulation

Article 5 – title

Text proposed by the Commission

Amendment

Non-discrimination

Non-discrimination and fundamental rights

Amendment    72

Proposal for a regulation

Article 5 – paragraph 1

Text proposed by the Commission

Amendment

Processing of personal data for the purposes of this Regulation shall not result in discrimination against persons on any grounds such as sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation. It shall fully respect human dignity and integrity. Particular attention shall be paid to children, the elderly and persons with a disability.

Processing of personal data for the purposes of this Regulation shall not result in discrimination against persons on any grounds such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. It shall fully respect human dignity and integrity and fundamental rights, including the right to respect for one’s private life and to the protection of personal data. Particular attention shall be paid to children, the elderly and persons with a disability and persons in need of international protection. The best interests of the child shall be a primary consideration.

Amendment    73

Proposal for a regulation

Article 5 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

One year after the date of entry into force of this Regulation, the Commission shall conduct an ex-post evaluation aimed at assessing the impact of interoperability on the right to non-discrimination.

Justification

Currently, it is not possible to ascertain that the principle of non-discrimination will be fully applied, especially in reference to the Multiple Identity Detector. For example, it is still unclear whether or not the proposal may negatively affect women, in comparison with men, due to the fact that women are more likely to change their last name.

Amendment    74

Proposal for a regulation

Article 6 – paragraph 1

Text proposed by the Commission

Amendment

1.  A European search portal (ESP) is established for the purposes of ensuring that Member State authorities and EU bodies have fast, seamless, efficient, systematic and controlled access to the EU information systems, the Europol data and the Interpol databases that they need to perform their tasks in accordance with their access rights and of supporting the objectives of the EES, the VIS, [the ETIAS], Eurodac, the SIS, [the ECRIS-TCN system] and the Europol data.

1.  A European search portal (ESP) is established for the purposes of facilitating the controlled access of Member State authorities and Union agencies to the Union information systems, to Europol data and the Interpol databases for the performance of their tasks and in accordance with their access rights and the objectives and purposes of the EES, VIS, [ETIAS], Eurodac, SIS, [ECRIS-TCN] as well as in accordance with Regulation (EU) 2016/679, while fully respecting the principles of necessity and proportionality.

Amendment    75

Proposal for a regulation

Article 6 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b)  a secure communication channel between the ESP, Member States and EU bodies that are entitled to use the ESP in accordance with Union law;

(b)  a secure communication channel between the ESP, Member States and Union agencies that are entitled to use the ESP;

Amendment    76

Proposal for a regulation

Article 6 – paragraph 2 – point c a (new)

Text proposed by the Commission

Amendment

 

(ca)  a central Union backup ESP capable of providing all the functionalities of the principal ESP and a similar level of performance as it in the event of its failure.

Amendment    77

Proposal for a regulation

Article 6 – paragraph 3

Text proposed by the Commission

Amendment

3.  eu-LISA shall develop the ESP and ensure its technical management.

3.  eu-LISA shall develop the ESP and ensure its technical management. It shall not, however, have access to any of the personal data processed through the ESP.

Amendment    78

Proposal for a regulation

Article 7 – paragraph 1

Text proposed by the Commission

Amendment

1.  The use of the ESP shall be reserved to the Member State authorities and EU bodies having access to the EES, [the ETIAS], the VIS, the SIS, Eurodac and [the ECRIS-TCN system], to the CIR and the multiple-identity detector as well as the Europol data and the Interpol databases in accordance with Union or national law governing such access.

1.  The use of the ESP shall be reserved to the Member State authorities and Union agencies having access to the EES, [ETIAS], VIS, SIS, Eurodac and [ECRIS-TCN] in accordance with the legal instruments governing those Union information systems, to the CIR and the multiple-identity detector in accordance with this Regulation as well as Europol data in accordance with Regulation (EU) 2016/794 and to the Interpol databases in accordance with Union or national law governing such access.

 

Those Member State authorities and Union agencies may make use of the ESP and the data provided by it only for the objectives and purposes laid down in the legal instruments governing those Union information systems and in this Regulation.

Amendment    79

Proposal for a regulation

Article 7 – paragraph 2

Text proposed by the Commission

Amendment

2.  The authorities referred to in paragraph 1 shall use the ESP to search data related to persons or their travel documents in the central systems of Eurodac and [the ECRIS-TCN system] in accordance with their access rights under Union and national law. They shall also use the ESP to query the CIR in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22.

2.  The authorities referred to in paragraph 1 shall use the ESP to search data related to persons or their travel documents in the central systems of Eurodac and [ECRIS-TCN] in accordance with their access rights in accordance with the legal instruments governing the Union information systems and national law. They shall also use the ESP to query the CIR in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22.

Amendment    80

Proposal for a regulation

Article 7 – paragraph 4

Text proposed by the Commission

Amendment

4.  The EU bodies shall use the ESP to search data related to persons or their travel documents in the Central SIS.

4.  Where they are so required under Union law, Union agencies referred to in paragraph 1 shall use the ESP to search data related to persons or their travel documents in the Central SIS.

Amendment    81

Proposal for a regulation

Article 7 – paragraph 5

Text proposed by the Commission

Amendment

5.  The authorities referred to in paragraph 1 may use the ESP to search data related to persons or their travel documents in the Europol data in accordance with their access rights under Union and national law.

5.  Where so required under Union or national law, the authorities referred to in paragraph 1 may use the ESP to search data related to persons or their travel documents in the Europol data in accordance with their access rights under Union and national law.

Amendment    82

Proposal for a regulation

Article 8 – paragraph 1 – point a a (new)

Text proposed by the Commission

Amendment

 

(aa)  the purpose of the query;

Amendment    83

Proposal for a regulation

Article 8 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b)  the EU information systems, the Europol data and the Interpol databases that shall and may be consulted and that shall provide a reply to the user; and

(b)  the Union information systems, Europol data, the Interpol databases and the data in those systems that may be searched and that shall provide a reply to the user; a user requesting data on the basis of Article 22 shall only get a hit/no-hit notification if the user is authorised to request from the central access point the data of the individual Union information system having provided a hit in accordance with the legal instrument governing that system;

Amendment    84

Proposal for a regulation

Article 8 – paragraph 2

Text proposed by the Commission

Amendment

2.  The Commission shall adopt delegated acts in accordance with Article 63 to specify the technical details of the profiles referred to in paragraph 1 for the users of the ESP referred to in Article 7(1) in accordance with their access rights.

2.  The Commission shall adopt delegated acts in accordance with Article 63 to specify the technical details of the profiles referred to in paragraph 1 for the users of the ESP referred to in Article 7(1) in accordance with their access rights as laid down in the legal instruments governing Union information systems and in national law where applicable.

Amendment    85

Proposal for a regulation

Article 8 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  The profiles referred to in paragraph 1 shall be reviewed regularly, at least once per year, and if necessary updated.

Amendment    86

Proposal for a regulation

Article 9 – paragraph 1

Text proposed by the Commission

Amendment

1.  The users of the ESP shall launch a query by introducing data in the ESP in accordance with their user profile and access rights. Where a query has been launched, the ESP shall query simultaneously, with the data introduced by the user of the ESP, the EES, [the ETIAS], the VIS, the SIS, Eurodac, [the ECRIS-TCN system] and the CIR as well as the Europol data and the Interpol databases.

1.  The users of the ESP shall launch a query by introducing data in the ESP in accordance with their ESP user profile created in accordance with Article 8 and access rights. Where a query has been launched, the ESP shall query simultaneously, with the data introduced by the user of the ESP, the EES, [ETIAS], VIS, SIS, Eurodac, [ECRIS-TCN] and the CIR as well as the Europol data and the Interpol databases.

Amendment    87

Proposal for a regulation

Article 9 – paragraph 4

Text proposed by the Commission

Amendment

4.  The EES, [the ETIAS], the VIS, the SIS, Eurodac, [the ECRIS-TCN system], the CIR and the multiple-identity detector, as well as the Europol data and the Interpol databases, shall provide the data that they contain resulting from the query of the ESP.

4.  The EES, [ETIAS], VIS, SIS, Eurodac, [ECRIS-TCN], the CIR and the multiple-identity detector, as well as Europol data and the Interpol databases, shall provide the data that they contain resulting from the query of the ESP. The ESP shall provide replies to the user as soon as data is available from one of the systems. The replies to the user from the ESP shall be unique and shall contain all the data to which the user has access in accordance with the legal instruments governing the Union information systems and under national law. Without prejudice to Article 20, the reply provided by the ESP shall indicate to which Union information system or database the data belongs. The ESP shall provide no information regarding data in information systems to which the user has no access under Union law.

Amendment    88

Proposal for a regulation

Article 9 – paragraph 5

Text proposed by the Commission

Amendment

5.  When querying the Interpol databases, the design of the ESP shall ensure that the data used by the user of the ESP to launch a query is not shared with the owners of Interpol data.

5.  When querying the Interpol databases, the design of the ESP shall ensure that no information is revealed to the owner of the Interpol alert. The design of the ESP shall also ensure that Interpol TDAWN is not queried in a systematic manner but in accordance with applicable Union and national law.

Amendment    89

Proposal for a regulation

Article 9 – paragraph 6

Text proposed by the Commission

Amendment

6.  The reply to the user of the ESP shall be unique and shall contain all the data to which the user has access under Union law. Where necessary, the reply provided by the ESP shall indicate to which information system or database the data belongs.

deleted

Amendment    90

Proposal for a regulation

Article 10 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

Without prejudice to [Article 39 of the Eurodac Regulation], [Articles 12 and 18 of the Regulation on SIS in the field of law enforcement], [Article 29 of the ECRIS-TCN Regulation] and Article 40 of Regulation (EU) 2016/794, eu-LISA shall keep logs of all data processing operations within the ESP. Those logs shall include, in particular, the following:

Without prejudice to [Article 39 of the Eurodac Regulation], [Articles 12 and 18 of the Regulation on SIS in the field of law enforcement], [Article 29 of the ECRIS-TCN Regulation] and Article 40 of Regulation (EU) 2016/794, eu-LISA shall keep logs of all data processing operations within the ESP. Those logs shall include, in particular, the following:

Amendment    91

Proposal for a regulation

Article 10 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a)  the Member State authority and the individual user of the ESP, including the ESP profile used as referred to in Article 8;

(a)  the Member State authority or the Union agency launching the query;

Amendment    92

Proposal for a regulation

Article 10 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c)  the EU information systems and the Europol data queried;

(c)  the Union information systems and the Europol and Interpol databases queried;

Amendment    93

Proposal for a regulation

Article 10 – paragraph 1 – point c a (new)

Text proposed by the Commission

Amendment

 

(ca)  the ESP profile;

Amendment    94

Proposal for a regulation

Article 10 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d)  in accordance with national rules or when applicable, Regulation (EU) 45/2001, the identifying mark of the person who carried out the query.

deleted

Amendment    95

Proposal for a regulation

Article 10 – paragraph 1 – subparagraph 1 (new)

Text proposed by the Commission

Amendment

 

In addition, Member States and Union agencies shall keep logs of the unique user identity of the official performing the query.

Amendment    96

Proposal for a regulation

Article 10 – paragraph 2

Text proposed by the Commission

Amendment

2.  The logs may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation, unless they are required for monitoring procedures that have already begun.

2.  The logs may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, for self-monitoring, and for ensuring the proper functioning and data integrity and security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to national supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. Those logs shall be protected by appropriate measures against unauthorised access and erased two years after their creation, unless they are required for monitoring procedures that have already begun.

Amendment    97

Proposal for a regulation

Article 11 – paragraph -1 (new)

Text proposed by the Commission

Amendment

 

-1.  Where it is technically impossible to use the ESP due to its failure, eu-LISA shall switch to the back-up ESP.

Amendment    98

Proposal for a regulation

Article 11 – paragraph 1

Text proposed by the Commission

Amendment

1.  Where it is technically impossible to use the ESP to query one or several EU information systems referred to in Article 9(1) or the CIR, because of a failure of the ESP, the users of the ESP shall be notified by eu-LISA.

1.  Where it remains technically impossible to use the ESP to query one or several Union information systems or the CIR, because of a failure of the ESP or a failure in the Union information systems being queried, the users of the ESP shall be immediately notified by eu-LISA.

Amendment    99

Proposal for a regulation

Article 11 – paragraph 2

Text proposed by the Commission

Amendment

2.  Where it is technically impossible to use the ESP to query one or several EU information systems referred to in Article 9(1) or the CIR, because of a failure of the national infrastructure in a Member State, that Member State's competent authority shall notify eu-LISA and the Commission.

2.  Where it is technically impossible to use the ESP to query one or several Union information systems or the CIR, because of a failure of the national infrastructure in a Member State, that Member State's competent authority shall immediately inform all its users and notify eu-LISA and the Commission.

Amendment    100

Proposal for a regulation

Article 11 – paragraph 3

Text proposed by the Commission

Amendment

3.  In both scenarios, and until the technical failure is addressed, the obligation referred to in Article 7(2) and (4) shall not apply and Member States may access the information systems referred to in Article 9(1) or the CIR directly using their respective national uniform interfaces or national communication infrastructures.

3.  In both scenarios referred to in paragraphs 1 and 2 of this Article, and until the technical failure is addressed, the obligation referred to in Article 7(2) and (4) shall not apply and Member States shall access the Union information systems or the CIR, where they are required to do so according to Union or national law, directly using their respective national uniform interfaces or national communication infrastructures.

Amendment    101

Proposal for a regulation

Article 11 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a.  Where it is technically impossible to use the ESP to query one or several Union information systems or the CIR because of a failure of the infrastructure of a Union agency that agency shall notify eu-LISA and the Commission.

Amendment    102

Proposal for a regulation

Article 12 – paragraph 1

Text proposed by the Commission

Amendment

1.  A shared biometric matching service (shared BMS) storing biometric templates and enabling querying with biometric data across several EU information systems is established for the purposes of supporting the CIR and the multiple-identity detector and the objectives of the EES, the VIS, Eurodac, the SIS and [the ECRIS-TCN system].

1.  A shared biometric matching service (shared BMS) storing biometric templates and enabling querying with biometric data across Union information systems containing biometric data is established for the purposes of supporting the CIR and the multiple-identity detector and the objectives of the EES, VIS, Eurodac, SIS and [ECRIS-TCN]. In line with the principles of necessity and proportionality, the shared BMS shall not store DNA data or palm print data.

Amendment    103

Proposal for a regulation

Article 12 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a)  a central infrastructure, including a search engine and the storage of the data referred to in Article 13;

(a)  a central infrastructure, that shall replace the Automated Fingerprint Identification Systems of respectively the EES, VIS, SIS, Eurodac and [ECRIS-TCN] to the extent that it allows to search with biometric data as defined in Article 4(12);

Amendment    104

Proposal for a regulation

Article 12 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b)  a secure communication infrastructure between the shared BMS, Central-SIS and the CIR.

(b)  a secure communication infrastructure between the shared BMS, Central-SIS, the CIR and the Union information systems.

