EDPS calls for consistency in EU approach to criminal records

There is a clear need for the EU to develop a more efficient system for exchanging information on the criminal records of non-EU citizens. At the same time, any proposal to update the current system must ensure consistency with the EU Charter of Fundamental Rights and the Lisbon Treaty and fully respect data protection principles, the European Data Protection Supervisor (EDPS) said today, as he published his Opinion on the Commission’s Proposal for a Regulation on ECRIS-TCN.

Member States use the current European Criminal Records Information Service (ECRIS) primarily to facilitate judicial cooperation, through the exchange of information relating to criminal convictions. In 2016, the Commission proposed a Directive on ECRIS aimed at improving this system. They wanted to make it easier for Member States to exchange information on non-EU citizens, known as third-country nationals (TCN). The proposed Regulation on ECRIS-TCN aims to complement the Directive and address some of the technical problems encountered in its application, most notably by changing the system used to identify which Member States hold information on criminal convictions relating to non-EU citizens from a decentralised system to a central system.

Giovanni Buttarelli, EDPS, said: "There is a clear need to improve the ECRIS system to better facilitate the exchange of information on the criminal records of non-EU citizens, and we support the Commission’s efforts to do this. At the same time, it is vital that our approach is consistent. Firstly, this means ensuring that any difference and specificity in the treatment of the personal data of non-EU citizens and EU nationals is fully justified. Secondly, it means ensuring that the Regulation and the Directive fully respect the EU Charter of Fundamental Rights and the requirements for any lawful limitation of these rights.”

The EDPS notes that the proposed Regulation would establish a central database in which identity information, including fingerprints and facial images, would be stored. It would be hosted by eu-LISA, which currently hosts the majority of the EU’s large-scale IT databases in the area of freedom, security and justice, thus facilitating the interoperability of these databases, a key objective for the Commission, outlined in a proposal published yesterday. The EDPS recommends that the Commission complete a thorough impact assessment to determine whether a central database represents the least intrusive way of identifying which Member States hold information on the criminal convictions of non-EU citizens. He also calls attention to his recent Opinion on the Commission’s proposal for a Regulation on eu-LISA, in which he stressed the need to assess the impact on fundamental rights of concentrating all such databases in one agency.

The original ECRIS legislation was developed before the Lisbon Treaty and the EU Charter of Fundamental Rights came into force. Any plans to amend this law must therefore bring ECRIS and   ECRIS-TCN up to the standards specified in the Charter and Article 16 of the TFEU. This means clearly defining for what purposes, other than for criminal proceedings, the data in ECRIS or ECRIS-TCN will be used, and establishing that these purposes are both necessary and proportionate. This includes demonstrating that any plans to provide EU bodies with access to ECRIS-TCN is truly necessary, proportionate and compliant with their tasks. Access should also be appropriately limited to ensure that any difference in the treatment of non-EU citizens and EU nationals is fully justifiable.

As the data to be stored in ECRIS-TCN is very sensitive, the EDPS stresses that it must only be processed if it is strictly necessary to do so. In cases where Member States carry out a search for a purpose other than criminal proceedings, they should only be notified of a hit if the national law of the Member State holding the relevant information permits this. Fingerprints should only be processed in cases where identification of the individual cannot be achieved by other means, and the need to store and process facial images must be clearly established.

Improvements to the ECRIS system are undoubtedly needed. However, we must ensure that these improvements do not come at the expense of the fundamental rights to data protection and privacy applicable to all those whose data is processed in the EU.