Amendment    105

Proposal for a regulation

Article 12 – paragraph 3

Text proposed by the Commission

Amendment

3.  eu-LISA shall develop the shared BMS and ensure its technical management.

3.  eu-LISA shall develop the shared BMS and ensure its technical management. It shall not, however, have access to any of the personal data processed through the shared BMS.

Amendment    106

Proposal for a regulation

Article 13 – title

Text proposed by the Commission

Amendment

Data stored in the shared biometric matching service

Storing biometric templates in the shared biometric matching service

Amendment    107

Proposal for a regulation

Article 13 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  The shared BMS shall store the biometric templates that it shall obtain from the following biometric data:

1.  The shared BMS shall store the biometric templates – logically separated – according to the information system from which the data originates, that it shall obtain from the following biometric data:

Amendment    108

Proposal for a regulation

Article 13 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d)  the data referred to in Article 20(3)(w) and (x) of the Regulation on SIS in the field of law enforcement;

(d)  the data referred to in Article 20(3)(w) and (y) of the Regulation on SIS in the field of law enforcement;

Amendment    109

Proposal for a regulation

Article 13 – paragraph 1 – point f

Text proposed by the Commission

Amendment

(f)  [the data referred to in Article 13(a) of the Eurodac Regulation;]

(f)  [the data referred to in Article 12(a) and (b), Article 13(2),(a) and (b) and Article 14(2),(a) and (b) of the Eurodac Regulation;]

Amendment    110

Proposal for a regulation

Article 13 – paragraph 4

Text proposed by the Commission

Amendment

4.  The storage of the data referred to in paragraph 1 shall meet the quality standards referred to in Article 37(2).

4.  The storage of the data referred to in paragraph 1 of this Article shall meet the quality standards referred to in Article 37.

Amendment    111

Proposal for a regulation

Article 15 – paragraph 1

Text proposed by the Commission

Amendment

The data referred to in Article 13 shall be stored in the shared BMS for as long as the corresponding biometric data is stored in the CIR or the SIS.

The data referred to in Article 13 shall be stored in the shared BMS for as long as the corresponding biometric data is stored in the CIR in accordance with Articles 18 and 19 or in SIS, after which it shall be automatically deleted.

Amendment    112

Proposal for a regulation

Article 15 – paragraph 1

Text proposed by the Commission

Amendment

The data referred to in Article 13 shall be stored in the shared BMS for as long as the corresponding biometric data is stored in the CIR or the SIS.

The data referred to in Article 13 shall be stored in the shared BMS for as long as the corresponding biometric data is stored in the CIR in accordance with Article 19, SIS or as Europol data.

Amendment    113

Proposal for a regulation

Article 16 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  Without prejudice to [Article 39 of the Eurodac Regulation], [Article 12 and 18 of the Regulation on SIS in the field of law enforcement] and [Article 29 of the ECRIS-TCN Regulation], eu-LISA shall keep logs of all data processing operations within the shared BMS. Those logs shall include, in particular, the following:

1.  Without prejudice to [Article 39 of the Eurodac Regulation], [Article 12 and 18 of the Regulation on SIS in the field of law enforcement] and [Article 29 of the ECRIS-TCN Regulation], eu-LISA shall keep logs of all data processing operations within the shared BMS. Those logs shall include the following:

Amendment    114

Proposal for a regulation

Article 16 – paragraph 1 – point -a (new)

Text proposed by the Commission

Amendment

 

(-a)  the Member State authority or the Union agency launching the query;

Amendment    115

Proposal for a regulation

Article 16 – paragraph 1 – point f

Text proposed by the Commission

Amendment

(f)  the results of the query and date and time of the result;

(f)  the results of the query and the date and time of the result and the Union information system from which the data was received;

Amendment    116

Proposal for a regulation

Article 16 – paragraph 1 – point g

Text proposed by the Commission

Amendment

(g)  in accordance with national rules or, when applicable, Regulation (EU) 45/2001, the identifying mark of the person who carried out the query.

deleted

Amendment    117

Proposal for a regulation

Article 16 – paragraph 1 – point g a (new)

Text proposed by the Commission

Amendment

 

(ga)  the specific purpose of the query and, where applicable, the case reference, pursuant to Article 14.

Amendment    118

Proposal for a regulation

Article 16 – paragraph 1 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

In addition, Member States and Union agencies shall keep logs of the unique user identity of the official performing the query.

Amendment    119

Proposal for a regulation

Article 16 – paragraph 2

Text proposed by the Commission

Amendment

2.  The logs may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation, unless they are required for monitoring procedures that have already begun. The logs referred to in paragraph 1(a) shall be erased once the data is erased.

2.  The logs may be used only for data protection monitoring and monitoring the impact on fundamental rights, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to the national supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. Those logs shall be protected by appropriate measures against unauthorised access and erased two years after their creation, unless they are required for monitoring procedures that have already begun. The logs referred to in paragraph 1(a) shall be erased once the data is erased.

Amendment    120

Proposal for a regulation

Article 17 – paragraph 1

Text proposed by the Commission

Amendment

1.  A common identity repository (CIR), creating an individual file for each person that is recorded in the EES, the VIS, [the ETIAS], Eurodac or [the ECRIS-TCN system] containing the data referred to in Article 18, is established for the purpose of facilitating and assisting the correct identification of persons registered in the EES, the VIS, [the ETIAS], the Eurodac and [the ECRIS-TCN system], of supporting the functioning of the multiple-identity detector and of facilitating and streamlining access by law enforcement authorities to non-law enforcement information systems at EU level, where necessary for the prevention, investigation, detection or prosecution of serious crime.

1.  A common identity repository (CIR), creating an individual file for each person that is recorded in the EES, VIS, [ETIAS], Eurodac or [ECRIS-TCN] containing the data referred to in Article 18, is established for the purpose of facilitating and assisting the correct identification of persons registered in the EES, VIS, [ETIAS], Eurodac and [ECRIS-TCN], of supporting the functioning of the multiple-identity detector and of facilitating and streamlining access by designated authorities to non-law enforcement information systems at Union level, where necessary for the prevention, investigation, detection or prosecution of serious crime, while fully respecting the principles of necessity and proportionality.

Amendment    121

Proposal for a regulation

Article 17 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b)  a secure communication channel between the CIR, Member States and EU bodies that are entitled to use the European search portal (ESP) in accordance with Union law;

(b)  a secure communication channel between the CIR, Member States and Union agencies that are entitled to use the CIR in accordance with Union and national law;

Amendment    122

Proposal for a regulation

Article 17 – paragraph 2 – point c a (new)

Text proposed by the Commission

Amendment

 

(ca)  a central Union backup CIR capable of providing all the functionalities of the principal CIR and a similar level of performance as it in the event of its failure. The CIR and the backup CIR may operate simultaneously. The CIR and the backup CIR shall be located in technical sites of eu-LISA.

Amendment    123

Proposal for a regulation

Article 17 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a.  Where it is technically impossible to query the CIR for the purpose of identifying a person pursuant to Article 20, for the detection of multiple identities pursuant to Article 21 or for law enforcement purposes pursuant to Article 22, because of a failure of the CIR, the users of the CIR shall be immediately notified by eu-LISA.

Amendment    124

Proposal for a regulation

Article 18 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a)  – (not applicable)

deleted

 

(Horizontal amendment applies throughout the text.)

Amendment    125

Proposal for a regulation

Article 18 – paragraph 1 – point e

Text proposed by the Commission

Amendment

(e)  [the data referred to in Article 5(1)(b) and 5(2) and the following data of Article 5(1)(a) of the ECRIS-TCN Regulation: surname or family name; first name(s) (given name(s)); sex; date of birth; place and country of birth; nationality or nationalities; gender and where applicable previous names, pseudonym(s) and/or alias name(s).]

(e)  [the data referred to in Article 5(1)(b) and 5(2) and the following data of Article 5(1)(a) of the ECRIS-TCN Regulation: surname or family name; first name(s) (given name(s)); sex; date of birth; place and country of birth; nationality or nationalities; gender and where applicable previous names, pseudonym(s) and/or alias name(s) as well as information on travel documents.]

Amendment    126

Proposal for a regulation

Article 18 – paragraph 2

Text proposed by the Commission

Amendment

2.  For each set of data referred to in paragraph 1, the CIR shall include a reference to the information systems to which the data belongs.

2.  For each set of data referred to in paragraph 1, the CIR shall include a reference to the information systems to which the data belongs. The officer accessing the CIR shall see only the data contained in the individual file stored in the CIR which originate from those information systems the officer is authorised to access.

Amendment    127

Proposal for a regulation

Article 19 – paragraph 1

Text proposed by the Commission

Amendment

1.  Where data is added, amended or deleted in Eurodac or [the ECRIS-TCN system], the data referred to in Article 18 stored in the individual file of the CIR shall be added, amended or deleted accordingly in an automated manner.

1.  Without duplicating the data from the respective Union information systems, where data is added, amended or deleted in Eurodac or [ECRIS-TCN], the data referred to in Article 18 stored in the individual file of the CIR shall be simultaneously added, amended or deleted accordingly in an automated manner.

Amendment    128

Proposal for a regulation

Article 20 – paragraph 1 – subparagraph -1 (new)

Text proposed by the Commission

Amendment

 

-1  Where a Member State police authority is unable to identify a person due to the lack of a travel document or another credible document proving that person’s identity, or where there are doubts about the identity data provided by that person or as to the authenticity of the travel document or the identity of its holder or where the person is unable or refuses to cooperate, the authority shall be able to query the CIR in accordance with paragraphs 1 and 2. Such query shall not be allowed against minors under the age of 12 years old, unless in the best interest of the child.

Amendment    129

Proposal for a regulation

Article 20 – paragraph 1 – subparagraph 1

Text proposed by the Commission

Amendment

Where a Member State police authority has been so empowered by national legislative measures as referred to in paragraph 2, it may, solely for the purpose of identifying a person, query the CIR with the biometric data of that person taken during an identity check.

Where the situation referred to in paragraph -1 arises during an identity check following rules and procedures provided for in national law and a Member State police authority has been so empowered by national legislative measures as referred to in paragraph 2, it may, in the presence of that person, and solely for the purpose of identifying that person, query the CIR with the biometric data of that person taken during the identity check.

Amendment    130

Proposal for a regulation

Article 20 – paragraph 1 – subparagraph 2

Text proposed by the Commission

Amendment

Where the query indicates that data on that person is stored in the CIR, the Member States authority shall have access to consult the data referred to in Article 18(1).

Where the query indicates that data on that person is stored in the CIR, the Member States police authority shall have access to consult the data referred to in Article 18(1). The consultation shall not reveal to which Union information system the data belongs.

Amendment    131

Proposal for a regulation

Article 20 – paragraph 1 – subparagraph 3

Text proposed by the Commission

Amendment

Where the biometric data of the person cannot be used or where the query with that data fails, the query shall be carried out with identity data of the person in combination with travel document data, or with the identity data provided by that person.

deleted

Amendment    132

Proposal for a regulation

Article 20 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  Where a Member State police authority has been so empowered by national legislative measures as referred to in paragraph 2, it may, in the event of a disaster or an accident and solely for the purpose of identifying unknown persons who are not able to identify themselves or unidentified human remains, query the CIR with the biometric data of those persons.

Amendment    133

Proposal for a regulation

Article 20 – paragraph 2

Text proposed by the Commission

Amendment

2.  Member States wishing to avail themselves of the possibility provided for in this Article shall adopt national legislative measures. Such legislative measures shall specify the precise purposes of identity checks within the purposes referred to in Article 2(1)(b) and (c). They shall designate the police authorities competent and lay down the procedures, conditions and criteria of such checks.

2.  Member States wishing to avail themselves of the possibility provided for in this Article shall adopt national legislative measures. Such legislative measures shall specify the precise purposes of the identification within the purposes referred to in Article 2(2)(b) and lay down the procedures, conditions and criteria for such identification. They shall designate the competent police authorities. Member States making use of this possibility shall transmit the text of their national legislative measures to the Commission. Access to the CIR to establish the identity of a third country national for purposes of ensuring a high level of security shall only be allowed where access for the same purposes to similar national databases exists and under equivalent conditions.

Amendment    134

Proposal for a regulation

Article 22 – paragraph 1

Text proposed by the Commission

Amendment

1.  For the purposes of preventing, detecting and investigating terrorist offences or other serious criminal offences in a specific case and in order to obtain information on whether data on a specific person is present in the EES, the VIS and [the ETIAS] or the Member State designated authorities and Europol may consult the CIR.

1.  Where there are reasonable grounds to believe that consultation of Union information systems will substantially contribute to the prevention, detection or investigation of terrorist or other serious criminal offences, in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls under a category of third-country nationals whose data are stored in [the EES], VIS, [ETIAS] or Eurodac, and where a prior search in national databases has been carried out and a query of the automated fingerprint identification system of the other Member States under Decision 2008/615/JHA has been launched, the Member States designated authorities and Europol may use the CIR in order to obtain information on whether data on a specific person is present in the EES, VIS and [ETIAS].

Amendment    135

Proposal for a regulation

Article 22 – paragraph 3 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

The reply indicating that data on that person is present in any of the Union information systems referred to in paragraph 1 may be used only for the purposes of submitting an access request subject to the conditions and procedures laid down in the respective legislative instruments governing such access.

Amendment    136

Proposal for a regulation

Article 22 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

 

4a.  The Member State designated authorities and Europol getting a hit shall refer to the national supervisory authorities that shall check whether the conditions of accessing the CIR were complied with. In case the ex post independent verification determines that the consultation of the CIR was not justified, the law enforcement authority shall erase all data originating from the CIR.

Amendment    137

Proposal for a regulation

Article 23 – paragraph 1

Text proposed by the Commission

Amendment

The data referred to in Article 18(1) and (2) shall be deleted from the CIR in accordance with the data retention provisions of [the Eurodac Regulation] and [the ECRIS-TCN Regulation] respectively.

The data referred to in Article 18(1) and (2) shall be automatically deleted from the CIR in accordance with the data retention provisions of [the Eurodac Regulation] and [the ECRIS-TCN Regulation] respectively.

Amendment    138

Proposal for a regulation

Article 23 – paragraph 2

Text proposed by the Commission

Amendment

2.  The individual file shall be stored in the CIR for as long as the corresponding data is stored in at least one of the information systems whose data is contained in the CIR. The creation of a link shall not affect the retention period of each item of the linked data.

2.  The individual file shall be stored in the CIR for as long as the corresponding data is stored in at least one of the Union information systems whose data is contained in the CIR. The creation of a link shall not affect the retention period of each item of the linked data. Once all data to which a link is created is deleted the link shall also be deleted automatically.

Amendment    139

Proposal for a regulation

Article 24 – paragraph 2 – introductory part

Text proposed by the Commission

Amendment

2.  Concerning any access to the CIR pursuant to Article 20, eu-LISA shall keep logs of all data processing operations within the CIR. Those logs shall include, in particular, the following:

2.  Concerning any access to the CIR pursuant to Article 20, eu-LISA shall keep logs of all data processing operations within the CIR. Those logs shall include the following:

Amendment    140

Proposal for a regulation

Article 24 – paragraph 2 – point -a (new)

Text proposed by the Commission

Amendment

 

(-a)  the Member State authority launching the query;

Amendment    141

Proposal for a regulation

Article 24 – paragraph 2 – point d

Text proposed by the Commission

Amendment

(d)  the results of the query;

(d)  the results of the query and the Union information system from which the data was received.

Amendment    142

Proposal for a regulation

Article 24 – paragraph 2 – point e

Text proposed by the Commission

Amendment

(e)  in accordance with national rules or with Regulation (EU) 2016/794 or, when applicable, Regulation (EU) 45/2001, the identifying mark of the person who carried out the query.

deleted

Amendment    143

Proposal for a regulation

Article 24 – paragraph 2 – subparagraph 1 (new)

Text proposed by the Commission

Amendment

 

In addition, Member States shall keep logs of the unique user identity of the official performing the query.

Amendment    144

Proposal for a regulation

Article 24 – paragraph 3 – introductory part

Text proposed by the Commission

Amendment

3.  Concerning any access to the CIR pursuant to Article 21, eu-LISA shall keep logs of all data processing operations within the CIR. Those logs shall include, in particular, the following:

3.  Concerning any access to the CIR pursuant to Article 21, eu-LISA shall keep logs of all data processing operations within the CIR. Those logs shall include the following:

Amendment    145

Proposal for a regulation

Article 24 – paragraph 3 – point -a (new)

Text proposed by the Commission

Amendment

 

(-a)  the Member State authority launching the query;

Amendment    146

Proposal for a regulation

Article 24 – paragraph 3 – point c

Text proposed by the Commission

Amendment

(c)  where relevant, the data used to launch the query;

(c)  the data used to launch the query;

Amendment    147

Proposal for a regulation

Article 24 – paragraph 3 – point d

Text proposed by the Commission

Amendment

(d)  where relevant, the results of the query;

(d)  the results of the query and the Union information system from which the data was received.

Amendment    148

Proposal for a regulation

Article 24 – paragraph 3 – point e

Text proposed by the Commission

Amendment

(e)  in accordance with national rules or with Regulation (EU) 2016/794 or, when applicable, Regulation (EU) 45/2001, the identifying mark of the person who carried out the query.

deleted

Amendment    149

Proposal for a regulation

Article 24 – paragraph 3 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

In addition, Member States shall keep logs of the unique user identity of the official performing the query.

Amendment    150

Proposal for a regulation

Article 24 – paragraph 4 – subparagraph 1 – introductory part

Text proposed by the Commission

Amendment

Concerning any access to the CIR pursuant to Article 22, eu-LISA shall keep logs of all data processing operations within the CIR. Those logs shall include, in particular, the following:

Concerning any access to the CIR pursuant to Article 22, eu-LISA shall keep logs of all data processing operations within the CIR. Those logs shall include the following:

Amendment    151

Proposal for a regulation

Article 24 – paragraph 4 – subparagraph 1 – point a

Text proposed by the Commission

Amendment

(a)  the national file reference;

(a)  the purpose of access and the reference to the national investigation or case;

Amendment    152

Proposal for a regulation

Article 24 – paragraph 4 – subparagraph 1 – point c

Text proposed by the Commission

Amendment

(c)  the type of data used to launch the query;

(c)  the data used to launch the query or, in the case of a query launched with biometric data, the type of data used to launch the query;

Amendment    153

Proposal for a regulation

Article 24 – paragraph 4 – subparagraph 1 – point d

Text proposed by the Commission

Amendment

(d)  the results of the query;

(d)  the results of the query and the Union information system from which the data was received.

Amendment    154

Proposal for a regulation

Article 24 – paragraph 4 – subparagraph 1 – point f

Text proposed by the Commission

Amendment

(f)  in accordance with national rules or with Regulation (EU) 2016/794 or, when applicable, Regulation (EU) 45/2001, the identifying mark of the official who carried out the query and of the official who ordered the query.

deleted

Amendment    155

Proposal for a regulation

Article 24 – paragraph 4 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

In addition, Member States shall keep logs of the unique user identity of the official performing the query.

Amendment    156

Proposal for a regulation

Article 24 – paragraph 4 – subparagraph 2

Text proposed by the Commission

Amendment

The logs of such access shall be regularly verified by the competent supervisory authority established in accordance with Article 51 of Regulation (EU) 2016/679 or in accordance with Article 41 of Directive 2016/680, at intervals not exceeding six months, to verify whether the procedures and conditions set out in Article 22(1) to (3) are fulfilled.

The logs of such access shall be regularly verified by the competent supervisory authority established in accordance with Article 51 of Regulation (EU) 2016/679 or in accordance with Article 41 of Directive 2016/680, at intervals not exceeding six months, to verify whether the procedures and conditions set out in Article 22(1) to (3) are fulfilled. eu-LISA shall make available to the supervisory authorities a practical tool to facilitate and automate as far as possible the verification of the logs.

Amendment    157

Proposal for a regulation

Article 24 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a.  Union agencies shall keep logs of queries of the staff duly authorised to use the CIR pursuant to Article 22.

Amendment    158

Proposal for a regulation

Article 24 – paragraph 6

Text proposed by the Commission

Amendment

6.  The logs referred to in paragraphs 1 and 5 may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. They shall be protected by appropriate measures against unauthorised access and erased one year after their creation, unless they are required for monitoring procedures that have already begun.

6.  The logs referred to in paragraphs 1, 5 and 5a may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, for self-monitoring, and for ensuring the proper functioning and the data integrity and security pursuant to Article 42. They shall be protected by appropriate measures against unauthorised access and erased two years after their creation, unless they are required for monitoring procedures that have already begun.

Amendment    159

Proposal for a regulation

Article 24 – paragraph 7

Text proposed by the Commission

Amendment

7.  eu-LISA shall keep the logs related to the history of the data stored in individual file, for purposes defined in paragraph 6. The logs related to the history of the data stored shall be erased once the data is erased.

7.  eu-LISA shall keep the logs related to the history of the data stored in individual file, for purposes defined in paragraph 6. The logs related to the history of the data stored shall be erased automatically once the data is erased.

Amendment    160

Proposal for a regulation

Article 24 – paragraph 7 a (new)

Text proposed by the Commission

Amendment

 

7a.  The competent national authorities in charge of checking whether or not access is lawful, monitoring the lawfulness of data processing, self-monitoring and ensuring the proper functioning, data integrity and security, shall have access, within the limits of their competence and at their request, to the logs for the purpose of fulfilling their duties.

Amendment    161

Proposal for a regulation

Article 24 – paragraph 7 b (new)

Text proposed by the Commission

Amendment

 

7b.  For the purposes of self-monitoring and ensuring the proper functioning of the CIR, data integrity and security, eu-LISA shall have access, within the limits of its competence, to the logs.

Amendment    162

Proposal for a regulation

Article 24 – paragraph 7 c (new)

Text proposed by the Commission

Amendment

 

7c.  The European Data Protection Supervisor shall have access, within the limits of its competence and upon request, to those logs for the purpose of fulfilling its tasks.

Amendment    163

Proposal for a regulation

Article 25 – paragraph 1

Text proposed by the Commission

Amendment

1.  A multiple-identity detector (MID) creating and storing links between data in the EU information systems included in the common identity repository (CIR) and the SIS and as a consequence detecting multiple identities, with the dual purpose of facilitating identity checks and combating identity fraud, is established for the purpose of supporting the functioning of the CIR and the objectives of the EES, the VIS, [the ETIAS], Eurodac, the SIS and [the ECRIS-TCN system].

1.  A multiple-identity detector (MID) creating and storing links between data in the Union information systems included in the CIR and SIS and as a consequence detecting multiple identities, with the dual purpose of facilitating identity checks and combating identity fraud, is established for the purpose of supporting the functioning of the CIR and the objectives of the EES, VIS, [ETIAS], Eurodac, SIS and [ECRIS-TCN], while fully respecting the principles of necessity and proportionality.

Amendment    164

Proposal for a regulation

Article 25 – paragraph 3

Text proposed by the Commission

Amendment

3.  eu-LISA shall develop the MID and ensure its technical management.

3.  eu-LISA shall develop the MID and ensure its technical management. It shall not have access to any of the personal data processed through the MID.

Amendment    165

Proposal for a regulation

Article 25 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a.  eu-LISA and the competent authorities of the Member States shall use appropriate procedures for the profiling, implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimized, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents discriminatory effects on natural persons on the basis of social, racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such effect.

Amendment    166

Proposal for a regulation

Article 26 – paragraph 1 – point e

Text proposed by the Commission

Amendment

(e)  the SIRENE Bureaux of the Member State creating a [Regulation on SIS in the field of law enforcement or Regulation on SIS in the field of illegal return];

(e)  the SIRENE Bureaux of the Member State creating or updating a [SIS alert in accordance with Regulation on SIS in the field of law enforcement or Regulation on SIS in the field of return];

Amendment    167

Proposal for a regulation

Article 27 – paragraph 2

Text proposed by the Commission

Amendment

2.  Where the data contained within an information system as referred to in paragraph 1 contains biometric data, the common identity repository (CIR) and the Central-SIS shall use the shared biometric matching service (shared BMS) in order to perform the multiple-identity detection. The shared BMS shall compare the biometric templates obtained from any new biometric data to the biometric templates already contained in the shared BMS in order to verify whether or not data belonging to the same third-country national is already stored in the CIR or in the Central SIS.

2.  Where the data contained within an information system as referred to in paragraph 1 contains biometric data, the common identity repository (CIR) and the Central SIS shall use the shared biometric matching service (shared BMS) in order to perform the multiple-identity detection. The shared BMS shall compare the biometric templates obtained from any new biometric data to the biometric templates already contained in the shared BMS in order to verify whether or not data belonging to the same person is already stored in the CIR or in the Central SIS.

Amendment    168

Proposal for a regulation

Article 27 – paragraph 3 – point h

Text proposed by the Commission

Amendment

(h)  [surname (family name); first name(s) (given names); date of birth, place of birth, nationality(ies) and gender as referred to in Article 5(1)(a) of the ECRIS-TCN Regulation.]

(h)  [surname (family name); first name(s) (given names); previous name(s); pseudonym and/or alias name(s); date of birth, place of birth, nationality(ies) and gender as referred to in Article 5(1)(a) of the ECRIS-TCN Regulation.]

Amendment    169

Proposal for a regulation

Article 27 – paragraph 4

Text proposed by the Commission

Amendment

4.  The multiple-identity detection shall only be launched in order to compare data available in one information system with data available in other information systems.

4.  The multiple-identity detection shall only be launched in order to compare data available in one Union information system with data available in other Union information systems.

Amendment    170

Proposal for a regulation

Article 28 – paragraph 5

Text proposed by the Commission

Amendment

5.  The Commission shall lay down the procedures to determine the cases where identity data can be considered as identical or similar in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).

5.  The Commission shall lay down the procedures to determine the cases where identity data can be considered as identical or similar in delegated acts. Those delegated acts shall be adopted in accordance with Article 63. Such acts shall be designed in a manner that ensures the protection of persons with multiple lawful identities against discrimination.

Justification

In this regard, women are more likely to be discriminated against due to the fact that they are more likely to have different legal identities (due to surname change following marriage).

Amendment    171

Proposal for a regulation

Article 28 – paragraph 6 – subparagraph 2

Text proposed by the Commission

Amendment

The Commission shall lay down the technical rules for linking data from different information systems by implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).

The Commission shall, in cooperation with eu-LISA, lay down the technical rules for linking data from different Union information systems by implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).

Amendment    172

Proposal for a regulation

Article 29 – paragraph 1 – subparagraph 1 – point e

Text proposed by the Commission

Amendment

(e)  the SIRENE Bureaux of the Member State for hits that occurred when creating a SIS alert in accordance with the [Regulations on SIS in the field of law enforcement and on SIS in the field of illegal return];

(e)  the SIRENE Bureaux of the Member State for hits that occurred when creating or updating a SIS alert in accordance with the [Regulations on SIS in the field of law enforcement and on SIS in the field of illegal return];

Amendment    173

Proposal for a regulation

Article 29 – paragraph 2 – point f

Text proposed by the Commission

Amendment

(f)  in an alert on unknown wanted persons for identification according to national law and search with biometric data as referred to in Article 40 of [the Regulation on SIS in the field of law enforcement].

deleted

Amendment    174

Proposal for a regulation

Article 29 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  Where the SIRENE Bureau is responsible for manually verifying different identities but has not been involved in the addition of the new identity data which has given rise to a yellow link, it shall be informed immediately by the authority which added the new identity data. The SIRENE Bureau shall carry out the manual verification of the different identities as soon as possible.

Amendment    175

Proposal for a regulation

Article 29 – paragraph 3

Text proposed by the Commission

Amendment

3.  Without prejudice to paragraph 4, the authority responsible for verification of different identities shall have access to the related data contained in the relevant identity confirmation file and to the identity data linked in the common identity repository and, where relevant, in the SIS, and shall assess the different identities and shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file without delay.

3.  Without prejudice to paragraph 4, the authority responsible for verification of different identities shall have access to the related data contained in the relevant identity confirmation file and to the identity data linked in the common identity repository and, where relevant, in the SIS, and shall assess the different identities and shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file without delay, in any case within 24 hours.

Amendment    176

Proposal for a regulation

Article 29 – paragraph 4

Text proposed by the Commission

Amendment

4.  Where the authority responsible for the verification of different identities in the identity confirmation file is the border authority creating or updating an individual file in the EES in accordance with Article 14 of the EES Regulation, and where a yellow link is obtained, the border authority shall carry out additional verifications as part of a second-line check. During this second-line check, the border authorities shall have access to the related data contained in the relevant identity confirmation file and shall assess the different identities and shall update the link in accordance with Articles 31 to 33 and add it to the identity confirmation file without delay.

4.  Where the authority responsible for the verification of different identities in the identity confirmation file is the border authority creating or updating an individual file in the EES in accordance with Article 14 of the EES Regulation, and where a yellow link is obtained, the border authority shall carry out additional verifications. For that purpose only, the border authorities shall have access to the related data contained in the relevant identity confirmation file and shall assess the different identities and shall update the link in accordance with Articles 31 to 33 of this Regulation and add it to the identity confirmation file without delay.

Amendment    177

Proposal for a regulation

Article 29 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a.  The verification of different identities under this Article shall, as a rule, take place in the presence of the person concerned who shall be offered the opportunity to explain the circumstances to the authority responsible, which shall take those explanations into account. Where the verification leads to the establishment of a red link, the person concerned shall receive a justification in writing.

Amendment    178

Proposal for a regulation

Article 29 – paragraph 5 b (new)

Text proposed by the Commission

Amendment

 

5b.  The manual verification of different identities shall take place within 8 hours from the creation of a yellow link under Article 28(4).

Amendment    179

Proposal for a regulation

Article 29 – paragraph 6 a (new)

Text proposed by the Commission

Amendment

 

6a.  Prior to being authorised to verify identities, the staff of the authorities referred to in paragraphs 1 and 2 shall receive specific training on how to conduct the verification of different identities.

Amendment    180

Proposal for a regulation

Article 30 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b)  the linked data has different identity data and no manual verification of different identity has taken place.

(b)  the linked data has different identity data, there is no biometric data to compare, and no manual verification of different identity has taken place;

Amendment    181

Proposal for a regulation

Article 30 – paragraph 1 – point b a (new)

Text proposed by the Commission

Amendment

 

(ba)  the linked data have the same identity data but different biometric data and no manual verification of different identities has taken place.

Amendment    182

Proposal for a regulation

Article 31 – paragraph 1

Text proposed by the Commission

Amendment

1.  A link between data from two or more information systems shall be classified as green where the linked data do not share the same biometric but have similar identity data and the authority responsible for the verification of different identities concluded it refers to two different persons

1.  A link between data from two or more information systems shall be classified as green where:

 

(a)  the linked data do not share the same biometric but have similar identity data and the authority responsible for the verification of different identities concluded it refers to two different persons;

 

(b)  the linked data share the same biometric data and the authority responsible for the verification of different identities has concluded that it refers to two different persons.

Amendment    183

Proposal for a regulation

Article 32 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a)  the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person;

(a)  the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers to the same person in an unjustified manner;

Amendment    184

Proposal for a regulation

Article 32 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b)  the linked data has similar identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person.

(b)  the linked data has similar identity data and the authority responsible for the verification of different identities concluded it refers to the same person in an unjustified manner.

Amendment    185

Proposal for a regulation

Article 32 – paragraph 2

Text proposed by the Commission

Amendment

2.  Where the CIR or the SIS are queried and where a red link exists between two or more of the information systems constituting the CIR or with the SIS, the multiple-identity detector shall reply indicating the data referred to in Article 34. Follow-up to a red link shall take place in accordance with Union and national law.

2.  Where the CIR or the SIS are queried and where a red link exists between two or more of the information systems constituting the CIR or with the SIS, the multiple-identity detector shall reply indicating the data referred to in Article 34. Follow-up to a red link shall take place in accordance with Union and national law. No legal consequence for the person or persons concerned shall derive solely from the existence of a red link.

Amendment    186

Proposal for a regulation

Article 32 – paragraph 4

Text proposed by the Commission

Amendment

4.  Without prejudice to the provisions related to the handling of alerts in the SIS referred to in the [Regulations on SIS in the field of border checks, on SIS in the field of law enforcement and on SIS in the field of illegal return], and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that any national investigation will not be jeopardised, where a red link is created, the authority responsible for verification of different identities shall inform the person of the presence of multiple unlawful identities.

4.  Without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that any national investigation will not be jeopardised, where a red link is created, the authority responsible for verification of different identities shall inform the person of the presence of multiple unlawful identities in accordance with Articles 12, 13 and 14 of Regulation (EU) 2016/679 and Article 13 of Directive (EU) 680/2016.

Amendment    187

Proposal for a regulation

Article 32 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a.  Where a Member State authority or Union agency with access to the CIR or SIS obtains evidence showing that a red link recorded in the MID is incorrect or that the data processed in the MID, CIR and SIS were processed in breach of this Regulation, that authority shall, where the link relates to Union information systems either rectify or erase the link from the MID immediately, or where the link relates to SIS, inform the relevant SIRENE Bureau of the Member State that created the SIS alert immediately. That SIRENE Bureau shall verify the evidence provided by the Member State authority and rectify or erase the link from the MID immediately thereafter.

Amendment    188

Proposal for a regulation

Article 33 – paragraph 1 – point c a (new)

Text proposed by the Commission

Amendment

 

(ca)  the linked data shares the same identity data and different biometric data and the authority responsible for the verification of different identities has concluded that it refers to the same person and their biometric data has changed due to injury, illness or another legitimate reason.

Amendment    189

Proposal for a regulation

Article 33 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

 

4a.  If a Member State authority has evidence to suggest that a white link recorded in the MID is factually inaccurate, not up-to-date or that data were processed in the MID or the Union information systems or SIS in breach of this Regulation, it shall check the relevant data stored in the Union information systems and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification without delay.

Amendment    190

Proposal for a regulation

Article 34 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d)  where relevant, the authority responsible for the verification of different identities.

(d)  the authority responsible for the verification of different identities.

Amendment    191

Proposal for a regulation

Article 35 – paragraph 1

Text proposed by the Commission

Amendment

The identity confirmation files and its data, including the links, shall be stored in the multiple-identity detector (MID) only for as long as the linked data is stored in two or more EU information systems.

The identity confirmation files and its data, including the links, shall be stored in the multiple-identity detector (MID) only for as long as the linked data is stored in two or more Union information systems. Once this condition is no longer met, the identity confirmation files and their data, including all related links, shall be deleted automatically.

Amendment    192

Proposal for a regulation

Article 36 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  eu-LISA shall keep logs of all data processing operations within the MID. Those logs shall include, in particular, the following:

1.  eu-LISA shall keep logs of all data processing operations within the MID. Those logs shall include the following:

Amendment    193

Proposal for a regulation

Article 36 – paragraph 1 – point -a (new)

Text proposed by the Commission

Amendment

 

(-a)  the Member State authority launching the query;

Amendment    194

Proposal for a regulation

Article 36 – paragraph 1 – point f

Text proposed by the Commission

Amendment

(f)  the identifying mark of the person who carried out the query.

deleted

Amendment    195

Proposal for a regulation

Article 36 – paragraph 1 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

In addition, Member States shall keep logs of the unique user identity of the official performing the query.

Amendment    196

Proposal for a regulation

Article 36 – paragraph 3

Text proposed by the Commission

Amendment

3.  The logs may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. The logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation, unless they are required for monitoring procedures that have already begun. The logs related to the history of the identity confirmation file shall be erased once the data in the identity confirmation file is erased.

3.  The logs may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, for self-monitoring, and for ensuring the proper functioning and the data integrity and security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to the national supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. The logs shall be protected by appropriate measures against unauthorised access and erased two years after their creation, unless they are required for monitoring procedures that have already begun. The logs related to the history of the identity confirmation file shall be erased once the data in the identity confirmation file is erased.

Amendment    197

Proposal for a regulation

Article 37 – paragraph -1 (new)

Text proposed by the Commission

Amendment

 

-1.  Member States shall ensure that the quality of the data in the EES, [ETIAS], VIS, SIS, the shared BMS, the CIR and the MID are closely monitored in order to ensure that they meet the overall requirements for the proper functioning of the respective Union information systems and the interoperability components. Member States shall also ensure that all staff entering data in any of those Union information systems has received prior training on data quality.

Amendment    198

Proposal for a regulation

Article 37 – paragraph 1

Text proposed by the Commission

Amendment

1.  eu-LISA shall establish automated data quality control mechanisms and procedures on the data stored in the EES, the [ETIAS], the VIS, the SIS, the shared biometric matching service (shared BMS), the common identity repository (CIR) and the multiple-identity detector (MID).

1.  eu-LISA shall establish as soon as possible automated data quality control mechanisms and procedures on the data stored in the EES, [ETIAS], VIS, SIS, the (shared BMS) and (CIR). Those automated data quality control mechanisms shall be adequately tested prior to the start of operations of the interoperability components under Article 62.

Amendment    199

Proposal for a regulation

Article 37 – paragraph 2

Text proposed by the Commission

Amendment

2.  eu-LISA shall establish common data quality indicators and the minimum quality standards to store data in the EES, the [ETIAS], the VIS, the SIS, the shared BMS, the CIR and the MID.

2.  eu-LISA shall establish common data quality indicators and the minimum quality standards to store data in the EES, [ETIAS], VIS, SIS, the shared BMS, the CIR and the MID.

 

Only data fulfilling the minimum quality standards may be entered in the EES, [ETIAS], VIS, SIS, the shared BMS, the CIR and the MID.

 

If an authority attempts to enter data not fulfilling the applicable minimum quality standards, it shall immediately receive an automated warning from the relevant Union information system that the data cannot be entered suggesting methods for satisfying the minimum quality standards.

Amendment    200

Proposal for a regulation

Article 37 – paragraph 3

Text proposed by the Commission

Amendment

3.  eu-LISA shall provide regular reports on the automated data quality control mechanisms and procedures and the common data quality indicators to the Member States. eu-LISA shall also provide a regular report to the Commission covering the issues encountered and the Member States concerned.

3.  eu-LISA shall provide regular reports on the automated data quality control mechanisms and procedures and the common data quality indicators to the Member States. eu-LISA shall also provide a regular report to the Commission covering the issues encountered and the Member States concerned. eu-LISA shall also provide that report to the European Parliament and the Council upon request. No reports provided under this paragraph shall contain any personal data.

Amendment    201

Proposal for a regulation

Article 37 – paragraph 5

Text proposed by the Commission

Amendment

5.  One year after the establishment of the automated data quality control mechanisms and procedures and common data quality indicators and every year thereafter, the Commission shall evaluate Member State implementation of data quality and shall make any necessary recommendations. The Member States shall provide the Commission with an action plan to remedy any deficiencies identified in the evaluation report and shall report on any progress against this action plan until it is fully implemented. The Commission shall transmit the evaluation report to the European Parliament, to the Council, to the European Data Protection Supervisor and to the European Union Agency for Fundamental Rights established by Council Regulation (EC) No 168/2007.64

5.  One year after the establishment of the automated data quality control mechanisms and procedures and common data quality indicators and every year thereafter, the Commission shall evaluate Member State implementation of data quality and shall make any necessary recommendations. The Member States shall provide the Commission with an action plan to remedy any deficiencies identified in the evaluation report and, in particular, data quality issues deriving from erroneous data in existing Union information systems and in SIS. The Commission shall report on any progress against this action plan until it is fully implemented. The Commission shall transmit the evaluation report to the European Parliament, to the Council, to the European Data Protection Supervisor, the European Data Protection Board and to the European Union Agency for Fundamental Rights established by Council Regulation (EC) No 168/2007.64

__________________


64 Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights (OJ L 53, 22.2.2007, p. 1).


Amendment    202

Proposal for a regulation

Article 37 a (new)

Text proposed by the Commission

Amendment

 

Article 37a

 

Availability and response time for interrogation

 

All interoperability components shall be developed and managed in such a way as to ensure fast, seamless, efficient, controlled access, their full availability as laid down in Article 53(1) and a response time in line with the operational needs of the Member States’ authorities.

Amendment    203

Proposal for a regulation

Article 38 – paragraph 2

Text proposed by the Commission

Amendment

2.  The UMF standard shall be used in the development of the [Eurodac], the [ECRIS-TCN system], the European search portal, the CIR, the MID and, if appropriate, in the development by eu-LISA or any other EU body of new information exchange models and information systems in the area of Justice and Home Affairs.

2.  The UMF standard shall be used in the development of the [Eurodac], the [ECRIS-TCN system], the ESP, the CIR, the MID where feasible and, if appropriate, in the development by eu-LISA or any other Union agency of new information exchange models and Union information systems in the area of Justice and Home Affairs.

Amendment    204

Proposal for a regulation

Article 38 – paragraph 3

Text proposed by the Commission

Amendment

3.  The implementation of the UMF standard may be considered in the VIS, the SIS and in any existing or new cross-border information exchange models and information systems in the area of Justice and Home Affairs, developed by Member States or associated countries.

deleted

Amendment    205

Proposal for a regulation

Article 39 – paragraph 1

Text proposed by the Commission

Amendment

1.  A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of Eurodac, the SIS and [the ECRIS-TCN system] and to generate cross-system statistical data and analytical reporting for policy, operational and data quality purposes.

1.  A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of Eurodac, SIS and [ECRIS-TCN] and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes.

Amendment    206

Proposal for a regulation

Article 39 – paragraph 3

Text proposed by the Commission

Amendment

3.  eu-LISA shall render the data anonymous and shall record such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated.

3.  eu-LISA shall render the data anonymous, by ensuring that the data subject is non-identifiable, and shall record such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated. No access by eu-LISA staff shall be granted to any personal data stored in the Union information systems or in the interoperability components.

 

The data contained in CRRS shall not allow for the identification of individuals.

Amendment    207

Proposal for a regulation

Article 39 – paragraph 4 – point a

Text proposed by the Commission

Amendment

(a)  a central infrastructure, consisting of a data repository enabling the rendering of anonymous data;

(a)  a central infrastructure, consisting of a data repository and a mechanism that ensures for the data to be rendered anonymous before it is stored in CRRS;

Amendment    208

Proposal for a regulation

Article 39 – paragraph 5

Text proposed by the Commission

Amendment

5.  The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).

5.  The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of a delegated act adopted in accordance with the procedure referred to in Article 63.

Justification

The CRRS will constitute a further database at EU level, albeit that the personal data it contains should be anonymised. The rules relating to safeguards on data protection fall under the remit of the co-legislators and as such should be the subject of a delegated act.

Amendment    209

Proposal for a regulation

Article 40 – paragraph 1

Text proposed by the Commission

Amendment

1.  In relation to the processing of data in the shared biometric matching service (shared BMS), the Member State authorities that are controllers for the Eurodac, SIS and [the ECRIS-TCN system] respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMS.

1.  In relation to the processing of data in the shared BMS, the Member State authorities that are controllers for the Eurodac, SIS and [the ECRIS-TCN system] respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 or Article 3(8) of Directive (EU) 2016/680 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMS. In relation to information security management of the shared BMS, eu-LISA shall be considered a controller.

Amendment    210

Proposal for a regulation

Article 40 – paragraph 3 – point a

Text proposed by the Commission

Amendment

(a)  the European Border and Coast Guard Agency shall be considered a data controller in accordance with Article 2(b) of Regulation No 45/2001 in relation to processing of personal data by the ETIAS Central Unit;

(a)  the European Border and Coast Guard Agency shall be considered a data controller in accordance with Article 2(d) of Regulation (EC) No 45/2001 in relation to processing of personal data by the ETIAS Central Unit;

Amendment    211

Proposal for a regulation

Article 40 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a.  In relation to information security management of the interoperability components eu-LISA shall be considered a data controller in accordance with Regulation (EC) No 45/2001.

Amendment    212

Proposal for a regulation

Article 41 – paragraph 1

Text proposed by the Commission

Amendment

In relation to the processing of personal data in the CIR, eu-LISA is to be considered the data processor in accordance with Article 2(e) of Regulation (EC) No 45/2001.

In relation to the processing of personal data in the shared BMS, the CIR and the MID, eu-LISA is to be considered the data processor in accordance with Article 2(e) of Regulation (EC) No 45/2001.

Justification

The two missing interoperability components in which data processing takes place need to be added. There is no need to add the ESP as no processing of personal data takes place within it.

Amendment    213

Proposal for a regulation

Article 42 – paragraph 1

Text proposed by the Commission

Amendment

1.  Both eu-LISA and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to the application of this Regulation. eu-LISA, [the ETIAS Central Unit] and the Member State authorities shall cooperate on security-related tasks.

1.  eu-LISA, the Member State authorities and Europol shall ensure the security of the processing of personal data that takes place pursuant to this Regulation. eu-LISA shall be responsible for the central infrastructure of the interoperability components and Member States shall be responsible for the parts referred to in Article 54. eu-LISA, [the European Border and Coast Guard Agency], Europol and the Member State authorities shall cooperate on security-related tasks.

Amendment    214

Proposal for a regulation

Article 42 – paragraph 3 – point a a (new)

Text proposed by the Commission

Amendment

 

(aa)  deny unauthorised persons access to data-processing equipment and installations;

Amendment    215

Proposal for a regulation

Article 42 – paragraph 3 – point d a (new)

Text proposed by the Commission

Amendment

 

(da)  prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;

Amendment    216

Proposal for a regulation

Article 42 – paragraph 3 – point h a (new)

Text proposed by the Commission

Amendment

 

(ha)  ensure that, in the event of interruption, installed systems can be restored to normal operation;

Amendment    217

Proposal for a regulation

Article 42 – paragraph 3 – point h b (new)

Text proposed by the Commission

Amendment

 

(hb)  ensure reliability by making sure that any faults in the functioning of the interoperability components are properly reported;

Amendment    218

Proposal for a regulation

Article 42 – paragraph 3 – point i

Text proposed by the Commission

Amendment

(i)  monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation.

(i)  monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.

Amendment    219

Proposal for a regulation

Article 42 – paragraph 4

Text proposed by the Commission

Amendment

4.  Member States shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.

4.  Member States, Europol and the European Border and Coast Guard Agency shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.

Amendment    220

Proposal for a regulation

Article 43 – title

Text proposed by the Commission

Amendment

Confidentiality of SIS data

Confidentiality of data

Amendment    221

Proposal for a regulation

Article 43 – paragraph 1

Text proposed by the Commission

Amendment

1.  Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data accessed through any of the interoperability components in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.

1.  Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with data accessed through any of the interoperability components in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.

Amendment    222

Proposal for a regulation

Article 43 – paragraph 2

Text proposed by the Commission

Amendment

2.  Without prejudice to Article 17 of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of comparable standards to those laid down in paragraph 1 to all its staff required to work with SIS data. This obligation shall also apply after those persons leave office or employment or after the termination of their activities.

2.  Without prejudice to Article 17 of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of comparable standards to those laid down in paragraph 1 of this Article to all its staff required to work with data. This obligation shall also apply after those persons leave office or employment or after the termination of their activities.

Amendment    223

Proposal for a regulation

Article 43 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  Where eu-LISA or a Member State cooperates with external contractors in any task related to the interoperability components, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular those on security, confidentiality and data protection.

Amendment    224

Proposal for a regulation

Article 44 – paragraph 1

Text proposed by the Commission

Amendment

1.  Any event that has or may have an impact on the security of the interoperability components and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

1.  Any event that has or may have an impact on the security of the interoperability components and may cause unauthorised access to, damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

Amendment    225

Proposal for a regulation

Article 44 – paragraph 3

Text proposed by the Commission

Amendment

3.  Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA and the European Data Protection Supervisor of security incidents. In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.

3.  Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States and Europol shall notify the Commission, eu-LISA, competent supervisory authorities and the European Data Protection Supervisor of any security incidents without delay. In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.

Amendment    226

Proposal for a regulation

Article 44 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a.  The Commission shall report serious incidents immediately to the European Parliament and to the Council. Those reports shall be classified as EU RESTRICTED/RESTREINT UE in accordance with applicable security rules.

Amendment    227

Proposal for a regulation

Article 44 – paragraph 4

Text proposed by the Commission

Amendment

4.  Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and confidentiality of the data shall be provided to the Member States and reported in compliance with the incident management plan to be provided by eu-LISA.

4.  Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and confidentiality of the data shall be provided to the Member States, the ETIAS Central Unit where necessary, and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA.

Amendment    228

Proposal for a regulation

Article 44 – paragraph 5

Text proposed by the Commission

Amendment

5.  The Member States concerned and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specification of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).

5.  The Member States concerned, the ETIAS Central Unit, Europol and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specification of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).

Amendment    229

Proposal for a regulation

Article 45 – paragraph 1

Text proposed by the Commission

Amendment

Member States and the relevant EU bodies shall ensure that each authority entitled to access the interoperability components takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.

Member States and the relevant Union agencies shall ensure that each authority entitled to access the interoperability components takes the measures necessary to monitor its compliance with this Regulation and cooperates with the supervisory authority.

Amendment    230

Proposal for a regulation

Article 45 a (new)

Text proposed by the Commission

Amendment

 

Article 45a

Penalties

Member States shall ensure that any misuse of data, processing of data or exchange of data contrary to this Regulation is punishable in accordance with national law. The penalties provided shall be effective, proportionate and dissuasive and shall include the possibility for administrative and criminal penalties.

Amendment    231

Proposal for a regulation

Article 45 b (new)

Text proposed by the Commission

Amendment

 

Article 45b

Liability

1. Without prejudice to the right to compensation from, and liability of, the controller or processor under Regulations (EC) No 45/2001 and (EU) 2016/679 and Directive (EU) 2016/680:

(a) any person or Member State that has suffered material or non-material damage as a result of an unlawful personal data processing operation or any other act incompatible with this Regulation by a Member State shall be entitled to receive compensation from that Member State; and

(b) any person or Member State that has suffered material or non-material damage as a result of any act by Europol, the European Border and Coast Guard Agency or eu-LISA incompatible with this Regulation shall be entitled to receive compensation from the agency in question.

The Member State concerned, Europol, the European Border and Coast Guard Agency or eu-LISA shall be exempted from their liability under the first subparagraph, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.

2. If any failure of a Member State to comply with its obligations under this Regulation causes damage to the interoperability components, that Member State shall be liable for such damage, unless and insofar as eu-LISA or another Member State bound by this Regulation failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of the defendant Member State. Claims for compensation against the controller or eu-LISA for the damage referred to in paragraphs 1 and 2 shall be subject to the conditions provided for in the Treaties.

Amendment    232

Proposal for a regulation

Article 46 – title

Text proposed by the Commission

Amendment

Right of information

Right to information

Amendment    233

Proposal for a regulation

Article 46 – paragraph 1

Text proposed by the Commission

Amendment

1.  Without prejudice to the right of information referred to in Articles 11 and 12 of Regulation (EC) 45/2001 and Articles 13 and 14 of Regulation (EU) 2016/679, persons whose data are stored in the shared biometric matching service, the common identity repository or the multiple-identity detector shall be informed by the authority collecting their data, at the time their data are collected, about the processing of personal data for the purposes of this Regulation, including about identity and contact details of the respective data controllers, and about the procedures for exercising their rights of access, rectification and erasure, as well as about the contact details of the European Data Protection Supervisor and of the national supervisory authority of the Member State responsible for the collection of the data.

1.  The authority collecting the data of persons whose data are stored in the shared BMS, the CIR or the MID shall provide those persons with the information required under Articles 11 and 12 of Regulation (EC) 45/2001 and Articles 13 and 14 of Regulation (EU) 2016/679 in the manner required by Article 12 and Article 13 of Directive 2016/680. The authority shall provide the information at the time that such data are collected.

Amendment    234

Proposal for a regulation

Article 46 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  All information shall be provided to data subjects in a manner and language which they understand, or are reasonably expected to understand. This shall include providing information in a manner which is appropriate to the age of the data subjects who are minors.

Amendment    235

Proposal for a regulation

Article 46 a (new)

Text proposed by the Commission

Amendment

 

Article 46a

Information Campaign

The Commission shall, in cooperation with the supervisory authorities and the European Data Protection Supervisor, accompany the start of operations of each interoperability component with an information campaign informing the public and, in particular, third-country nationals, about the objectives and the functioning of those components, the authorities having access and the conditions for such access, and the rights of persons concerned. Such information campaigns shall be conducted continuously.

Amendment    236

Proposal for a regulation

Article 47 – title

Text proposed by the Commission

Amendment

Right of access, correction and erasure

Right of access to, rectification, completion and erasure of personal data, and of restriction of the processing thereof - web service

Amendment    237

Proposal for a regulation

Article 47 – paragraph 1

Text proposed by the Commission

Amendment

1.  In order to exercise their rights under Articles 13, 14, 15 and 16 of Regulation (EC) 45/2001 and Articles 15, 16, 17 and 18 of Regulation (EU) 2016/679, any person shall have the right to address him or herself to the Member State responsible for the manual verification of different identities or of any Member State, who shall examine and reply to the request.

1.  In order to exercise their rights under Articles 13, 14, 15 and 16 of Regulation (EC) 45/2001 and Articles 15, 16, 17 and 18 of Regulation (EU) 2016/679 and Articles 14 and 16 of Directive (EU) 2016/680 as regards the processing of personal data in the CIR, the shared BMS and the MID, any person shall have the right to address him or herself to the Member State responsible for the manual verification of different identities or to any other Member State, who shall examine and reply to the request.

Amendment    238

Proposal for a regulation

Article 47 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  Without prejudice to paragraph 1, and in order to facilitate and better enable the effective exercise of the rights of data subjects as described in paragraph 1 to access, rectify, erase or restrict the processing of their personal data under interoperability components, in particular for those third-country nationals who may be outside the territory of the Member States, eu-LISA shall establish a web service, hosted in its technical site, which shall enable data subjects to make requests for access, correction, erasure or rectification of their personal data. The web service shall act as a single point of contact for those third-country nationals who are outside the territory of the Member States.

The web service shall immediately transmit such requests to the Member State responsible for manual verification of different identities in accordance with Article 29, or, where appropriate, to the Member State responsible for the entry of the data in the underlying Union information system which is the subject of the request.

Amendment    239

Proposal for a regulation

Article 47 – paragraph 1 b (new)

Text proposed by the Commission

Amendment

 

1b.  The Commission shall adopt implementing acts concerning the detailed rules on the conditions for the operation of the web service and the applicable data protection and security rules. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64.

Amendment    240

Proposal for a regulation

Article 47 – paragraph 2

Text proposed by the Commission

Amendment

2.  The Member State responsible for the manual verification of different identities as referred to in Article 29 or the Member State to which the request has been made shall reply to such requests within 45 days of receipt of the request.

2.  The Member State responsible for the manual verification of different identities as referred to in Article 29 or the Member State to which the request has been made, either directly from the data subject in accordance with paragraph 1 or via the web service in accordance with paragraph 1a, shall reply to such requests without undue delay and in any event within one month of receipt of the request.

Amendment    241

Proposal for a regulation

Article 47 – paragraph 3

Text proposed by the Commission

Amendment

3.  If a request for correction or erasure of personal data is made to a Member State other than the Member State responsible, the Member State to which the request has been made shall contact the authorities of the Member State responsible within seven days and the Member State responsible shall check the accuracy of the data and the lawfulness of the data processing within 30 days of such contact.

3.  If a request for access, correction or erasure of personal data is made to a Member State other than the Member State responsible, the Member State to which the request has been made shall contact the authorities of the Member State responsible in writing within seven days and the Member State responsible shall check the accuracy of the data and the lawfulness of the data processing without undue delay and in any event within one month of such contact. The person concerned shall be informed by the Member State which contacted the authority of the Member State responsible that his or her request was forwarded about the further procedure.

Amendment    242

Proposal for a regulation

Article 47 – paragraph 4

Text proposed by the Commission

Amendment

4.  Where, following an examination, it is found that the data stored in the multiple-identity detector (MID) are factually inaccurate or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall correct or delete these data.

4.  Where, following an examination, it is found that the data stored in the CIR, the shared BMS and MID are factually inaccurate or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall immediately correct or delete these data. The person concerned shall be informed in writing that his or her data has been rectified or erased.

Amendment    243

Proposal for a regulation

Article 47 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

 

4a.  Any person shall have the right to lodge a complaint and the right to a legal remedy in the Member State which has refused the right of access to or the right of rectification or erasure of data relating to him or her, in accordance with Union or national law.

Amendment    244

Proposal for a regulation

Article 47 – paragraph 5

Text proposed by the Commission

Amendment

5.  Where data in the MID is amended by the responsible Member State during its validity period, the responsible Member State shall carry out the processing laid down in Article 27 and, where relevant, Article 29 to determine whether the amended data shall be linked. Where the processing does not report any hit, the responsible Member State or, where applicable, the Member State to which the request has been made shall delete the data from the identity confirmation file. Where the automated processing reports one or several hit(s), the responsible Member State shall create or update the relevant link in accordance with the relevant provisions of this Regulation.

5.  Where data in the CIR, the shared BMS or in the MID is amended by the responsible Member State during its validity period, the responsible Member State shall carry out the processing laid down in Article 27 and, where relevant, Article 29 to determine whether the amended data shall be linked. Where the processing does not report any hit, the responsible Member State or, where applicable, the Member State to which the request has been made shall delete the data from the identity confirmation file. Where the automated processing reports one or several hit(s), the responsible Member State shall create or update the relevant link in accordance with the relevant provisions of this Regulation.

Amendment    245

Proposal for a regulation

Article 47 – paragraph 6

Text proposed by the Commission

Amendment

6.  Where the responsible Member State or, where applicable, the Member State to which the request has been made does not agree that data stored in the MID are factually inaccurate or have been recorded unlawfully, that Member State shall adopt an administrative decision explaining in writing to the person concerned without delay why it is not prepared to correct or delete data relating to him or her.

6.  Where the responsible Member State or, where applicable, the Member State to which the request has been made does not agree that data stored in the CIR, the shared BMS or the MID are factually inaccurate or have been recorded unlawfully, that Member State shall adopt an administrative decision explaining in writing to the person concerned without delay why it is not prepared to correct or delete data relating to him or her.

Amendment    246

Proposal for a regulation

Article 47 – paragraph 7

Text proposed by the Commission

Amendment

7.  This decision shall also provide the person concerned with information explaining the possibility to challenge the decision taken in respect of the request referred in paragraph 3 and, where relevant, information on how to bring an action or a complaint before the competent authorities or courts, and any assistance, including from the competent national supervisory authorities.

7.  This decision shall also provide the person concerned with information explaining the possibility to challenge the decision taken in respect of the request referred to in paragraphs 1, 2 and 3 and information on how to bring an action or a complaint before the competent authorities or courts, and any assistance, including from the competent national supervisory authorities together with its contact details.

Amendment    247

Proposal for a regulation

Article 47 – paragraph 8

Text proposed by the Commission

Amendment

8.  Any request made pursuant to paragraph 3 shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 3 and shall be erased immediately afterwards.

8.  Any request made pursuant to paragraphs 1, 2 and 3 shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 3 and shall be erased immediately afterwards.

Amendment    248

Proposal for a regulation

Article 47 – paragraph 9

Text proposed by the Commission

Amendment

9.  The responsible Member State or, where applicable, the Member State to which the request has been made shall keep a record in the form of a written document that a request referred to in paragraph 3 was made and how it was addressed, and shall make that document available to competent data protection national supervisory authorities without delay.

9.  The responsible Member State or, where applicable, the Member State to which the request has been made shall keep a record in the form of a written document that a request referred to in paragraphs 1, 2 and 3 was made and how it was addressed, and shall make that document available to competent data protection national supervisory authorities without delay.

Amendment    249

Proposal for a regulation

Article 48 – paragraph 1

Text proposed by the Commission

Amendment

Personal data stored in or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party.

Without prejudice to [Article 65 of the ETIAS Regulation], Article 41 of Regulation (EU) 2017/2226, Article 31 of Regulation (EC) No 767/2008, Article 25 of Regulation (EU) 2016/794 and the querying of Interpol databases through the ESP in accordance with Article 9(5) of this Regulation, personal data stored in, processed or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party.

Amendment    250

Proposal for a regulation

Article 48 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

Any breach of this Article shall be considered a serious security incident and shall be immediately reported and addressed in accordance with Article 44.

Amendment    251

Proposal for a regulation

Article 49 – paragraph -1 (new)

Text proposed by the Commission

Amendment

 

-1.  Each Member State shall ensure that the supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 independently monitors the lawfulness of the processing of personal data pursuant to this Regulation by the Member State concerned.

Amendment    252

Proposal for a regulation

Article 49 – paragraph -1 a (new)

Text proposed by the Commission

Amendment

 

-1a.  Each Member State shall ensure that the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 are also applicable to access to the interoperability components by police authorities and designated authorities, including in relation to the rights of the persons whose data are so accessed.

Amendment    253

Proposal for a regulation

Article 49 – paragraph -1 b (new)

Text proposed by the Commission

Amendment

 

-1b.  The supervisory authority referred to in Article 41(1) of Directive (EU) 2016/680 shall monitor the lawfulness of the access to personal data by the Member States' police authorities and designated authorities. Article 49(2) and (2a) of this Regulation shall apply accordingly.

Amendment    254

Proposal for a regulation

Article 49 – paragraph 1

Text proposed by the Commission

Amendment

1.  The supervisory authority or authorities designated pursuant to Article 49 of Regulation (EU) 2016/679 shall ensure that an audit of the data processing operations by the responsible national authorities is carried out in accordance with relevant international auditing standards at least every four years.

1.  The supervisory authority or authorities referred to in Article 51(1) of Regulation (EU) 2016/679 or pursuant to Article 41 of Directive (EU) 2016/680 shall ensure that an audit of the data processing operations by the responsible national authorities is carried out in accordance with relevant international auditing standards at least every four years. The first such audit shall be carried out two years after the date on which the last interoperability component starts operations under Article 62. The results of the audit may be taken into account in the evaluations conducted under the mechanism established by Council Regulation (EU) No 1053/2013 (1a). The supervisory authorities referred to in Article 51(1) of Regulation (EU) 2016/679 and Article 41(1) of Directive (EU) 2016/680 shall publish annually the number of requests for rectification, completion or erasure, or restriction of processing of data, the action subsequently taken and the number of rectifications, completions, erasures and restrictions of processing made in response to requests by the persons concerned.

__________________

(1a) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).

Amendment    255

Proposal for a regulation

Article 49 – paragraph 2

Text proposed by the Commission

Amendment

2.  Member States shall ensure that their supervisory authority has sufficient resources to fulfil the tasks entrusted to it under this Regulation.

2.  Member States shall ensure that their supervisory authority has sufficient resources, including both human and financial resources, to fulfil the tasks entrusted to it under this Regulation and has access to advice from persons with sufficient knowledge of biometric data. Member States shall grant the supervisory authority access to their logs without prejudice to constraints imposed by national security interests.

Amendment    256

Proposal for a regulation

Article 49 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  Member States shall supply any information requested by a supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 and shall, in particular, provide it with information on the activities carried out in accordance with their responsibilities as laid down in this Regulation. Member States shall grant the supervisory authorities referred to in Article 51(1) of Regulation (EU) 2016/679 access to their logs and allow them to access all their premises used for interoperability purposes at all times.

Amendment    257

Proposal for a regulation

Article 50 – paragraph 1

Text proposed by the Commission

Amendment

The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, the Council, eu-LISA, the Commission and the Member States. eu-LISA shall be given an opportunity to make comments before the reports are adopted.

The European Data Protection Supervisor shall be responsible for monitoring the personal data processing activities of eu-LISA, Europol and the European Border and Coast Guard Agency under this Regulation and for ensuring that such activities are carried out in accordance with Regulation (EC) No 45/2001, Regulation (EU) 2016/794 and with this Regulation.

eu-LISA shall supply information requested by the European Data Protection Supervisor to it, give the European Data Protection Supervisor access to all the documents and to its logs referred to in Articles 10, 16, 24 and 36 and allow the European Data Protection Supervisor access to all its premises at any time.

The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. The first such audit shall be carried out two years after the date on which the last interoperability component starts operations as set in accordance with Article 62. A report of that audit shall be sent to the European Parliament, the Council, eu-LISA, the Commission and the Member States. eu-LISA shall be given an opportunity to make comments before the reports are adopted. The European Data Protection Supervisor shall have sufficient additional resources, including both human and financial resources, to fulfil the tasks entrusted to it under this Regulation.

Amendment    258

Proposal for a regulation

Article 51 – paragraph 1

Text proposed by the Commission

Amendment

1.  The European Data Protection Supervisor shall act in close cooperation with national supervisory authorities with respect to specific issues requiring national involvement, in particular if the European Data Protection Supervisor or a national supervisory authority finds major discrepancies between practices of Member States or finds potentially unlawful transfers using the communication channels of the interoperability components, or in the context of questions raised by one or more national supervisory authorities on the implementation and interpretation of this Regulation.

1.  The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities and ensure coordinated supervision of the use of the interoperability components and the application of other provisions of this Regulation, in particular if the European Data Protection Supervisor or a national supervisory authority finds major discrepancies between practices of Member States or finds potentially unlawful transfers using the communication channels of the interoperability components.

Amendment    259

Proposal for a regulation

Article 51 – paragraph 2

Text proposed by the Commission

Amendment

2.  In the cases referred to in paragraph 1, coordinated supervision shall be ensured in accordance with Article 62 of Regulation (EU) XXXX/2018 [revised Regulation 45/2001].

2.  The European Data Protection Supervisor and the supervisory authorities shall exchange relevant information, assist each other in carrying out audits and inspections, examine any difficulties concerning the interpretation or application of this Regulation, assess problems in the exercise of independent supervision or in the exercise of the rights of the data subject, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

Amendment    260

Proposal for a regulation

Article 51 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  For the purpose of paragraph 2, the supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year within the framework of the European Data Protection Board established by Regulation (EU) 2016/679 (the ‘European Data Protection Board’). The costs of those meetings shall be borne by that Board, which shall also organise them. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

Amendment    261

Proposal for a regulation

Article 51 – paragraph 2 b (new)

Text proposed by the Commission

Amendment

 

2b.  The European Data Protection Board shall send a joint report of activities to the European Parliament, the Council, the Commission, Europol, the European Border and Coast Guard Agency and eu-LISA two years after entry into force of this Regulation and every two years thereafter. That report shall include a chapter on each Member State prepared by the supervisory authority of that Member State.

Amendment    262

Proposal for a regulation

Article 52 – paragraph 2

Text proposed by the Commission

Amendment

2.  The interoperability components shall be hosted by eu-LISA in its technical sites and shall provide the functionalities laid down in this Regulation in accordance with the conditions of security, availability, quality and speed referred to in Article 53(1).

2.  The interoperability components shall be hosted by eu-LISA in its technical sites and shall provide the functionalities laid down in this Regulation in accordance with the conditions of security, availability, quality and speed referred to in Article 37, Article 37a and Article 53(1).

Amendment    263

Proposal for a regulation

Article 52 – paragraph 3 – subparagraph 1

Text proposed by the Commission

Amendment

eu-LISA shall be responsible for the development of the interoperability components, for any adaptations required for establishing interoperability between the central systems of the EES, VIS, [ETIAS], SIS, and Eurodac, and [the ECRIS-TCN system], and the European search portal, the shared biometric matching service, the common identity repository and the multiple-identity detector.

eu-LISA shall be responsible for the design and development of the interoperability components, for any adaptations required for establishing interoperability between the central systems of the EES, VIS, [ETIAS], SIS, and Eurodac, and [ECRIS-TCN], and the ESP, the shared BMS, the CIR, the MID and the CRRS.

Amendment    264

Proposal for a regulation

Article 52 – paragraph 3 – subparagraph 4

Text proposed by the Commission

Amendment

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination. eu-LISA shall follow the principles of privacy by design and by default during the entire lifecycle of the development of the interoperability components.

Amendment    265

Proposal for a regulation

Article 53 – paragraph 1 – subparagraph 1

Text proposed by the Commission

Amendment

Following the entry into operations of each interoperability component, eu-LISA shall be responsible for the technical management of the central infrastructure and the national uniform interfaces. In cooperation with the Member States, it shall ensure at all times the best available technology, subject to a cost-benefit analysis. eu-LISA shall also be responsible for the technical management of the communication infrastructure referred to in Articles 6, 12, 17, 25 and 39.

Following the entry into operations of each interoperability component, eu-LISA shall be responsible for the technical and security management of the central infrastructure of the interoperability components, including maintenance and technological developments. In cooperation with the Member States, it shall ensure that at all times the best available technology is used, subject to a cost-benefit analysis. eu-LISA shall also be responsible for the technical management and security of the communication infrastructure referred to in Articles 6, 12, 17, 25 and 39.

Amendment    266

Proposal for a regulation

Article 53 – paragraph 1 – subparagraph 2

Text proposed by the Commission

Amendment

Technical management of the interoperability components shall consist of all the tasks necessary to keep the interoperability components functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the components function at a satisfactory level of technical quality, in particular as regards the response time for interrogation of the central infrastructures in accordance with the technical specifications.

Technical management of the interoperability components consists of all the tasks necessary to keep the interoperability components functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the components function at a satisfactory level of technical quality, in particular as regards the response time for interrogation of the central infrastructures in accordance with the technical specifications.

Amendment    267

Proposal for a regulation

Article 53 – paragraph 1 – subparagraph 2 a (new)

Text proposed by the Commission

Amendment

 

Security management of the interoperability components shall consist of all the tasks necessary to ensure the integrity, confidentiality and availability of all interoperability components in accordance with this Regulation, in particular information security risk assessments and preventive measures to avoid both physical and IT security incidents and the actions required to respond to and recover from them if they cannot be avoided.

Amendment    268

Proposal for a regulation

Article 54 – paragraph 1 – point g a (new)

Text proposed by the Commission

Amendment

 

(ga)  fully complying with the rules of each IT system to ensure the security and integrity of personal data;

Amendment    269

Proposal for a regulation

Article 54 – paragraph 1 – point h a (new)

Text proposed by the Commission

Amendment

 

(ha)  reporting any security incidents involving personal data to the Commission, eu-LISA, the national supervisory authorities and the European Data Protection Supervisor.

Amendment    270

Proposal for a regulation

Article 54a – paragraph 1

Text proposed by the Commission

Amendment

1.  Europol shall ensure processing of the queries by the ESP to the Europol data and shall accordingly adapt its Querying Europol Systems (QUEST) interface for basic protection level (BPL) data.

1.  Europol shall ensure processing of the queries by the ESP and the shared BMS to the Europol data and shall accordingly adapt its Querying Europol Systems (QUEST) interface for basic protection level (BPL) data.

Amendment    271

Proposal for a regulation

Article 54a – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  Any data processing by Europol under this Regulation shall be subject to Regulation (EU) 2016/794.

Amendment    272

Proposal for a regulation

Article 55d – paragraph 2

Regulation (EU) 2018/XX [Regulation on eu-LISA]

Article 9

 

Text proposed by the Commission

Amendment

"Article 9

Interoperability

Where the interoperability of large-scale IT systems has been stipulated in a relevant legislative instrument the Agency shall develop the necessary actions conferred on it by those legislative instruments to enable that interoperability."

deleted

Justification

Not necessary – this is already the text agreed in the eu-LISA Regulation adopted by EP in the July plenary.

Amendment    273

Proposal for a regulation

Article -56 (new)

Text proposed by the Commission

Amendment

 

Article -56

 

Access by third country jurisdictions

 

With reference to Article 48 of Regulation (EU) 2016/679, Directive (EU) 2016/680, and Articles XIV and XIV bis of the General Agreement on Trade in Services, companies present in a third country jurisdiction where they may be subject to (court) orders or subpoenas by third country authorities requiring them to retrieve data from the interoperability components or different information systems made interoperable, shall be excluded from preparing, designing, developing, hosting or managing any part of an interoperability component, or processing personal data of these systems.

Amendment    274

Proposal for a regulation

Article 56 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the European search portal (ESP), solely for the purposes of reporting and statistics without enabling individual identification:

1.  The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the European search portal (ESP), solely for the purposes of reporting and statistics. The use of these data shall not allow for the identification of a person:

Amendment    275

Proposal for a regulation

Article 56 – paragraph 2 – introductory part

Text proposed by the Commission

Amendment

2.  The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the common identity repository, solely for the purposes of reporting and statistics without enabling individual identification:

2.  The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the common identity repository, solely for the purposes of reporting and statistics. The use of these data shall not allow for the identification of a person:

Amendment    276

Proposal for a regulation

Article 56 – paragraph 3 – introductory part

Text proposed by the Commission

Amendment

3.  The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the multiple-identity detector, solely for the purposes of reporting and statistics without enabling individual identification:

3.  The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the multiple-identity detector, solely for the purposes of reporting and statistics. The use of these data shall not allow for the identification of a person:

Amendment    277

Proposal for a regulation

Article 56 – paragraph 3 – point d a (new)

Text proposed by the Commission

Amendment

 

(da)  the number of linkages between the various Union information systems;

Amendment    278

Proposal for a regulation

Article 56 – paragraph 3 – point d b (new)

Text proposed by the Commission

Amendment

 

(db)  the period of time for which a yellow link remained in the system;

Amendment    279

Proposal for a regulation

Article 56 – paragraph 3 – point d c (new)

Text proposed by the Commission

Amendment

 

(dc)  the period of time for which a red link remained in the system.

Amendment    280

Proposal for a regulation

Article 56 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a.  Meaningful summaries shall be made available to the Agency for Fundamental Rights in order to evaluate the impact on fundamental rights of this Regulation.

Amendment    281

Proposal for a regulation

Article 59 – paragraph 1

Text proposed by the Commission

Amendment

1.  For a period of one year following the notification by eu-LISA of the completion of the test referred to in Article 62(1)(b) regarding the multiple-identity detector (MID) and before the start of operations of the MID, the ETIAS Central Unit as referred to in [Article 33(a) of Regulation (EU) 2016/1624] shall be responsible for carrying out a multiple-identity detection between the data stored in the VIS, Eurodac and the SIS. The multiple-identity detections shall be carried out using only biometric data in accordance with Article 27(2) of this Regulation.

1.  For a period of one year following the notification by eu-LISA of the completion of the test referred to in Article 62(1)(b) regarding the MID and before the start of operations of the MID, the ETIAS Central Unit as referred to in [Article 33(a) of Regulation (EU) 2016/1624] shall be responsible for carrying out a multiple-identity detection between the data stored in VIS, Eurodac, the EES and SIS. The multiple-identity detections shall be carried out using only biometric data in accordance with Article 27(2) of this Regulation.

Amendment    282

Proposal for a regulation

Article 59 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  Following the period referred to in paragraph 1, the Commission shall, in close cooperation with the ETIAS Central Unit, create a network of liaison officers to be hosted in the ETIAS Central Unit or single points of contact of the competent Member States’ authorities for the performance of the task laid down in this Article.

Amendment    283

Proposal for a regulation

Article 59 – paragraph 5 a (new)

Text proposed by the Commission

Amendment

 

5a.  Notification under Article 61(3) shall only be made once all yellow links have been verified and changed either into a green or into a red link.

Amendment    284

Proposal for a regulation

Article 59 – paragraph 6

Text proposed by the Commission

Amendment

6.  eu-LISA shall assist where necessary the ETIAS Central Unit in carrying out the multiple-identity detection referred to in this Article.

deleted

Amendment    285

Proposal for a regulation

Article 60 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  The cost incurred in connection with the establishment and operation of a central Union backup solution for each system indicated in paragraph 1, where necessary, shall be borne by the general budget of the Union.

Amendment    286

Proposal for a regulation

Article 61 – paragraph 1 – subparagraph 2

Text proposed by the Commission

Amendment

A consolidated list of those authorities shall be published in the Official Journal of the European Union within a period of three months from the date on which each interoperability component commenced operations in accordance with Article 62. Where there are amendments to the list, eu-LISA shall publish an updated consolidated list once a year.

A consolidated list of those authorities shall be published in the Official Journal of the European Union within a period of three months from the date on which each interoperability component commenced operations in accordance with Article 62. Where there are amendments to the list, eu-LISA shall publish an updated consolidated list once a year. The list shall include the date of notification for each authority listed.

Amendment    287

Proposal for a regulation

Article 62 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1.  The Commission shall decide the date from which each interoperability component is to start operations, after the following conditions are met:

1.  No later than five years after the entry into force of this Regulation, the Commission shall adopt a decision setting the date on which each interoperability component is to start operations, after the following conditions are met:

Amendment    288

Proposal for a regulation

Article 62 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b)  eu-LISA has declared the successful completion of a comprehensive test of the relevant interoperability component, which is to be conducted by eu-LISA in cooperation with the Member States;

(b)  eu-LISA has declared the successful completion of a comprehensive test of the relevant interoperability component, which is to be conducted by eu-LISA in cooperation with the Member States, the ETIAS Central Unit and Europol;

Amendment    289

Proposal for a regulation

Article 62 – paragraph 1 – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

The date referred to in the first subparagraph shall be set for within 30 days from the decision of the Commission.

Amendment    290

Proposal for a regulation

Article 62 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a.  By way of derogation from paragraph 1, the measures referred to in Article 37 shall apply as of … [one year after the entry into force of this Regulation].

Amendment    291

Proposal for a regulation

Article 63 – paragraph 2

Text proposed by the Commission

Amendment

2.  The power to adopt delegated acts referred to in Articles 8(2) and 9(7) shall be conferred on the Commission for an indeterminate period of time from [the date of entry into force of this Regulation].

2.  The power to adopt delegated acts referred to in Articles 8(2), 9(7), 28(5) and 39(5) shall be conferred on the Commission for an indeterminate period of time from [the date of entry into force of this Regulation].

Amendment    292

Proposal for a regulation

Article 63 – paragraph 3

Text proposed by the Commission

Amendment

3.  The delegation of power referred to in Articles 8(2) and 9(7) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

3.  The delegation of power referred to in Articles 8(2), 9(7), 28(5) and 39(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Amendment    293

Proposal for a regulation

Article 63 – paragraph 6

Text proposed by the Commission

Amendment

6.  A delegated act adopted pursuant to Articles 8(2) and 9(7) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of [two months] of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.

6.  A delegated act adopted pursuant to Articles 8(2), 9(7), 28(5) and 39(5) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of [two months] of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.

Amendment    294

Proposal for a regulation

Article 66 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

Member States and Union agencies shall organise, for their staff authorised to process data from the interoperability components, an appropriate training programme on data security, data quality, data protection rules and the procedures for data processing.

Amendment    295

Proposal for a regulation

Article 66 – paragraph 1 b (new)

Text proposed by the Commission

Amendment

 

Common training courses on data security, data quality, data protection rules and the procedures for data processing shall be organised at Union level at least once a year to enhance cooperation and exchange of best practices between staff of Member States and Union bodies which are authorised to process data from the interoperability components.

Amendment    296

Proposal for a regulation

Article 67 – paragraph 1

Text proposed by the Commission

Amendment

The Commission shall, in close cooperation with the Member States, eu-LISA and other relevant agencies, make available a practical handbook for the implementation and management of the interoperability components. The practical handbook shall provide technical and operational guidelines, recommendations and best practices. The Commission shall adopt the practical handbook in the form of a recommendation.

The Commission shall, in close cooperation with the Member States, eu-LISA and other relevant agencies, update the practical handbooks made available for the EES, VIS, [ETIAS], Eurodac, SIS and [ECRIS-TCN] with the necessary information and make available a practical handbook for the implementation and management of the interoperability components. The handbooks shall provide technical and operational guidelines, recommendations and best practices. The Commission shall adopt the updates in accordance with the rules and in the form laid down in the respective legal instruments. The handbook on the interoperability components shall be adopted in the form of a recommendation.

Amendment    297

Proposal for a regulation

Article 67 – paragraph 1 – subparagraph 1 (new)

Text proposed by the Commission

Amendment

 

The practical handbook should provide guidance to Member States on how to deal with yellow links that are the results of inconsistencies with the identity data contained in ETIAS. Such modalities should not create disproportionate burdens on persons who, without any intention to deceive the authorities, have entered inaccurate or ambiguous data in ETIAS.

Amendment    298

Proposal for a regulation

Article 68 – paragraph 1

Text proposed by the Commission

Amendment

1.  eu-LISA shall ensure that procedures are in place to monitor the development of the interoperability components in light of objectives relating to planning and costs and to monitor the functioning of the interoperability components in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

1.  eu-LISA shall ensure that procedures are in place to monitor the development of the interoperability components and the integration of the existing national infrastructure and connection to the national uniform interface in light of objectives relating to planning and costs and to monitor the functioning of the interoperability components in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

Amendment    299

Proposal for a regulation

Article 68 – paragraph 2

Text proposed by the Commission

Amendment

2.  By [Six months after the entry into force of this Regulation — OPOCE, please replace with the actual date] and every six months thereafter during the development phase of the interoperability components, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of the interoperability components. Once the development is finalised, a report shall be submitted to the European Parliament and the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.

2.  By [Six months after the entry into force of this Regulation — OPOCE, please replace with the actual date] and every six months thereafter during the development phase of the interoperability components, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of the interoperability components. That report shall include an overview of the current development of costs and progress of the project, a financial impact assessment, and information on any technical problems and risks that may impact the overall costs of the system to be borne by the general budget of the Union in accordance with Article 60.

Amendment    300

Proposal for a regulation

Article 68 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a.  Six months after the start of the operations of each interoperability component, eu-LISA shall submit a report to the European Parliament and to the Council on the state of play of the connection by Member States to the communication infrastructure of the ESP and the CIR and the integration of the existing national systems and infrastructure with the ESP, shared BMS, the MID and the CIR.

Amendment    301

Proposal for a regulation

Article 68 – paragraph 2 b (new)

Text proposed by the Commission

Amendment

 

2b.  In the event of delays in the development process, the European Parliament and the Council shall be informed by eu-LISA as soon as possible of the reasons for the delays and of their impact in terms of time and finances.

Amendment    302

Proposal for a regulation

Article 68 – paragraph 2 c (new)

Text proposed by the Commission

Amendment

 

2c.  During the development phase of the interoperability components, the Commission shall evaluate the necessity of further harmonisation of the national systems and infrastructure of Member States at the external borders. The Commission shall transmit the evaluation report to the European Parliament and to the Council. These evaluation reports shall include recommendations, an impact assessment and an assessment of the cost for the Union budget.

Amendment    303

Proposal for a regulation

Article 68 – paragraph 3

Text proposed by the Commission

Amendment

3.  For the purposes of technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the interoperability components.

3.  For the purposes of technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the interoperability components without having access to any personal data processed by those components. Such access shall be logged.

Amendment    304

Proposal for a regulation

Article 68 – paragraph 4

Text proposed by the Commission

Amendment

4.  Four years after the start of operations of each interoperability component and every four years thereafter, eu-LISA shall submit to the European Parliament, the Council and the Commission a report on the technical functioning of the interoperability components, including the security thereof.

4.  Three years after the start of operations of each interoperability component and every three years thereafter, eu-LISA shall submit to the European Parliament, the Council and the Commission a report on the connection of Member States to the communication infrastructure of the ESP and the CIR and the integration of the existing national systems and infrastructure with the ESP, shared BMS, the MID and the CIR, as well as on the technical functioning of the interoperability components, including the security thereof.

Amendment    305

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – point d a (new)

Text proposed by the Commission

Amendment

 

(da)  an assessment of the Member States’ use of the CIR for identification;

Amendment    306

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – point d b (new)

Text proposed by the Commission

Amendment

 

(db)  an assessment to ensure that Member States are in full compliance with their obligations with respect to each Union information system;

Amendment    307

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – point d c (new)

Text proposed by the Commission

Amendment

 

(dc)  an assessment of the security of Member States’ connection to the communication infrastructure of the ESP and the CIR and the security of the integration of the existing national systems and infrastructure with the ESP, shared BMS, the MID and the CIR;

Amendment    308

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – point d d (new)

Text proposed by the Commission

Amendment

 

(dd)  an assessment of queries of the CIR for law enforcement purposes;

Amendment    309

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – point e a (new)

Text proposed by the Commission

Amendment

 

(ea)  an assessment of the search of the Interpol databases via the ESP, including information on the number of hits against Interpol databases and information on any problems encountered.

Amendment    310

Proposal for a regulation

Article 68 – paragraph 8 – subparagraph 1 – introductory part

Text proposed by the Commission

Amendment

While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare annual reports on the effectiveness of access to data stored in the common identity repository for law enforcement purposes, containing information and statistics on:

While respecting the provisions of national law on the publication of sensitive information including limitations deriving from matters of national security, each Member State and Europol shall prepare annual reports on the effectiveness of access to data stored in the common identity repository for law enforcement purposes, containing information and statistics on:

Amendment    311

Proposal for a regulation

Article 68 – paragraph 8 – subparagraph 2 a (new)

Text proposed by the Commission

Amendment

 

The Commission shall transmit those reports to the European Parliament, to the Council, to the European Data Protection Supervisor and to the European Union Agency for Fundamental Rights.

EXPLANATORY STATEMENT

Background and content of the proposal

The Commission presented the proposal establishing a framework for interoperability between EU information systems (borders and visa) (COM(2017) 793) and the proposal establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration) (COM(2017) 794) accompanied by a legislative financial statement and based on an impact assessment on 12 December 2017. It follows up on, among others, the Communication of the Commission of 6 April 2016 entitled 'Stronger and Smarter Information Systems for Borders and Security' (COM(2016) 205) in which the Commission outlined the need for the EU to strengthen and improve its IT systems, data architecture and information exchange in the area of border management, law enforcement and counter-terrorism and the final report of the high-level expert group on information systems and interoperability of 11 May 2017 that concluded that it is necessary and technically feasible to work towards practical solutions for interoperability and that they can, in principle, both deliver operational gains and be established in compliance with data protection requirements.

The proposal establishes four interoperability components: the European Search Portal (ESP); the shared Biometric Matching Service (shared BMS); the Common Identity Repository (CIR); and the Multiple Identity Detector (MID). It lays down provisions on the objectives of the interoperability components, their technical architecture, rules regarding the use of the components, the storing of logs, the quality of the data, rules regarding data protection, supervision and responsibilities of the various agencies and the Member States. It also contains amendments to a number of other legislative instruments.

Procedure

In order to assess the Commission’s proposal and to prepare for this draft report the rapporteurs sought input from a wide range of sources. A series of meetings held at shadow level took place with the Commission’s services to discuss the entire proposal in detail. In addition, various stakeholders and experts were invited to attend meetings with the shadow rapporteurs. These were the European agencies affected by or interested in the proposals (eu-LISA, Europol, Frontex, FRA), and the European Data Protection Supervisor. To complement these meetings a request for an opinion of the Fundamental Rights Agency was made and a visit to the technical site of eu-LISA in Strasbourg organised.

Position of the rapporteurs

The rapporteurs welcome the proposals by the Commission on establishing a framework for interoperability between EU information systems. EU citizens expect the European Union to deliver on effective asylum and migration management, on proper external border management and on addressing ongoing threats to internal security. The refugee crisis as well as the series of terrorist attacks over the past years has shown the urgency of enhancing relevant information sharing. Delivering on these issues is important in order to maintain public trust in the Union migration and asylum system, the Union security measures and the Union capabilities to manage the external borders.

The rapporteurs furthermore agree with the Commission that the opportunities offered by interoperability as a measure to enhance security and the protection of the external border need to be balanced with the obligation to ensure that interferences with fundamental rights that may derive from the new interoperability environment are limited to what is strictly necessary to genuinely meet the objectives of general interest pursued, subject to the principle of proportionality. That balance is carefully reflected in the amendments proposed. The rapporteurs further believe that the interoperability components offer an opportunity to increase the protection of fundamental rights, for instance by ensuring the correct identification of bona fide persons and combating identity fraud.

The establishment of interoperability improves the management of the external borders by establishing fast, simple and efficient access to EU information systems. Therefore, we have to be careful not to increase the number of tasks we ask border guards to undertake. The rapporteurs have made several proposals in order to achieve this: firstly, there shouldn’t be a strict obligation for border guards to deal with a yellow flag in second line checks. It should be up to the border guard to make this decision as they are trained to detect identity fraud. Secondly, the European Search Portal (ESP) should provide answers to the border guard immediately when the underlying systems provide answers. It shouldn’t wait to collect all answers from the underlying systems before presenting them to the border guard. Thirdly, emphasis should be given to properly training border guards in dealing with the manual verification system that will be introduced by this proposal.

The rapporteurs have introduced a separate article highlighting the need for all interoperability components to enable fast, seamless, efficient and controlled access using the best available technology in order to deliver response times in line with operational needs. Many daily operations of border guards, police officers, immigration officers or consular staff will depend on the correct functioning of these interoperability components. It is therefore crucial to guarantee the proper functioning of the components, but the rapporteurs find it equally important to create a backup system, especially for the Common Identity Repository (CIR) and the ESP. The proper functioning of all the components as well as the underlying systems will depend on these two components; therefore a backup structure should be provided for.

The rapporteurs would like to highlight the fact that the interoperability components will not change the underlying systems, rules and procedures therein. The interoperability components should facilitate access, but access rights will not change through this proposal. Several amendments have been introduced in order to clarify this. The only changes in relation to access rights are made in the field of law enforcement: for access purposes, a hit/no-hit mechanism is established. This not only optimizes the access to the underlying systems, it also makes sure that only those databases are being searched that contain relevant information. The rapporteurs amended the procedure in the proposal in order to make sure that only those law enforcement officers that are allowed to have full access to the data systems will be able to search the systems through the hit/no-hit procedure.

Furthermore, the proposal allows Member States' police authorities, if so empowered through national law, to use the CIR for the identification of a person during an identity check. According to the rapporteurs the procedure for identification should reflect standard practice in the Member States. Therefore, amendments have been made in order to identify the person first, following rules and procedures in national law, with identity or travel documents, before allowing the CIR to be queried with the use of biometric data of the person. The CIR may only be queried to identify a person when the person is physically present.

In order to strengthen the ability of the European Commission, the Council and the European Parliament to monitor and evaluate the functioning of this proposal, further amendments have been made to this article, especially with regard to the use of the CIR for the purposes of identification, for the purposes of law enforcement and the use of the Interpol database through the ESP.

OPINION of the Committee on Budgets (20.6.2018)

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a regulation of the European Parliament and of the Council on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration)
(COM(2017)0794 – C8‑0003/2018 – 2017/0352(COD))

Rapporteur for opinion: Bernd Kölmel

SHORT JUSTIFICATION

The rapporteur welcomes the two Commission proposals for a regulation for establishing a framework for interoperability between EU information systems adopted on 12 December 2017. Both proposals aim at overcoming structural shortcomings in the present EU information management architecture by making information systems interoperable, i.e. able to exchange data and share information. The rapporteur fully subscribes to their purpose, which is to ensure fast access to information, including by law enforcement authorities, to detect multiple identities and combat identity fraud, to facilitate identity checks of third-country nationals and to facilitate the prevention, investigation or prosecution of serious crime and terrorism.

The present opinion concerns the proposal on police and judicial cooperation, asylum and migration, which aims to regulate access to the Schengen Information System as currently regulated by Council Decision 2007/533/JHA, as well as Eurodac and ECRIS-TCN (European Criminal Records Information System for third-country nationals).

The rapporteur agrees with the proposal to establish the following four interoperability components: a European search portal capable of querying simultaneously all relevant EU systems in the areas of security, border and migration management, a shared biometric matching service, a common identity repository and a multiple-identity detector. In addition, he welcomes the proposal to establish a central repository for reporting and statistics for the extraction of anonymous statistical data for policy, operational and data quality purposes.

The total budget required to finance both proposals over nine years (2019-2027) is estimated at EUR 461 million, including:

-  EUR 261.3 million for eu-LISA for the development and maintenance of the interoperability components (of which EUR 23 million in 2019-2020);

-  EUR 136.3 million for Member States to cover the changes to their national systems (from 2021);

-  EUR 48.9 million for Europol to cover the upgrade of Europol's IT systems (of which EUR 9.1 million in 2019-2020);

-  EUR 4.8 million for Frontex for the set-up phase of the multiple-identity detector (from 2021);

-  EUR 2.0 million for CEPOL to deliver training to operational staff (of which EUR 100 000 in 2020);

-  EUR 7.7 million for DG HOME for a limited increase of staff and related costs during the development period (of which EUR 2 million in 2019-2020), to be covered under heading 5.

The total cost of EUR 32.1 million for the years 2019 and 2020 to be borne by heading 3 is to be covered under the current ISF-Borders Regulation, where sufficient appropriations are still available. The proposed budget beyond 2020 is illustrative and does not prejudge the negotiations on the next MFF, for which the Commission adopted its proposal on 2 May 2018. The rapporteur notes with satisfaction that there are no overlaps with the budget requests under other recent legislative proposals in this area, notably ECRIS-TCN (European Criminal Records Information System for third-country nationals), the revision of SIS II, EES, ETIAS, the Eurodac recast and the revision of the founding regulation of eu-LISA.

The rapporteur notes that the one-off set-up costs to Member States are estimated at EUR 85.5 million and that the Commission proposes to reimburse all integration costs incurred by Member States, in order to be able to monitor their advancement in implementing these regulations.

The rapporteur considers the estimated cost to the EU budget to be justified and proportionate, and underlines that enhanced interoperability at EU level is expected to generate cost savings of around EUR 77.5 million per year, mainly for Member States’ IT departments and administrations for border management, migration and law enforcement. Nonetheless, the rapporteur urges the Commission, eu-LISA, Frontex, Europol, CEPOL and the Member States to ensure the highest degree of cost efficiency possible throughout the development and operation phases. In particular eu-LISA is urged to make every effort to avoid cost overruns and delays when defining and implementing the preferred technical solution, and to ensure optimal project staffing by reassigning staff to new tasks as earlier projects come to completion.

With regard to revenue, the rapporteur requests that the Commission provide as soon as possible detailed information on the contributions expected from Schengen-associated countries, which are to be treated as miscellaneous assigned revenue to the eu-LISA budget line (18 02 07).

Finally, the rapporteur strengthens a number of provisions on reporting and evaluation, in order to enable the budgetary authority to follow closely the development and early functioning of the new interoperability components in view of future budgetary decisions, in particular under the post-2020 MFF.

AMENDMENTS

The Committee on Budgets calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:

Amendment    1

Proposal for a regulation

Article 60 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1 a.  The cost incurred in connection with the establishment and operation of a central EU backup solution for each system indicated in paragraph 1, where necessary, shall be borne by the general budget of the Union.

Amendment    2

Proposal for a regulation

Article 60 – paragraph 2 – subparagraph 1

Text proposed by the Commission

Costs incurred in connection with the integration of the existing national infrastructures and their connection to the national uniform interfaces as well as in connection with hosting the national uniform interfaces shall be borne by the general budget of the Union.

Amendment

Costs incurred in connection with the integration of the existing national infrastructures and their connection to the national uniform interfaces as well as in connection with hosting and future developments of the national uniform interfaces shall be borne by the general budget of the Union.

Amendment    3

Proposal for a regulation

Article 60 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2 a.   The annual appropriations shall be authorised by the European Parliament and the Council within the limits of the multiannual financial framework and within the framework of the annual budgetary procedure.

Amendment    4

Proposal for a regulation

Article 68 – paragraph 2

Text proposed by the Commission

2.  By [Six months after the entry into force of this Regulation — OPOCE, please replace with the actual date] and every six months thereafter during the development phase of the interoperability components, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of the interoperability components. Once the development is finalised, a report shall be submitted to the European Parliament and the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.

Amendment

2.  By [Six months after the entry into force of this Regulation — OPOCE, please replace with the actual date] and every six months thereafter during the development phase of the interoperability components, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of the interoperability components. That report shall include an overview of the current development of costs and progress of the project, a financial impact assessment, and information on any technical problems and risks that may impact the overall costs of the system to be borne by the general budget of the Union in accordance with Article 60.

Amendment    5

Proposal for a regulation

Article 68 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2 a.  In the event of delays in the development process, the European Parliament and the Council shall be informed by eu-LISA as soon as possible of the reasons for the delays and of their impact in terms of time and finances.

Amendment    6

Proposal for a regulation

Article 68 – paragraph 4

Text proposed by the Commission

4.  Four years after the start of operations of each interoperability component and every four years thereafter, eu-LISA shall submit to the European Parliament, the Council and the Commission a report on the technical functioning of the interoperability components, including the security thereof.

Amendment

4.  Two years after the start of operations of each interoperability component and every two years thereafter, eu-LISA shall submit to the European Parliament, the Council and the Commission a report on the technical functioning of the interoperability components, including their security and costs.

Amendment    7

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – introductory part

Text proposed by the Commission

In addition, one year after each report from eu-LISA, the Commission shall produce an overall evaluation of the components, including:

Amendment

In addition, six months after each report from eu-LISA, the Commission shall produce an overall evaluation of the components, including:

Amendment    8

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – point b

Text proposed by the Commission

(b)  an examination of the results achieved against objectives and the impact on fundamental rights;

Amendment

(b)  an examination of the results achieved against objectives and the impact on fundamental rights, as well as the associated costs;

Amendment    9

Proposal for a regulation

Article 68 – paragraph 5 – subparagraph 1 – point e

Text proposed by the Commission

(e)  an assessment of any implications, including any disproportionate impact on the flow of traffic at border crossing points and those with a budgetary impact on the Union budget.

Amendment

(e)  an assessment of any implications including those with an impact on the flow of traffic at border crossing points and those with a budgetary impact on the Union budget.

PROCEDURE – COMMITTEE ASKED FOR OPINION

Title: Interoperability between EU information systems (police and judicial cooperation, asylum and migration)

References: COM(2017)0794 – C8-0003/2018 – 2017/0352(COD)

Committee responsible (date announced in plenary): LIBE, 28.2.2018

Opinion by (date announced in plenary): BUDG, 28.2.2018

Rapporteur (date appointed): Bernd Kölmel, 25.1.2018

Discussed in committee: 17.5.2018

Date adopted: 19.6.2018

Result of final vote: +: 30; –: 3; 0: 3

Members present for the final vote: Nedzhmi Ali, Jean Arthuis, Richard Ashworth, Gérard Deprez, Manuel dos Santos, José Manuel Fernandes, Eider Gardiazabal Rubial, Jens Geier, Iris Hoffmann, Monika Hohlmeier, John Howarth, Bernd Kölmel, Zbigniew Kuźmiuk, Vladimír Maňka, Siegfried Mureşan, Jan Olbrycht, Răzvan Popa, Petri Sarvamaa, Jordi Solé, Patricija Šulin, Isabelle Thomas, Inese Vaidere, Monika Vana, Tiemo Wölken, Marco Zanni

Substitutes present for the final vote: Anneli Jäätteenmäki, Alain Lamassoure, Janusz Lewandowski, Verónica Lope Fontagné, Andrey Novakov, Pavel Poc, Ivan Štefanec, Claudia Țapardel

Substitutes under Rule 200(2) present for the final vote: John Stuart Agnew, Martina Anderson, Auke Zijlstra

FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION

30 +

ALDE: Nedzhmi Ali, Jean Arthuis, Gérard Deprez, Anneli Jäätteenmäki

ECR: Bernd Kölmel, Zbigniew Kuźmiuk

PPE: Richard Ashworth, José Manuel Fernandes, Monika Hohlmeier, Alain Lamassoure, Janusz Lewandowski, Verónica Lope Fontagné, Siegfried Mureşan, Andrey Novakov, Jan Olbrycht, Petri Sarvamaa, Ivan Štefanec, Patricija Šulin, Inese Vaidere

S&D: Eider Gardiazabal Rubial, Jens Geier, Iris Hoffmann, John Howarth, Vladimír Maňka, Pavel Poc, Răzvan Popa, Manuel dos Santos, Claudia Țapardel, Isabelle Thomas, Tiemo Wölken

3 -

EFDD: John Stuart Agnew

ENF: Auke Zijlstra

GUE/NGL: Martina Anderson

3 0

ENF: Marco Zanni

VERTS/ALE: Jordi Solé, Monika Vana

Key to symbols:

+  :  in favour

-  :  against

0  :  abstention

PROCEDURE – COMMITTEE RESPONSIBLE

Title: Interoperability between EU information systems (police and judicial cooperation, asylum and migration)

References: COM(2018)0480 – C8-0293/2018 – COM(2017)0794 – C8-0003/2018 – 2017/0352(COD)

Date submitted to Parliament: 13.6.2018

Committee responsible (date announced in plenary): LIBE, 28.2.2018

Committees asked for opinions (date announced in plenary): AFET, 28.2.2018; BUDG, 28.2.2018

Not delivering opinions (date of decision): AFET, 22.2.2018

Rapporteurs (date appointed): Nuno Melo, 1.2.2018

Discussed in committee: 11.6.2018; 3.9.2018; 15.10.2018

Date adopted: 15.10.2018

Result of final vote: +: 45; –: 9; 0: 0

Members present for the final vote: Asim Ademov, Heinz K. Becker, Malin Björk, Rachida Dati, Agustín Díaz de Mera García Consuegra, Cornelia Ernst, Tanja Fajon, Laura Ferrara, Kinga Gál, Ana Gomes, Eva Joly, Dietmar Köster, Barbara Kudrycka, Juan Fernando López Aguilar, Monica Macovei, Roberta Metsola, Louis Michel, Claude Moraes, Péter Niedermüller, Giancarlo Scottà, Helga Stevens, Traian Ungureanu, Bodil Valero, Marie-Christine Vergiat, Harald Vilimsky, Josef Weidenholzer, Kristina Winberg, Auke Zijlstra

Substitutes present for the final vote: Miriam Dalli, Gérard Deprez, Anna Hedh, Lívia Járóka, Sylvia-Yvonne Kaufmann, Ska Keller, Miltiadis Kyrkos, Jean Lambert, Jeroen Lenaers, Nuno Melo, Maite Pagazaurtundúa Ruiz, Barbara Spinelli, Axel Voss

Substitutes under Rule 200(2) present for the final vote: Pervenche Berès, Luis de Grandes Pascual, Esther de Lange, Raffaele Fitto, John Flack, Arne Gericke, Karine Gloanec Maurin, Gesine Meissner, Francisco José Millán Mon, Marijana Petir, Ulrike Rodust, Massimiliano Salini, Tibor Szanyi

Date tabled: 19.10.2018

FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE

45 +

ALDE: Gérard Deprez, Gesine Meissner, Louis Michel, Maite Pagazaurtundúa Ruiz

ECR: Raffaele Fitto, John Flack, Arne Gericke, Monica Macovei, Helga Stevens, Kristina Winberg

EFDD: Laura Ferrara

ENF: Giancarlo Scottà, Harald Vilimsky

PPE: Asim Ademov, Heinz K. Becker, Rachida Dati, Agustín Díaz de Mera García Consuegra, Kinga Gál, Luis de Grandes Pascual, Lívia Járóka, Barbara Kudrycka, Esther de Lange, Jeroen Lenaers, Nuno Melo, Roberta Metsola, Francisco José Millán Mon, Marijana Petir, Massimiliano Salini, Traian Ungureanu, Axel Voss

S&D: Pervenche Berès, Miriam Dalli, Tanja Fajon, Karine Gloanec Maurin, Ana Gomes, Anna Hedh, Sylvia-Yvonne Kaufmann, Dietmar Köster, Miltiadis Kyrkos, Juan Fernando López Aguilar, Claude Moraes, Péter Niedermüller, Ulrike Rodust, Tibor Szanyi, Josef Weidenholzer

9 -

ENF: Auke Zijlstra

GUE/NGL: Malin Björk, Cornelia Ernst, Barbara Spinelli, Marie-Christine Vergiat

VERTS/ALE: Eva Joly, Ska Keller, Jean Lambert, Bodil Valero

0 0

Key to symbols:

+  :  in favour

-  :  against

0  :  abstention

Last updated: 22 October 2018